From 4fd1ae556ec5d9a94f9ca73884a756ca21e1769f Mon Sep 17 00:00:00 2001
From: Elizabeth Hunt
Date: Wed, 3 Jan 2024 14:21:07 -0500
Subject: deploy webservers behind reverse proxy (added poc for headscale)
---
roles/webservers/tasks/main.yml | 74 ++++++++++++++++++++++++++++++++++++++++-
1 file changed, 73 insertions(+), 1 deletion(-)
(limited to 'roles/webservers/tasks/main.yml')
diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml
index 680b050..03fba22 100644
--- a/roles/webservers/tasks/main.yml
+++ b/roles/webservers/tasks/main.yml
@@ -15,4 +15,76 @@
 service: name=ufw state=restarted enabled=yes

 - name: install nginx
- apt: name=nginx status=latest
+ apt: name=nginx state=latest
+
+- name: install letsencrypt
+ apt: name=letsencrypt state=latest
+
+- name: create letsencrypt directory
+ file: name=/var/www/letsencrypt state=directory
+
+- name: remove default nginx
+ file: name=/etc/nginx/sites-enabled/default state=absent
+
+- name: generate dhparams
+ shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ args:
+ creates: /etc/nginx/dhparams.pem
+
+- name: add system nginx config
+ template:
+ src: ../files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+
+- name: copy http nginx configuration for each domain
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ with_fileglob:
+ - "files/{{ inventory_hostname }}/http.*.conf"
+
+- name: restart nginx to get letsencrypt certificate
+ service: name=nginx state=restarted enabled=yes
+
+- name: find deployed domains
+ ansible.builtin.find:
+ paths: "/etc/nginx/sites-enabled/"
+ patterns: "http.*.conf"
+ register: nginx_conf_files
+ delegate_to: "{{ inventory_hostname }}"
+
+- name: extract domains from deployed nginx configurations
+ shell: |
+ grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}"
+ loop: "{{ nginx_conf_files.files }}"
+ register: extracted_domains
+
+- name: request letsencrypt certificate
+ shell: >
+ letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \
+ --agree-tos -d {{ item.stdout }}
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.stdout }}"
+ loop: "{{ extracted_domains.results }}"
+ when: item.stdout != ""
+
+- name: copy https nginx configuration for each domain
+ copy:
+ src: "{{ item }}"
+ dest: "/etc/nginx/sites-enabled/"
+ with_fileglob:
+ - "files/{{ inventory_hostname }}/https.*.conf"
+
+- name: reload nginx to activate sites
+ service: name=nginx state=restarted
+
+- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
+ cron:
+ name: "letsencrypt_renewal_{{ item.stdout }}"
+ day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
+ hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}"
+ minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}"
+ job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload"
+ loop: "{{ extracted_domains.results }}"
+ when: item.stdout != ""
+
-- cgit v1.2.3-70-g09d2
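Review bot: The `shell: >` folded scalar in the "request letsencrypt certificate" task keeps the trailing backslash as literal text, so the shell receives `... -m {{ letsencrypt_email }} \ --agree-tos -d ...`, where the escaped space becomes a stray one-character argument that the letsencrypt/certbot option parser will most likely reject; the task then only looks healthy on hosts where `creates:` already short-circuits it. Drop the backslash and let the folded scalar join the two lines: `letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }}` followed by `--agree-tos -d {{ item.stdout }}`. The grep in "extract domains from deployed nginx configurations" captures everything up to the `;`, so a `server_name` line listing several names, or a file with several server blocks, yields a space- or newline-separated value that is then interpolated unquoted into `-d`, the `creates:` path and the cron `--cert-name`; normalise the extraction to one name per loop item (first name for the lineage, any others as extra `-d` flags) before looping. The monthly cadence in the final cron task gives each 90-day certificate a single renewal attempt with no retry before expiry; since `letsencrypt renew` only contacts the CA for certificates inside their renewal window, a daily schedule using the same hashed hour/minute spreads load just as well and does not consume issuance quota on the days nothing is due.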