path: root/roles/webservers/tasks/main.yml
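---
# webservers role: firewall rules, nginx, Let's Encrypt certificates and a
# per-domain renewal cron entry.
# Ordering matters: the http vhosts are copied and nginx restarted before the
# certificates are requested with --webroot, and the https vhosts are only
# enabled afterwards.

- name: allow http
  ufw:
    rule: allow
    port: '80'
    proto: tcp

- name: allow https
  ufw:
    rule: allow
    port: '443'
    proto: tcp

- name: restart ufw
  service:
    name: ufw
    state: restarted
    enabled: true

# state: latest upgrades the package on every run rather than only installing
# it once.
- name: install nginx
  apt:
    name: nginx
    state: latest

- name: install letsencrypt
  apt:
    name: letsencrypt
    state: latest

- name: create letsencrypt directory
  file:
    path: /var/www/letsencrypt
    state: directory

- name: remove default nginx
  file:
    path: /etc/nginx/sites-enabled/default
    state: absent

# No shell features are needed, so command is used instead of shell;
# creates: keeps the task idempotent.
- name: generate dhparams
  command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
  args:
    creates: /etc/nginx/dhparams.pem

- name: add system nginx config
  template:
    src: ../files/nginx.conf
    dest: /etc/nginx/nginx.conf

- name: copy http nginx configuration for each domain
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/http.*.conf"
    - "files/{{ inventory_hostname }}/https.*.conf"

- name: restart nginx to get letsencrypt certificate
  service:
    name: nginx
    state: restarted
    enabled: true

- name: find deployed domains
  ansible.builtin.find:
    paths: "/etc/nginx/sites-enabled/"
    patterns: "http.*.conf"
  register: nginx_conf_files

# Read-only extraction, so it never reports "changed". The path comes from
# find on the managed host and is shell-quoted rather than interpolated bare.
# NOTE: a vhost with several server_name values, or several server_name
# lines, produces a space/newline-separated value that the tasks below pass
# to letsencrypt as a single -d argument; only single-name vhosts are handled.
- name: extract domains from deployed nginx configurations
  command: grep -oP 'server_name\s+\K[^;]+' {{ item.path | quote }}
  loop: "{{ nginx_conf_files.files }}"
  register: extracted_domains
  changed_when: false

# simponic.xyz & others
# Domain and e-mail are shell-quoted so a malformed server_name cannot alter
# the command line; empty results are skipped instead of failing certbot.
- name: request simponic letsencrypt certificates
  command: >-
    letsencrypt certonly -n --webroot -w /var/www/letsencrypt
    -m {{ letsencrypt_email | quote }} --agree-tos
    -d {{ item.stdout | quote }}
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
  when:
    - item.stdout != ""
    - '"hatecomputers.club" not in item.stdout'
    - '"rainrain" not in item.stdout'

# hatecomputers.club
- name: build plugin template
  template:
    src: ../templates/plugin.sh.j2
    dest: /etc/letsencrypt/hcdns.sh
    mode: "0744"
    owner: root
    group: root

# Unpinned clone of the repository's default branch: every run pulls whatever
# is currently at its tip, and the checkout is presumably used by the DNS
# auth hook above. Consider pinning version: to a tag or commit.
- name: clone hcdns auth repo
  ansible.builtin.git:
    repo: https://git.hatecomputers.club/simponic/hc-cert-dns
    dest: /root/hc-cert-dns

- name: request hatecomputers letsencrypt certificate
  command: >-
    letsencrypt certonly -n
    --manual --manual-auth-hook /etc/letsencrypt/hcdns.sh
    --preferred-challenges dns
    -d {{ item.stdout | quote }}
    --email {{ letsencrypt_email | quote }}
    --agree-tos
    --no-eff-email
  args:
    creates: "/etc/letsencrypt/live/{{ item.stdout }}"
  loop: "{{ extracted_domains.results }}"
  when: '"hatecomputers.club" in item.stdout'

- name: copy https nginx configuration for each domain
  copy:
    src: "{{ item }}"
    dest: "/etc/nginx/sites-enabled/"
  with_fileglob:
    - "files/{{ inventory_hostname }}/https.*.conf"
    - "files/{{ inventory_hostname }}/https.*.servconf"

- name: reload nginx to activate sites
  service:
    name: nginx
    state: restarted

# Spread renewals across the month so many domains do not all hit Let's
# Encrypt at once. md5 is only a cheap, stable hash for scheduling here, not
# a security control.
- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
  cron:
    name: "letsencrypt_renewal_{{ item.stdout }}"
    day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}"
    hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24) }}"
    minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60) }}"
    job: >-
      letsencrypt renew --cert-name {{ item.stdout | quote }} -n --webroot
      -w /var/www/letsencrypt -m {{ letsencrypt_email | quote }} --agree-tos ;
      service nginx restart
  loop: "{{ extracted_domains.results }}"
  when: item.stdout != ""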