pvessl: nginx based reverse proxy w/ certs for PVE

2019-05-13 21:46:37 +02:00 · 2019-05-13 21:46:37 +02:00 · e99c8d34dd
commit e99c8d34dd
parent c4bcc13ccd
6 changed files with 90 additions and 0 deletions
--- a/roles/pvessl/handlers/main.yml
+++ b/roles/pvessl/handlers/main.yml
@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Run acertmgr
+  command: /opt/acertmgr/acertmgr.py
--- a/roles/pvessl/meta/main.yml
+++ b/roles/pvessl/meta/main.yml
@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
--- a/roles/pvessl/tasks/main.yml
+++ b/roles/pvessl/tasks/main.yml
@ -0,0 +1,19 @@
+---
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+
+- name: Configure certificate manager
+  template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}.conf
+  notify: Run acertmgr
+
+- name: Configure vhosts
+  template: src=vhost.j2 dest=/etc/nginx/sites-available/pve
+  notify: Restart nginx
+
+- name: Disable default vhost
+  file: path=/etc/nginx/sites-enabled/default state=absent
+
+- name: Enable vhosts
+  file: src=/etc/nginx/sites-available/pve dest=/etc/nginx/sites-enabled/pve state=link
+  notify: Restart nginx
--- a/roles/pvessl/templates/certs.j2
+++ b/roles/pvessl/templates/certs.j2
@ -0,0 +1,18 @@
+---
+
+{{ ansible_fqdn }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
--- a/roles/pvessl/templates/vhost.j2
+++ b/roles/pvessl/templates/vhost.j2
@ -0,0 +1,36 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	server_name {{ ansible_fqdn }};
+
+	location /.well-known/acme-challenge {
+		default_type "text/plain";
+		alias /var/www/acme-challenge;
+	}
+
+	location / {
+		return 301 https://{{ ansible_fqdn }}$request_uri;
+	}
+}
+
+server {
+	listen 443 ssl http2;
+	listen [::]:443 ssl http2;
+
+	server_name {{ ansible_fqdn }};
+
+	ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+	ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+
+	proxy_redirect off;
+	location / {
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_pass https://localhost:8006;
+		proxy_buffering off;
+		client_max_body_size 0;
+	}
+}
--- a/site.yml
+++ b/site.yml
@ -12,6 +12,11 @@
  roles:
  - uau

+- name: Setup Proxmox VE hosts
+  hosts: [salat.binary.kitchen, wurst.binary.kitchen]
+  roles:
+  - pvessl
+
 - name: Setup BK infrastructure server
  hosts: [bacon.binary.kitchen, aveta.binary.kitchen]
  roles: