From e99c8d34dd4a56c8f805f1cf8cdd43992d189918 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 13 May 2019 21:46:37 +0200
Subject: [PATCH] pvessl: nginx based reverse proxy w/ certs for PVE
---
roles/pvessl/handlers/main.yml | 7 +++++++
roles/pvessl/meta/main.yml | 5 +++++
roles/pvessl/tasks/main.yml | 19 +++++++++++++++++
roles/pvessl/templates/certs.j2 | 18 +++++++++++++++++
roles/pvessl/templates/vhost.j2 | 36 +++++++++++++++++++++++++++++++++
site.yml | 5 +++++
6 files changed, 90 insertions(+)
create mode 100644 roles/pvessl/handlers/main.yml
create mode 100644 roles/pvessl/meta/main.yml
create mode 100644 roles/pvessl/tasks/main.yml
create mode 100644 roles/pvessl/templates/certs.j2
create mode 100644 roles/pvessl/templates/vhost.j2
diff --git a/roles/pvessl/handlers/main.yml b/roles/pvessl/handlers/main.yml
new file mode 100644
index 0000000..2c3a4e3
--- /dev/null
+++ b/roles/pvessl/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Run acertmgr
+ command: /opt/acertmgr/acertmgr.py
diff --git a/roles/pvessl/meta/main.yml b/roles/pvessl/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/pvessl/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/pvessl/tasks/main.yml b/roles/pvessl/tasks/main.yml
new file mode 100644
index 0000000..0e7a458
--- /dev/null
+++ b/roles/pvessl/tasks/main.yml
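Review bot: Handler order is going to bite on a fresh host: Ansible runs notified handlers in the order they are defined in this file, so `Restart nginx` fires before `Run acertmgr`, and that first restart happens while `/etc/nginx/ssl/<fqdn>.crt`/`.key` (which the vhost template references) do not exist yet — nginx refuses to start on a missing `ssl_certificate` and the play fails, unless the acertmgr or nginx dependency role already provisioned those files, which this commit does not show. Defining `Run acertmgr` above `Restart nginx` (or guarding the restart on the cert files existing) avoids that. `state=restarted` also drops every live connection, including the noVNC/SPICE websockets proxied by this vhost, on each config change; `state=reloaded` is sufficient once nginx is running, with a full restart left to the cert-rotation action. Style-wise, the `key=value` shorthand is better written as native YAML: `service:` / `name: nginx` / `state: reloaded`.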
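Review bot: `nginx_ssl: True` uses a YAML 1.1 capitalised boolean; Ansible accepts it, but yamllint's `truthy` rule and anyone grepping for the flag expect the canonical `nginx_ssl: true`, so `- { role: nginx, nginx_ssl: true }` is the form to use. The flow-mapping style is fine for these two one-line entries.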
@@ -0,0 +1,19 @@
+---
+
+- name: Request nsupdate key for certificate
+ include_role: name=acme-dnskey-generate
+
+- name: Configure certificate manager
+ template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}.conf
+ notify: Run acertmgr
+
+- name: Configure vhosts
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/pve
+ notify: Restart nginx
+
+- name: Disable default vhost
+ file: path=/etc/nginx/sites-enabled/default state=absent
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/pve dest=/etc/nginx/sites-enabled/pve state=link
+ notify: Restart nginx
diff --git a/roles/pvessl/templates/certs.j2 b/roles/pvessl/templates/certs.j2
new file mode 100644
index 0000000..225bec0
--- /dev/null
+++ b/roles/pvessl/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ ansible_fqdn }}:
+- mode: dns.nsupdate
+ nsupdate_server: {{ acme_dnskey_server }}
+ nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/pvessl/templates/vhost.j2 b/roles/pvessl/templates/vhost.j2
new file mode 100644
index 0000000..b4545c4
--- /dev/null
+++ b/roles/pvessl/templates/vhost.j2
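Review bot: `Disable default vhost` removes the symlink but carries no `notify`, while the two tasks around it both notify `Restart nginx`; if that removal is the only change in a run (for example after the default site was re-enabled by a package upgrade), nginx keeps serving the default vhost — and on port 80 its default page instead of the HTTPS redirect — until something else restarts it. Adding `notify: Restart nginx` to that task keeps the three vhost tasks consistent. Both `template` tasks also leave owner and mode to the umask; neither file holds a secret, but an explicit `mode=0644` documents that and survives a stricter umask. The `key=value` argument strings throughout would read better as native YAML mappings, and `include_role` inside a task list means the nsupdate key is requested on every run — presumably idempotent in `acme-dnskey-generate`, but worth confirming.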
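Review bot: Both output entries carry `action: '/usr/sbin/service nginx restart'`, so a renewal that rewrites the certificate and the key presumably triggers two full nginx restarts back to back, each dropping open console sessions; a single `action: '/usr/sbin/service nginx reload'` on the key entry (it is listed last) would be enough, assuming acertmgr runs actions per entry and in listed order — confirm against the acertmgr version the dependency role installs. `perm: '400'` with `user: root` on both files is correct: nginx loads certificates as root before dropping privileges, and quoting the mode avoids the YAML octal trap. A one-line comment above the `dns.nsupdate` entry would also help, since it means the `/.well-known/acme-challenge` location in the vhost template is not what validates this certificate.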
@@ -0,0 +1,36 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name {{ ansible_fqdn }};
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ location / {
+ return 301 https://{{ ansible_fqdn }}$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ ansible_fqdn }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+
+ proxy_redirect off;
+ location / {
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection "upgrade";
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_pass https://localhost:8006;
+ proxy_buffering off;
+ client_max_body_size 0;
+ }
+}
diff --git a/site.yml b/site.yml
index d97f29f..19c4eb6 100644
--- a/site.yml
+++ b/site.yml
@@ -12,6 +12,11 @@
 roles:
 - uau
 
+- name: Setup Proxmox VE hosts
+ hosts: [salat.binary.kitchen, wurst.binary.kitchen]
+ roles:
+ - pvessl
+
 - name: Setup BK infrastructure server
 hosts: [bacon.binary.kitchen, aveta.binary.kitchen]
 roles:
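Review bot: The 443 server block relies entirely on inherited defaults for its TLS posture: it sets no `ssl_protocols`/`ssl_ciphers` (whatever the `nginx` role's `nginx_ssl` option configures, which this commit does not show) and never emits `Strict-Transport-Security`, so the port-80 redirect is the only thing steering clients to HTTPS. `proxy_pass https://localhost:8006` also talks TLS to pveproxy under nginx's default `proxy_ssl_verify off`, tolerable on loopback but worth a comment, and the upstream only receives `X-Real-IP`, not `Host`, `X-Forwarded-For` or `X-Forwarded-Proto`. Nothing here binds pveproxy to loopback or filters :8006, so unless that is done elsewhere this proxy is a second front door rather than a replacement for the original one. `client_max_body_size 0` is presumably deliberate for ISO/backup uploads; a comment saying so stops someone "fixing" it later.

```nginx
server {
    listen 443 ssl http2;
    # … unchanged: listen [::], server_name, ssl_certificate_key, ssl_certificate …

    # Protocol/cipher policy comes from the nginx role's nginx_ssl settings; pin it here if that role does not.
    add_header Strict-Transport-Security "max-age=63072000" always;

    proxy_redirect off;
    location / {
        # … unchanged: proxy_http_version, Upgrade/Connection, X-Real-IP …
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        # pveproxy presents PVE's own certificate; nginx does not verify it (proxy_ssl_verify defaults to off).
        proxy_pass https://localhost:8006;
        proxy_buffering off;
        # 0 = unlimited, deliberately: ISO and backup uploads go through here.
        client_max_body_size 0;
    }
}
```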