From 747feab2ad3da8b553e0108c51fbd97fc1c55f93 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Thu, 7 Apr 2016 15:50:58 +0200
Subject: [PATCH] Add a very basic web role.
---
 roles/web/files/certs | 15 +++++++++++++++
 roles/web/files/vhost | 27 +++++++++++++++++++++++++++
 roles/web/handlers/main.yml | 7 +++++++
 roles/web/meta/main.yml | 5 +++++
 roles/web/tasks/main.yml | 25 +++++++++++++++++++++++++
 site.yml | 5 +++++
 6 files changed, 84 insertions(+)
 create mode 100644 roles/web/files/certs
 create mode 100644 roles/web/files/vhost
 create mode 100644 roles/web/handlers/main.yml
 create mode 100644 roles/web/meta/main.yml
 create mode 100644 roles/web/tasks/main.yml
diff --git a/roles/web/files/certs b/roles/web/files/certs
new file mode 100644
index 0000000..2343dea
--- /dev/null
+++ b/roles/web/files/certs
@@ -0,0 +1,15 @@
+---
+
+www.binary-kitchen.de:
+- path: /etc/nginx/ssl/www.binary-kitchen.de.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: 'service nginx restart'
+- path: /etc/nginx/ssl/www.binary-kitchen.de.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: 'service nginx restart'
diff --git a/roles/web/files/vhost b/roles/web/files/vhost
new file mode 100644
index 0000000..0f6ff56
--- /dev/null
+++ b/roles/web/files/vhost
@@ -0,0 +1,27 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name binary-kitchen.de www.binary-kitchen.de binary-kitchen.com www.binary-kitchen.com binary-kitchen.net www.binary-kitchen.net binary.kitchen www.binary.kitchen;
+
+ location /.well-known/acme-challenge/ {
+ default_type "text/plain";
+ root /var/www/acme-challenge/;
+ }
+
+ location / {
+ return 301 https://www.binary-kitchen.de$request_uri;
+ }
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name www.binary-kitchen.de;
+
+ ssl_certificate_key /etc/nginx/ssl/www.binary-kitchen.de.key;
+ ssl_certificate /etc/nginx/ssl/www.binary-kitchen.de.crt;
+
+ root /var/www/kitchen;
+}
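Review bot: The 443 server block in roles/web/files/vhost serves /var/www/kitchen purely as static files, while roles/web/tasks/main.yml in the same patch installs and starts php5-fpm; as written, any .php file placed in the docroot is returned to clients as source text instead of being executed. Either leave php5-fpm out of the role until it is wired up, or hand .php requests to the pool, e.g. `location ~ \.php$ { include snippets/fastcgi-php.conf; fastcgi_pass unix:/var/run/php5-fpm.sock; }` (paths as in Debian's packaging; adjust to the host). The block also sets no `ssl_protocols` or `ssl_ciphers`, so it depends on whatever the `nginx` role configures globally, which is not visible in this patch.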
diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml
new file mode 100644
index 0000000..b8367c9
--- /dev/null
+++ b/roles/web/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Restart php5-fpm
+ service: name=php5-fpm state=restarted
diff --git a/roles/web/meta/main.yml b/roles/web/meta/main.yml
new file mode 100644
index 0000000..923f9d1
--- /dev/null
+++ b/roles/web/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx }
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
new file mode 100644
index 0000000..8a47658
--- /dev/null
+++ b/roles/web/tasks/main.yml
@@ -0,0 +1,25 @@
+---
+
+- name: Install php5-fpm
+ apt: name=php5-fpm state=present
+
+- name: Create vhost directory
+ file: path=/var/www/kitchen state=directory owner=www-data group=www-data
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/www.binary-kitchen.de.key -out /etc/nginx/ssl/www.binary-kitchen.de.crt -days 730 -subj "/CN=www.binary-kitchen.de" creates=/etc/nginx/ssl/www.binary-kitchen.de.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager
+ copy: src=certs dest=/etc/acme/domains.d/www.binary-kitchen.de.conf
+
+- name: Configure vhosts
+ copy: src=vhost dest=/etc/nginx/sites-available/www
+ notify: Restart nginx
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+ notify: Restart nginx
+
+- name: Start php5-fpm
+ service: name=php5-fpm state=started enabled=yes
diff --git a/site.yml b/site.yml
index 09ddd29..0936f66 100644
--- a/site.yml
+++ b/site.yml
@@ -16,6 +16,11 @@
 roles:
 - mail
 
+- name: Setup web server
+ hosts: beryllium.binary-kitchen.net
+ roles:
+ - web
+
 - name: Setup jabber server
 hosts: carbon.binary-kitchen.net
 roles:
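Review bot: The "Ensure certificates are available" task in roles/web/tasks/main.yml writes the private key with `openssl req -nodes -keyout` and never sets its ownership or mode, so the key's permissions are left to openssl and the umask of the run, while roles/web/files/certs asks for root:root and '400' on the same path. Follow it with an explicit task such as `file: path=/etc/nginx/ssl/www.binary-kitchen.de.key owner=root group=root mode=0400`. The `creates=` guard tests only the .crt, so a host that has the certificate but is missing the key is not repaired. Separately, /var/www/kitchen is created owned by www-data, which lets the web/PHP worker account write into its own docroot; root ownership with a dedicated writable subdirectory would be the safer default if the site does not need more.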