From a0ef587a41b22306c0f203fa223770d64d9ae3b4 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Mon, 3 Jul 2017 21:18:45 +0200
Subject: [PATCH] Add web-server for gateways

---
 roles/certmgr/tasks/main.yml | 3 +++
 roles/web-gw/handlers/main.yml | 7 +++++++
 roles/web-gw/meta/main.yml | 5 +++++
 roles/web-gw/tasks/main.yml | 17 +++++++++++++++++
 roles/web-gw/templates/certs.j2 | 15 +++++++++++++++
 roles/web-gw/templates/vhost.j2 | 25 +++++++++++++++++++++++++
 site.yml | 1 +
 7 files changed, 73 insertions(+)
 create mode 100644 roles/web-gw/handlers/main.yml
 create mode 100644 roles/web-gw/meta/main.yml
 create mode 100644 roles/web-gw/tasks/main.yml
 create mode 100644 roles/web-gw/templates/certs.j2
 create mode 100644 roles/web-gw/templates/vhost.j2

diff --git a/roles/certmgr/tasks/main.yml b/roles/certmgr/tasks/main.yml
index 1ee3dfd..f8bf19d 100644
--- a/roles/certmgr/tasks/main.yml
+++ b/roles/certmgr/tasks/main.yml
@@ -32,6 +32,9 @@
 - /etc/acme/account.key
 - /etc/acme/server.key
 
+- name: Download Lets Encrypt CA certificate
+ get_url: url=https://letsencrypt.org/certs/lets-encrypt-x3-cross-signed.pem dest=/etc/acme/lets-encrypt-x3-cross-signed.pem
+
 - name: Create challenge directory
 file: path=/var/www/acme-challenge/ owner=root mode=0755 state=directory
 
diff --git a/roles/web-gw/handlers/main.yml b/roles/web-gw/handlers/main.yml
new file mode 100644
index 0000000..9735dcd
--- /dev/null
+++ b/roles/web-gw/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Restart nginx
+ service: name=nginx state=restarted
+
+- name: Run certmgr
+ command: /opt/acertmgr/acertmgr.py
diff --git a/roles/web-gw/meta/main.yml b/roles/web-gw/meta/main.yml
new file mode 100644
index 0000000..8d2c010
--- /dev/null
+++ b/roles/web-gw/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/web-gw/tasks/main.yml b/roles/web-gw/tasks/main.yml
new file mode 100644
index 0000000..36a824a
--- /dev/null
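Review bot: The new `get_url` task fetches the intermediate certificate without pinning its contents, so the only integrity guarantee on a file that presumably ends up in every served chain (the certs.j2 entry requests `format: crt,ca`) is the TLS connection to letsencrypt.org; adding `checksum=sha256:<digest of the published PEM>` to the task makes a changed or tampered download fail the play instead of silently landing in `/etc/acme`. The URL also hard-codes the X3 cross-signed intermediate, which Let's Encrypt rotates, so a comment such as `# Must match the intermediate that signs the issued certs; update URL and checksum when Let's Encrypt rotates it` on the task would save the next maintainer from chasing chain errors. Note that `get_url` does not replace an existing `dest` unless `force=yes` or a `checksum` mismatch triggers a re-download, so editing only the URL will leave a stale file on hosts that already have one.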
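Review bot: The definition order of these two handlers is load-bearing and undocumented: Ansible runs notified handlers in the order they are defined in this file, so `Restart nginx` always precedes `Run certmgr`, which is what an HTTP-01 validation through the `/.well-known/acme-challenge` location needs if acertmgr validates that way (inferred from the challenge directory the certmgr role creates; not visible in this file). Anyone who later reorders or alphabetizes the handlers will break first-time issuance, so a comment above `Run certmgr` such as `# Keep after 'Restart nginx': the challenge location must be live before acertmgr runs` is worth adding.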
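Review bot: `nginx_ssl: True` spells the boolean with a capitalized YAML 1.1 literal; Ansible accepts it, but yamllint's `truthy` rule flags it and the canonical form is `- { role: nginx, nginx_ssl: true }`. The flow-style one-liner also hides the parameter; the block form (`- role: nginx` followed by `nginx_ssl: true` indented beneath it) reads better once more parameters arrive. What `nginx_ssl` actually enables in the nginx role is not visible from this commit, and the vhost template in this patch sets no `ssl_protocols`/`ssl_ciphers` of its own, so a comment naming that responsibility (`# nginx_ssl: role provides the global ssl_* settings the vhost relies on` — to be confirmed against the role) would help.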
+++ b/roles/web-gw/tasks/main.yml
@@ -0,0 +1,17 @@
+---
+
+- name: Ensure certificates are available
+ command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ ansible_fqdn }}.key -out /etc/nginx/ssl/{{ ansible_fqdn }}.crt -days 730 -subj "/CN={{ ansible_fqdn }}" creates=/etc/nginx/ssl/{{ ansible_fqdn }}.crt
+ notify: Restart nginx
+
+- name: Configure certificate manager
+ template: src=certs.j2 dest=/etc/acme/domains.d/{{ ansible_fqdn }}.conf
+ notify: Run certmgr
+
+- name: Configure vhosts
+ template: src=vhost.j2 dest=/etc/nginx/sites-available/www
+ notify: Restart nginx
+
+- name: Enable vhosts
+ file: src=/etc/nginx/sites-available/www dest=/etc/nginx/sites-enabled/www state=link
+ notify: Restart nginx
diff --git a/roles/web-gw/templates/certs.j2 b/roles/web-gw/templates/certs.j2
new file mode 100644
index 0000000..406db07
--- /dev/null
+++ b/roles/web-gw/templates/certs.j2
@@ -0,0 +1,15 @@
+---
+
+{{ ansible_fqdn }}:
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ ansible_fqdn }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
diff --git a/roles/web-gw/templates/vhost.j2 b/roles/web-gw/templates/vhost.j2
new file mode 100644
index 0000000..cff2d88
--- /dev/null
+++ b/roles/web-gw/templates/vhost.j2
@@ -0,0 +1,25 @@
+server {
+ listen 80;
+ listen [::]:80;
+
+ server_name _;
+
+ location /.well-known/acme-challenge {
+ default_type "text/plain";
+ alias /var/www/acme-challenge;
+ }
+
+ root /var/www/html;
+}
+
+server {
+ listen 443 ssl http2;
+ listen [::]:443 ssl http2;
+
+ server_name {{ ansible_fqdn }};
+
+ ssl_certificate_key /etc/nginx/ssl/{{ ansible_fqdn }}.key;
+ ssl_certificate /etc/nginx/ssl/{{ ansible_fqdn }}.crt;
+
+ root /var/www/html;
+}
diff --git a/site.yml b/site.yml
index ab4c353..bdb9733 100644
--- a/site.yml
+++ b/site.yml
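Review bot: The bootstrap private key written by the `openssl req` command in `Ensure certificates are available` gets whatever mode the process leaves it with (newer OpenSSL releases create key files 0600 themselves, older ones follow the umask, so on some hosts this is 0644), and nothing in this role tightens it: the acertmgr config only applies `perm: '400'` to the files it writes later, and the `creates=` guard means this task never runs again to fix an already-created key. A follow-up task such as `- name: Restrict bootstrap key permissions` / `file: path=/etc/nginx/ssl/{{ ansible_fqdn }}.key owner=root group=root mode=0400` immediately after it closes that window regardless of the OpenSSL version. A comment on the task stating that the self-signed pair exists only so nginx can start before acertmgr replaces it (as certs.j2 implies) would also make the intent of the `creates=` guard clear.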
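Review bot: Both entries use `action: '/usr/sbin/service nginx restart'`, so every renewal performs a full restart that drops in-flight connections, although nginx re-reads certificate and key files on a `reload` (new workers open the files, old ones drain). Changing both lines to `action: '/usr/sbin/service nginx reload'` keeps renewals invisible to clients. `perm: '400'` on the `.crt` entry is stricter than public material needs but harmless as long as the nginx master runs as root, which is presumably the case here; a comment noting that the `.crt` entry carries the served chain (`format: crt,ca`) would help the next maintainer understand why the intermediate downloaded by the certmgr role matters.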
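Review bot: The port-80 block serves `/var/www/html` to any Host (`server_name _`) instead of sending everything except the ACME challenge to HTTPS, so whatever this gateway publishes stays reachable over plain HTTP, and the 443 block sends no HSTS header. Unless plain HTTP is intentional, replace `root /var/www/html;` in the first block with `location / { return 301 https://{{ ansible_fqdn }}$request_uri; }`, using the configured name rather than `$host` so a client-supplied Host header cannot steer the redirect. The challenge location and its `alias` should also both end in a slash, `location /.well-known/acme-challenge/ { alias /var/www/acme-challenge/; }`, because with the current prefix match a request for `/.well-known/acme-challengefoo` is mapped onto the sibling path `/var/www/acme-challengefoo` rather than being rejected. Whether the nginx role sets `ssl_protocols`/`ssl_ciphers` globally when `nginx_ssl` is true is not visible in this patch; if it does not, this server block needs them.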
@@ -18,6 +18,7 @@
 - dhcpd
 - respondd
 - yanic
+ - web-gw
 - name: Setup confluence server
 hosts: confluence.regensburg.freifunk.net