authorLars Wirzenius <liw@liw.fi>2018-05-22 08:18:19 +0300
committerLars Wirzenius <liw@liw.fi>2018-05-22 08:18:19 +0300
commit6b9e35fd4d34d6b26cc7d749dba4cd7a5d7c8ca8 (patch)
treee55225528894f37243d9a464193f76a83fc87caf
parent9443898ed15a4fa7b8d2712a073b1bd2b011fa0a (diff)
parent7e0a78dbc97c945fe9e8301eddec941649453909 (diff)
Merge branch 'liw/le'
-rw-r--r--roles/apache_server/defaults/main.yml4
-rw-r--r--roles/apache_server/tasks/main.yml52
-rw-r--r--roles/apache_server/templates/deploy_static_site_certs29
-rw-r--r--roles/apache_server/templates/virtualhost.conf.tmpl40
4 files changed, 121 insertions, 4 deletions
diff --git a/roles/apache_server/defaults/main.yml b/roles/apache_server/defaults/main.yml
index cfa797c..dfd4ec0 100644
--- a/roles/apache_server/defaults/main.yml
+++ b/roles/apache_server/defaults/main.yml
@@ -15,3 +15,7 @@
# ownermail: liw@liw.fi
static_sites: []
+
+
+# Enable letsencrypt?
+letsencrypt: no
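Review bot: `letsencrypt: no` depends on YAML 1.1 treating `no` as a boolean; `letsencrypt: false` reads the same to Ansible, yamllint and a YAML 1.2 parser and avoids the truthy trap. The deploy_static_site_certs template added in this merge also reads `letsencrypt_email` for certbot's `--email` argument, and that variable is not declared anywhere in this defaults file, so the `template` task will presumably fail with an undefined variable as soon as the flag is turned on. Following the commented `# ownermail:` example just above, document it next to the flag: `# letsencrypt_email: liw@liw.fi  # required when letsencrypt is true; registered with Let's Encrypt`.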
diff --git a/roles/apache_server/tasks/main.yml b/roles/apache_server/tasks/main.yml
index 0f59f67..79b5054 100644
--- a/roles/apache_server/tasks/main.yml
+++ b/roles/apache_server/tasks/main.yml
@@ -1,9 +1,44 @@
-- name: install rsync (so one can publish files via server)
+- name: install apache and related packages
apt:
- name: rsync
+ name: "{{ item }}"
+ with_items:
+ - rsync
+ - apache2
-- name: install apache2
- apt: name=apache2
+- name: install certbot
+ apt:
+ name: certbot
+ default_release: stretch-backports
+ when: letsencrypt
+
+- name: "empty list of domains for Let's Encrypt"
+ shell: rm -f /etc/letsencrypt/static_sites/*
+
+- name: "create list of domains for static sites to get Let's Encrypt certs for"
+ shell: |
+ listdir="/etc/letsencrypt/static_sites"
+ wellknown="/srv/letsencrypt"
+ mkdir -p "$listdir" "$wellknown"
+ if [ "{{ item.letsencrypt|default(false) }}" = True ]
+ then
+ touch "$listdir/{{ item.domain }}"
+ mkdir -p "$wellknown/{{ item.domain }}"
+ fi
+ with_items: "{{ static_sites }}"
+ when: letsencrypt
+
+- name: install script to run certbot
+ template:
+ src: deploy_static_site_certs
+ dest: /usr/local/sbin/deploy_static_site_certs
+ owner: root
+ group: root
+ mode: 755
+ when: letsencrypt
+
+- name: "get initial certificate from Let's Encrypt"
+ shell: /usr/local/sbin/deploy_static_site_certs
+ when: letsencrypt
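Review bot: `mode: 755` on the "install script to run certbot" task is parsed as the decimal integer 755 (octal 1363), not rwxr-xr-x, so /usr/local/sbin/deploy_static_site_certs ends up with wrong permission bits; write `mode: "0755"`, as the `file` task further down already does with `0755`. The "get initial certificate" task also runs before the vhosts are enabled by the later `a2ensite` task, so on a fresh host nothing serves /.well-known/ from /srv/letsencrypt yet and the HTTP-01 challenge will presumably fail on the first run; the task belongs after the site-enabling step (with an Apache reload in between). The `rm -f /etc/letsencrypt/static_sites/*` task has no `when: letsencrypt` and reports changed on every run; add `when: letsencrypt` and `changed_when: false` if it is only a reset step.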
- name: create dirs for static site contents
file:
@@ -13,6 +48,7 @@
group: "{{ item.owner }}"
mode: 0755
with_items: "{{ static_sites }}"
+ when: letsencrypt
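Review bot: The `when: letsencrypt` added to "create dirs for static site contents" looks misplaced: with `letsencrypt: no` the document roots under /srv/http are no longer created at all, although nothing in that task depends on certbot. Unless that is intended, drop the added `when: letsencrypt` line. The task's body starts above this hunk.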
- name: create log dirs for websites
file:
@@ -42,6 +78,14 @@
with_items: "{{ static_sites }}"
when: item.htpasswd is defined
+- name: enable apache modules for ssl
+ apache2_module:
+ state: present
+ name: "{{ item }}"
+ with_items:
+ - ssl
+ - rewrite
+
- name: enable apache sites
shell: a2ensite "{{ item.domain }}"
with_items: "{{ static_sites }}"
diff --git a/roles/apache_server/templates/deploy_static_site_certs b/roles/apache_server/templates/deploy_static_site_certs
new file mode 100644
index 0000000..3521651
--- /dev/null
+++ b/roles/apache_server/templates/deploy_static_site_certs
@@ -0,0 +1,29 @@
+#!/bin/sh
+
+set -eu
+
+
+domains()
+{
+ cd /etc/letsencrypt/static_sites
+ ls
+}
+
+
+opts()
+{
+ for domain in $(domains)
+ do
+ echo -w "/srv/http/$domain" -d "$domain" \
+ --webroot-path "/srv/letsencrypt/$domain"
+ done
+}
+
+
+certbot certonly \
+ --noninteractive \
+ --email "{{ letsencrypt_email }}" \
+ --agree-tos \
+ --expand \
+ --cert-name static_sites \
+ --webroot $(opts)
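Review bot: `-w` and `--webroot-path` are the same certbot option, and certbot pairs each `-d` with the webroot that most recently precedes it, so in `opts` every domain is validated against `/srv/http/$domain` while the trailing `--webroot-path "/srv/letsencrypt/$domain"` is never paired with that domain; the virtualhost template aliases /.well-known/ to /srv/letsencrypt/<domain>/, so the challenge files would be written where Apache does not serve them. Emit one webroot per domain, before its `-d`: `echo -w "/srv/letsencrypt/$domain" -d "$domain"`. The quotes inside `echo` do not survive the unquoted `$(opts)` expansion; that is harmless for DNS names but deserves a comment such as `# word-split on purpose: domain names contain no whitespace`. Also, a single `--cert-name static_sites` certificate lists every hosted domain in its SAN extension, so each site's certificate discloses all the others; fine for a personal server, but worth a comment at the top of the script.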
diff --git a/roles/apache_server/templates/virtualhost.conf.tmpl b/roles/apache_server/templates/virtualhost.conf.tmpl
index 1fa060a..fd6bb51 100644
--- a/roles/apache_server/templates/virtualhost.conf.tmpl
+++ b/roles/apache_server/templates/virtualhost.conf.tmpl
@@ -8,6 +8,41 @@
ErrorLog /var/log/apache2/{{ item.domain }}/error.log
CustomLog /var/log/apache2/{{ item.domain }}/access.log combined
<Directory /srv/http/{{ item.domain }}>
+{% if item.letsencrypt|default(false) %}
+ Redirect permanent / "https://{{ item.domain }}/"
+{% else %}
+ Options +SymlinksIfOwnerMatch +Indexes +MultiViews
+{% if item.htpasswd is defined %}
+ AuthType Basic
+ AuthName "{{ item.htpasswd_name }}"
+ AuthUserFile "/srv/http/{{ item.domain }}.htpasswd"
+ Require valid-user
+{% else %}
+ AllowOverride AuthConfig
+ Require all granted
+{% endif %}
+{% endif %}
+ </Directory>
+
+ Alias /.well-known/ /srv/letsencrypt/{{ item.domain }}/
+ <Directory /srv/letsencrypt/{{ item.domain }}>
+ Require all granted
+ </Directory>
+
+</VirtualHost>
+
+
+{% if item.letsencrypt|default(false) %}
+<VirtualHost _default_:443>
+ ServerName {{ item.domain }}
+{% if item.alias is defined %}
+ ServerAlias {{ item.alias }}
+{% endif %}
+ ServerAdmin {{ item.ownermail }}
+ DocumentRoot /srv/http/{{ item.domain }}
+ ErrorLog /var/log/apache2/{{ item.domain }}/error.log
+ CustomLog /var/log/apache2/{{ item.domain }}/access.log combined
+ <Directory /srv/http/{{ item.domain }}>
Options +SymlinksIfOwnerMatch +Indexes +MultiViews
{% if item.htpasswd is defined %}
AuthType Basic
@@ -19,4 +54,9 @@
Require all granted
{% endif %}
</Directory>
+
+ SSLEngine on
+ SSLCertificateFile "/etc/letsencrypt/live/static_sites/fullchain.pem"
+ SSLCertificateKeyFile "/etc/letsencrypt/live/static_sites/privkey.pem"
</VirtualHost>
+{% endif %}
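Review bot: The `SSLEngine on` stanza sets only the certificate and key and otherwise relies on Debian's default TLS settings; for a vhost that unconditionally redirects HTTP to HTTPS, at least pin `SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1` and add `Header always set Strict-Transport-Security "max-age=31536000"` (which needs mod_headers, not among the modules the tasks file enables). Note also that /etc/letsencrypt/live/static_sites/ does not exist until the first certbot run succeeds, so with `letsencrypt: yes` and a failed issuance Apache's config test will reject this vhost and the service will not reload; a comment stating that ordering assumption, or a conditional on the certificate file, would make the failure mode explicit.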