archives/pleroma-ansible-playbook
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

feat: support for proving your site with Keybase.

Browse source 
This commit adds support for uploading the site
owner's keybase.txt file onto their Pleroma server
so that Keybase can prove that they are the owner
of their site. This is diabled by default but can
be enabled by the user.

Resolves dananglin/pleroma-ansible-playbook#1
This commit is contained in:
Dan Anglin 2019-11-08 05:55:25 +00:00
parent 42904fbaa4
commit 8db0186fec
No known key found for this signature in database
GPG key ID: 7AC2B18EC1D09F27
4 changed files with 53 additions and 18 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
roles/init/defaults/main.yml
View file

@ -49,3 +49,7 @@ pleroma_defaults:
remainingDays: 10
termsAgreed: no
validateCerts: true
keybase:
enable: false
proof:
filepath: "{{ lookup('env','HOME') }}/keybase.txt"

54
roles/pleroma-nginx/tasks/main.yml
View file

@ -1,10 +1,10 @@
---
- name: Nginx -- Ensuring Nginx dependencies are installed.
- name: Nginx | Ensuring Nginx dependencies are installed.
apk:
name: "{{ pleroma_deps_nginx }}"
state: present
- name: Nginx -- Ensuring the Nginx configuration is present.
- name: Nginx | Ensuring the Nginx configuration is present.
template:
src: etc_ngnix_confd_pleroma.conf.j2
dest: "{{ pleroma_nginx_conf_file }}"
@ -12,7 +12,25 @@
group: root
mode: '0600'
- name: Nginx -- Ensuring that the SSL folder exists
- name: Nginx | Ensuring that the server root directory is present.
file:
name: "{{ pleroma_nginx_root_dir }}"
recurse: true
state: directory
mode: '0700'
owner: nginx
group: nginx
- name: Nginx | Ensuring the Keybase text file is present.
copy:
src: "{{ pleroma.keybase.proof.filepath }}"
dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
mode: '0644'
owner: nginx
group: nginx
when: pleroma.keybase.enable
- name: Nginx | Ensuring that the SSL folder exists
file:
name: "{{ pleroma_ssl_folder }}"
state: directory
@ -20,7 +38,7 @@
owner: root
group: root
- name: Nginx -- Ensuring that the ssl private key is generated.
- name: Nginx | Ensuring that the ssl private key is generated.
openssl_privatekey:
mode: '0400'
group: root
@ -30,7 +48,7 @@
state: present
type: RSA
- name: Nginx -- Ensuring that the certificate signing request is generated.
- name: Nginx | Ensuring that the certificate signing request is generated.
openssl_csr:
common_name: "{{ pleroma.config.host }}"
country_name: "{{ pleroma.ssl.csr.countryName }}"
@ -45,7 +63,7 @@
path: "{{ pleroma_ssl_csrPath }}"
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
- name: Nginx -- Ensuring the self-signed certificate is generated.
- name: Nginx | Ensuring the self-signed certificate is generated.
openssl_certificate:
path: "{{ pleroma_ssl_selfSignedCertPath }}"
mode: '0400'
@ -55,7 +73,7 @@
csr_path: "{{ pleroma_ssl_csrPath }}"
provider: selfsigned
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@ -66,7 +84,7 @@
state: present
when: not pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
file:
name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
state: directory
@ -76,7 +94,7 @@
recurse: yes
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Ensuring that the private ACME account key is present.
- name: Nginx | Ensuring that the private ACME account key is present.
openssl_privatekey:
mode: '0400'
group: root
@ -87,13 +105,13 @@
type: RSA
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Checking if the full chain certificate exists.
- name: Nginx | Checking if the full chain certificate exists.
stat:
path: "{{ pleroma_ssl_fullChainCert }}"
register: certificate_file
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@ -104,7 +122,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@ -115,7 +133,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
service:
name: nginx
state: started
@ -137,13 +155,13 @@
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Creating the Acme challenge file
- name: Nginx | Creating the Acme challenge file
copy:
dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
acme_certificate:
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
@ -160,7 +178,7 @@
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Updating file permissions of the SSL certificate.
- name: Nginx | Updating file permissions of the SSL certificate.
file:
path: "{{ pleroma_ssl_fullChainCert }}"
owner: root
@ -169,7 +187,7 @@
state: file
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@ -180,7 +198,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
- name: Nginx | Ensuring that Nginx is enabled and restarted.
service:
name: nginx
enabled: yes

12
roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
View file

@ -4,9 +4,12 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
server {
server_name {{ pleroma.config.host }};
root {{ pleroma_nginx_root_dir }};
listen 80;
listen [::]:80;
{% if pleroma.ssl.letsEncrypt.enable == true -%}
location ~/\.well-known/acme-challenge {
root {{ pleroma_letsEncrypt_baseDir }}/;
@ -28,6 +31,8 @@ ssl_session_cache shared:ssl_session_cache:10m;
server {
server_name {{ pleroma.config.host }};
root {{ pleroma_nginx_root_dir }};
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_timeout 5m;
@ -82,4 +87,11 @@ server {
proxy_hide_header Cache-Control;
proxy_pass http://localhost:{{ pleroma.config.listeningPort }};
}
{% if pleroma.keybase.enable == true -%}
location = /keybase.txt {
try_files $uri =404;
}
{% endif %}
}

1
roles/pleroma-nginx/vars/main.yml
View file

@ -3,6 +3,7 @@ pleroma_deps_nginx: nginx, py-cryptography
pleroma_nginx_conf_dir: /etc/nginx/conf.d
pleroma_nginx_conf_file: "{{ pleroma_nginx_conf_dir }}/pleroma.conf"
pleroma_nginx_root_dir: /var/www/{{ pleroma.config.host }}
pleroma_ssl_folder: /etc/ssl/pleroma
pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"