diff --git a/roles/init/defaults/main.yml b/roles/init/defaults/main.yml
index bea20b5..9b25ce9 100644
--- a/roles/init/defaults/main.yml
+++ b/roles/init/defaults/main.yml
@@ -49,3 +49,7 @@ pleroma_defaults:
 remainingDays: 10
 termsAgreed: no
 validateCerts: true
+ keybase:
+ enable: false
+ proof:
+ filepath: "{{ lookup('env','HOME') }}/keybase.txt"
diff --git a/roles/pleroma-nginx/tasks/main.yml b/roles/pleroma-nginx/tasks/main.yml
index 998cb92..fbe3925 100644
--- a/roles/pleroma-nginx/tasks/main.yml
+++ b/roles/pleroma-nginx/tasks/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: Nginx -- Ensuring Nginx dependencies are installed.
+- name: Nginx | Ensuring Nginx dependencies are installed.
 apk:
 name: "{{ pleroma_deps_nginx }}"
 state: present
 
-- name: Nginx -- Ensuring the Nginx configuration is present.
+- name: Nginx | Ensuring the Nginx configuration is present.
 template:
 src: etc_ngnix_confd_pleroma.conf.j2
 dest: "{{ pleroma_nginx_conf_file }}"
@@ -12,7 +12,25 @@
 group: root
 mode: '0600'
 
-- name: Nginx -- Ensuring that the SSL folder exists
+- name: Nginx | Ensuring that the server root directory is present.
+ file:
+ name: "{{ pleroma_nginx_root_dir }}"
+ recurse: true
+ state: directory
+ mode: '0700'
+ owner: nginx
+ group: nginx
+
+- name: Nginx | Ensuring the Keybase text file is present.
+ copy:
+ src: "{{ pleroma.keybase.proof.filepath }}"
+ dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
+ mode: '0644'
+ owner: nginx
+ group: nginx
+ when: pleroma.keybase.enable
+
+- name: Nginx | Ensuring that the SSL folder exists
 file:
 name: "{{ pleroma_ssl_folder }}"
 state: directory
@@ -20,7 +38,7 @@
 owner: root
 group: root
 
-- name: Nginx -- Ensuring that the ssl private key is generated.
+- name: Nginx | Ensuring that the ssl private key is generated.
 openssl_privatekey:
 mode: '0400'
 group: root
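Review bot: The new `keybase.proof.filepath` default is resolved from the Ansible controller's `$HOME` (via `lookup('env','HOME')`), and the `copy` task that consumes it reads `src` from the controller as well, so the two agree, but nothing in the defaults says that the proof file is expected on the controller rather than on the managed host. A comment above the new key would save the next operator a failed run: `# Controller-side path of the Keybase proof file; copied into the nginx web root by the pleroma-nginx role when keybase.enable is true`. The lookup is presumably evaluated lazily at task time rather than at load time, which is fine for a default but worth stating if other defaults in this file avoid lookups. The surrounding `pleroma_defaults` mapping starts outside the hunk.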
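Review bot: In the new "server root directory" task, `recurse: true` combined with `mode: '0700'` re-applies 0700 to everything below `pleroma_nginx_root_dir` on every run, so on the second run it rewrites the `keybase.txt` that the following task then sets back to `0644`; the two tasks fight and the play reports changes forever. The root is a single directory created by this task, so `recurse: true` can simply be dropped, leaving the directory at 0700 and the file at 0644 as intended. Note also that 0700 on the web root only works because the directory is owned by `nginx`, which presumably matches the worker user on this Alpine setup; if that ever changes the static file becomes unreadable, so `mode: '0755'` would be the more conventional choice for a directory nginx serves from.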
@@ -30,7 +48,7 @@
 state: present
 type: RSA
 
-- name: Nginx -- Ensuring that the certificate signing request is generated.
+- name: Nginx | Ensuring that the certificate signing request is generated.
 openssl_csr:
 common_name: "{{ pleroma.config.host }}"
 country_name: "{{ pleroma.ssl.csr.countryName }}"
@@ -45,7 +63,7 @@
 path: "{{ pleroma_ssl_csrPath }}"
 privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
 
-- name: Nginx -- Ensuring the self-signed certificate is generated.
+- name: Nginx | Ensuring the self-signed certificate is generated.
 openssl_certificate:
 path: "{{ pleroma_ssl_selfSignedCertPath }}"
 mode: '0400'
@@ -55,7 +73,7 @@
 csr_path: "{{ pleroma_ssl_csrPath }}"
 provider: selfsigned
 
-- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
+- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
 lineinfile:
 path: "{{ pleroma_nginx_conf_file }}"
 owner: root
@@ -66,7 +84,7 @@
 state: present
 when: not pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
+- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
 file:
 name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
 state: directory
@@ -76,7 +94,7 @@
 recurse: yes
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that the private ACME account key is present.
+- name: Nginx | Ensuring that the private ACME account key is present.
 openssl_privatekey:
 mode: '0400'
 group: root
@@ -87,13 +105,13 @@
 type: RSA
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Checking if the full chain certificate exists.
+- name: Nginx | Checking if the full chain certificate exists.
 stat:
 path: "{{ pleroma_ssl_fullChainCert }}"
 register: certificate_file
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
+- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
 lineinfile:
 path: "{{ pleroma_nginx_conf_file }}"
 owner: root
@@ -104,7 +122,7 @@
 state: present
 when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
 
-- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
+- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
 lineinfile:
 path: "{{ pleroma_nginx_conf_file }}"
 owner: root
@@ -115,7 +133,7 @@
 state: present
 when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
 
-- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
+- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
 service:
 name: nginx
 state: started
@@ -137,13 +155,13 @@
 register: acme_challenge
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Creating the Acme challenge file
+- name: Nginx | Creating the Acme challenge file
 copy:
 dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
 content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
 when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
 
-- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
+- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
 acme_certificate:
 account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
 account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
@@ -160,7 +178,7 @@
 register: acme_challenge
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Updating file permissions of the SSL certificate.
+- name: Nginx | Updating file permissions of the SSL certificate.
 file:
 path: "{{ pleroma_ssl_fullChainCert }}"
 owner: root
@@ -169,7 +187,7 @@
 state: file
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
+- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
 lineinfile:
 path: "{{ pleroma_nginx_conf_file }}"
 owner: root
@@ -180,7 +198,7 @@
 state: present
 when: pleroma.ssl.letsEncrypt.enable
 
-- name: Nginx -- Ensuring that Nginx is enabled and restarted.
+- name: Nginx | Ensuring that Nginx is enabled and restarted.
 service:
 name: nginx
 enabled: yes
diff --git a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2 b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
index a64c4ea..c66917f 100644
--- a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
+++ b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
@@ -4,9 +4,12 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
 server {
 server_name {{ pleroma.config.host }};
+ root {{ pleroma_nginx_root_dir }};
+
 listen 80;
 listen [::]:80;
+
 {% if pleroma.ssl.letsEncrypt.enable == true -%}
 location ~/\.well-known/acme-challenge {
 root {{ pleroma_letsEncrypt_baseDir }}/;
@@ -28,6 +31,8 @@ ssl_session_cache shared:ssl_session_cache:10m;
 server {
 server_name {{ pleroma.config.host }};
+ root {{ pleroma_nginx_root_dir }};
+
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 ssl_session_timeout 5m;
@@ -82,4 +87,11 @@ server {
 proxy_hide_header Cache-Control;
 proxy_pass http://localhost:{{ pleroma.config.listeningPort }};
 }
+
+ {% if pleroma.keybase.enable == true -%}
+ location = /keybase.txt {
+ try_files $uri =404;
+ }
+ {% endif %}
+
 }
diff --git a/roles/pleroma-nginx/vars/main.yml b/roles/pleroma-nginx/vars/main.yml
index 00b034a..fc86339 100644
--- a/roles/pleroma-nginx/vars/main.yml
+++ b/roles/pleroma-nginx/vars/main.yml
@@ -3,6 +3,7 @@
 pleroma_deps_nginx: nginx, py-cryptography
 pleroma_nginx_conf_dir: /etc/nginx/conf.d
 pleroma_nginx_conf_file: "{{ pleroma_nginx_conf_dir }}/pleroma.conf"
+pleroma_nginx_root_dir: /var/www/{{ pleroma.config.host }}
 pleroma_ssl_folder: /etc/ssl/pleroma
 pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
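Review bot: The `root {{ pleroma_nginx_root_dir }};` directive added to the plain-HTTP `listen 80` server block has no consumer visible in this diff: the `.well-known/acme-challenge` location below it sets its own `root`, and the new `location = /keybase.txt` is only templated into the `listen 443` block in the last hunk. Either the directive is dead in the :80 block and should be dropped there, or the Keybase location was meant to be served on both ports and the `{% if pleroma.keybase.enable == true -%}` block should be added after the acme-challenge location as well; the rest of the :80 server block is outside the hunk, so a catch-all `location /` there may already cover it. A one-line template comment such as `{# server-level root is only used by explicit static locations; proxied paths below ignore it #}` next to each `root` would make the intent clear.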
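Review bot: The new `pleroma_nginx_root_dir: /var/www/{{ pleroma.config.host }}` is the only Jinja-bearing value in this vars block left unquoted; its neighbours such as `pleroma_nginx_conf_file` quote theirs. YAML accepts it here only because `{{` is not at the start of the scalar, so a later edit that moves the expression to the front would turn it into a flow-mapping parse error. Matching the file's convention with `pleroma_nginx_root_dir: "/var/www/{{ pleroma.config.host }}"` avoids that and keeps the file consistent. Since the value builds a filesystem path from `pleroma.config.host`, it also relies on that variable being a bare hostname, which presumably holds because the same value feeds `server_name`; a short comment stating that assumption would help.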