From 8db0186fec501f464ad5d0fb233c98e5a7feb7e6 Mon Sep 17 00:00:00 2001
From: Dan Anglin
Date: Fri, 8 Nov 2019 05:55:25 +0000
Subject: [PATCH] feat: support for proving your site with Keybase.
This commit adds support for uploading the site owner's keybase.txt file onto their Pleroma server so that Keybase can prove that they are the owner of their site. This is diabled by default but can be enabled by the user.
Resolves dananglin/pleroma-ansible-playbook#1
---
roles/init/defaults/main.yml | 4 ++
roles/pleroma-nginx/tasks/main.yml | 54 ++++++++++++-------
.../templates/etc_ngnix_confd_pleroma.conf.j2 | 12 +++++
roles/pleroma-nginx/vars/main.yml | 1 +
4 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/roles/init/defaults/main.yml b/roles/init/defaults/main.yml
index bea20b5..9b25ce9 100644
--- a/roles/init/defaults/main.yml
+++ b/roles/init/defaults/main.yml
@@ -49,3 +49,7 @@ pleroma_defaults:
remainingDays: 10
termsAgreed: no
validateCerts: true
+ keybase:
+ enable: false
+ proof:
+ filepath: "{{ lookup('env','HOME') }}/keybase.txt"
diff --git a/roles/pleroma-nginx/tasks/main.yml b/roles/pleroma-nginx/tasks/main.yml
index 998cb92..fbe3925 100644
--- a/roles/pleroma-nginx/tasks/main.yml
+++ b/roles/pleroma-nginx/tasks/main.yml
@@ -1,10 +1,10 @@
---
-- name: Nginx -- Ensuring Nginx dependencies are installed.
+- name: Nginx | Ensuring Nginx dependencies are installed.
apk:
name: "{{ pleroma_deps_nginx }}"
state: present
-- name: Nginx -- Ensuring the Nginx configuration is present.
+- name: Nginx | Ensuring the Nginx configuration is present.
template:
src: etc_ngnix_confd_pleroma.conf.j2
dest: "{{ pleroma_nginx_conf_file }}"
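Review bot: The `filepath` default added under `keybase:` is a path on the Ansible control node — `lookup('env','HOME')` is evaluated where the playbook runs, and the value is consumed by `copy: src:` in roles/pleroma-nginx/tasks/main.yml, which reads its source from the controller — but nothing in the defaults says so, and `$HOME/keybase.txt` reads like a server path. A comment above `keybase:` would stop operators from dropping the file on the wrong machine: `# Local path on the machine running Ansible; the file is copied to the server only when enable is true.` It is also worth stating in the same comment that the file must exist whenever `enable` is set, since the copy task is guarded only by `when: pleroma.keybase.enable`.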
@@ -12,7 +12,25 @@
group: root
mode: '0600'
-- name: Nginx -- Ensuring that the SSL folder exists
+- name: Nginx | Ensuring that the server root directory is present.
+ file:
+ name: "{{ pleroma_nginx_root_dir }}"
+ recurse: true
+ state: directory
+ mode: '0700'
+ owner: nginx
+ group: nginx
+
+- name: Nginx | Ensuring the Keybase text file is present.
+ copy:
+ src: "{{ pleroma.keybase.proof.filepath }}"
+ dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
+ mode: '0644'
+ owner: nginx
+ group: nginx
+ when: pleroma.keybase.enable
+
+- name: Nginx | Ensuring that the SSL folder exists
file:
name: "{{ pleroma_ssl_folder }}"
state: directory
@@ -20,7 +38,7 @@
owner: root
group: root
-- name: Nginx -- Ensuring that the ssl private key is generated.
+- name: Nginx | Ensuring that the ssl private key is generated.
openssl_privatekey:
mode: '0400'
group: root
@@ -30,7 +48,7 @@
state: present
type: RSA
-- name: Nginx -- Ensuring that the certificate signing request is generated.
+- name: Nginx | Ensuring that the certificate signing request is generated.
openssl_csr:
common_name: "{{ pleroma.config.host }}"
country_name: "{{ pleroma.ssl.csr.countryName }}"
@@ -45,7 +63,7 @@
path: "{{ pleroma_ssl_csrPath }}"
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
-- name: Nginx -- Ensuring the self-signed certificate is generated.
+- name: Nginx | Ensuring the self-signed certificate is generated.
openssl_certificate:
path: "{{ pleroma_ssl_selfSignedCertPath }}"
mode: '0400'
@@ -55,7 +73,7 @@
csr_path: "{{ pleroma_ssl_csrPath }}"
provider: selfsigned
-- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
+- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
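Review bot: `recurse: true` on the new server-root `file` task (the first added task in this hunk) applies `mode: '0700'` and nginx ownership to everything already under `{{ pleroma_nginx_root_dir }}`, which on every run after the first includes the `keybase.txt` that the following task then sets back to `0644` — the two tasks undo each other, the play reports changes on every run, and any unrelated content an operator keeps in that docroot has its permissions rewritten as a side effect. The role places exactly one file there, with its own explicit owner and mode, so the recursion adds nothing; remove the `recurse: true` line and let the task manage only the directory itself. If a recursive sweep of a pre-existing tree is actually wanted, it needs a comment, because 0700 also shuts other local services out of that directory.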
@@ -66,7 +84,7 @@
state: present
when: not pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
+- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
file:
name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
state: directory
@@ -76,7 +94,7 @@
recurse: yes
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Ensuring that the private ACME account key is present.
+- name: Nginx | Ensuring that the private ACME account key is present.
openssl_privatekey:
mode: '0400'
group: root
@@ -87,13 +105,13 @@
type: RSA
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Checking if the full chain certificate exists.
+- name: Nginx | Checking if the full chain certificate exists.
stat:
path: "{{ pleroma_ssl_fullChainCert }}"
register: certificate_file
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
+- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@@ -104,7 +122,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
-- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
+- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@@ -115,7 +133,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
-- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
+- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
service:
name: nginx
state: started
@@ -137,13 +155,13 @@
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Creating the Acme challenge file
+- name: Nginx | Creating the Acme challenge file
copy:
dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
-- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
+- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
acme_certificate:
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
@@ -160,7 +178,7 @@
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Updating file permissions of the SSL certificate.
+- name: Nginx | Updating file permissions of the SSL certificate.
file:
path: "{{ pleroma_ssl_fullChainCert }}"
owner: root
@@ -169,7 +187,7 @@
state: file
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
+- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
@@ -180,7 +198,7 @@
state: present
when: pleroma.ssl.letsEncrypt.enable
-- name: Nginx -- Ensuring that Nginx is enabled and restarted.
+- name: Nginx | Ensuring that Nginx is enabled and restarted.
service:
name: nginx
enabled: yes
diff --git a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2 b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
index a64c4ea..c66917f 100644
--- a/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
+++ b/roles/pleroma-nginx/templates/etc_ngnix_confd_pleroma.conf.j2
@@ -4,9 +4,12 @@ proxy_cache_path /tmp/pleroma-media-cache levels=1:2 keys_zone=pleroma_media_cac
server {
server_name {{ pleroma.config.host }};
+ root {{ pleroma_nginx_root_dir }};
+
listen 80;
listen [::]:80;
+
{% if pleroma.ssl.letsEncrypt.enable == true -%}
location ~/\.well-known/acme-challenge {
root {{ pleroma_letsEncrypt_baseDir }}/;
@@ -28,6 +31,8 @@ ssl_session_cache shared:ssl_session_cache:10m;
server {
server_name {{ pleroma.config.host }};
+ root {{ pleroma_nginx_root_dir }};
+
listen 443 ssl http2;
listen [::]:443 ssl http2;
ssl_session_timeout 5m;
@@ -82,4 +87,11 @@ server {
proxy_hide_header Cache-Control;
proxy_pass http://localhost:{{ pleroma.config.listeningPort }};
}
+
+ {% if pleroma.keybase.enable == true -%}
+ location = /keybase.txt {
+ try_files $uri =404;
+ }
+ {% endif %}
+
}
diff --git a/roles/pleroma-nginx/vars/main.yml b/roles/pleroma-nginx/vars/main.yml
index 00b034a..fc86339 100644
--- a/roles/pleroma-nginx/vars/main.yml
+++ b/roles/pleroma-nginx/vars/main.yml
@@ -3,6 +3,7 @@ pleroma_deps_nginx: nginx, py-cryptography
pleroma_nginx_conf_dir: /etc/nginx/conf.d
pleroma_nginx_conf_file: "{{ pleroma_nginx_conf_dir }}/pleroma.conf"
+pleroma_nginx_root_dir: /var/www/{{ pleroma.config.host }}
pleroma_ssl_folder: /etc/ssl/pleroma
pleroma_ssl_privateKeyPath: "{{ pleroma_ssl_folder }}/pleroma.key"
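Review bot: In the port-80 server block the new `root {{ pleroma_nginx_root_dir }};` has no consumer in this hunk — the acme-challenge location keeps its own `root`, and the `location = /keybase.txt` added in the last hunk starts at line 87, which by position looks like the HTTPS server — so its only effect is to decide what any non-proxied location on plain HTTP would serve from. If exposing the docroot over plaintext is not intended, drop the directive from this block, or add `# docroot is only referenced by the HTTPS keybase.txt location` so the next reader knows it is deliberate. The remainder of this server block lies outside the hunk.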
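Review bot: The added `pleroma_nginx_root_dir` is the one templated value in this hunk left unquoted, while its neighbour `pleroma_nginx_conf_file` wraps its Jinja expression in double quotes; it parses today only because the scalar begins with `/` rather than `{`. Quote it for consistency and so the value survives a future edit that moves the expression to the front: `pleroma_nginx_root_dir: "/var/www/{{ pleroma.config.host }}"`. Note that `pleroma.config.host` now lands both in a filesystem path here and in nginx's `root` directive, so it must be a bare hostname — nothing in this change checks that.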