archives/pleroma-ansible-playbook
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
This repository has been archived on 2023-05-06. You can view files and clone it, but cannot push or open issues or pull requests.
pleroma-ansible-playbook/roles/pleroma-nginx/tasks/main.yml
Dan Anglin 8db0186fec
feat: support for proving your site with Keybase. 
This commit adds support for uploading the site
owner's keybase.txt file onto their Pleroma server
so that Keybase can prove that they are the owner
of their site. This is diabled by default but can
be enabled by the user.

Resolves dananglin/pleroma-ansible-playbook#1
2019-11-08 05:55:25 +00:00

205 lines
6.8 KiB
YAML
Raw Permalink Blame History

---
- name: Nginx | Ensuring Nginx dependencies are installed.
apk:
name: "{{ pleroma_deps_nginx }}"
state: present
- name: Nginx | Ensuring the Nginx configuration is present.
template:
src: etc_ngnix_confd_pleroma.conf.j2
dest: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
- name: Nginx | Ensuring that the server root directory is present.
file:
name: "{{ pleroma_nginx_root_dir }}"
recurse: true
state: directory
mode: '0700'
owner: nginx
group: nginx
- name: Nginx | Ensuring the Keybase text file is present.
copy:
src: "{{ pleroma.keybase.proof.filepath }}"
dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
mode: '0644'
owner: nginx
group: nginx
when: pleroma.keybase.enable
- name: Nginx | Ensuring that the SSL folder exists
file:
name: "{{ pleroma_ssl_folder }}"
state: directory
mode: '0700'
owner: root
group: root
- name: Nginx | Ensuring that the ssl private key is generated.
openssl_privatekey:
mode: '0400'
group: root
owner: root
path: "{{ pleroma_ssl_privateKeyPath }}"
size: 4096
state: present
type: RSA
- name: Nginx | Ensuring that the certificate signing request is generated.
openssl_csr:
common_name: "{{ pleroma.config.host }}"
country_name: "{{ pleroma.ssl.csr.countryName }}"
email_address: "{{ pleroma.ssl.csr.emailAddress }}"
locality_name: "{{ pleroma.ssl.csr.localityName }}"
organization_name: "{{ pleroma.ssl.csr.organizationName }}"
organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
mode: '0400'
group: root
owner: root
path: "{{ pleroma_ssl_csrPath }}"
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
- name: Nginx | Ensuring the self-signed certificate is generated.
openssl_certificate:
path: "{{ pleroma_ssl_selfSignedCertPath }}"
mode: '0400'
group: root
owner: root
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
csr_path: "{{ pleroma_ssl_csrPath }}"
provider: selfsigned
- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
state: present
when: not pleroma.ssl.letsEncrypt.enable
- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
file:
name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
state: directory
mode: '0700'
owner: nginx
group: nginx
recurse: yes
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Ensuring that the private ACME account key is present.
openssl_privatekey:
mode: '0400'
group: root
owner: root
path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
size: 4096
state: present
type: RSA
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Checking if the full chain certificate exists.
stat:
path: "{{ pleroma_ssl_fullChainCert }}"
register: certificate_file
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
state: present
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
service:
name: nginx
state: started
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
acme_certificate:
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
acme_version: 2
challenge: http-01
csr: "{{ pleroma_ssl_csrPath }}"
fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
select_crypto_backend: cryptography
terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Creating the Acme challenge file
copy:
dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
acme_certificate:
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
acme_version: 2
challenge: http-01
csr: "{{ pleroma_ssl_csrPath }}"
fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
select_crypto_backend: cryptography
terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
data: "{{ acme_challenge }}"
validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
register: acme_challenge
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Updating file permissions of the SSL certificate.
file:
path: "{{ pleroma_ssl_fullChainCert }}"
owner: root
group: root
mode: 0400
state: file
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
lineinfile:
path: "{{ pleroma_nginx_conf_file }}"
owner: root
group: root
mode: '0600'
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
state: present
when: pleroma.ssl.letsEncrypt.enable
- name: Nginx | Ensuring that Nginx is enabled and restarted.
service:
name: nginx
enabled: yes
state: restarted
Reference in a new issue View git blame Copy permalink