Dan Anglin
8db0186fec
This commit adds support for uploading the site owner's keybase.txt file onto their Pleroma server so that Keybase can prove that they are the owner of their site. This is diabled by default but can be enabled by the user. Resolves dananglin/pleroma-ansible-playbook#1
205 lines
6.8 KiB
YAML
205 lines
6.8 KiB
YAML
---
|
|
- name: Nginx | Ensuring Nginx dependencies are installed.
|
|
apk:
|
|
name: "{{ pleroma_deps_nginx }}"
|
|
state: present
|
|
|
|
- name: Nginx | Ensuring the Nginx configuration is present.
|
|
template:
|
|
src: etc_ngnix_confd_pleroma.conf.j2
|
|
dest: "{{ pleroma_nginx_conf_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
|
|
- name: Nginx | Ensuring that the server root directory is present.
|
|
file:
|
|
name: "{{ pleroma_nginx_root_dir }}"
|
|
recurse: true
|
|
state: directory
|
|
mode: '0700'
|
|
owner: nginx
|
|
group: nginx
|
|
|
|
- name: Nginx | Ensuring the Keybase text file is present.
|
|
copy:
|
|
src: "{{ pleroma.keybase.proof.filepath }}"
|
|
dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
|
|
mode: '0644'
|
|
owner: nginx
|
|
group: nginx
|
|
when: pleroma.keybase.enable
|
|
|
|
- name: Nginx | Ensuring that the SSL folder exists
|
|
file:
|
|
name: "{{ pleroma_ssl_folder }}"
|
|
state: directory
|
|
mode: '0700'
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Nginx | Ensuring that the ssl private key is generated.
|
|
openssl_privatekey:
|
|
mode: '0400'
|
|
group: root
|
|
owner: root
|
|
path: "{{ pleroma_ssl_privateKeyPath }}"
|
|
size: 4096
|
|
state: present
|
|
type: RSA
|
|
|
|
- name: Nginx | Ensuring that the certificate signing request is generated.
|
|
openssl_csr:
|
|
common_name: "{{ pleroma.config.host }}"
|
|
country_name: "{{ pleroma.ssl.csr.countryName }}"
|
|
email_address: "{{ pleroma.ssl.csr.emailAddress }}"
|
|
locality_name: "{{ pleroma.ssl.csr.localityName }}"
|
|
organization_name: "{{ pleroma.ssl.csr.organizationName }}"
|
|
organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
|
|
state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
|
|
mode: '0400'
|
|
group: root
|
|
owner: root
|
|
path: "{{ pleroma_ssl_csrPath }}"
|
|
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
|
|
|
|
- name: Nginx | Ensuring the self-signed certificate is generated.
|
|
openssl_certificate:
|
|
path: "{{ pleroma_ssl_selfSignedCertPath }}"
|
|
mode: '0400'
|
|
group: root
|
|
owner: root
|
|
privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
|
|
csr_path: "{{ pleroma_ssl_csrPath }}"
|
|
provider: selfsigned
|
|
|
|
- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
|
|
lineinfile:
|
|
path: "{{ pleroma_nginx_conf_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
|
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
|
|
state: present
|
|
when: not pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
|
|
file:
|
|
name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
|
|
state: directory
|
|
mode: '0700'
|
|
owner: nginx
|
|
group: nginx
|
|
recurse: yes
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Ensuring that the private ACME account key is present.
|
|
openssl_privatekey:
|
|
mode: '0400'
|
|
group: root
|
|
owner: root
|
|
path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
|
|
size: 4096
|
|
state: present
|
|
type: RSA
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Checking if the full chain certificate exists.
|
|
stat:
|
|
path: "{{ pleroma_ssl_fullChainCert }}"
|
|
register: certificate_file
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
|
|
lineinfile:
|
|
path: "{{ pleroma_nginx_conf_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
|
line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
|
|
state: present
|
|
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == false
|
|
|
|
- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
|
|
lineinfile:
|
|
path: "{{ pleroma_nginx_conf_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
|
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
|
|
state: present
|
|
when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists == true
|
|
|
|
- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
|
|
service:
|
|
name: nginx
|
|
state: started
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
|
|
acme_certificate:
|
|
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
|
|
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
|
|
acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
|
|
acme_version: 2
|
|
challenge: http-01
|
|
csr: "{{ pleroma_ssl_csrPath }}"
|
|
fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
|
|
remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
|
|
select_crypto_backend: cryptography
|
|
terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
|
|
validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
|
|
register: acme_challenge
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Creating the Acme challenge file
|
|
copy:
|
|
dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
|
|
content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
|
|
when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
|
|
|
|
- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
|
|
acme_certificate:
|
|
account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
|
|
account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
|
|
acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
|
|
acme_version: 2
|
|
challenge: http-01
|
|
csr: "{{ pleroma_ssl_csrPath }}"
|
|
fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
|
|
remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
|
|
select_crypto_backend: cryptography
|
|
terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
|
|
data: "{{ acme_challenge }}"
|
|
validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
|
|
register: acme_challenge
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Updating file permissions of the SSL certificate.
|
|
file:
|
|
path: "{{ pleroma_ssl_fullChainCert }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0400
|
|
state: file
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
|
|
lineinfile:
|
|
path: "{{ pleroma_nginx_conf_file }}"
|
|
owner: root
|
|
group: root
|
|
mode: '0600'
|
|
regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
|
|
line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
|
|
state: present
|
|
when: pleroma.ssl.letsEncrypt.enable
|
|
|
|
- name: Nginx | Ensuring that Nginx is enabled and restarted.
|
|
service:
|
|
name: nginx
|
|
enabled: yes
|
|
state: restarted
|