Dan Anglin
42904fbaa4
Removed the 'blockinfile' task and added the location block for Let's Encrypt in the Nginx config template. This block will be rendered only if Let's Encrypt support is enabled. Part of dananglin/pleroma-ansible-playbook#1
---
# Install the packages nginx needs. The package list is kept in the
# pleroma_deps_nginx variable so it can be adjusted per host.
- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    state: present
    name: "{{ pleroma_deps_nginx }}"

# Render the nginx site configuration from the role template. 0600/root is
# deliberate: the file names the TLS private key path, and the nginx master
# process reads it as root, so nothing else needs access.
# NOTE: this task re-renders the file on every run; the lineinfile tasks
# further down then re-apply the ssl_certificate line on top of it.
- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    dest: "{{ pleroma_nginx_conf_file }}"
    src: etc_ngnix_confd_pleroma.conf.j2
    mode: '0600'
    owner: root
    group: root

# Private directory holding the TLS key, CSR and certificates generated below.
# 0700/root: only root (and therefore the nginx master process) can enter it.
- name: Nginx -- Ensuring that the SSL folder exists
  file:
    state: directory
    name: "{{ pleroma_ssl_folder }}"
    owner: root
    group: root
    mode: '0700'

# Generate the TLS private key once and keep it. The same key backs both the
# self-signed bootstrap certificate and the ACME-issued certificate, because
# the CSR task below references this path. It is never copied anywhere and
# is readable by root only.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    state: present
    path: "{{ pleroma_ssl_privateKeyPath }}"
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: '0400'

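# CSR for the instance hostname. The same CSR feeds both the self-signed
# bootstrap certificate and the ACME order below, so the hostname must be
# exactly the name clients (and the ACME server) will resolve.
# The SAN is set explicitly instead of relying on the module's
# use_common_name_for_san default: browsers and Let's Encrypt validate the
# hostname against the SAN list, not the CN, and the default varies across
# Ansible versions.
- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    common_name: "{{ pleroma.config.host }}"
    subject_alt_name:
      - "DNS:{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    owner: root
    group: root
    mode: '0400'
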
# Self-signed certificate from the CSR above. It is what nginx serves when
# Let's Encrypt is disabled, and it is also the placeholder that lets nginx
# start for the http-01 challenge before a real certificate exists.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    provider: selfsigned
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    owner: root
    group: root
    mode: '0400'

# Without Let's Encrypt the rendered config must point ssl_certificate at the
# self-signed certificate. The regexp matches whatever ssl_certificate line
# the template emitted so the directive is replaced, not duplicated.
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
  lineinfile:
    state: present
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    owner: root
    group: root
    mode: '0600'
  when: not pleroma.ssl.letsEncrypt.enable

# Webroot for http-01 tokens. The directory belongs to the nginx user so the
# worker processes can serve the token files; recurse also re-applies that
# ownership and mode to any token files left behind by earlier runs.
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    state: directory
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    recurse: true
    owner: nginx
    group: nginx
    mode: '0700'
  when: pleroma.ssl.letsEncrypt.enable

# ACME account key, deliberately separate from the TLS key. It identifies this
# host's account at the CA and is reused across renewals, so it is generated
# once and kept root-only.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    state: present
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    type: RSA
    size: 4096
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable

|
|
|
|
# Decide between first issuance and renewal: the two lineinfile tasks below
# branch on certificate_file.stat.exists.
- name: Nginx -- Checking if the full chain certificate exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: certificate_file

# First issuance only: nginx needs a certificate it can load before it can
# serve the http-01 challenge, so point it at the self-signed one for now.
# The final lineinfile task swaps in the full chain once ACME has issued it.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    state: present
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists

# Renewal path: a full chain already exists, so keep nginx serving it while
# the ACME tasks below decide whether it needs to be renewed.
- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
  lineinfile:
    state: present
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists

# nginx must answer on port 80 for the http-01 challenge below.
# NOTE(review): `started` only starts a stopped service; it does not make an
# already-running nginx re-read the configuration written by the tasks above.
# On a host where nginx was already up with an older config, the challenge
# location may not be served until the restart at the end of this file —
# worth confirming on an upgrade run.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    state: started
    name: nginx
  when: pleroma.ssl.letsEncrypt.enable

# Step 1 of the ACME flow: register/resume the account and request an order
# for the CSR. On success the module returns the http-01 token and its path
# in acme_challenge.challenge_data; nothing is issued yet. When the existing
# certificate still has more than remaining_days left, the task reports no
# change and the challenge/validation steps are skipped.
# Security notes:
#  - validate_certs should stay true against a public CA. Disabling it only
#    makes sense for a private staging CA, because an intercepted directory
#    would then control the challenge data written to disk by the copy task.
#  - terms_agreed is exposed as a variable so agreement to the CA's terms is
#    an explicit operator decision rather than hard-coded here.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    acme_version: 2
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge

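# Defence in depth before writing a server-supplied path as root: the
# challenge 'resource' returned by the CA is joined onto the webroot below,
# so refuse anything that is not a plain token under .well-known/acme-challenge.
# A compliant CA always returns exactly that shape (RFC 8555 tokens are
# base64url), so this only ever fires on a broken or intercepted directory.
- name: Nginx -- Refusing challenge paths that fall outside the acme-challenge directory.
  assert:
    that:
      - >-
        acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource']
        is match('^\.well-known/acme-challenge/[A-Za-z0-9_-]+$')
    fail_msg: "Unexpected http-01 challenge path returned by the ACME server; refusing to write it."
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Publish the token so the CA can fetch it over plain HTTP. Permissions are
# explicit rather than inherited from root's umask, so the nginx workers can
# still read the file on hosts with a restrictive umask.
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    owner: nginx
    group: nginx
    mode: '0644'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed
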
# Step 2 of the ACME flow: hand the step-1 result back via `data` so the
# module asks the CA to validate the token nginx is now serving, then
# downloads the issued certificate and chain to fullchain_dest. The same
# account, directory and CSR parameters are repeated so the two calls refer
# to the same order.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    acme_version: 2
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    data: "{{ acme_challenge }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge

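# Tighten the issued chain to root-only. The chain itself is public, but
# keeping it with the same ownership/mode as the key and CSR means nothing
# outside root touches the SSL folder contents. The mode is quoted like the
# rest of this file so YAML does not parse it as a decimal integer.
- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    state: file
    path: "{{ pleroma_ssl_fullChainCert }}"
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable
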
# Final state with Let's Encrypt enabled: replace the bootstrap self-signed
# reference with the issued full chain. Runs unconditionally on the LE path
# so it also repairs a config left pointing at the self-signed cert by an
# earlier failed run.
- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    state: present
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable

# Enable nginx at boot and restart it so the final configuration and
# certificate are loaded.
# NOTE(review): the restart is unconditional, so every run of this role
# briefly interrupts nginx even when nothing above changed; a handler
# notified by the template/lineinfile tasks would avoid that.
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    state: restarted
    enabled: true
