Dan Anglin
317adf3931
When running the playbook more than once the ssl_certificate_key line was being overwritten by the 'lineinfile' tasks because the regular expression was too greedy. This merge request uses a stricter regular expression to identify and update the ssl_certificate line in the Nginx configuration.
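---
# Nginx tasks for the Pleroma role (Alpine / apk based host):
#   1. install Nginx and render its site configuration from a template;
#   2. generate a private key, a CSR and a self-signed certificate;
#   3. when Let's Encrypt is enabled, obtain a certificate through the ACME
#      http-01 challenge and point Nginx at the resulting full-chain file;
#   4. enable and restart Nginx.
#
# All pleroma_* / pleroma.* variables are defined outside this file.
#
# NOTE(review): the template task re-renders the whole configuration on every
# run and the later lineinfile/blockinfile tasks edit that rendered file, so
# the template must contain the placeholder comment used by blockinfile and an
# ssl_certificate line matched by pleroma_ssl_certificate_path_regexp. That
# regexp must match the `ssl_certificate` directive only and never
# `ssl_certificate_key`, otherwise re-runs clobber the key line (see the
# commit message).

- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    name: "{{ pleroma_deps_nginx }}"
    state: present

# Configuration is root-only (0600); Nginx reads it while it still runs as root.
- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    src: etc_ngnix_confd_pleroma.conf.j2
    dest: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'

# Private material below lives in this directory; nothing but root may enter it.
- name: Nginx -- Ensuring that the SSL folder exists
  file:
    name: "{{ pleroma_ssl_folder }}"
    state: directory
    mode: '0700'
    owner: root
    group: root

# 4096-bit RSA server key, readable by root only. Idempotent: an existing key
# at the path is kept.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateKeyPath }}"
    size: 4096
    state: present
    type: RSA

# The same CSR is used for the self-signed certificate and for the ACME order.
# NOTE(review): only common_name is set, no subject_alt_name. Modern clients
# validate SANs rather than the CN; consider adding
# subject_alt_name: "DNS:{{ pleroma.config.host }}" — confirm against the
# openssl_csr version in use before changing.
- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    common_name: "{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"

# Self-signed certificate: the only certificate when Let's Encrypt is disabled,
# and a bootstrap certificate so Nginx can start before the first ACME order.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    mode: '0400'
    group: root
    owner: root
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    provider: selfsigned

# Let's Encrypt disabled: Nginx serves the self-signed certificate.
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable

# --- Let's Encrypt (ACME http-01) -------------------------------------------

# Challenge files are written here by root (copy task below) and served by the
# Nginx worker, so the tree is owned by the nginx user. recurse also applies the
# ownership/mode to challenge files left over from earlier runs.
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx
    recurse: true
  when: pleroma.ssl.letsEncrypt.enable

# ACME account key — separate from the server key, root-only.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    size: 4096
    state: present
    type: RSA
  when: pleroma.ssl.letsEncrypt.enable

# Serve /.well-known/acme-challenge over plain HTTP from the challenge base
# directory; every other request is redirected to HTTPS. The block is inserted
# after a placeholder comment that the template must contain.
- name: Nginx -- Ensuring the location block for the ACME challenge is configured.
  blockinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    state: present
    mode: '0600'
    owner: root
    group: root
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sLETS\sENCRYPT\sFOLDER\]\].*$'
    block: |2
          location ~/\.well-known/acme-challenge {
              root {{ pleroma_letsEncrypt_baseDir }}/;
              try_files $uri @forward_https;
          }
          location @forward_https {
              return 301 https://$server_name$request_uri;
          }
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Checking if the full chain certificate exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  register: certificate_file
  when: pleroma.ssl.letsEncrypt.enable

# First run: no Let's Encrypt certificate yet, so Nginx starts with the
# self-signed one and the ACME order replaces it further down.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists

# Later runs: keep pointing at the existing full-chain certificate so the
# freshly rendered template never falls back to the self-signed one.
- name: Nginx -- Ensuring the existing full chain certificate is referenced in the Nginx config.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists

# Nginx must answer the http-01 request. NOTE(review): `started` does not
# reload an already running Nginx, so on re-runs the challenge is served by
# whatever configuration was loaded last time.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    name: nginx
    state: started
  when: pleroma.ssl.letsEncrypt.enable

# Step 1: register/refresh the account and request the challenge data.
# The module reports changed only when a certificate is missing or has fewer
# than remaining_days left, so later steps are skipped otherwise.
# NOTE(review): validate_certs=false disables TLS verification of the ACME
# directory itself (account and order traffic could be intercepted); keep
# pleroma.ssl.letsEncrypt.validateCerts true outside test setups.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# Publish the key authorisation under the path the CA will fetch. Ownership
# and mode are set explicitly so the nginx worker can read the file whatever
# the controller's umask is (the file is created by root).
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    owner: nginx
    group: nginx
    mode: '0640'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Step 2: let the CA validate the challenge and write the full chain.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    data: "{{ acme_challenge }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# Quoted mode: an unquoted 0400 is parsed as an octal integer by the YAML
# loader, and every other task in this file already quotes its mode.
- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    owner: root
    group: root
    mode: '0400'
    state: file
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable

# NOTE(review): this restarts Nginx on every run, not only when the
# configuration or certificate changed; a handler notified by the template,
# lineinfile, blockinfile and acme tasks would avoid the needless downtime.
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    enabled: true
    state: restarted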