pleroma-ansible-playbook/roles/pleroma-nginx/tasks/main.yml
Dan Anglin b03c997960
change: add a site playbook to the project.
This merge request changes the project from a single role project to a
single playbook project with multiple plays and roles. The single
playbook has multiple plays with each having its own role to
install and configure the different components to run Pleroma.
(postgres database, pleroma backend and nginx).

Certain playbooks can be executed by specifying the
relevant tags.

This change is the first of many changes to start supporting
installations on both single and multiple hosts.

This change also includes:

- inventory file.
- host_vars directory for users to add their variables.
- an init playbook to merge the default and the user defined config for Pleroma.
- users can now specify whether to validate certs when performing acme
challenges (default: true).
- more task templating.
2019-10-24 22:51:53 +01:00


---
# Install the packages nginx needs via apk (Alpine). The package list is
# the role variable pleroma_deps_nginx.
- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    state: present
    name: "{{ pleroma_deps_nginx }}"
# Render the Pleroma vhost from the role template. Later lineinfile /
# blockinfile tasks expect to find placeholder comments in this file to
# insert after. Root-only permissions: nginx's master process reads it.
- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    dest: "{{ pleroma_nginx_conf_file }}"
    src: etc_ngnix_confd_pleroma.conf.j2
    mode: '0600'
    owner: root
    group: root
# Create the directory for the TLS material. Only root may traverse it.
- name: Nginx -- Ensuring that the SSL folder exists
  file:
    state: directory
    name: "{{ pleroma_ssl_folder }}"
    owner: root
    group: root
    mode: '0700'
# Generate the 4096-bit RSA key behind the CSR, the self-signed
# certificate and (through the CSR) the ACME order. Readable by root only.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateKeyPath }}"
    type: RSA
    size: 4096
    state: present
    owner: root
    group: root
    mode: '0400'
# Build the CSR from the subject fields under pleroma.ssl.csr, with the
# instance hostname as common name. The same CSR is consumed by the
# self-signed certificate task and by both acme_certificate steps below.
- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    common_name: "{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    owner: root
    group: root
    mode: '0400'
# Self-sign the CSR. nginx serves this certificate when Let's Encrypt is
# disabled, and temporarily while the first http-01 challenge is answered.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    provider: selfsigned
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    owner: root
    group: root
    mode: '0400'
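# Point nginx at the self-signed certificate when Let's Encrypt is not in
# use. The regexp makes the task idempotent across a Let's Encrypt ->
# self-signed switch: an existing ssl_certificate line (e.g. a stale
# fullchain reference) is replaced instead of a second directive being
# appended; when no such line exists the directive is inserted after the
# placeholder comment. `\s+` after the directive name keeps
# `ssl_certificate_key` out of the match.
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '^\s+ssl_certificate\s+.*$'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable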
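# Create the webroot path the http-01 challenge is served from. The nginx
# user owns it so the worker can read the token files placed there.
# `recurse: true` replaces the YAML 1.1 `yes`: same value, no truthy
# ambiguity (ansible-lint / yamllint `truthy`).
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    owner: nginx
    group: nginx
    mode: '0700'
    recurse: true
  when: pleroma.ssl.letsEncrypt.enable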
# Separate 4096-bit RSA key identifying the ACME account (distinct from
# the certificate key). Only needed when Let's Encrypt is enabled.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    type: RSA
    size: 4096
    state: present
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable
# Insert the nginx location blocks that serve /.well-known/acme-challenge
# from the Let's Encrypt webroot over plain HTTP and redirect everything
# else to HTTPS. Inserted after the LETS ENCRYPT FOLDER placeholder.
- name: Nginx -- Ensuring the location block for the ACME challenge is configured.
  blockinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    state: present
    mode: '0600'
    owner: root
    group: root
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sLETS\sENCRYPT\sFOLDER\]\].*$'
    # `|2` pins the content indent two columns past this mapping, so the
    # extra indent below is preserved in the inserted block. nginx does
    # not care about it; it only keeps the rendered config readable.
    # NOTE(review): the source's original indentation was not recoverable;
    # confirm the rendered block looks as intended.
    block: |2
        location ~/\.well-known/acme-challenge {
          root {{ pleroma_letsEncrypt_baseDir }}/;
          try_files $uri @forward_https;
        }
        location @forward_https {
          return 301 https://$server_name$request_uri;
        }
  when: pleroma.ssl.letsEncrypt.enable
# Record whether a Let's Encrypt full-chain certificate already exists;
# the next task uses this to decide whether nginx needs a temporary
# certificate to come up for the challenge.
- name: Nginx -- Checking if certificate file exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: certificate_file
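# On a first Let's Encrypt run there is no full-chain certificate yet, so
# the TLS server block is presumably not startable; point nginx at the
# self-signed certificate for the duration of the challenge. The final
# lineinfile task swaps this for the full-chain path once it exists.
# Changes from the original: `not ...stat.exists` replaces `== false`
# (ansible-lint literal-compare), and the regexp replaces an existing
# ssl_certificate line (e.g. a stale fullchain reference whose file is
# gone) instead of appending a second directive. `\s+` keeps
# `ssl_certificate_key` out of the match.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '^\s+ssl_certificate\s+.*$'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists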
# nginx must answer the http-01 request, so make sure it is up before the
# ACME steps. NOTE(review): `started` does not re-read the configuration
# of an already-running nginx, so the config edits made above only take
# effect at the restart at the end of this file; on a re-run where those
# edits changed, the challenge may be served from stale config.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    state: started
    name: nginx
  when: pleroma.ssl.letsEncrypt.enable
# ACME step 1: register/refresh the account and request an http-01
# challenge for the CSR. remaining_days controls whether renewal is due
# at all. The registered result feeds the challenge-file task (which
# runs only when this step reports changed) and step 2.
# validate_certs is user-configurable: leaving it on means the ACME
# directory's TLS certificate is verified, which is what protects the
# account exchange from an interposed endpoint.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge
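# Write the http-01 token where nginx serves it: per the acme_certificate
# module, `resource` is the .well-known/acme-challenge/<token> path
# relative to the webroot and `resource_value` its expected body. Only
# needed when step 1 issued a new challenge. The explicit mode makes the
# file readable by the nginx worker instead of relying on the umask.
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    mode: '0644'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed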
# ACME step 2: hand the challenge data back so the CA verifies the token
# over HTTP and issues the certificate to fullchain_dest. Parameters
# mirror step 1 apart from `data`.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    data: "{{ acme_challenge }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge
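# Lock down the issued full-chain certificate. The mode is quoted: an
# unquoted 0400 is parsed as an octal integer by YAML 1.1 loaders but as
# decimal 400 by YAML 1.2 ones, which Ansible documents as a reason to
# quote modes; this also matches every other mode in this file.
- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    state: file
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable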
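# Replace whatever ssl_certificate line is present (the temporary
# self-signed one, or an older fullchain reference) with the ACME
# full-chain certificate. The `\s+` after the directive name keeps the
# regexp from also matching `ssl_certificate_key`: lineinfile rewrites
# the *last* matching line, so with the looser `ssl_certificate.*` a key
# directive placed after the certificate line in the template would be
# overwritten, leaving nginx without a key and still on the old cert.
- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '^\s+ssl_certificate\s+.*$'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable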
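# Enable nginx at boot and restart it so every configuration edit made
# above is in effect. `true` replaces the YAML 1.1 `yes`: same value, no
# truthy ambiguity.
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    enabled: true
    state: restarted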