Dan Anglin
b03c997960
This merge request changes the project from a single-role project to a single-playbook project with multiple plays and roles. The single playbook has multiple plays, each with its own role to install and configure the different components needed to run Pleroma (PostgreSQL database, Pleroma backend and nginx). Individual plays can be executed by specifying the relevant tags. This change is the first of many changes to start supporting installations on both single and multiple hosts. This change also includes: - an inventory file. - a host_vars directory for users to add their variables. - an init playbook to merge the default and the user-defined config for Pleroma. - users can now specify whether to validate certificates when performing ACME challenges (default: true). - more task templating.
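---
# Nginx play for the Pleroma playbook.
#
# Installs nginx, renders the site configuration, provisions a self-signed
# certificate and -- when `pleroma.ssl.letsEncrypt.enable` is true -- obtains
# a Let's Encrypt certificate through an ACME http-01 challenge that nginx
# itself serves from `pleroma_letsEncrypt_baseDir`.
#
# Variables read here (role defaults / host_vars):
#   pleroma_deps_nginx, pleroma_nginx_conf_file, pleroma_ssl_folder,
#   pleroma_ssl_privateKeyPath, pleroma_ssl_csrPath,
#   pleroma_ssl_selfSignedCertPath, pleroma_ssl_fullChainCert,
#   pleroma_ssl_privateAcmeAccountKeyPath, pleroma_letsEncrypt_baseDir,
#   and the `pleroma.config` / `pleroma.ssl` mappings.
#
# The template task below re-renders the configuration on every run, so the
# ssl_certificate line and the ACME location block are re-inserted on every
# run relative to the placeholder comments in the template, never relative to
# a previous run's output.

- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    name: "{{ pleroma_deps_nginx }}"
    state: present

# The rendered file is expected to carry only placeholder comments for the
# certificate and the ACME location block; the tasks further down fill them in.
- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    src: etc_ngnix_confd_pleroma.conf.j2
    dest: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'

# Private material lives in a root-only directory. The nginx master process
# runs as root and loads the key at startup, so the worker user never needs
# read access to anything in here.
- name: Nginx -- Ensuring that the SSL folder exists
  file:
    name: "{{ pleroma_ssl_folder }}"
    state: directory
    mode: '0700'
    owner: root
    group: root

# NOTE(review): this single key backs both the self-signed certificate and
# every ACME issuance/renewal below. The module is idempotent, so the key is
# never rotated unless the file is removed by hand.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateKeyPath }}"
    size: 4096
    state: present
    type: RSA

# The CSR is shared by the self-signed certificate and the ACME order, so the
# CN must be the public hostname Let's Encrypt will validate over http-01.
- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    common_name: "{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"

# Always generated: it is the certificate used when Let's Encrypt is disabled,
# and the bootstrap certificate that lets nginx start TLS before the first
# ACME issuance when Let's Encrypt is enabled.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    mode: '0400'
    group: root
    owner: root
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    provider: selfsigned

- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: not pleroma.ssl.letsEncrypt.enable

# The challenge directory is owned by the nginx worker user so the token file
# written below is servable. `recurse` applies the mode to the leaf directory
# and its contents; the intermediate `.well-known` directory is created with
# the default umask (presumably world-traversable -- verify on a fresh host).
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    name: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx
    recurse: true
  when: pleroma.ssl.letsEncrypt.enable

# The ACME account key identifies this host to the CA; anyone holding it can
# act on the account, hence root-only 0400.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    mode: '0400'
    group: root
    owner: root
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    size: 4096
    state: present
    type: RSA
  when: pleroma.ssl.letsEncrypt.enable

# Serves the http-01 token over plain HTTP and redirects everything else to
# HTTPS. The regex is anchored so only the real ACME path is served from the
# challenge root. `$server_name` (not `$host`) is used in the redirect so the
# client-supplied Host header cannot steer the redirect target.
- name: Nginx -- Ensuring the location block for the ACME challenge is configured.
  blockinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    state: present
    mode: '0600'
    owner: root
    group: root
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sLETS\sENCRYPT\sFOLDER\]\].*$'
    block: |2
          location ~ ^/\.well-known/acme-challenge/ {
              root {{ pleroma_letsEncrypt_baseDir }}/;
              try_files $uri @forward_https;
          }
          location @forward_https {
              return 301 https://$server_name$request_uri;
          }
  when: pleroma.ssl.letsEncrypt.enable

- name: Nginx -- Checking if certificate file exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  register: certificate_file
  when: pleroma.ssl.letsEncrypt.enable

# On the very first run there is no Let's Encrypt certificate yet, but nginx
# refuses to start an HTTPS server block without one; point it at the
# self-signed certificate until the challenge below has been completed.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists

# NOTE(review): `started` does not reload an already-running nginx, so on a
# host where nginx was previously running with a configuration that lacked
# the ACME location block (e.g. Let's Encrypt was just switched on) the
# challenge request will not be answered until the restart at the end of
# this play. A reload/restart here, or a handler, would close that gap.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    name: nginx
    state: started
  when: pleroma.ssl.letsEncrypt.enable

# Part 1 only registers the order and returns the challenge token; nothing is
# issued until part 2 runs with `data` set to this result.
#
# `validate_certs` controls TLS verification of `acmeDirectory` itself. Setting
# `pleroma.ssl.letsEncrypt.validateCerts` to false lets an on-path attacker
# impersonate the CA endpoint; only disable it for a private/test CA (e.g. a
# local Pebble instance), never for the public Let's Encrypt directory.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_challenge
  when: pleroma.ssl.letsEncrypt.enable

# The token is public by design (the CA fetches it anonymously), so a
# world-readable file owned by the worker user is the right shape. Only
# written when part 1 actually opened a new order (`changed`).
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    owner: nginx
    group: nginx
    mode: '0644'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Registered under a separate name so the part-1 result (and its
# `challenge_data`) is still available for the cleanup task below.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    data: "{{ acme_challenge }}"
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
  register: acme_validation
  when: pleroma.ssl.letsEncrypt.enable

# The token has served its purpose once validation succeeded; do not leave it
# lying around in the web root.
- name: Nginx -- Removing the Acme challenge file now that validation is complete.
  file:
    path: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    state: absent
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed

# Mode is a quoted string: an unquoted 0400 is parsed as a YAML 1.1 octal
# integer and only works by coincidence.
- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    owner: root
    group: root
    mode: '0400'
    state: file
  when: pleroma.ssl.letsEncrypt.enable

# Two fixes relative to a bare `regexp: '^\s+ssl_certificate.*$'`:
#  - `\s+` after the directive name stops the pattern from also matching an
#    `ssl_certificate_key` line; lineinfile replaces the LAST match, so the
#    old pattern could overwrite the key directive and leave nginx unable to
#    start.
#  - `insertafter` gives lineinfile somewhere sensible to put the line when
#    nothing matches, which is the normal case on re-runs: the template task
#    re-rendered the file with only the placeholder, and the temporary
#    self-signed line above was skipped because the certificate already
#    existed. Without it the directive is appended at end of file, outside
#    the server block.
- name: Nginx -- Ensuring the ssl_certificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    owner: root
    group: root
    mode: '0600'
    regexp: '^\s+ssl_certificate\s+.*$'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
  when: pleroma.ssl.letsEncrypt.enable

# NOTE(review): unconditional restart on every run (none of the config tasks
# notify a handler). Harmless for correctness, but it drops live connections
# each time the play runs; a `notify`/handler pair would restart only on
# actual change.
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    enabled: true
    state: restarted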