Dan Anglin
274056bbed
- pleroma-postgres renamed to pleroma-database. - pleroma-nginx renamed to pleroma-proxy. - site.yml in examples is updated to reflect the change. resolves dananglin/pleroma-ansible-playbook#12
---
# Install the packages Nginx needs on this apk-based (Alpine) host.
# pleroma_deps_nginx is defined outside this file (a package name or list).
- name: Nginx | Ensuring Nginx dependencies are installed.
  apk:
    state: present
    name: "{{ pleroma_deps_nginx }}"
# Render the Pleroma vhost configuration for Nginx. It is kept root-only
# (0600) because the tasks below rewrite its ssl_certificate line; the Nginx
# master process presumably runs as root and can still read it.
- name: Nginx | Ensuring the Nginx configuration is present.
  template:
    dest: "{{ pleroma_nginx_conf_file }}"
    src: etc_ngnix_confd_pleroma.conf.j2
    mode: '0600'
    owner: root
    group: root
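# Create the Nginx document root, owned by the nginx user.
# NOTE(review): the original used recurse: true here, which re-stamps every
# file under the root with 0700 on each run. With Keybase enabled that fights
# the 0644 keybase.txt copy that follows, so the play reports "changed" on
# every run and marks plain files executable. Only the directory itself is
# managed now; files keep the mode their own task sets.
- name: Nginx | Ensuring that the server root directory is present.
  file:
    path: "{{ pleroma_nginx_root_dir }}"
    state: directory
    mode: '0700'
    owner: nginx
    group: nginx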
# Publish the Keybase proof file as <root>/keybase.txt. src is a path on the
# Ansible controller. World-readable on purpose: the file is presumably
# served to anyone who asks for it.
- name: Nginx | Ensuring the Keybase text file is present.
  copy:
    dest: "{{ pleroma_nginx_root_dir }}/keybase.txt"
    src: "{{ pleroma.keybase.proof.filepath }}"
    mode: '0644'
    owner: nginx
    group: nginx
  when: pleroma.keybase.enable
# Root-only directory that holds the private key, CSR and certificates
# generated below.
- name: Nginx | Ensuring that the SSL folder exists
  file:
    path: "{{ pleroma_ssl_folder }}"
    state: directory
    mode: '0700'
    owner: root
    group: root
# Generate the site's TLS private key (RSA 4096) as a root-only 0400 file.
# Used by both the self-signed certificate and the Let's Encrypt CSR below.
# An existing key at path is reused rather than regenerated.
- name: Nginx | Ensuring that the ssl private key is generated.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateKeyPath }}"
    state: present
    type: RSA
    size: 4096
    mode: '0400'
    owner: root
    group: root
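# Build the CSR for the site certificate from the key above.
# The hostname is set explicitly as a SAN rather than relying on the module
# copying the CN into the SAN list: browsers validate the SAN, not the CN, and
# this CSR feeds both the self-signed and the Let's Encrypt certificate.
# NOTE(review): the remaining subject attributes (email, org, locality...) are
# copied verbatim into the self-signed certificate; a public CA may drop them.
- name: Nginx | Ensuring that the certificate signing request is generated.
  openssl_csr:
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    common_name: "{{ pleroma.config.host }}"
    subject_alt_name:
      - "DNS:{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    mode: '0400'
    owner: root
    group: root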
# Issue a self-signed certificate from the CSR. It is the permanent
# certificate when Let's Encrypt is disabled, and the bootstrap placeholder
# that lets Nginx start before the first ACME issuance when it is enabled.
- name: Nginx | Ensuring the self-signed certificate is generated.
  openssl_certificate:
    provider: selfsigned
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    mode: '0400'
    owner: root
    group: root
# Without Let's Encrypt, point the vhost's ssl_certificate directive at the
# self-signed certificate. The line matched by
# pleroma_ssl_certificate_path_regexp is replaced in place.
- name: Nginx | Ensuring Nginx configuration references the self signed certificate.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
    mode: '0600'
    owner: root
    group: root
  when: not pleroma.ssl.letsEncrypt.enable
# Directory Nginx serves http-01 challenge tokens from. Owned by nginx so the
# worker processes can traverse it; missing parents are created as well.
- name: Nginx | Ensuring that the Let's encrypt challenge directory is present.
  file:
    path: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    recurse: true
    mode: '0700'
    owner: nginx
    group: nginx
  when: pleroma.ssl.letsEncrypt.enable
# ACME account key (distinct from the site key). Whoever holds it can act on
# the account, so it stays root-only 0400.
- name: Nginx | Ensuring that the private ACME account key is present.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    state: present
    type: RSA
    size: 4096
    mode: '0400'
    owner: root
    group: root
  when: pleroma.ssl.letsEncrypt.enable
# Detect whether a Let's Encrypt chain already exists so the next two tasks
# can choose between the bootstrap (self-signed) and real certificate.
# Skipped when Let's Encrypt is off; consumers guard on that flag first.
- name: Nginx | Checking if the full chain certificate exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: certificate_file
# First issuance: no chain exists yet, so reference the self-signed
# certificate so Nginx can come up and serve the http-01 challenge.
- name: Nginx | Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    state: present
    mode: '0600'
    owner: root
    group: root
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists
# Renewal path: a chain already exists, keep the vhost pointing at it while
# the ACME tasks run.
- name: Nginx | Ensuring the existing full chain certificate is referenced in the Nginx config.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
    mode: '0600'
    owner: root
    group: root
  when: pleroma.ssl.letsEncrypt.enable and certificate_file.stat.exists
# http-01 validation needs Nginx answering on port 80 for
# /.well-known/acme-challenge/ — assumed to be wired up in the vhost template.
- name: Nginx | Ensuring that Nginx is running for the ACME challenge.
  service:
    state: started
    name: nginx
  when: pleroma.ssl.letsEncrypt.enable
# ACME step 1: register (or reuse) the account and request http-01 challenges
# for the CSR. Nothing is written to fullchain_dest here; the result is only
# "changed" (and carries challenge_data) when the current chain is missing or
# has fewer than remaining_days left.
# NOTE(review): validate_certs is variable-driven. Keep it true for any real
# CA — with it off, whoever sits between this host and acme_directory can
# forge the challenge data and the chain handed back in step 2. Only disable
# it against a local test CA.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge
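# Drop the http-01 token where Nginx serves it. The relative path comes back
# from the ACME server (expected to be .well-known/acme-challenge/<token>,
# matching the directory created above) and is joined under the LE base dir.
# Owner/group/mode are set explicitly — as the keybase copy does — instead of
# inheriting whatever identity and umask Ansible happens to run with; the
# token must be readable by the nginx worker and is public by design.
- name: Nginx | Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    owner: nginx
    group: nginx
    mode: '0644'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed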
# ACME step 2: hand the step-1 result back via data so the CA validates the
# token now served by Nginx, then write the issued chain to fullchain_dest.
# When step 1 was not "changed" (chain still valid) this is a no-op.
# acme_challenge is re-registered with the final result.
# NOTE(review): same validate_certs caveat as step 1 — leave it true.
- name: Nginx | Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    acme_version: 2
    validate_certs: "{{ pleroma.ssl.letsEncrypt.validateCerts }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    data: "{{ acme_challenge }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge
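# Lock the issued chain down to root-only, matching the key, CSR and
# self-signed files. state: file does not create anything: if the chain is
# missing (issuance failed) this task fails instead of letting the play go on
# to point Nginx at a file that is not there.
- name: Nginx | Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    state: file
    # Quoted: a bare 0400 is read by YAML as an integer. The quoted form is
    # what every other task in this file uses.
    mode: '0400'
    owner: root
    group: root
  when: pleroma.ssl.letsEncrypt.enable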
# Final state with Let's Encrypt: the vhost's ssl_certificate directive points
# at the issued chain (replacing the bootstrap self-signed reference, if any).
- name: Nginx | Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '{{ pleroma_ssl_certificate_path_regexp }}'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
    mode: '0600'
    owner: root
    group: root
  when: pleroma.ssl.letsEncrypt.enable
# Enable Nginx at boot and restart it to pick up the rewritten vhost.
# NOTE(review): this is unconditional, so every play run bounces Nginx even
# when nothing above changed; a handler (or state: reloaded) would avoid the
# brief outage. Kept as-is here.
- name: Nginx | Ensuring that Nginx is enabled and restarted.
  service:
    state: restarted
    enabled: true
    name: nginx