
---
# Install the packages Nginx needs on this apk-based host.
# pleroma_deps_nginx is defined outside this file (presumably a package
# list in the role's defaults/vars — confirm there).
- name: Nginx -- Ensuring Nginx dependencies are installed.
  apk:
    state: present
    name: "{{ pleroma_deps_nginx }}"
# Render the Pleroma vhost from the role template. The file is root-only
# (0600) because later tasks splice certificate paths into it.
- name: Nginx -- Ensuring the Nginx configuration is present.
  template:
    dest: "{{ pleroma_nginx_conf_file }}"
    src: etc_ngnix_confd_pleroma.conf.j2
    mode: '0600'
    owner: root
    group: root
# Private directory holding the key, CSR and certificates below.
# Only root may enter it (0700).
- name: Nginx -- Ensuring that the SSL folder exists
  file:
    path: "{{ pleroma_ssl_folder }}"
    state: directory
    owner: root
    group: root
    mode: '0700'
# 4096-bit RSA key for the server certificate; readable by root only.
- name: Nginx -- Ensuring that the ssl private key is generated.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateKeyPath }}"
    type: RSA
    size: 4096
    state: present
    owner: root
    group: root
    mode: '0400'
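# CSR for the server certificate. Besides the CN, the host name is also
# placed in subjectAltName: modern TLS clients ignore the CN and only
# validate against the SAN list, so a CN-only certificate is rejected.
# The same CSR is reused by the ACME tasks further down.
- name: Nginx -- Ensuring that the certificate signing request is generated.
  openssl_csr:
    path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    common_name: "{{ pleroma.config.host }}"
    subject_alt_name:
      - "DNS:{{ pleroma.config.host }}"
    country_name: "{{ pleroma.ssl.csr.countryName }}"
    state_or_province_name: "{{ pleroma.ssl.csr.stateOrProvinceName }}"
    locality_name: "{{ pleroma.ssl.csr.localityName }}"
    organization_name: "{{ pleroma.ssl.csr.organizationName }}"
    organizational_unit_name: "{{ pleroma.ssl.csr.organizationUnitName }}"
    email_address: "{{ pleroma.ssl.csr.emailAddress }}"
    owner: root
    group: root
    mode: '0400'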
# Self-signed certificate from the CSR above. It is always generated;
# whether Nginx references it depends on the Let's Encrypt switch below.
- name: Nginx -- Ensuring the self-signed certificate is generated.
  openssl_certificate:
    provider: selfsigned
    path: "{{ pleroma_ssl_selfSignedCertPath }}"
    csr_path: "{{ pleroma_ssl_csrPath }}"
    privatekey_path: "{{ pleroma_ssl_privateKeyPath }}"
    owner: root
    group: root
    mode: '0400'
# Without Let's Encrypt, point ssl_certificate at the self-signed cert.
# The line goes right after the SSL placeholder comment the template
# is expected to contain; lineinfile matches on the exact line, so
# re-runs do not duplicate it.
- name: Nginx -- Ensuring Nginx configuration references the self signed certificate
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    state: present
    owner: root
    group: root
    mode: '0600'
  when: not pleroma.ssl.letsEncrypt.enable
# Web root for HTTP-01 challenges, owned by the nginx user so the
# server can serve the token files placed there later.
- name: Nginx -- Ensuring that the Let's encrypt challenge directory is present.
  file:
    path: "{{ pleroma_letsEncrypt_baseDir }}/.well-known/acme-challenge"
    state: directory
    recurse: true
    owner: nginx
    group: nginx
    mode: '0700'
  when: pleroma.ssl.letsEncrypt.enable
# ACME account key (distinct from the server key); root-only.
- name: Nginx -- Ensuring that the private ACME account key is present.
  openssl_privatekey:
    path: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    type: RSA
    size: 4096
    state: present
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable
# Serve /.well-known/acme-challenge from the challenge directory over
# plain HTTP; anything else under it is redirected to HTTPS.
# Inserted after the Let's Encrypt placeholder comment of the template.
- name: Nginx -- Ensuring the location block for the ACME challenge is configured.
  blockinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    state: present
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sLETS\sENCRYPT\sFOLDER\]\].*$'
    block: |2
        location ~/\.well-known/acme-challenge {
          root {{ pleroma_letsEncrypt_baseDir }}/;
          try_files $uri @forward_https;
        }
        location @forward_https {
          return 301 https://$server_name$request_uri;
        }
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable
# Records whether the Let's Encrypt full-chain certificate already
# exists; the next task keys off certificate_file.stat.exists.
- name: Nginx -- Checking if certificate file exists.
  stat:
    path: "{{ pleroma_ssl_fullChainCert }}"
  when: pleroma.ssl.letsEncrypt.enable
  register: certificate_file
# First run only (no full-chain cert yet): reference the self-signed
# cert so Nginx can start and answer the HTTP-01 challenge. The final
# lineinfile task swaps it for the Let's Encrypt certificate.
- name: Nginx -- Temporarily adding the reference to the self signed certificate for ACME challenge.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    line: ' ssl_certificate {{ pleroma_ssl_selfSignedCertPath }};'
    insertafter: '^\s+#\s\[\[PLACEHOLDER\sFOR\sSSL\sCERTIFICATE\]\].*$'
    state: present
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable and not certificate_file.stat.exists
# Nginx must be up before the challenge token is requested by the CA.
- name: Nginx -- Ensuring that Nginx is running for the ACME challenge.
  service:
    state: started
    name: nginx
  when: pleroma.ssl.letsEncrypt.enable
# Step 1 of the ACME v2 flow: obtain the HTTP-01 challenge data for the
# CSR. Nothing is issued yet; the result is registered for steps 2/3.
# When the existing cert still has more than remainingDays left, the
# module reports unchanged and the following tasks are skipped.
- name: Nginx -- Acme challenge part 1 - Creating Acme challenge.
  acme_certificate:
    acme_version: 2
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
  when: pleroma.ssl.letsEncrypt.enable
  register: acme_challenge
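# Step 2: write the challenge token where the location block above
# serves it. Ownership and mode are set explicitly: the directory is
# nginx:nginx 0700, and leaving the file's mode to the controller's
# umask (e.g. 077) would make it unreadable by nginx and fail the
# challenge. The token is public by design, so 0644 is appropriate.
- name: Nginx -- Creating the Acme challenge file
  copy:
    dest: "{{ pleroma_letsEncrypt_baseDir }}/{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource'] }}"
    content: "{{ acme_challenge['challenge_data'][pleroma.config.host]['http-01']['resource_value'] }}"
    owner: nginx
    group: nginx
    mode: '0644'
  when: pleroma.ssl.letsEncrypt.enable and acme_challenge is changed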
# Step 3: hand the registered challenge data back so the CA validates
# it and the full chain is written to fullchain_dest. The account and
# CSR parameters must match part 1 exactly.
- name: Nginx -- Acme challenge part 2 - Validating the Acme challenge to create the SSL certificate.
  acme_certificate:
    acme_version: 2
    acme_directory: "{{ pleroma.ssl.letsEncrypt.acmeDirectory }}"
    account_key_src: "{{ pleroma_ssl_privateAcmeAccountKeyPath }}"
    account_email: "{{ pleroma.ssl.letsEncrypt.acmeAccountEmail }}"
    terms_agreed: "{{ pleroma.ssl.letsEncrypt.termsAgreed }}"
    challenge: http-01
    csr: "{{ pleroma_ssl_csrPath }}"
    fullchain_dest: "{{ pleroma_ssl_fullChainCert }}"
    remaining_days: "{{ pleroma.ssl.letsEncrypt.remainingDays }}"
    select_crypto_backend: cryptography
    data: "{{ acme_challenge }}"
  when: pleroma.ssl.letsEncrypt.enable
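# Lock down the issued certificate to root. The mode is quoted like
# every other mode in this file: an unquoted 0400 is parsed by YAML as
# the octal integer 256 and only works by accident of Ansible's int
# handling; the string form is what the file module documents.
- name: Nginx -- Updating file permissions of the SSL certificate.
  file:
    path: "{{ pleroma_ssl_fullChainCert }}"
    state: file
    owner: root
    group: root
    mode: '0400'
  when: pleroma.ssl.letsEncrypt.enable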
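# Replace the ssl_certificate line (self-signed or stale) with the
# Let's Encrypt full chain. The regexp requires whitespace right after
# the directive name so it cannot match an `ssl_certificate_key` line
# that the template presumably also contains — lineinfile rewrites the
# last matching line, and a broad `ssl_certificate.*` pattern would
# have clobbered the key directive instead.
- name: Nginx -- Ensuring the ssl_ceritificate option is up to date in the Nginx configuration.
  lineinfile:
    path: "{{ pleroma_nginx_conf_file }}"
    regexp: '^\s+ssl_certificate\s.*$'
    line: ' ssl_certificate {{ pleroma_ssl_fullChainCert }};'
    state: present
    owner: root
    group: root
    mode: '0600'
  when: pleroma.ssl.letsEncrypt.enable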
# Enable at boot and restart unconditionally so the configuration
# edits above take effect (this runs on every play, not via a handler).
- name: Nginx -- Ensuring that Nginx is enabled and restarted.
  service:
    name: nginx
    state: restarted
    enabled: true