Commit 86147086 authored by Florian Pritz

Create SSL certificates automatically for nginx configs


Signed-off-by: Florian Pritz <bluewind@xinu.at>
parent 315d1cfc
......@@ -18,10 +18,8 @@
- name: set up sudoers.d for special users
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
register: certfile
tags:
- nginx
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ repos_domain }}' create='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
......
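Review bot: The `create='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'` token on the certbot command line is not an Ansible `command` option (the idempotency guard is `creates=`), so it is most likely handed to certbot as a literal argument and rejected as unrecognized; even if certbot tolerated it, the task has no guard and would run `certbot certonly --renew-by-default` on every play, which quickly exhausts Let's Encrypt issuance rate limits for the domain. Change it to `creates='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'`. The same typo appears on the `create=` lines for `matrix_domain`, `public_domain` and `mirror_domain` in the three new task files below. Separately, the `stat` task carries `tags: [nginx]` while the create-ssl-cert task has none, so a `--tags nginx` run registers `certfile` but never issues the certificate; tag the two tasks consistently.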
......@@ -51,11 +51,9 @@ server {
server_name {{ repos_domain }} {{repos_rsync_domain}};
root /srv/ftp;
{% if certfile.stat.exists %}
ssl_certificate /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
{% endif %}
satisfy any;
......
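Review bot: `certfile.stat.exists` is the result of the `stat` that runs before the `create ssl cert` task, so on the play that first issues the certificate this template still renders without the `ssl_certificate*` directives and the site keeps serving without TLS until the next run; re-running the `stat` after the certbot task (so `certfile` reflects the freshly created file) closes that gap. If the `server` block's `listen` directive outside this hunk enables `ssl`, the missing directives would instead make nginx fail to load, so both should be driven by the same condition. Note also that `server_name` lists `{{repos_rsync_domain}}` while certbot is only asked for `-d '{{ repos_domain }}'`; if the rsync name is ever served over HTTPS it needs to be added as a second `-d`. The same ordering issue applies to the matrix, public and mirror nginx templates in this commit.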
---
- stat: path="/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem"
register: certfile
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ matrix_domain }}' create='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'
when: 'matrix_domain != ""'
- name: install packages
......
......@@ -25,11 +25,9 @@ server {
access_log /var/log/nginx/{{ matrix_domain }}/access.log;
error_log /var/log/nginx/{{ matrix_domain }}/error.log;
{% if certfile.stat.exists %}
ssl_certificate /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;
{% endif %}
location /_matrix {
proxy_pass http://matrix;
......
---
- stat: path="/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem"
register: certfile
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ public_domain }}' create='/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem'
- name: copy webroot files
copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755
......
......@@ -25,11 +25,9 @@ server {
access_log /var/log/nginx/{{ public_domain }}/access.log;
error_log /var/log/nginx/{{ public_domain }}/error.log;
{% if certfile.stat.exists %}
ssl_certificate /etc/letsencrypt/live/{{ public_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ public_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ public_domain }}/chain.pem;
{% endif %}
location ~ ^/~([A-Za-z0-9]+)(/.*)? {
alias /home/$1/public_html$2;
......
---
- stat: path="/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem"
register: certfile
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ mirror_domain }}' create='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'
when: 'mirror_domain != ""'
- name: install rsync
......
......@@ -21,11 +21,9 @@ server {
access_log /var/log/nginx/{{ mirror_domain }}/access.log;
error_log /var/log/nginx/{{ mirror_domain }}/error.log;
{% if certfile.stat.exists %}
ssl_certificate /etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ mirror_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ mirror_domain }}/chain.pem;
{% endif %}
autoindex on;
}