From 8614708627eb7d19599812a4e92400225fe36c7b Mon Sep 17 00:00:00 2001
From: Florian Pritz <bluewind@xinu.at>
Date: Fri, 20 Oct 2017 21:26:55 +0200
Subject: [PATCH] Create SSL certificates automatically for nginx configs

Signed-off-by: Florian Pritz <bluewind@xinu.at>
---
 roles/dbscripts/tasks/main.yml              | 6 ++----
 roles/dbscripts/templates/nginx.d.conf.j2   | 2 --
 roles/matrix/tasks/main.yml                 | 4 ++--
 roles/matrix/templates/nginx.d.conf.j2      | 2 --
 roles/public_html/tasks/main.yml            | 4 ++--
 roles/public_html/templates/nginx.d.conf.j2 | 2 --
 roles/syncrepo/tasks/main.yml               | 4 ++--
 roles/syncrepo/templates/nginx.d.conf.j2    | 2 --
 8 files changed, 8 insertions(+), 18 deletions(-)

diff --git a/roles/dbscripts/tasks/main.yml b/roles/dbscripts/tasks/main.yml
index 5b5869117..e8710a516 100644
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -18,10 +18,8 @@
 - name: set up sudoers.d for special users
   copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
 
-- stat: path="/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem"
-  register: certfile
-  tags:
-    - nginx
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ repos_domain }}' create='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/dbscripts.conf owner=root group=root mode=0644
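Review bot: The idempotence guard on the new certbot task is misspelled: Ansible's command module understands `creates=`, not `create=`, and as far as I can tell from the module's free-form argument parsing an unrecognized `key=value` token is passed through to certbot as a literal argument rather than consumed by Ansible. As written the task either fails with an unrecognized-argument error from certbot or, if certbot tolerates it, runs on every play and re-issues the certificate because of `--renew-by-default`, which counts against Let's Encrypt's duplicate-certificate rate limit; the fix is `creates='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'`. Separately, the request is for `-d '{{ repos_domain }}'` only, while the nginx server block in this role also lists `{{repos_rsync_domain}}` in `server_name`; if that name is ever reached over HTTPS it is not covered by the certificate, so either add a second `-d` or comment that it is rsync-only. The webroot challenge also presumes something already serves `{{letsencrypt_validation_dir}}` over plain HTTP for this hostname before this role's nginx config is installed — worth a comment on the task if a base nginx role provides that.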
diff --git a/roles/dbscripts/templates/nginx.d.conf.j2 b/roles/dbscripts/templates/nginx.d.conf.j2
index 4ab50863c..70e672003 100644
--- a/roles/dbscripts/templates/nginx.d.conf.j2
+++ b/roles/dbscripts/templates/nginx.d.conf.j2
@@ -51,11 +51,9 @@ server {
     server_name  {{ repos_domain }} {{repos_rsync_domain}};
     root         /srv/ftp;
 
-{% if certfile.stat.exists %}
     ssl_certificate      /etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem;
     ssl_certificate_key  /etc/letsencrypt/live/{{ repos_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ repos_domain }}/chain.pem;
-{% endif %}
 
     satisfy  any;
 
diff --git a/roles/matrix/tasks/main.yml b/roles/matrix/tasks/main.yml
index ecbd53556..24b9f3439 100644
--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
-- stat: path="/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ matrix_domain }}' create='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'
   when: 'matrix_domain != ""'
 
 - name: install packages
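Review bot: `create=` on the certbot command is not a recognized command-module option (`creates=` is), so unless I am misreading Ansible's free-form argument parsing the token reaches certbot as a stray argument and the task has no run-once guard; change it to `creates='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'`. Without that guard the task also reports changed on every run, and with `--renew-by-default` each run forces a fresh issuance. Keeping `when: 'matrix_domain != ""'` is right, since an empty value would otherwise produce `-d ''`; the nginx template for this role needs the same guard now that its `{% if certfile.stat.exists %}` is gone and it references the certificate files unconditionally, but that conditional is outside this hunk.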
diff --git a/roles/matrix/templates/nginx.d.conf.j2 b/roles/matrix/templates/nginx.d.conf.j2
index 13236104b..271a9fb43 100644
--- a/roles/matrix/templates/nginx.d.conf.j2
+++ b/roles/matrix/templates/nginx.d.conf.j2
@@ -25,11 +25,9 @@ server {
     access_log   /var/log/nginx/{{ matrix_domain }}/access.log;
     error_log    /var/log/nginx/{{ matrix_domain }}/error.log;
 
-{% if certfile.stat.exists %}
     ssl_certificate      /etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem;
     ssl_certificate_key  /etc/letsencrypt/live/{{ matrix_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ matrix_domain }}/chain.pem;
-{% endif %}
 
     location /_matrix {
         proxy_pass http://matrix;
diff --git a/roles/public_html/tasks/main.yml b/roles/public_html/tasks/main.yml
index 1fd59b034..545fb610f 100644
--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
-- stat: path="/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ public_domain }}' create='/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem'
 
 - name: copy webroot files
   copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755
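Review bot: The `create='...'` token on the new certbot task should be `creates=`; the command module only special-cases `creates`, `removes`, `chdir`, `executable`, `warn` and `stdin` in its free-form string, so as far as I can tell `create=/etc/letsencrypt/live/.../fullchain.pem` is handed to certbot verbatim and the task gains no idempotence. Since the same 200-character line is now copied into four roles with only the domain variable differing, I would also move it to native block-style module arguments so the `creates` path is a proper key and a misspelled option is rejected as an unsupported parameter instead of leaking into the command, and lift `webmaster@archlinux.org` into a single shared variable rather than repeating it per role.
```yaml
- name: create ssl cert
  command: >-
    certbot certonly --email webmaster@archlinux.org --agree-tos
    --rsa-key-size 4096 --renew-by-default --webroot
    -w {{ letsencrypt_validation_dir }} -d '{{ public_domain }}'
  args:
    creates: /etc/letsencrypt/live/{{ public_domain }}/fullchain.pem
```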
diff --git a/roles/public_html/templates/nginx.d.conf.j2 b/roles/public_html/templates/nginx.d.conf.j2
index 041901525..034af8e11 100644
--- a/roles/public_html/templates/nginx.d.conf.j2
+++ b/roles/public_html/templates/nginx.d.conf.j2
@@ -25,11 +25,9 @@ server {
     access_log   /var/log/nginx/{{ public_domain }}/access.log;
     error_log    /var/log/nginx/{{ public_domain }}/error.log;
 
-{% if certfile.stat.exists %}
     ssl_certificate      /etc/letsencrypt/live/{{ public_domain }}/fullchain.pem;
     ssl_certificate_key  /etc/letsencrypt/live/{{ public_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ public_domain }}/chain.pem;
-{% endif %}
 
     location ~ ^/~([A-Za-z0-9]+)(/.*)? {
         alias /home/$1/public_html$2;
diff --git a/roles/syncrepo/tasks/main.yml b/roles/syncrepo/tasks/main.yml
index 2c900ed49..c5505025f 100644
--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
@@ -1,7 +1,7 @@
 ---
 
-- stat: path="/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem"
-  register: certfile
+- name: create ssl cert
+  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{letsencrypt_validation_dir}} -d '{{ mirror_domain }}' create='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'
   when: 'mirror_domain != ""'
 
 - name: install rsync
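Review bot: `create=` in the certbot task is not the command module's `creates=` option, so this task most likely has no run-once guard: the file check never happens and, with `--renew-by-default`, every play run forces a new certificate for `{{ mirror_domain }}`, which will hit Let's Encrypt's duplicate-certificate limit quickly on a mirror that is deployed often. Fix: `creates='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'`. Note also that certbot's first run for a host needs the HTTP-01 challenge answered from `{{letsencrypt_validation_dir}}` before this role's nginx config exists; if nothing else serves that directory on port 80 for the mirror name, the task fails and the play stops, which is the safe outcome but worth stating in a comment above the task, e.g. `# requires the base nginx config to serve letsencrypt_validation_dir over HTTP`.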
diff --git a/roles/syncrepo/templates/nginx.d.conf.j2 b/roles/syncrepo/templates/nginx.d.conf.j2
index 58e4107b9..1e69ceb4d 100644
--- a/roles/syncrepo/templates/nginx.d.conf.j2
+++ b/roles/syncrepo/templates/nginx.d.conf.j2
@@ -21,11 +21,9 @@ server {
     access_log   /var/log/nginx/{{ mirror_domain }}/access.log;
     error_log    /var/log/nginx/{{ mirror_domain }}/error.log;
 
-{% if certfile.stat.exists %}
     ssl_certificate      /etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem;
     ssl_certificate_key  /etc/letsencrypt/live/{{ mirror_domain }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ mirror_domain }}/chain.pem;
-{% endif %}
 
     autoindex on;
 }
-- 
GitLab