Verified Commit d7d4a083 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Add letsencrypt/certbot stuff

parent 1e5f77ff
......@@ -11,6 +11,14 @@ After the provisioning script has run, it is safe to reboot.
Once in the new system, run the regular playbook: `ansible-playbook playbooks/$hostname.yml`. This
playbook is the one regularily used for adminstrating the server and is entirely idempotent.
##### Note about first time certificates
The first time a certificate is issued, you'll have to do this manually by yourself. First, configure the DNS to
point to the new server and then run a playbook onto the server which includes the nginx role. Then on the server,
it is necessary to run the following once:
certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w /var/lib/letsencrypt/ <domain-name>
## Servers
### vostok
......@@ -22,7 +30,7 @@ playbook is the one regularily used for adminstrating the server and is entirely
#### Services
- repos/sync (repos.archlinux.org)
- sources
- sources (sources.archlinux.org)
- archive (archive.archlinux.org)
### apollo
......
......@@ -12,7 +12,8 @@
- { role: opendkim, dkim_selector: orion, tags: ['mail'] }
- { role: postfix, tags: ['mail'] }
- { role: archusers, tags: ['archusers'] }
- { role: nginx, tags: ["nginx"] }
- { role: nginx, letsencrypt_validation_dir: "/var/lib/letsencrypt", tags: ["nginx"] }
- { role: dbscripts, repos_domain: "repos.archlinux.org", svntogit_repos: "/srv/svntogit/repos", tags: ['dbscripts', 'archusers'] }
- { role: sudo, tags: ['sudo', 'archusers'] }
- { role: archweb, archweb_home: "/srv/http/archweb", tags: ['archweb'] }
- { role: sources, sources_domain: "sources.archlinux.org", tags: ['sources'] }
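Review bot: `letsencrypt_validation_dir` is supplied here as a per-playbook parameter on the nginx role line, yet the nginx role's own `create directory to store validation stuff in` task and the `letsencrypt.conf` snippet template consume it unconditionally, so every other playbook that pulls in the nginx role must remember to set it or fail on an undefined variable. Giving the variable a role default (the role's `defaults/main.yml`, `letsencrypt_validation_dir: /var/lib/letsencrypt`) turns this line into an override rather than a requirement and keeps the path in one place alongside the README's manual `certbot certonly ... -w /var/lib/letsencrypt/` instruction. The quoted string value is otherwise fine.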
server {
listen 80 default_server;
listen [::];
listen 80;
listen [::]:80;
server_name {{ repos_domain }};
root /srv/ftp;
......@@ -10,6 +10,8 @@ server {
allow all;
}
include snippets/letsencrypt.conf;
# Server at velocitynet
allow 66.211.214.130; # dom0.archlinux.org.
allow 66.211.214.131; # gudrun.archlinux.org.
......
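Review bot: The `include snippets/letsencrypt.conf;` added after the closing `}` of the location block sits in a server that looks access-restricted — the `allow 66.211.214.130;` list on the following lines only makes sense if a `deny all;` follows outside the hunk — and nginx locations inherit server-level `allow`/`deny`, so the snippet's `/.well-known/acme-challenge` location would answer 403 to the CA's validation requests. If that reading is right, the snippet needs an explicit `allow all;` as the first line of its `location` block (a location-level rule replaces the inherited ones) so every includer gets a reachable challenge path. The enclosing `server {` block and any deny rule are outside the hunk, so please confirm against the full file.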
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart=/usr/bin/certbot renew --rsa-key-size 4096
ExecStartPost=/bin/systemctl reload nginx.service
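Review bot: `ExecStartPost=/bin/systemctl reload nginx.service` reloads nginx on every timer run even when `certbot renew` changed nothing, and a failed reload marks the renewal unit failed although the certificates are fine. certbot can do this itself only when something was actually renewed: `ExecStart=/usr/bin/certbot renew --rsa-key-size 4096 --deploy-hook "/bin/systemctl reload nginx.service"` (runs once per successfully renewed certificate; on a certbot too old for it, `--post-hook` runs only when a renewal was attempted) and drop the `ExecStartPost=` line. A one-line comment above `ExecStart=` noting that renewal runs as root through this unit and that nginx only needs a reload, not a restart, to pick up the new files under `/etc/letsencrypt/live` would help the next admin.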
[Unit]
Description=Daily renewal of Let's Encrypt's certificates
[Timer]
OnCalendar=daily
Persistent=true
[Install]
WantedBy=timers.target
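Review bot: `OnCalendar=daily` fires at exactly 00:00 on every host that installs this unit, which is also when most other cron-style renewals hit the CA; adding `RandomizedDelaySec=1h` under `[Timer]` spreads the start time. Because `certbot renew` only acts on certificates near expiry, it is also safe to schedule it more than once a day so that a transient failure is retried well before a certificate lapses. `Persistent=true` is right — a run missed during downtime is caught up at boot.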
---
- name: install nginx
pacman: name=nginx-mainline state=present
pacman: name=nginx-mainline,certbot state=present
- name: configure nginx
template: src=nginx.conf.j2 dest=/etc/nginx/nginx.conf owner=root group=root mode=644
notify:
- restart nginx
- name: snippets directory
file: state=directory path=/etc/nginx/snippets owner=root group=root mode=755
- name: copy snippets
template: src={{ item }} dest=/etc/nginx/snippets owner=root group=root mode=644
with_items:
- letsencrypt.conf
- sslsettings.conf
- name: create nginx.d directory
file: state=directory path=/etc/nginx/nginx.d owner=root group=root mode=755
......@@ -17,5 +26,22 @@
- name: create default nginx log directory
file: state=directory path=/var/log/nginx/default owner=http group=log mode=750
- name: create unique DH group
command: openssl dhparam -out /etc/ssl/dhparams.pem 2048 creates=/etc/ssl/dhparams.pem
- name: create directory to store validation stuff in
file: owner=root group=http mode=750 path={{ letsencrypt_validation_dir }} state=directory
- name: install letsencrypt renewal service
copy: src={{ item }} dest=/etc/systemd/system/{{ item }} owner=root group=root mode=644
with_items:
- certbot-renewal.service
- certbot-renewal.timer
notify:
- daemon reload
- name: activate letsencrypt renewal service
service: name=certbot-renewal.timer enabled=yes state=started
- name: enable nginx
service: name=nginx enabled=yes
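Review bot: The `daemon reload` handler notified by `install letsencrypt renewal service` only runs at the end of the play, but `activate letsencrypt renewal service` (`service: name=certbot-renewal.timer enabled=yes state=started`) runs before it; systemd generally loads a brand-new unit file on demand, but when an already-installed `certbot-renewal.service`/`.timer` is changed the running timer may keep the old definition until that reload, so edits are not reliably applied by the same run. Inserting `- meta: flush_handlers` between the two tasks (or using the `systemd` module's `daemon_reload` option, if the project's Ansible version has it) makes the reload happen before the timer is enabled. Separately, `create directory to store validation stuff in` deliberately uses `owner=root group=http mode=750` (certbot writes as root, nginx reads through the group); a comment stating that intent on the task would stop someone later "fixing" it to 755.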
location /.well-known/acme-challenge {
root {{ letsencrypt_validation_dir }};
default_type "text/plain";
try_files $uri =404;
}
ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_dhparam /etc/ssl/dhparams.pem;
ssl_session_timeout 5m;
ssl_session_cache shared:SSL:10m;
ssl_stapling on;
ssl_stapling_verify on;
add_header Strict-Transport-Security "max-age=31536000; includeSubdomains;";
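Review bot: `add_header Strict-Transport-Security` on the last line is not merged with `add_header` directives at `location` level — nginx uses only the innermost level that has any `add_header` — so a vhost that includes this snippet and then sets a header inside a location silently loses HSTS for those paths. Worth recording in the snippet itself: `# NOTE: add_header is replaced, not merged, by any location-level add_header; repeat HSTS there.` `ssl_stapling_verify on` depends on each includer supplying `ssl_trusted_certificate`, as the sources vhost does; a second comment line saying so would make the contract of the snippet explicit.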
---
- name: set up nginx
template: src=nginx.d.conf.j2 dest=/etc/nginx/nginx.d/sources.conf owner=root group=root mode=644
notify:
- restart nginx
- name: make nginx log dir
file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=http group=log mode=755
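Review bot: `make nginx log dir` creates `/var/log/nginx/{{ sources_domain }}` with `mode=755`, whereas the nginx role's `create default nginx log directory` task uses `mode=750` for `/var/log/nginx/default`; access logs carry client IPs and should not be world-readable, so this should read `file: path=/var/log/nginx/{{ sources_domain }} state=directory owner=http group=log mode=750`. Matching the existing task also keeps both directories consistent for whoever configures log rotation.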
server {
listen 80;
listen [::]:80;
server_name {{ sources_domain }};
access_log /var/log/nginx/{{ sources_domain }}/access.log;
error_log /var/log/nginx/{{ sources_domain }}/error.log;
include snippets/letsencrypt.conf;
location / {
rewrite ^(.*) https://$server_name$1 permanent;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ sources_domain }};
access_log /var/log/nginx/{{ sources_domain }}/access.log;
error_log /var/log/nginx/{{ sources_domain }}/error.log;
ssl_certificate /etc/letsencrypt/live/{{ sources_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ sources_domain }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ sources_domain }}/chain.pem;
include snippets/sslsettings.conf;
root /srv/ftp/sources;
autoindex on;
}
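Review bot: The second `server` block references `/etc/letsencrypt/live/{{ sources_domain }}/fullchain.pem` (plus key and chain) unconditionally, so on a host that has not yet gone through the manual `certbot certonly` step from the README, nginx rejects this whole file and the `restart nginx` handler fails — taking down the port-80 block whose `include snippets/letsencrypt.conf;` is exactly what that first `--webroot` issuance needs. One way out is to register whether the certificate exists in the sources tasks (a `stat` on the fullchain path, e.g. `register: sources_cert`) and wrap the 443 block in `{% if sources_cert.stat.exists %}` … `{% endif %}`, so the first playbook run produces a reachable HTTP vhost and a second run after issuance adds HTTPS. If my reading of the handler flow is right, the README's "run a playbook which includes the nginx role" step does not work for this host as written.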