www.afpy.org migré.

This commit is contained in:
Julien Palard 2021-11-18 08:08:04 +01:00
parent 1d1346dbd1
commit 0faa1cf53f
Signed by: mdk
GPG Key ID: 0EFC1AC1006886F8
9 changed files with 45 additions and 22 deletions


@ -32,7 +32,7 @@
notify: reload nginx
- name: Setup afpy.org
include_role: name=julienpalard.nginx
include_role: name=nginx
vars:
nginx_owner: afpy-org
nginx_domain: afpy.org
@ -143,7 +143,7 @@
become: true
become_user: afpy-org
pip:
name: /home/afpy-org/src/
requirements: /home/afpy-org/src/requirements.txt
virtualenv_command: /usr/bin/python3 -m venv
virtualenv: "/home/afpy-org/venv/"
@ -183,7 +183,7 @@
- service: name=afpy-org state=started enabled=yes
- name: Redirect planet.afpy.org
include_role: name=julienpalard.nginx
include_role: name=nginx
vars:
nginx_domain: planet.afpy.org
nginx_certificates: [planet.afpy.org]
@ -208,7 +208,7 @@
}
- name: Setup salt-fr.afpy.org
include_role: name=julienpalard.nginx
include_role: name=nginx
vars:
nginx_owner: salt-fr-afpy-org
nginx_path: /var/www/salt-fr.afpy.org
@ -217,7 +217,7 @@
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVrME7+AYhM4n6opE5gVJbWsZHLETucV2wV+kDvnLk3"
- name: Setup nantes.afpy.org
include_role: name=julienpalard.nginx
include_role: name=nginx
vars:
nginx_owner: nantes-afpy-org
nginx_path: /var/www/nantes.afpy.org
@ -226,7 +226,7 @@
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsky9ccA9SkMbFpaL9yEwLUW6y320kmwoCdGVCsWd3L"
- name: Setup lists.afpy.org redirection
include_role: name=julienpalard.nginx
include_role: name=nginx
vars:
nginx_domain: lists.afpy.org
nginx_certificates: [lists.afpy.org]


@ -11,7 +11,7 @@
include_role: name=nginx
vars:
nginx_owner: afpyro-afpy-org
nginx_name: afpyro.afpy.org
nginx_domain: afpyro.afpy.org
nginx_certificates: [afpyro.afpy.org]
nginx_conf: |
server


@ -11,7 +11,7 @@
include_role: name=nginx
vars:
nginx_owner: www-data
nginx_name: autoconfig.afpy.org
nginx_domain: autoconfig.afpy.org
nginx_certificates: [autoconfig.afpy.org, autoconfig.pycon.fr]
nginx_path: /var/www/autoconfig.afpy.org
nginx_conf: |

dl.yml

@ -63,7 +63,7 @@
include_role: name=nginx
vars:
nginx_owner: dl-afpy-org
nginx_name: dl.afpy.org
nginx_domain: dl.afpy.org
nginx_certificates: [dl.afpy.org, videos-2015.pycon.fr]
nginx_conf: |
server


@ -17,7 +17,7 @@
include_role: name=nginx
vars:
nginx_owner: pyconfr
nginx_name: pycon.fr
nginx_domain: pycon.fr
nginx_certificates: ['pycon.fr', 'www.pycon.fr']
nginx_path: /var/www/pycon.fr/
nginx_conf: |
@ -59,7 +59,7 @@
- name: Setup PyConFr 2016
include_role: name=nginx
vars:
nginx_name: 2016.pycon.fr
nginx_domain: 2016.pycon.fr
nginx_certificates: [2016.pycon.fr]
nginx_conf: |
server
@ -85,7 +85,7 @@
- name: Setup PyConFr 2012
include_role: name=nginx
vars:
nginx_name: 2012.pycon.fr
nginx_domain: 2012.pycon.fr
nginx_certificates: [2012.pycon.fr]
nginx_conf: |
server
@ -110,7 +110,7 @@
- name: Setup PyConFr 2011
include_role: name=nginx
vars:
nginx_name: 2011.pycon.fr
nginx_domain: 2011.pycon.fr
nginx_certificates: [2011.pycon.fr]
nginx_conf: |
server
@ -135,7 +135,7 @@
- name: Setup PyConFr 2010
include_role: name=nginx
vars:
nginx_name: 2010.pycon.fr
nginx_domain: 2010.pycon.fr
nginx_certificates: [2010.pycon.fr]
nginx_conf: |
server
@ -161,7 +161,7 @@
include_role: name=nginx
vars:
nginx_owner: paullaroid
nginx_name: paullaroid.pycon.fr
nginx_domain: paullaroid.pycon.fr
nginx_certificates: [paullaroid.pycon.fr]
nginx_path: /var/www/paullaroid.pycon.fr/
nginx_conf: |


@ -10,7 +10,7 @@ The mandatory variables are:
- `admin_email`: For letsencrypt.
- `gandi_api_key` ([see doc](https://github.com/obynio/certbot-plugin-gandi/)).
- `nginx_certificates`: A list of domain to put in this certificate.
- `nginx_name`: Used for file names and certificate name.
- `nginx_domain`: Used for file names, certificate name, and default server_name if no nginx_conf is given.
- `nginx_conf`: The nginx config.
Optional variables are:


@ -4,3 +4,26 @@ ssl_protocols: "TLSv1.2 TLSv1.3"
ssl_prefer_server_ciphers: "off"
ssl_session_cache: "shared:ssl_session_cache:10m"
HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
nginx_conf: |
server
{
listen 80;
server_name {{ nginx_domain }};
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
return 301 https://$host$request_uri;
}
server
{
listen 443 ssl;
charset utf-8;
server_name {{ nginx_domain }};
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
include snippets/letsencrypt-{{ nginx_domain }}.conf;
root {{ nginx_path }};
index index.html;
}
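Review bot: The HTTP-to-HTTPS redirect in the new default `nginx_conf` builds its target from `$host`, so if this server block is ever the one nginx picks for a port-80 request whose Host header does not match (it becomes the implicit default when it sorts first in conf.d, and vhost matching is by Host), the reply is a 301 to an attacker-chosen host — an open redirect. Pinning the target to the configured name removes that: `return 301 https://{{ nginx_domain }}$request_uri;`. Separately, the 443 block never emits the `HSTS_header` defined a few lines above; unless the included `snippets/letsencrypt-{{ nginx_domain }}.conf` adds it (the template hunk in this commit shows only TLS parameters), sites that rely on this default serve no Strict-Transport-Security header, so an `add_header` line in the 443 block is worth adding. Note also that `root {{ nginx_path }}` makes `nginx_path` effectively mandatory whenever `nginx_conf` is left at its default, which the README's variable list does not yet say.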


@ -34,7 +34,7 @@
dest: /root/gandi.ini
- name: Generate TLS certificates
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_name | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
register: certbot
changed_when: '"no action taken." not in certbot.stdout'
@ -63,7 +63,7 @@
- name: Create letsencrypt snippets
template:
src: letsencrypt.conf.j2
dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_name }}.conf'
dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_domain }}.conf'
- name: User
user:
@ -85,14 +85,14 @@
owner: "{{ nginx_owner }}"
mode: 0644
path: "~{{ nginx_owner }}/.ssh/authorized_keys"
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_name }} -->"
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_domain }} -->"
block: "{{ nginx_public_deploy_key }}"
when: nginx_owner is defined and nginx_public_deploy_key is defined
- name: Configure nginx
copy:
content: "{{ nginx_conf }}"
dest: "/etc/nginx/conf.d/{{ nginx_name }}.conf"
dest: "/etc/nginx/conf.d/{{ nginx_domain }}.conf"
notify: reload nginx
- name: WWW directory


@ -8,8 +8,8 @@ ssl_session_cache {{ ssl_session_cache }};
ssl_session_timeout 1d;
ssl_session_tickets off;
ssl_certificate /etc/letsencrypt/live/{{ nginx_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_name }}/privkey.pem;
ssl_certificate /etc/letsencrypt/live/{{ nginx_domain }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain }}/privkey.pem;
ssl_dhparam /etc/ssl/certs/dhparam.pem;
ssl_stapling on;