diff --git a/afpy.org.yml b/afpy.org.yml
index e428f45..c05886b 100644
--- a/afpy.org.yml
+++ b/afpy.org.yml
@@ -32,7 +32,7 @@ notify: reload nginx - name: Setup afpy.org - include_role: name=julienpalard.nginx + include_role: name=nginx vars: nginx_owner: afpy-org nginx_domain: afpy.org
@@ -143,7 +143,7 @@ become: true become_user: afpy-org pip: - name: /home/afpy-org/src/ + requirements: /home/afpy-org/src/requirements.txt virtualenv_command: /usr/bin/python3 -m venv virtualenv: "/home/afpy-org/venv/"
@@ -183,7 +183,7 @@ - service: name=afpy-org state=started enabled=yes - name: Redirect planet.afpy.org - include_role: name=julienpalard.nginx + include_role: name=nginx vars: nginx_domain: planet.afpy.org nginx_certificates: [planet.afpy.org]
@@ -208,7 +208,7 @@ } - name: Setup salt-fr.afpy.org - include_role: name=julienpalard.nginx + include_role: name=nginx vars: nginx_owner: salt-fr-afpy-org nginx_path: /var/www/salt-fr.afpy.org
@@ -217,7 +217,7 @@ nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVrME7+AYhM4n6opE5gVJbWsZHLETucV2wV+kDvnLk3" - name: Setup nantes.afpy.org - include_role: name=julienpalard.nginx + include_role: name=nginx vars: nginx_owner: nantes-afpy-org nginx_path: /var/www/nantes.afpy.org
@@ -226,7 +226,7 @@ nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsky9ccA9SkMbFpaL9yEwLUW6y320kmwoCdGVCsWd3L" - name: Setup lists.afpy.org redirection - include_role: name=julienpalard.nginx + include_role: name=nginx vars: nginx_domain: lists.afpy.org nginx_certificates: [lists.afpy.org]
diff --git a/afpyro.afpy.org.yml b/afpyro.afpy.org.yml
index db0fd63..f59d70e 100644
--- a/afpyro.afpy.org.yml
+++ b/afpyro.afpy.org.yml
@@ -11,7 +11,7 @@ include_role: name=nginx vars: nginx_owner: afpyro-afpy-org - nginx_name: afpyro.afpy.org + nginx_domain: afpyro.afpy.org nginx_certificates: [afpyro.afpy.org] nginx_conf: | server
diff --git a/autoconfig.yml b/autoconfig.yml
index 571f844..326cabb 100644
--- a/autoconfig.yml
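Review bot: The pip task in the `@@ -143,7` hunk now installs `/home/afpy-org/src/requirements.txt` and no longer installs the checkout at `/home/afpy-org/src/` itself, so anything that relied on the project being installed into the venv (console-script entry points, imports resolved from site-packages rather than the source tree) would stop working; presumably the service runs from the source directory, but that is not visible in this hunk. With the venv now fed from a requirements file, the supply-chain posture depends on that file: if it pins versions with hashes, `extra_args: --require-hashes` on the pip task makes pip refuse anything unpinned; if it does not, consider pinning it, since each deploy otherwise resolves to whatever release is current.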
+++ b/autoconfig.yml
@@ -11,7 +11,7 @@ include_role: name=nginx vars: nginx_owner: www-data - nginx_name: autoconfig.afpy.org + nginx_domain: autoconfig.afpy.org nginx_certificates: [autoconfig.afpy.org, autoconfig.pycon.fr] nginx_path: /var/www/autoconfig.afpy.org nginx_conf: |
diff --git a/dl.yml b/dl.yml
index b65cf0e..5ba2c9d 100644
--- a/dl.yml
+++ b/dl.yml
@@ -63,7 +63,7 @@ include_role: name=nginx vars: nginx_owner: dl-afpy-org - nginx_name: dl.afpy.org + nginx_domain: dl.afpy.org nginx_certificates: [dl.afpy.org, videos-2015.pycon.fr] nginx_conf: | server
diff --git a/pycon.fr.yml b/pycon.fr.yml
index d9ff21b..d505601 100644
--- a/pycon.fr.yml
+++ b/pycon.fr.yml
@@ -17,7 +17,7 @@ include_role: name=nginx vars: nginx_owner: pyconfr - nginx_name: pycon.fr + nginx_domain: pycon.fr nginx_certificates: ['pycon.fr', 'www.pycon.fr'] nginx_path: /var/www/pycon.fr/ nginx_conf: |
@@ -59,7 +59,7 @@ - name: Setup PyConFr 2016 include_role: name=nginx vars: - nginx_name: 2016.pycon.fr + nginx_domain: 2016.pycon.fr nginx_certificates: [2016.pycon.fr] nginx_conf: | server
@@ -85,7 +85,7 @@ - name: Setup PyConFr 2012 include_role: name=nginx vars: - nginx_name: 2012.pycon.fr + nginx_domain: 2012.pycon.fr nginx_certificates: [2012.pycon.fr] nginx_conf: | server
@@ -110,7 +110,7 @@ - name: Setup PyConFr 2011 include_role: name=nginx vars: - nginx_name: 2011.pycon.fr + nginx_domain: 2011.pycon.fr nginx_certificates: [2011.pycon.fr] nginx_conf: | server
@@ -135,7 +135,7 @@ - name: Setup PyConFr 2010 include_role: name=nginx vars: - nginx_name: 2010.pycon.fr + nginx_domain: 2010.pycon.fr nginx_certificates: [2010.pycon.fr] nginx_conf: | server
@@ -161,7 +161,7 @@ include_role: name=nginx vars: nginx_owner: paullaroid - nginx_name: paullaroid.pycon.fr + nginx_domain: paullaroid.pycon.fr nginx_certificates: [paullaroid.pycon.fr] nginx_path: /var/www/paullaroid.pycon.fr/ nginx_conf: |
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
index eda8c53..a1f60c4 100644
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@@ -10,7 +10,7 @@ The mandatory variables are:
 - `admin_email`: For letsencrypt.
 - `gandi_api_key` ([see doc](https://github.com/obynio/certbot-plugin-gandi/)).
 - `nginx_certificates`: A list of domain to put in this certificate.
-- `nginx_name`: Used for file names and certificate name.
+- `nginx_domain`: Used for file names, certificate name, and default server_name if no nginx_conf is given.
 - `nginx_conf`: The nginx config.
 
 Optional variables are:
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 56a3902..33c77e2 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -4,3 +4,26 @@ ssl_protocols: "TLSv1.2 TLSv1.3"
 ssl_prefer_server_ciphers: "off"
 ssl_session_cache: "shared:ssl_session_cache:10m"
 HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
+nginx_conf: |
+ server
+ {
+ listen 80;
+ server_name {{ nginx_domain }};
+ access_log /var/log/nginx/{{ nginx_domain }}-access.log;
+ error_log /var/log/nginx/{{ nginx_domain }}-error.log;
+
+ return 301 https://$host$request_uri;
+ }
+
+ server
+ {
+ listen 443 ssl;
+ charset utf-8;
+ server_name {{ nginx_domain }};
+ access_log /var/log/nginx/{{ nginx_domain }}-access.log;
+ error_log /var/log/nginx/{{ nginx_domain }}-error.log;
+ include snippets/letsencrypt-{{ nginx_domain }}.conf;
+
+ root {{ nginx_path }};
+ index index.html;
+ }
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 1c066c2..ad44a38 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
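Review bot: In the new default `nginx_conf` the HTTP→HTTPS redirect is built from the client-supplied Host header (`return 301 https://$host$request_uri;`), so a request carrying a foreign Host is bounced to that host; since `server_name` is already pinned to `{{ nginx_domain }}`, pin the redirect too: `return 301 https://{{ nginx_domain }}$request_uri;`. The 443 block also sets `root {{ nginx_path }}`, and `nginx_path` has no default in this file, so a play that relies on the default conf without defining it fails at templating time — either give it a default or document it as required next to `nginx_domain` (the README hunk above still lists `nginx_conf` as mandatory, which this default makes untrue). `HSTS_header` is defined three lines above the new block but never emitted by it; if the letsencrypt snippet does not add the header, the 443 block needs `add_header {{ HSTS_header }};`. Finally, `server_name {{ nginx_domain }}` covers only the primary name, while callers such as dl.yml list extra names in `nginx_certificates` that this default will not answer for.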
@@ -34,7 +34,7 @@ dest: /root/gandi.ini - name: Generate TLS certificates - command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_name | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini + command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini register: certbot changed_when: '"no action taken." not in certbot.stdout'
@@ -63,7 +63,7 @@ - name: Create letsencrypt snippets template: src: letsencrypt.conf.j2 - dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_name }}.conf' + dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_domain }}.conf' - name: User user:
@@ -85,14 +85,14 @@ owner: "{{ nginx_owner }}" mode: 0644 path: "~{{ nginx_owner }}/.ssh/authorized_keys" - marker: "" + marker: "" block: "{{ nginx_public_deploy_key }}" when: nginx_owner is defined and nginx_public_deploy_key is defined - name: Configure nginx copy: content: "{{ nginx_conf }}" - dest: "/etc/nginx/conf.d/{{ nginx_name }}.conf" + dest: "/etc/nginx/conf.d/{{ nginx_domain }}.conf" notify: reload nginx - name: WWW directory
diff --git a/roles/nginx/templates/letsencrypt.conf.j2 b/roles/nginx/templates/letsencrypt.conf.j2
index 860cbec..e93435f 100644
--- a/roles/nginx/templates/letsencrypt.conf.j2
+++ b/roles/nginx/templates/letsencrypt.conf.j2
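Review bot: `marker: ""` on the new side of the `authorized_keys` blockinfile task (third hunk, `@@ -85,14`) contains no `{mark}` placeholder, so blockinfile has no begin/end lines to recognise on later runs and, as the module documentation warns for markers without `{mark}`, may insert the block again on every run — the deploy key then accumulates in the file; the removed and added line look identical here, so this is probably a whitespace-only change and pre-existing, but it is worth fixing while the task is touched. A marker that names the block keeps the task idempotent, e.g. `marker: "# {mark} ANSIBLE MANAGED BLOCK: nginx deploy key"`, or the `authorized_key` module can manage the key directly and is idempotent per key. The enclosing task list continues outside the hunk on both sides.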
@@ -8,8 +8,8 @@ ssl_session_cache {{ ssl_session_cache }}; ssl_session_timeout 1d; ssl_session_tickets off; -ssl_certificate /etc/letsencrypt/live/{{ nginx_name }}/fullchain.pem; -ssl_certificate_key /etc/letsencrypt/live/{{ nginx_name }}/privkey.pem; +ssl_certificate /etc/letsencrypt/live/{{ nginx_domain }}/fullchain.pem; +ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain }}/privkey.pem; ssl_dhparam /etc/ssl/certs/dhparam.pem; ssl_stapling on;