www.afpy.org migré.
This commit is contained in:
parent
1d1346dbd1
commit
0faa1cf53f
12
afpy.org.yml
12
afpy.org.yml
|
@ -32,7 +32,7 @@
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
- name: Setup afpy.org
|
- name: Setup afpy.org
|
||||||
include_role: name=julienpalard.nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: afpy-org
|
nginx_owner: afpy-org
|
||||||
nginx_domain: afpy.org
|
nginx_domain: afpy.org
|
||||||
|
@ -143,7 +143,7 @@
|
||||||
become: true
|
become: true
|
||||||
become_user: afpy-org
|
become_user: afpy-org
|
||||||
pip:
|
pip:
|
||||||
name: /home/afpy-org/src/
|
requirements: /home/afpy-org/src/requirements.txt
|
||||||
virtualenv_command: /usr/bin/python3 -m venv
|
virtualenv_command: /usr/bin/python3 -m venv
|
||||||
virtualenv: "/home/afpy-org/venv/"
|
virtualenv: "/home/afpy-org/venv/"
|
||||||
|
|
||||||
|
@ -183,7 +183,7 @@
|
||||||
- service: name=afpy-org state=started enabled=yes
|
- service: name=afpy-org state=started enabled=yes
|
||||||
|
|
||||||
- name: Redirect planet.afpy.org
|
- name: Redirect planet.afpy.org
|
||||||
include_role: name=julienpalard.nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_domain: planet.afpy.org
|
nginx_domain: planet.afpy.org
|
||||||
nginx_certificates: [planet.afpy.org]
|
nginx_certificates: [planet.afpy.org]
|
||||||
|
@ -208,7 +208,7 @@
|
||||||
}
|
}
|
||||||
|
|
||||||
- name: Setup salt-fr.afpy.org
|
- name: Setup salt-fr.afpy.org
|
||||||
include_role: name=julienpalard.nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: salt-fr-afpy-org
|
nginx_owner: salt-fr-afpy-org
|
||||||
nginx_path: /var/www/salt-fr.afpy.org
|
nginx_path: /var/www/salt-fr.afpy.org
|
||||||
|
@ -217,7 +217,7 @@
|
||||||
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVrME7+AYhM4n6opE5gVJbWsZHLETucV2wV+kDvnLk3"
|
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHVrME7+AYhM4n6opE5gVJbWsZHLETucV2wV+kDvnLk3"
|
||||||
|
|
||||||
- name: Setup nantes.afpy.org
|
- name: Setup nantes.afpy.org
|
||||||
include_role: name=julienpalard.nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: nantes-afpy-org
|
nginx_owner: nantes-afpy-org
|
||||||
nginx_path: /var/www/nantes.afpy.org
|
nginx_path: /var/www/nantes.afpy.org
|
||||||
|
@ -226,7 +226,7 @@
|
||||||
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsky9ccA9SkMbFpaL9yEwLUW6y320kmwoCdGVCsWd3L"
|
nginx_public_deploy_key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGsky9ccA9SkMbFpaL9yEwLUW6y320kmwoCdGVCsWd3L"
|
||||||
|
|
||||||
- name: Setup lists.afpy.org redirection
|
- name: Setup lists.afpy.org redirection
|
||||||
include_role: name=julienpalard.nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_domain: lists.afpy.org
|
nginx_domain: lists.afpy.org
|
||||||
nginx_certificates: [lists.afpy.org]
|
nginx_certificates: [lists.afpy.org]
|
||||||
|
|
|
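Review bot: In the `@ -143` hunk the pip task now installs only `requirements: /home/afpy-org/src/requirements.txt`, whereas the previous `name: /home/afpy-org/src/` also installed the project itself into the virtualenv; if the `afpy-org` service started in the `@ -183` hunk depends on the package being importable or on its entry points, that installation step is now missing and should be added back or confirmed unnecessary. While switching to a requirements file, it is also worth pinning the listed versions and, if the file carries hashes, passing `extra_args: --require-hashes` so the deploy does not silently pull a different dependency on the next run. As a point of style, the `include_role: name=nginx` lines in the `@ -32`, `@ -183`, `@ -208`, `@ -217` and `@ -226` hunks keep the key=value shorthand; the block form `include_role:` / `  name: nginx` is the conventional Ansible YAML and matches the `vars:` block that follows each of them.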
@ -11,7 +11,7 @@
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: afpyro-afpy-org
|
nginx_owner: afpyro-afpy-org
|
||||||
nginx_name: afpyro.afpy.org
|
nginx_domain: afpyro.afpy.org
|
||||||
nginx_certificates: [afpyro.afpy.org]
|
nginx_certificates: [afpyro.afpy.org]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: www-data
|
nginx_owner: www-data
|
||||||
nginx_name: autoconfig.afpy.org
|
nginx_domain: autoconfig.afpy.org
|
||||||
nginx_certificates: [autoconfig.afpy.org, autoconfig.pycon.fr]
|
nginx_certificates: [autoconfig.afpy.org, autoconfig.pycon.fr]
|
||||||
nginx_path: /var/www/autoconfig.afpy.org
|
nginx_path: /var/www/autoconfig.afpy.org
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
|
|
2
dl.yml
2
dl.yml
|
@ -63,7 +63,7 @@
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: dl-afpy-org
|
nginx_owner: dl-afpy-org
|
||||||
nginx_name: dl.afpy.org
|
nginx_domain: dl.afpy.org
|
||||||
nginx_certificates: [dl.afpy.org, videos-2015.pycon.fr]
|
nginx_certificates: [dl.afpy.org, videos-2015.pycon.fr]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
|
12
pycon.fr.yml
12
pycon.fr.yml
|
@ -17,7 +17,7 @@
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: pyconfr
|
nginx_owner: pyconfr
|
||||||
nginx_name: pycon.fr
|
nginx_domain: pycon.fr
|
||||||
nginx_certificates: ['pycon.fr', 'www.pycon.fr']
|
nginx_certificates: ['pycon.fr', 'www.pycon.fr']
|
||||||
nginx_path: /var/www/pycon.fr/
|
nginx_path: /var/www/pycon.fr/
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
|
@ -59,7 +59,7 @@
|
||||||
- name: Setup PyConFr 2016
|
- name: Setup PyConFr 2016
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_name: 2016.pycon.fr
|
nginx_domain: 2016.pycon.fr
|
||||||
nginx_certificates: [2016.pycon.fr]
|
nginx_certificates: [2016.pycon.fr]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
@ -85,7 +85,7 @@
|
||||||
- name: Setup PyConFr 2012
|
- name: Setup PyConFr 2012
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_name: 2012.pycon.fr
|
nginx_domain: 2012.pycon.fr
|
||||||
nginx_certificates: [2012.pycon.fr]
|
nginx_certificates: [2012.pycon.fr]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
@ -110,7 +110,7 @@
|
||||||
- name: Setup PyConFr 2011
|
- name: Setup PyConFr 2011
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_name: 2011.pycon.fr
|
nginx_domain: 2011.pycon.fr
|
||||||
nginx_certificates: [2011.pycon.fr]
|
nginx_certificates: [2011.pycon.fr]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
@ -135,7 +135,7 @@
|
||||||
- name: Setup PyConFr 2010
|
- name: Setup PyConFr 2010
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_name: 2010.pycon.fr
|
nginx_domain: 2010.pycon.fr
|
||||||
nginx_certificates: [2010.pycon.fr]
|
nginx_certificates: [2010.pycon.fr]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
|
@ -161,7 +161,7 @@
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_owner: paullaroid
|
nginx_owner: paullaroid
|
||||||
nginx_name: paullaroid.pycon.fr
|
nginx_domain: paullaroid.pycon.fr
|
||||||
nginx_certificates: [paullaroid.pycon.fr]
|
nginx_certificates: [paullaroid.pycon.fr]
|
||||||
nginx_path: /var/www/paullaroid.pycon.fr/
|
nginx_path: /var/www/paullaroid.pycon.fr/
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
|
|
|
@ -10,7 +10,7 @@ The mandatory variables are:
|
||||||
- `admin_email`: For letsencrypt.
|
- `admin_email`: For letsencrypt.
|
||||||
- `gandi_api_key` ([see doc](https://github.com/obynio/certbot-plugin-gandi/)).
|
- `gandi_api_key` ([see doc](https://github.com/obynio/certbot-plugin-gandi/)).
|
||||||
- `nginx_certificates`: A list of domain to put in this certificate.
|
- `nginx_certificates`: A list of domain to put in this certificate.
|
||||||
- `nginx_name`: Used for file names and certificate name.
|
- `nginx_domain`: Used for file names, certificate name, and default server_name if no nginx_conf is given.
|
||||||
- `nginx_conf`: The nginx config.
|
- `nginx_conf`: The nginx config.
|
||||||
|
|
||||||
Optional variables are:
|
Optional variables are:
|
||||||
|
|
|
@ -4,3 +4,26 @@ ssl_protocols: "TLSv1.2 TLSv1.3"
|
||||||
ssl_prefer_server_ciphers: "off"
|
ssl_prefer_server_ciphers: "off"
|
||||||
ssl_session_cache: "shared:ssl_session_cache:10m"
|
ssl_session_cache: "shared:ssl_session_cache:10m"
|
||||||
HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
|
HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
|
||||||
|
nginx_conf: |
|
||||||
|
server
|
||||||
|
{
|
||||||
|
listen 80;
|
||||||
|
server_name {{ nginx_domain }};
|
||||||
|
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
|
||||||
|
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
|
||||||
|
|
||||||
|
return 301 https://$host$request_uri;
|
||||||
|
}
|
||||||
|
|
||||||
|
server
|
||||||
|
{
|
||||||
|
listen 443 ssl;
|
||||||
|
charset utf-8;
|
||||||
|
server_name {{ nginx_domain }};
|
||||||
|
access_log /var/log/nginx/{{ nginx_domain }}-access.log;
|
||||||
|
error_log /var/log/nginx/{{ nginx_domain }}-error.log;
|
||||||
|
include snippets/letsencrypt-{{ nginx_domain }}.conf;
|
||||||
|
|
||||||
|
root {{ nginx_path }};
|
||||||
|
index index.html;
|
||||||
|
}
|
||||||
|
|
|
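Review bot: The new default `nginx_conf` serves the `listen 443 ssl;` block without an HSTS header, even though `HSTS_header` is defined a few lines above in the same defaults file, so hosts that fall back to this default get the redirect on port 80 but no `Strict-Transport-Security` on the TLS side; adding `add_header {{ HSTS_header }};` after the `include snippets/letsencrypt-{{ nginx_domain }}.conf;` line would close that gap. When wiring it in, note that the `always` in `HSTS_header` sits inside the quoted header value rather than after it, so it would reach the client as an unknown directive instead of acting as nginx's `always` flag; `'Strict-Transport-Security "max-age=63072000" always'` looks like the intended form, worth confirming. The default also references `root {{ nginx_path }};`, which makes `nginx_path` effectively mandatory whenever a caller omits `nginx_conf`, while the README hunk in this commit still lists `nginx_conf` itself as mandatory and does not mention `nginx_path`; the README should say which of the two is required.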
@ -34,7 +34,7 @@
|
||||||
dest: /root/gandi.ini
|
dest: /root/gandi.ini
|
||||||
|
|
||||||
- name: Generate TLS certificates
|
- name: Generate TLS certificates
|
||||||
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_name | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
|
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
|
||||||
register: certbot
|
register: certbot
|
||||||
changed_when: '"no action taken." not in certbot.stdout'
|
changed_when: '"no action taken." not in certbot.stdout'
|
||||||
|
|
||||||
|
@ -63,7 +63,7 @@
|
||||||
- name: Create letsencrypt snippets
|
- name: Create letsencrypt snippets
|
||||||
template:
|
template:
|
||||||
src: letsencrypt.conf.j2
|
src: letsencrypt.conf.j2
|
||||||
dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_name }}.conf'
|
dest: '/etc/nginx/snippets/letsencrypt-{{ nginx_domain }}.conf'
|
||||||
|
|
||||||
- name: User
|
- name: User
|
||||||
user:
|
user:
|
||||||
|
@ -85,14 +85,14 @@
|
||||||
owner: "{{ nginx_owner }}"
|
owner: "{{ nginx_owner }}"
|
||||||
mode: 0644
|
mode: 0644
|
||||||
path: "~{{ nginx_owner }}/.ssh/authorized_keys"
|
path: "~{{ nginx_owner }}/.ssh/authorized_keys"
|
||||||
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_name }} -->"
|
marker: "<!-- {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_domain }} -->"
|
||||||
block: "{{ nginx_public_deploy_key }}"
|
block: "{{ nginx_public_deploy_key }}"
|
||||||
when: nginx_owner is defined and nginx_public_deploy_key is defined
|
when: nginx_owner is defined and nginx_public_deploy_key is defined
|
||||||
|
|
||||||
- name: Configure nginx
|
- name: Configure nginx
|
||||||
copy:
|
copy:
|
||||||
content: "{{ nginx_conf }}"
|
content: "{{ nginx_conf }}"
|
||||||
dest: "/etc/nginx/conf.d/{{ nginx_name }}.conf"
|
dest: "/etc/nginx/conf.d/{{ nginx_domain }}.conf"
|
||||||
notify: reload nginx
|
notify: reload nginx
|
||||||
|
|
||||||
- name: WWW directory
|
- name: WWW directory
|
||||||
|
|
|
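Review bot: In the `@ -85` hunk the blockinfile marker written into `~{{ nginx_owner }}/.ssh/authorized_keys` uses HTML-comment syntax, `<!-- {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_domain }} -->`, which is not a comment in that file; sshd appears to skip lines it cannot parse as keys, so this likely works by accident, but the documented comment form is `#`. Changing it to `marker: "# {mark} ANSIBLE MANAGED BLOCK: Deploy key for {{ nginx_domain }}"` keeps the block idempotent and readable to anyone inspecting the key file. Since `nginx_domain` now ends up in this marker, in `dest: "/etc/nginx/conf.d/{{ nginx_domain }}.conf"` and in the certbot `--cert-name`, a short comment on the role's variable noting that it must be a plain hostname (no path separators or spaces) would document the assumption these tasks make.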
@ -8,8 +8,8 @@ ssl_session_cache {{ ssl_session_cache }};
|
||||||
ssl_session_timeout 1d;
|
ssl_session_timeout 1d;
|
||||||
ssl_session_tickets off;
|
ssl_session_tickets off;
|
||||||
|
|
||||||
ssl_certificate /etc/letsencrypt/live/{{ nginx_name }}/fullchain.pem;
|
ssl_certificate /etc/letsencrypt/live/{{ nginx_domain }}/fullchain.pem;
|
||||||
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_name }}/privkey.pem;
|
ssl_certificate_key /etc/letsencrypt/live/{{ nginx_domain }}/privkey.pem;
|
||||||
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
ssl_dhparam /etc/ssl/certs/dhparam.pem;
|
||||||
|
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
|
|