nginx role: allow choosing the certbot authenticator.
This commit is contained in:
parent
2cf079c0f9
commit
429bb00525
39
ponyconf.yml
39
ponyconf.yml
|
@ -3,7 +3,8 @@
|
||||||
- hosts: ponyconfs
|
- hosts: ponyconfs
|
||||||
vars:
|
vars:
|
||||||
ponyconf_sites:
|
ponyconf_sites:
|
||||||
- 'cfp-2023.pycon.fr'
|
- domain: 'cfp-2023.pycon.fr'
|
||||||
|
authenticator: gandi
|
||||||
ponyconf_user: ponyconf
|
ponyconf_user: ponyconf
|
||||||
ponyconf_home: "/home/{{ ponyconf_user }}"
|
ponyconf_home: "/home/{{ ponyconf_user }}"
|
||||||
ponyconf_secret: !vault |
|
ponyconf_secret: !vault |
|
||||||
|
@ -28,11 +29,11 @@
|
||||||
home: "{{ ponyconf_home }}"
|
home: "{{ ponyconf_home }}"
|
||||||
system: true
|
system: true
|
||||||
|
|
||||||
- name: PonyConf nginx config
|
- name: PonyConf nginx redirection
|
||||||
include_role: name=nginx
|
include_role: name=nginx
|
||||||
vars:
|
vars:
|
||||||
nginx_domain: cfp.pycon.fr
|
nginx_domain: "cfp.pycon.fr"
|
||||||
nginx_certificates: "{{ ponyconf_sites + ['cfp.pycon.fr'] }}"
|
nginx_certificates: ["cfp.pycon.fr"]
|
||||||
nginx_conf: |
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
{
|
{
|
||||||
|
@ -53,23 +54,30 @@
|
||||||
return 301 https://cfp-2023.pycon.fr$request_uri;
|
return 301 https://cfp-2023.pycon.fr$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
{% for ponyconf_site in ponyconf_sites %}
|
- name: PonyConf nginx config
|
||||||
|
include_role: name=nginx
|
||||||
|
loop: "{{ ponyconf_sites }}"
|
||||||
|
vars:
|
||||||
|
certbot_authenticator: "{{ item.authenticator }}"
|
||||||
|
nginx_domain: "{{ item.domain }}"
|
||||||
|
nginx_certificates: ["{{ item.domain }}"]
|
||||||
|
nginx_conf: |
|
||||||
server
|
server
|
||||||
{
|
{
|
||||||
listen [::]:80; listen 80;
|
listen [::]:80; listen 80;
|
||||||
server_name {{ ponyconf_site }};
|
server_name {{ item.domain }};
|
||||||
access_log /var/log/nginx/{{ ponyconf_site }}-access.log;
|
access_log /var/log/nginx/{{ item.domain }}-access.log;
|
||||||
error_log /var/log/nginx/{{ ponyconf_site }}-error.log;
|
error_log /var/log/nginx/{{ item.domain }}-error.log;
|
||||||
return 301 https://{{ ponyconf_site }}$request_uri;
|
return 301 https://{{ item.domain }}$request_uri;
|
||||||
}
|
}
|
||||||
|
|
||||||
server
|
server
|
||||||
{
|
{
|
||||||
listen [::]:443 ssl; listen 443 ssl;
|
listen [::]:443 ssl; listen 443 ssl;
|
||||||
server_name {{ ponyconf_site }};
|
server_name {{ item.domain }};
|
||||||
access_log /var/log/nginx/{{ ponyconf_site }}-access.log;
|
access_log /var/log/nginx/{{ item.domain }}-access.log;
|
||||||
error_log /var/log/nginx/{{ ponyconf_site }}-error.log;
|
error_log /var/log/nginx/{{ item.domain }}-error.log;
|
||||||
include snippets/letsencrypt-cfp.pycon.fr.conf;
|
include snippets/letsencrypt-{{ item.domain }}.conf;
|
||||||
|
|
||||||
location /static/ {
|
location /static/ {
|
||||||
alias {{ ponyconf_home }}/static/;
|
alias {{ ponyconf_home }}/static/;
|
||||||
|
@ -81,7 +89,6 @@
|
||||||
proxy_set_header X-Forwarded-Protocol $scheme;
|
proxy_set_header X-Forwarded-Protocol $scheme;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
{% endfor %}
|
|
||||||
|
|
||||||
- name: Clone PonyConf
|
- name: Clone PonyConf
|
||||||
become: true
|
become: true
|
||||||
|
@ -117,7 +124,7 @@
|
||||||
from ponyconf.settings import *
|
from ponyconf.settings import *
|
||||||
|
|
||||||
SECRET_KEY = "{{ ponyconf_secret }}"
|
SECRET_KEY = "{{ ponyconf_secret }}"
|
||||||
ALLOWED_HOSTS = {{ ponyconf_sites | to_json }}
|
ALLOWED_HOSTS = {{ ponyconf_sites | map(attribute='domain') | to_json }}
|
||||||
|
|
||||||
DEBUG = False
|
DEBUG = False
|
||||||
LOGGING = {
|
LOGGING = {
|
||||||
|
@ -206,7 +213,7 @@
|
||||||
become_user: "{{ ponyconf_user }}"
|
become_user: "{{ ponyconf_user }}"
|
||||||
|
|
||||||
- name: Create sites
|
- name: Create sites
|
||||||
command: "{{ ponyconf_home }}/venv/bin/python manage.py addsite {{ item|quote }}"
|
command: "{{ ponyconf_home }}/venv/bin/python manage.py addsite {{ item.domain|quote }}"
|
||||||
loop: "{{ ponyconf_sites }}"
|
loop: "{{ ponyconf_sites }}"
|
||||||
register: create_site
|
register: create_site
|
||||||
changed_when: '"Created" in create_site.stdout'
|
changed_when: '"Created" in create_site.stdout'
|
||||||
|
|
|
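Review bot: `certbot_authenticator: "{{ item.authenticator }}"` in the looped include makes `authenticator` a mandatory key of every `ponyconf_sites` entry: a site that omits it fails with an undefined-variable error instead of falling back to the role default the commit adds in the nginx defaults file. Writing it as `certbot_authenticator: "{{ item.authenticator | default('gandi') }}"` keeps the per-site override while letting entries that only give `domain` use the default. Note also that the per-site loop issues one certificate per domain (`nginx_certificates: ["{{ item.domain }}"]`) where the old task requested a single SAN certificate for all sites plus `cfp.pycon.fr`; for entries using the `nginx` authenticator the HTTP server block for `item.domain` presumably has to be live before certbot runs, which depends on task ordering inside the role and is not visible in this hunk. The include task is complete within the hunk, but the `nginx_conf` block scalar it carries continues past the hunk boundary.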
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
ssl_ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384"
|
||||||
ssl_protocols: "TLSv1.2 TLSv1.3"
|
ssl_protocols: "TLSv1.2 TLSv1.3"
|
||||||
|
certbot_authenticator: gandi
|
||||||
ssl_prefer_server_ciphers: "off"
|
ssl_prefer_server_ciphers: "off"
|
||||||
ssl_session_cache: "shared:ssl_session_cache:10m"
|
ssl_session_cache: "shared:ssl_session_cache:10m"
|
||||||
HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
|
HSTS_header: 'Strict-Transport-Security "max-age=63072000; always"'
|
||||||
|
|
|
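Review bot: The new default `certbot_authenticator: gandi` carries no documentation, and the accepted values are only discoverable by reading the `when:` conditions in the role's tasks. A comment above it would save that trip, e.g. `# certbot plugin used to issue certificates: 'gandi' (dns-gandi, needs /root/gandi.ini) or 'nginx' (certbot --nginx); any other value issues no certificate`. Keeping `gandi` as the default preserves the behaviour of existing callers of the role.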
@ -32,11 +32,19 @@
|
||||||
dns_gandi_sharing_id = 146a3b9a-1b93-11ec-804f-00163ea99cff
|
dns_gandi_sharing_id = 146a3b9a-1b93-11ec-804f-00163ea99cff
|
||||||
mode: 0600
|
mode: 0600
|
||||||
dest: /root/gandi.ini
|
dest: /root/gandi.ini
|
||||||
|
when: certbot_authenticator == 'nginx'
|
||||||
|
|
||||||
- name: Generate TLS certificates
|
- name: Generate TLS certificates via Gandi
|
||||||
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
|
command: /root/certbot-venv/bin/certbot certonly --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }} --authenticator dns-gandi --dns-gandi-credentials /root/gandi.ini
|
||||||
register: certbot
|
register: certbot
|
||||||
changed_when: '"no action taken." not in certbot.stdout'
|
changed_when: '"no action taken." not in certbot.stdout'
|
||||||
|
when: certbot_authenticator == 'gandi'
|
||||||
|
|
||||||
|
- name: Generate TLS certificates via nginx
|
||||||
|
command: /root/certbot-venv/bin/certbot certonly --nginx --cert-name {{ nginx_domain | quote }} -n --agree-tos -d {{ nginx_certificates | join(",") | quote }} -m {{ admin_email | quote }}
|
||||||
|
register: certbot
|
||||||
|
changed_when: '"no action taken." not in certbot.stdout'
|
||||||
|
when: certbot_authenticator == 'nginx'
|
||||||
|
|
||||||
- name: Setup renewal cron
|
- name: Setup renewal cron
|
||||||
cron:
|
cron:
|
||||||
|
|
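Review bot: The condition added to the task that writes `/root/gandi.ini` reads `when: certbot_authenticator == 'nginx'`, which is inverted: the only consumer of that file is the `Generate TLS certificates via Gandi` task (`--dns-gandi-credentials /root/gandi.ini`, gated on `== 'gandi'`), so with the default `gandi` the credentials file is never deployed and certbot fails unless a copy already exists, while hosts using the `nginx` authenticator receive Gandi API credentials they have no use for. It should read `when: certbot_authenticator == 'gandi'`. The start of that task (its `name` and the module writing the file) is outside the hunk. Separately, a `certbot_authenticator` value other than `gandi` or `nginx` now skips both issuance tasks silently and the play only fails later when nginx loads a missing certificate; an `assert` on the variable at the top of the task list, `that: certbot_authenticator in ['gandi', 'nginx']`, would surface the misconfiguration up front.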