diff --git a/files/nginx.conf b/files/nginx.conf
new file mode 100644
index 0000000..5106a13
--- /dev/null
+++ b/files/nginx.conf
@@ -0,0 +1,72 @@
+
+#user html;
+worker_processes 1;
+
+#error_log logs/error.log;
+#error_log logs/error.log notice;
+#error_log logs/error.log info;
+
+#pid logs/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ server_names_hash_bucket_size 64;
+ include mime.types;
+ default_type application/octet-stream;
+
+ #log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ # '$status $body_bytes_sent "$http_referer" '
+ # '"$http_user_agent" "$http_x_forwarded_for"';
+
+ #access_log logs/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ #keepalive_timeout 0;
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ include conf.d/*.conf;
+
+ # another virtual host using mix of IP-, name-, and port-based configuration
+ #
+ #server {
+ # listen 8000;
+ # listen somename:8080;
+ # server_name somename alias another.alias;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+
+
+ # HTTPS server
+ #
+ #server {
+ # listen 443 ssl;
+ # server_name localhost;
+
+ # ssl_certificate cert.pem;
+ # ssl_certificate_key cert.key;
+
+ # ssl_session_cache shared:SSL:1m;
+ # ssl_session_timeout 5m;
+
+ # ssl_ciphers HIGH:!aNULL:!MD5;
+ # ssl_prefer_server_ciphers on;
+
+ # location / {
+ # root html;
+ # index index.html index.htm;
+ # }
+ #}
+}
diff --git a/handlers/main.yml b/handlers/main.yml
index acb1b3e..c5bb9d5 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
 # handlers file for nginx-ssl
+- name: restart nginx
+ service:
+ name: nginx
+ state: restarted
diff --git a/tasks/create_cert.yml b/tasks/create_cert.yml
new file mode 100644
index 0000000..eff8db9
--- /dev/null
+++ b/tasks/create_cert.yml
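Review bot: The `http` block sets no TLS policy — no `ssl_protocols`, `ssl_ciphers` or `ssl_prefer_server_ciphers` appear outside the commented-out sample server — so every `listen 443 ssl` server pulled in through `include conf.d/*.conf;` runs with whatever the installed nginx build defaults to, which on older packages can still include legacy protocol versions. Setting the policy once at `http` level, e.g. `ssl_protocols TLSv1.2 TLSv1.3;` next to `include conf.d/*.conf;`, gives every virtual host the same floor and keeps it out of the per-site template. The rest of the file is the stock sample configuration; the large commented-out `server` examples could be dropped so the two real customisations (`server_names_hash_bucket_size 64;` and the `conf.d` include) are easy to spot in review.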
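Review bot: The new handler uses `state: restarted`, which drops in-flight connections every time a config file or certificate changes; nginx re-reads its configuration and certificates on a reload, so `state: reloaded` is the less disruptive choice for the config and certificate tasks that notify it, with a restart reserved for cases that genuinely need a new master process. The module is also referenced as the bare `service:` while the tasks in this commit use fully qualified names such as `ansible.builtin.package`; `ansible.builtin.service:` keeps the role consistent and avoids relying on the legacy short-name resolution.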
@@ -0,0 +1,30 @@
+# create_cert.yml
+---
+- name: Create certificate directory for domain if it doesn't exist
+ file:
+ path: /etc/nginx/certs/{{ item.domain }}
+ state: directory
+
+- name: check if privkey exists
+ ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/privkey.pem" ]'
+ register: result
+ ignore_errors: true
+
+- name: Create private key (RSA, 4096 bits)
+ community.crypto.openssl_privatekey:
+ path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+ when: result is failure
+
+- name: check if certificate exists
+ ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/fullchain.pem" ]'
+ register: result
+ ignore_errors: true
+
+- name: Create simple self-signed certificate
+ community.crypto.x509_certificate:
+ path: /etc/nginx/certs/{{ item.domain }}/fullchain.pem
+ privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem
+ provider: selfsigned
+ when: result is failure
+ notify: restart nginx
+
diff --git a/tasks/main.yml b/tasks/main.yml
index 347f0f3..c9206d7 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
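Review bot: Both `check if privkey exists` and `check if certificate exists` register `result`, the same name that `tasks/main.yml` registers for its letsencrypt check and then tests in `when: result is failed` on the looped `include_tasks` that pulls this file in; whether later loop items see the overwritten value depends on when Ansible evaluates that condition, so the shadowing is at best fragile and the registers here should get distinct names, e.g. `register: privkey_check` and `register: cert_check`. Probing with `ansible.builtin.command: '[ -f ... ]'` plus `ignore_errors: true` also prints a red failure on every run in which the file is missing and never reports as idempotent; `ansible.builtin.stat` with `when: not privkey_check.stat.exists` expresses the same check cleanly. The `community.crypto.openssl_privatekey` and `community.crypto.x509_certificate` tasks set no `mode` or `owner`, so the permissions on `privkey.pem` are whatever the module and umask produce on that host; pinning the key with `mode: "0600"` makes the intended protection explicit rather than inherited. The self-signed certificate is created without a CSR or subject information, so what names it ends up carrying is not visible from this file and should be checked against the module's behaviour before relying on it as a placeholder.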
@@ -3,4 +3,63 @@
 - name: install nginx
 ansible.builtin.package:
 name: nginx
- state: present
\ No newline at end of file
+ state: present
+
+- name: deploy nginx config
+ ansible.builtin.copy:
+ src: files/nginx.conf
+ dest: /etc/nginx/nginx.conf
+ notify: restart nginx
+
+- name: ensure conf.d exists
+ ansible.builtin.file:
+ path: /etc/nginx/conf.d
+ state: directory
+
+- name: deploy service config(s)
+ ansible.builtin.template:
+ src: templates/server.conf
+ dest: /etc/nginx/conf.d/{{ item.domain }}.conf
+ loop: "{{ domains }}"
+ notify: restart nginx
+
+- name: check if letsencrypt is set up
+ ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]'
+ register: result
+ ignore_errors: true
+
+- name: check if letsencrypt is set up
+ ansible.builtin.command: '[ -d "/etc/nginx/certs/" ]'
+ register: result2
+ ignore_errors: true
+
+- name: delete folder if exists
+ ansible.builtin.file:
+ state: absent
+ path: /etc/nginx/certs
+ when: (result is succeeded and result2 is succeeded) or (result is failed and result2 is failed)
+
+- name: create symlink
+ ansible.builtin.file:
+ src: /etc/letsencrypt/live
+ dest: /etc/nginx/certs
+ state: link
+ force: yes
+ when: result is succeeded
+ notify: restart nginx
+
+- name: Create certs directory if it doesn't exist
+ file:
+ path: /etc/nginx/certs/
+ state: directory
+ when: result is failed
+
+- include_tasks: create_cert.yml
+ when: result is failed
+ loop: "{{ domains }}"
+
+- name: ensure nginx is running
+ service:
+ name: nginx
+ state: started
+ enabled: yes
diff --git a/templates/server.conf b/templates/server.conf
new file mode 100644
index 0000000..92e9d4b
--- /dev/null
+++ b/templates/server.conf
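Review bot: `deploy nginx config` copies `nginx.conf` into `/etc/nginx/nginx.conf` and notifies a restart without validating it, so a syntax error is only discovered when the handler restarts nginx into a failed state at the end of the play; adding `validate: 'nginx -t -c %s'` to that `ansible.builtin.copy` task makes Ansible refuse to install a file nginx cannot parse. Two consecutive tasks carry the same name `check if letsencrypt is set up` although the second one probes `/etc/nginx/certs/` and registers `result2`; renaming it, e.g. `check if certs directory exists`, keeps the play output and the later `when:` expressions readable. The `delete folder if exists` task removes `/etc/nginx/certs` whenever both or neither of the two directories exist, which on a host that previously ran the self-signed path will delete the generated private keys before the symlink is created — presumably intended, but worth a comment on that task stating the migration it performs. Finally, `force: yes` and `enabled: yes` should be `true`, and the bare `file:` and `service:` modules on the last tasks should be `ansible.builtin.file:` / `ansible.builtin.service:` like the rest of the file.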
@@ -0,0 +1,40 @@
+server {
+ listen 443 ssl;
+ server_name {{ item.domain }} ;
+
+ resolver 172.16.40.20;
+ set $backend "http://localhost:{{ item.port }}";
+ set $certbot "http://localhost";
+
+ ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem;
+ ssl_certificate_key /etc/nginx/certs/{{ item.domain }}/privkey.pem;
+
+ location /.well-known/acme-challenge/ {
+ proxy_pass $certbot;
+ proxy_set_header Host $host;
+ }
+
+ ssl_session_cache shared:SSL:10m;
+ client_max_body_size 1024m;
+ location / {
+
+ deny 172.16.41.60;
+ allow 172.16.0.0/16;
+ deny all;
+
+ proxy_pass $backend;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-Proto https;
+ proxy_set_header X-Forwarded-Port 443;
+ proxy_set_header X-Real-IP $remote_addr;
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header X-Forwarded-Ssl on;
+
+ # re-write redirects to http as to https, example: /home
+ proxy_redirect http:// https://;
+ }
+
+ error_log /var/log/nginx/{{ item.domain }}_error.log;
+ access_log /var/log/nginx/{{ item.domain }}_access.log;
+}
+
diff --git a/vars/main.yml b/vars/main.yml
index c7d8953..e4d3e1f 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,2 +1,8 @@
 ---
-# vars file for nginx-ssl
+# vars file for nginx-ssl on privtorrents.actcur.com
+
+domains:
+ - domain: privtorrents.actcur.com
+ port: 8112
+
+# end of file
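Review bot: The template hard-codes site-specific network addresses — `resolver 172.16.40.20;` and the `deny 172.16.41.60; allow 172.16.0.0/16; deny all;` ACL inside `location /` — so every host that applies this role gets the same resolver and the same trusted network, and the access policy is buried in a template rather than stated where the role is used; these belong in role variables (e.g. a `nginx_resolver` value and a list rendered into the allow/deny lines) so they are reviewable per deployment. The server block sets no `ssl_protocols` or `ssl_ciphers`, so unless they are set at `http` level in `nginx.conf` the TLS floor is whatever the nginx build defaults to. `server_name {{ item.domain }} ;` carries a stray space before the semicolon, and the `/.well-known/acme-challenge/` location is only reachable over 443 in this file since nothing here listens on port 80 — presumably another server block serves the HTTP-01 challenge, but that should be confirmed before relying on this proxy for renewals. The per-site `proxy_set_header X-Forwarded-For $remote_addr;` deliberately replaces rather than appends any client-supplied chain, which is the safer choice for an ACL-protected backend and deserves a one-line comment saying so.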
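Review bot: `vars/main.yml` now carries a site-specific entry (`privtorrents.actcur.com`, port `8112`), but role `vars/` has higher precedence than inventory, host and group variables, so consumers of this role cannot override `domains` without `-e` and the hostname travels with the role itself; moving the entry to `defaults/main.yml`, or leaving `domains` undefined in the role and setting it from the playbook or inventory, keeps the role reusable and keeps deployment data out of it. The `# end of file` comment adds nothing and can be dropped.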