From 1a925c6491fb4bfe98491474b0e3d88ce028f517 Mon Sep 17 00:00:00 2001 From: Beth Parker Date: Sat, 5 Oct 2024 23:55:52 -0500 Subject: [PATCH 1/5] updated nginx role --- files/nginx.conf | 76 +++++++++++++++++++++++++++++++++++++++ tasks/create_cert.yml | 33 +++++++++++++++++ tasks/main.yml | 28 ++++++++++++++- templates/server.conf | 38 ++++++++++++++++++++ templates/server.conf.bak | 38 ++++++++++++++++++++ vars/main.yml | 10 +++++- 6 files changed, 221 insertions(+), 2 deletions(-) create mode 100644 files/nginx.conf create mode 100644 tasks/create_cert.yml create mode 100644 templates/server.conf create mode 100644 templates/server.conf.bak diff --git a/files/nginx.conf b/files/nginx.conf new file mode 100644 index 0000000..d3e1d3b --- /dev/null +++ b/files/nginx.conf 
@@ -0,0 +1,76 @@ + +#user html; +worker_processes 1; + +#error_log logs/error.log; +#error_log logs/error.log notice; +#error_log logs/error.log info; + +#pid logs/nginx.pid; + + +events { + worker_connections 1024; +} + + +http { + server_names_hash_bucket_size 64; + include mime.types; + default_type application/octet-stream; + + #log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + # '$status $body_bytes_sent "$http_referer" ' + # '"$http_user_agent" "$http_x_forwarded_for"'; + + #access_log logs/access.log main; + + sendfile on; + #tcp_nopush on; + + #keepalive_timeout 0; + keepalive_timeout 65; + + #gzip on; + + include conf.d/*.conf; + + # another virtual host using mix of IP-, name-, and port-based configuration + # + #server { + # listen 8000; + # listen somename:8080; + # server_name somename alias another.alias; + + # location / { + # root html; + # index index.html index.htm; + # } + #} + + + # HTTPS server + # + #server { + # listen 443 ssl; + # server_name localhost; + + # ssl_certificate cert.pem; + # ssl_certificate_key cert.key; + + # ssl_session_cache shared:SSL:1m; + # ssl_session_timeout 5m; + + # ssl_ciphers HIGH:!aNULL:!MD5; + # ssl_prefer_server_ciphers on; + + # location / { + # root html; + # index index.html index.htm; + # } + #} +} + +stream { + include tcpconf.d/*.conf +} diff --git a/tasks/create_cert.yml b/tasks/create_cert.yml new file mode 100644 index 0000000..9e738ca --- /dev/null +++ b/tasks/create_cert.yml 
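Review bot: The new `http` block sets no `server_tokens off;` and no `ssl_protocols`, so every vhost pulled in by `include conf.d/*.conf;` advertises the nginx version and negotiates whatever TLS versions the installed build enables by default (older packages still include TLSv1.0/1.1). Adding `server_tokens off;` and `ssl_protocols TLSv1.2 TLSv1.3;` next to `include conf.d/*.conf;` gives every server block a baseline it inherits. The `include tcpconf.d/*.conf` line in the `stream` block also appears to lack its terminating semicolon, which `nginx -t` rejects; a later patch in this series removes the block, but until then this file cannot be loaded.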
@@ -0,0 +1,33 @@ +# create_cert.yml +--- +- name: Create certs directory if it doesn't exist + file: + path: /etc/nginx/certs/ + state: directory + +- name: Create certificate directory for domain if it doesn't exist + file: + path: /etc/nginx/certs/{{ item.domain }} + state: directory + +- name: check if privkey exists + ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/privkey.pem" ]' + register: result + ignore_errors: true + +- name: Create private key (RSA, 4096 bits) + community.crypto.openssl_privatekey: + path: /etc/nginx/certs/{{ item.domain }}/privkey.pem + when: result is failure + +- name: check if certificate exists + ansible.builtin.command: '[ -f "/etc/nginx/certs/{{ item.domain }}/fullchain.pem" ]' + register: result + ignore_errors: true + +- name: Create simple self-signed certificate + community.crypto.x509_certificate: + path: /etc/nginx/certs/{{ item.domain }}/fullchain.pem + privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem + provider: selfsigned + when: result is failure diff --git a/tasks/main.yml b/tasks/main.yml index 347f0f3..c47909e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -3,4 +3,30 @@ - name: install nginx ansible.builtin.package: name: nginx - state: present \ No newline at end of file + state: present + +- name: deploy nginx config + ansible.builtin.copy: + src: files/nginx.conf + dest: /etc/nginx/nginx.conf + +- name: ensure conf.d exists + ansible.builtin.file: + path: /etc/nginx/conf.d + state: directory + +- name: deploy service config(s) + ansible.builtin.template: + src: templates/server.conf + dest: /etc/nginx/conf.d/{{ item.domain }} + loop: "{{ domains }}" + +- name: check if /etc/nginx/certs exists and is a symlink + ansible.builtin.command: '[ -L "/etc/nginx/certs" ]' + register: result + ignore_errors: true + +- include_tasks: create_cert.yml + when: result is failed + loop: "{{ domains }}" + 
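Review bot: The self-signed certificate written to `/etc/nginx/certs/{{ item.domain }}/fullchain.pem` is generated without a CSR, so as I read `x509_certificate` with `provider: selfsigned` it carries no subject and no SAN for `item.domain`; nginx will serve it, but nothing ties it to the hostname and clients cannot match it. Generating a CSR first with `subject_alt_name: "DNS:{{ item.domain }}"` and passing `csr_path` to the certificate task fixes that. The private key task also does not pin ownership or mode — `openssl_privatekey` defaults to 0600 as far as I recall, but stating `owner: root`, `group: root`, `mode: '0600'` on the key and `mode: '0750'` on the per-domain directory makes the intent explicit. The `[ -f ... ]` command checks would be cleaner as `ansible.builtin.stat` tasks, which need no `ignore_errors` and do not report `changed` on every run.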
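Review bot: The `include_tasks: create_cert.yml ... when: result is failed` gate tests a variable that create_cert.yml itself overwrites — it registers its own `[ -f ... ]` checks as `result` — so once the first domain has been processed the symlink check from this file is gone and, if the `when` is re-evaluated per loop item as I believe it is, the next item is gated on whether the previous domain's certificate already existed. Registering the symlink check under a distinct name, e.g. `register: certs_link`, and gating on `certs_link is failed` removes the clash; patch 3 in this series reworks the section but keeps the same `result` name on both sides. The `ansible.builtin.copy` of `files/nginx.conf` onto `/etc/nginx/nginx.conf` also has no `validate: 'nginx -t -c %s'`, so a syntax error is written into place unchecked.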
diff --git a/templates/server.conf b/templates/server.conf new file mode 100644 index 0000000..1759994 --- /dev/null +++ b/templates/server.conf @@ -0,0 +1,38 @@ +server { + listen 443 ssl proxy_protocol; + server_name {{ item.domain }} ; + + resolver 172.16.40.20; + set $backend "http://localhost:{{ item.port }}"; + set $certbot "http://localhost"; + + ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem; + + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; + location / { + allow 192.168.0.0/16; + deny all; + + proxy_pass $backend; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } + + error_log /var/log/nginx/{{ item.domain }}_error.log; + access_log /var/log/nginx/{{ item.domain }}_access.log; +} + diff --git a/templates/server.conf.bak b/templates/server.conf.bak new file mode 100644 index 0000000..324325b --- /dev/null +++ b/templates/server.conf.bak 
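Review bot: `set $backend "http://localhost:{{ item.port }}"` together with `resolver 172.16.40.20;` means the backend host is looked up at request time through that DNS server rather than from `/etc/hosts`, because a variable in `proxy_pass` disables startup resolution and nginx's resolver speaks only DNS; where requests go now depends on what 172.16.40.20 answers for `localhost`, and the same applies to `$certbot`. Using `127.0.0.1` in both `set` lines removes the dependency on an external resolver for loopback traffic. The `allow 192.168.0.0/16` list is evaluated against `$remote_addr`, which with `listen 443 ssl proxy_protocol` is the TCP peer (the upstream proxy) rather than the client carried in the PROXY header unless `set_real_ip_from` and `real_ip_header proxy_protocol;` are configured; a later patch in this series drops `proxy_protocol`, which sidesteps that.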
@@ -0,0 +1,38 @@ +server { + listen 443 ssl proxy_protocol; + server_name {{ item.domain }} ; + + resolver 172.16.40.20; + set $backend "http://localhost:{{ item.port }}"; + set $certbot "http://localhost"; + + ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem; + + location /.well-known/acme-challenge/ { + proxy_pass $certbot; + proxy_set_header Host $host; + } + + ssl_session_cache shared:SSL:10m; + client_max_body_size 1024m; + location / { + allow 192.168.0.0/16; + deny all; + + proxy_pass $backend; + proxy_set_header Host $host; + proxy_set_header X-Forwarded-Proto https; + proxy_set_header X-Forwarded-Port 443; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $remote_addr; + proxy_set_header X-Forwarded-Ssl on; + + # re-write redirects to http as to https, example: /home + proxy_redirect http:// https://; + } + + error_log /var/log/nginx/{{ domain }}_error.log; + access_log /var/log/nginx/{{ domain }}_access.log; +} + diff --git a/vars/main.yml b/vars/main.yml index c7d8953..2cb1fe2 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,2 +1,10 @@ --- -# vars file for nginx-ssl +# vars file for nginx-ssl on privtorrents.actcur.com + +domains: + - domain: privtorrents.actcur.com + port: 8112 + - domain: test.actcur.com + port: 8113 + +# end of file From ec46090afb8e98f9763fd4575250ff2c17da1507 Mon Sep 17 00:00:00 2001 From: Beth Parker Date: Sat, 5 Oct 2024 23:56:18 -0500 Subject: [PATCH 2/5] updated nginx role --- templates/server.conf.bak | 38 -------------------------------------- 1 file changed, 38 deletions(-) delete mode 100644 templates/server.conf.bak diff --git a/templates/server.conf.bak b/templates/server.conf.bak deleted file mode 100644 index 324325b..0000000 --- a/templates/server.conf.bak +++ /dev/null 
@@ -1,38 +0,0 @@ -server { - listen 443 ssl proxy_protocol; - server_name {{ item.domain }} ; - - resolver 172.16.40.20; - set $backend "http://localhost:{{ item.port }}"; - set $certbot "http://localhost"; - - ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem; - ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem; - - location /.well-known/acme-challenge/ { - proxy_pass $certbot; - proxy_set_header Host $host; - } - - ssl_session_cache shared:SSL:10m; - client_max_body_size 1024m; - location / { - allow 192.168.0.0/16; - deny all; - - proxy_pass $backend; - proxy_set_header Host $host; - proxy_set_header X-Forwarded-Proto https; - proxy_set_header X-Forwarded-Port 443; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $remote_addr; - proxy_set_header X-Forwarded-Ssl on; - - # re-write redirects to http as to https, example: /home - proxy_redirect http:// https://; - } - - error_log /var/log/nginx/{{ domain }}_error.log; - access_log /var/log/nginx/{{ domain }}_access.log; -} - From 558eae2108d8a6ba6a2de9edde9d82270214aea1 Mon Sep 17 00:00:00 2001 From: Beth Parker Date: Sun, 6 Oct 2024 14:18:30 -0500 Subject: [PATCH 3/5] update --- files/nginx.conf | 4 ---- handlers/main.yml | 4 ++++ tasks/create_cert.yml | 7 ++----- tasks/main.yml | 40 ++++++++++++++++++++++++++++++++++++---- templates/server.conf | 10 ++++++---- vars/main.yml | 2 -- 6 files changed, 48 insertions(+), 19 deletions(-) diff --git a/files/nginx.conf b/files/nginx.conf index d3e1d3b..5106a13 100644 --- a/files/nginx.conf +++ b/files/nginx.conf @@ -70,7 +70,3 @@ http { # } #} } - -stream { - include tcpconf.d/*.conf -} diff --git a/handlers/main.yml b/handlers/main.yml index acb1b3e..c5bb9d5 100644 --- a/handlers/main.yml +++ b/handlers/main.yml @@ -1,2 +1,6 @@ --- # handlers file for nginx-ssl +- name: restart nginx + service: + name: nginx + state: restarted 
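Review bot: The new `restart nginx` handler uses `state: restarted`, which stops the service before the new configuration has been proven loadable, so a broken `nginx.conf` or vhost file from any task that notifies it leaves the site down until someone intervenes. `state: reloaded` asks nginx to re-read the config and keeps the running workers and their connections if the new config fails to parse; a full restart is only needed for changes a reload cannot apply. Consider `state: reloaded` here, paired with `validate:` on the tasks that write the files.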
diff --git a/tasks/create_cert.yml b/tasks/create_cert.yml index 9e738ca..eff8db9 100644 --- a/tasks/create_cert.yml +++ b/tasks/create_cert.yml @@ -1,10 +1,5 @@ # create_cert.yml --- -- name: Create certs directory if it doesn't exist - file: - path: /etc/nginx/certs/ - state: directory - - name: Create certificate directory for domain if it doesn't exist file: path: /etc/nginx/certs/{{ item.domain }} @@ -31,3 +26,5 @@ privatekey_path: /etc/nginx/certs/{{ item.domain }}/privkey.pem provider: selfsigned when: result is failure + notify: restart nginx + diff --git a/tasks/main.yml b/tasks/main.yml index c47909e..b94d37e 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -9,6 +9,7 @@ ansible.builtin.copy: src: files/nginx.conf dest: /etc/nginx/nginx.conf + notify: restart nginx - name: ensure conf.d exists ansible.builtin.file: 
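Review bot: Adding `notify: restart nginx` to the `copy` of `nginx.conf` makes an unvalidated config change immediately service-affecting: the file is written without a check and the handler then restarts nginx, which refuses to start on a syntax error. Add `validate: 'nginx -t -c %s'` to the copy task so the play fails before `/etc/nginx/nginx.conf` is replaced; the `template` task for `conf.d/` cannot use the same one-liner because a vhost fragment is not a complete config, so it needs a small wrapper config or a post-deploy `nginx -t` task before the handler runs. The `copy`/`template` tasks also set no `owner`/`mode`, so the deployed files take whatever the remote umask gives them.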
@@ -18,15 +19,46 @@ - name: deploy service config(s) ansible.builtin.template: src: templates/server.conf - dest: /etc/nginx/conf.d/{{ item.domain }} + dest: /etc/nginx/conf.d/{{ item.domain }}.conf loop: "{{ domains }}" + notify: restart nginx -- name: check if /etc/nginx/certs exists and is a symlink - ansible.builtin.command: '[ -L "/etc/nginx/certs" ]' +- name: check if letsencrypt is set up + ansible.builtin.command: '[ -d "/etc/letsencrypt/" ]' register: result ignore_errors: true +- name: check if letsencrypt is set up + ansible.builtin.command: '[ -d "/etc/nginx/certs/" ]' + register: result2 + ignore_errors: true + +- name: delete folder if exists + ansible.builtin.file: + state: absent + path: /etc/nginx/certs + when: (result is succeeded and result2 is succeeded) or (result is failed and result2 is failed) + +- name: create symlink + ansible.builtin.file: + src: /etc/letsencrypt/live + dest: /etc/nginx/certs + state: link + when: result is succeeded + notify: restart nginx + +- name: Create certs directory if it doesn't exist + file: + path: /etc/nginx/certs/ + state: directory + when: result is failed + - include_tasks: create_cert.yml when: result is failed loop: "{{ domains }}" - + +- name: ensure nginx is running + service: + name: nginx + state: started + enabled: yes diff --git a/templates/server.conf b/templates/server.conf index 1759994..2b36d9b 100644 --- a/templates/server.conf +++ b/templates/server.conf 
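Review bot: The letsencrypt branch is gated on `[ -d "/etc/letsencrypt/" ]` alone, so a host where certbot is installed but no certificate has been issued for an entry in `domains` still gets the symlink and a vhost whose `ssl_certificate` points at a missing `live/<domain>/fullchain.pem`; the notified restart then fails with nginx down. Gate on the per-domain files instead, e.g. a `stat` of `/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem` per loop item, and fall back to create_cert.yml only for the domains that lack one. The `delete folder if exists` task also removes `/etc/nginx/certs` recursively — including any self-signed private keys generated on an earlier run — the first time `/etc/letsencrypt` appears, which is destructive enough to warrant moving the directory aside rather than `state: absent`. The second check task reuses the name `check if letsencrypt is set up` although it tests `/etc/nginx/certs/`; renaming it avoids misleading play output.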
@@ -1,13 +1,13 @@ server { - listen 443 ssl proxy_protocol; + listen 443 ssl; server_name {{ item.domain }} ; resolver 172.16.40.20; set $backend "http://localhost:{{ item.port }}"; set $certbot "http://localhost"; - ssl_certificate /etc/nginx/certs/{{ item.domain }}.actcur.com/fullchain.pem; - ssl_certificate_key /etc/nginx/certs/{{ item.domain }}.actcur.com/privkey.pem; + ssl_certificate /etc/nginx/certs/{{ item.domain }}/fullchain.pem; + ssl_certificate_key /etc/nginx/certs/{{ item.domain }}/privkey.pem; location /.well-known/acme-challenge/ { proxy_pass $certbot; @@ -17,7 +17,9 @@ server { ssl_session_cache shared:SSL:10m; client_max_body_size 1024m; location / { - allow 192.168.0.0/16; + + deny 172.16.41.60 + allow 172.16.0.0/16; deny all; proxy_pass $backend; diff --git a/vars/main.yml b/vars/main.yml index 2cb1fe2..e4d3e1f 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -4,7 +4,5 @@ domains: - domain: privtorrents.actcur.com port: 8112 - - domain: test.actcur.com - port: 8113 # end of file From 0f54dd329c341e8900cbe43e906e82bd3b56b046 Mon Sep 17 00:00:00 2001 From: Beth Date: Mon, 7 Oct 2024 22:34:21 -0500 Subject: [PATCH 4/5] update --- templates/server.conf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/templates/server.conf b/templates/server.conf index 2b36d9b..92e9d4b 100644 --- a/templates/server.conf +++ b/templates/server.conf @@ -18,7 +18,7 @@ server { client_max_body_size 1024m; location / { - deny 172.16.41.60 + deny 172.16.41.60; allow 172.16.0.0/16; deny all; From 03e37b102a677d4d047dcc0d4ad29cbc0e2b26b4 Mon Sep 17 00:00:00 2001 From: Beth Date: Mon, 7 Oct 2024 22:41:00 -0500 Subject: [PATCH 5/5] use the force luke --- tasks/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/tasks/main.yml b/tasks/main.yml index b94d37e..c9206d7 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -44,6 +44,7 @@ src: /etc/letsencrypt/live dest: /etc/nginx/certs state: link + force: yes when: result is succeeded notify: restart nginx
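Review bot: Access to the proxied UI now rests entirely on `allow 172.16.0.0/16; deny all;` inside `location /`, but the server block still sets no `ssl_protocols` or `ssl_ciphers`, so TLS version and cipher policy fall back to the build's defaults (older nginx packages still enable TLSv1.0/1.1) and no HSTS header is sent. Add `ssl_protocols TLSv1.2 TLSv1.3;` and `ssl_prefer_server_ciphers off;` alongside `ssl_session_cache`, and `add_header Strict-Transport-Security "max-age=31536000" always;` if this hostname is only ever served over HTTPS. Note that `location /.well-known/acme-challenge/` sits outside the allow list, which is intended for HTTP-01 but does mean that path is reachable from any source address.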
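Review bot: `force: yes` on the `/etc/nginx/certs -> /etc/letsencrypt/live` link also lets Ansible create the link when `/etc/letsencrypt/live` does not yet exist, and the task's `when: result is succeeded` only checked that `/etc/letsencrypt/` is present, so a host with certbot installed but nothing issued ends up with a dangling symlink and vhosts that reference missing key files. Checking for `/etc/letsencrypt/live` (or the per-domain `fullchain.pem`) in the gating task is the safer fix; if `force` was added only to replace a leftover regular file, the preceding `state: absent` task already covers that case. The `create symlink` task begins outside this hunk.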