diff --git a/host_vars/srv01 b/host_vars/srv01
new file mode 100644
index 0000000..57a217e
--- /dev/null
+++ b/host_vars/srv01
@@ -0,0 +1,2 @@
+nginx_resolver: 192.76.134.90 212.12.50.158
+updates_letsencrypt_local: true
diff --git a/host_vars/srv03 b/host_vars/srv03
index 44a1e5f..84f66b3 100644
--- a/host_vars/srv03
+++ b/host_vars/srv03
@@ -1,4 +1,6 @@
-letsencrypt_srv02: true
 nginx_resolver: 80.252.105.162 80.252.105.194
+updates_letsencrypt_srv02: true
+updates_owner: www-data
+updates_root: /var/www/updates
 updates_ssl_certificate: /etc/ssl/certsync/updates.hamburg.freifunk.net.crt
 updates_ssl_certificate_key: /etc/ssl/certsync/updates.hamburg.freifunk.net.key
diff --git a/host_vars/srv04 b/host_vars/srv04
index ce2b151..1d86390 100644
--- a/host_vars/srv04
+++ b/host_vars/srv04
@@ -1,3 +1,3 @@
+letsencrypt_webroot: /var/www/mail
 letsrenew_email: alexander@hamburg.freifunk.net
-letsrenew_webroot: /var/www/mail
 nginx_resolver: 80.252.105.162 80.252.105.194
diff --git a/roles/letsrenew/defaults/main.yml b/roles/letsrenew/defaults/main.yml
index 83a1b3e..6ed18d2 100644
--- a/roles/letsrenew/defaults/main.yml
+++ b/roles/letsrenew/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
+letsencrypt_webroot: /var/www/letsencrypt
 letsrenew_email: ""
-letsrenew_webroot: /var/www/letsencrypt
diff --git a/roles/letsrenew/tasks/main.yml b/roles/letsrenew/tasks/main.yml
index 746500f..1320edc 100644
--- a/roles/letsrenew/tasks/main.yml
+++ b/roles/letsrenew/tasks/main.yml
@@ -13,7 +13,7 @@
 
 - name: create webroot path
   file:
-    path: "{{ letsrenew_webroot }}"
+    path: "{{ letsencrypt_webroot }}"
     state: directory
 
 - name: create /etc/letsencrypt
diff --git a/roles/letsrenew/templates/cli.ini.j2 b/roles/letsrenew/templates/cli.ini.j2
index dff4752..64ca959 100644
--- a/roles/letsrenew/templates/cli.ini.j2
+++ b/roles/letsrenew/templates/cli.ini.j2
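Review bot: `updates_owner: www-data` in the srv03 hunk makes the nginx worker account the owner of `updates_root: /var/www/updates`, the directory whose contents are served to routers for package installation (per the comment in site.j2), so a misbehaving or compromised worker could alter what gets installed. The role default in this commit keeps a dedicated `ffupdates` owner; keeping that split on srv03 and giving www-data read-only access would preserve least privilege, e.g. `updates_owner: ffupdates` plus a readable mode on the directory. Whether srv03 has an existing writer that depends on www-data ownership is not visible here.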
@@ -24,4 +24,4 @@ email = backend@hamburg.freifunk.net
 # Uncomment to use the webroot authenticator. Replace webroot-path with the
 # path to the public_html / webroot folder being served by your web server.
 authenticator = webroot
-webroot-path = {{ letsrenew_webroot }}
+webroot-path = {{ letsencrypt_webroot }}
diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index fa9c519..3640390 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -1 +1,2 @@
+letsencrypt_webroot: /var/www/letsencrypt
 nginx_resolver: 127.0.0.1 [::1]
diff --git a/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf b/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
new file mode 100644
index 0000000..60dc5cf
--- /dev/null
+++ b/roles/nginx/files/etc/nginx/include/letsencrypt_srv01.conf
@@ -0,0 +1,5 @@
+location ^~ /.well-known/acme-challenge {
+    proxy_set_header Host $host;
+    proxy_set_header X-Forwarded-Proto $scheme;
+    proxy_pass http://srv01.hamburg.freifunk.net$request_uri;
+}
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 1c0a29e..baf15ab 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -22,6 +22,11 @@
   notify: restart nginx
   tags: nginx
 
+- name: template letsencrypt.conf
+  template:
+    src: letsencrypt.conf.j2
+    dest: /etc/nginx/include/letsencrypt.conf
+
 - name: template nginx.conf
   template:
     src: templates/nginx.conf.j2
diff --git a/roles/nginx/templates/letsencrypt.conf.j2 b/roles/nginx/templates/letsencrypt.conf.j2
new file mode 100644
index 0000000..29732db
--- /dev/null
+++ b/roles/nginx/templates/letsencrypt.conf.j2
@@ -0,0 +1,4 @@
+location ^~ /.well-known/acme-challenge {
+    root {{ letsencrypt_webroot }};
+    try_files $uri $uri/ =404;
+}
diff --git a/roles/website/updates/defaults/main.yml b/roles/website/updates/defaults/main.yml
index 718a0cf..323f020 100644
--- a/roles/website/updates/defaults/main.yml
+++ b/roles/website/updates/defaults/main.yml
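Review bot: `letsencrypt_webroot` is now declared with the same default in both `roles/nginx/defaults/main.yml` and `roles/letsrenew/defaults/main.yml` (the latter is also in this commit). certbot writes challenge files under the letsrenew value while nginx serves them from the nginx value, so if the two defaults ever diverge the breakage only shows up at the next renewal. A one-line comment in each file, e.g. `# must match letsencrypt_webroot in roles/letsrenew/defaults/main.yml`, or moving the shared value to group_vars, would make the coupling visible.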
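Review bot: The proxied challenge request drops the client's address: only `Host` and `X-Forwarded-Proto` are forwarded, so srv01's access log for this path will record this host rather than the ACME validator, which makes unexpected or failed challenge fetches harder to investigate. Adding `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;` and `proxy_set_header X-Real-IP $remote_addr;` keeps that information. The file also carries no comment explaining why this vhost forwards challenges to srv01 (presumably because certbot runs there, given srv01 sets `updates_letsencrypt_local: true`); a short header comment stating that would help the next reader.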
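Review bot: The new `template letsencrypt.conf` task has neither `notify: restart nginx` nor `tags: nginx`, unlike the sibling task whose trailing lines form the context at the top of the hunk, so a changed template is written to disk but nginx keeps serving the old configuration until something else restarts it. Adding `notify: restart nginx` and `tags: nginx` to the task matches the sibling. `src: letsencrypt.conf.j2` also differs from the sibling's `src: templates/nginx.conf.j2` form; both may resolve, but one style is easier to maintain. Separately, `letsencrypt_srv01.conf` is added under `files/` in this commit and no task copying it is visible here — if no existing task deploys the whole include directory, the `include` of it in site.j2 would fail at reload.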
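Review bot: `try_files $uri $uri/ =404;` in the new letsencrypt.conf.j2 keeps a directory fallback that ACME http-01 never needs, since validators fetch a single file under `/.well-known/acme-challenge/`. If `autoindex` is on in an enclosing context (the updates site includes a `listing.conf`, which suggests listing is enabled somewhere), a request for the challenge directory itself would list its contents; `try_files $uri =404;` limits the location to file fetches.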
@@ -1,5 +1,7 @@
 ---
-letsencrypt_srv02: false
 site: updates
-updates_ssl_certificate: /etc/letsencrypt/live/updates.hamburg.freifunk.net/fullchain.pem
-updates_ssl_certificate_key: /etc/letsencrypt/live/updates.hamburg.freifunk.net/privkey.pem
+updates_letsencrypt_local: false
+updates_letsencrypt_srv01: false
+updates_letsencrypt_srv02: false
+updates_owner: ffupdates
+updates_root: /home/ffupdates/updates
diff --git a/roles/website/updates/tasks/main.yml b/roles/website/updates/tasks/main.yml
index 798c645..5a0ed36 100644
--- a/roles/website/updates/tasks/main.yml
+++ b/roles/website/updates/tasks/main.yml
@@ -1,4 +1,15 @@
 ---
+- name: create ffupdates user
+  user:
+    name: ffupdates
+
+- name: create updates root
+  file:
+    path: "{{ updates_root }}"
+    owner: "{{ updates_owner }}"
+    group: "{{ updates_owner }}"
+    state: directory
+
 - name: template site
   template:
     src: templates/site.j2
diff --git a/roles/website/updates/templates/site.j2 b/roles/website/updates/templates/site.j2
index 84687ac..8bd549e 100644
--- a/roles/website/updates/templates/site.j2
+++ b/roles/website/updates/templates/site.j2
@@ -1,5 +1,6 @@
 include /etc/nginx/include/node_hierarchy.conf;
 
+{% if updates_ssl_certificate is defined %}
 server {
     listen 443 ssl;
     listen [::]:443 ssl;
@@ -9,7 +10,7 @@ server {
     ssl_certificate {{ updates_ssl_certificate }};
     ssl_certificate_key {{ updates_ssl_certificate_key }};
 
-    root /var/www/updates;
+    root {{ updates_root }};
 
     if ($ffhh-sued) {
         rewrite ^/(beta|experimental|stable)/(.*)$ /ffhh-sued/$1/$2;
@@ -27,6 +28,7 @@ server {
     }
 }
 
+{% endif %}
 # Kein HTTPS Redirect wg. Paketinstallation auf Routern
 server {
     listen 80;
@@ -34,7 +36,7 @@ server {
 
     server_name updates.hamburg.freifunk.net;
 
-    root /var/www/updates;
+    root {{ updates_root }};
 
     if ($ffhh-sued) {
         rewrite ^/(beta|experimental|stable)/(.*)$ /ffhh-sued/$1/$2;
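Review bot: `create ffupdates user` creates a regular account with the `user` module's defaults, so it receives whatever login shell and home-directory mode the host provides; since the account only owns served files, `system: yes` and `shell: /usr/sbin/nologin` would keep it from being a login target. The role default `updates_root` is `/home/ffupdates/updates` (defaults hunk earlier in this commit), so the nginx worker must be able to traverse `/home/ffupdates` — worth checking, as the `create updates root` task sets owner and group but no `mode`, and the home directory's mode is left to the distro default. The user is also created unconditionally, including on srv03 where `updates_owner` is overridden to `www-data`; a `when: updates_owner == 'ffupdates'` would avoid an unused account there.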
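Review bot: The new guard `{% if updates_ssl_certificate is defined %}` in site.j2 checks only the certificate, while the guarded server block (its body continues past this hunk, and the second hunk's context shows it rendering `{{ updates_ssl_certificate_key }}`) also needs the key, so a host that sets only the certificate fails at template time with an undefined-variable error rather than a clear message. `{% if updates_ssl_certificate is defined and updates_ssl_certificate_key is defined %}` covers both; alternatively an `assert` task in the role could require the two together.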
@@ -43,7 +45,15 @@ server {
     location / {
         include /etc/nginx/include/listing.conf;
     }
-{% if letsencrypt_srv02 %}
+{% if updates_letsencrypt_local %}
+
+    include /etc/nginx/include/letsencrypt.conf;
+{% endif %}
+{% if updates_letsencrypt_srv01 %}
+
+    include /etc/nginx/include/letsencrypt_srv01.conf;
+{% endif %}
+{% if updates_letsencrypt_srv02 %}
 
     include /etc/nginx/include/letsencrypt_srv02.conf;
 {% endif %}
@@ -53,9 +63,9 @@ server {
     listen 80;
     listen [::]:80;
 
-    server_name 1.updates.services.ffhh;
+    server_name *.updates.services.ffhh;
 
-    root /var/www/updates;
+    root {{ updates_root }};
 
     if ($ffhh-sued) {
         rewrite ^/(beta|experimental|stable)/(.*)$ /ffhh-sued/$1/$2;
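Review bot: `updates_letsencrypt_local`, `updates_letsencrypt_srv01` and `updates_letsencrypt_srv02` are tested as three independent `{% if %}` blocks, and each included file defines `location ^~ /.well-known/acme-challenge` (the first two are in this commit; the srv02 include is not shown and is assumed to have the same shape), so a host that sets two of the flags produces a duplicate location and nginx rejects the configuration at reload rather than at template time. Chaining them as `{% if updates_letsencrypt_local %}` / `{% elif updates_letsencrypt_srv01 %}` / `{% elif updates_letsencrypt_srv02 %}` with a single `{% endif %}` makes the three mutually exclusive and documents that intent in the template itself.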