Add configuration fot lets encrypt
This commit is contained in:
parent
ccb512491a
commit
4655cbf3a4
3
Makefile
3
Makefile
@ -1,2 +1,5 @@
|
|||||||
configure:
|
configure:
|
||||||
ansible-playbook --inventory "ansible/hosts_prod" --user=av --ask-become-pass ansible/configuration.yml
|
ansible-playbook --inventory "ansible/hosts_prod" --user=av --ask-become-pass ansible/configuration.yml
|
||||||
|
|
||||||
|
install-roles:
|
||||||
|
ansible-galaxy install -r "ansible/requirements.yml"
|
||||||
|
|||||||
@ -29,9 +29,6 @@
|
|||||||
# nginx settings
|
# nginx settings
|
||||||
|
|
||||||
nginx_remove_default_vhost: true
|
nginx_remove_default_vhost: true
|
||||||
nginx_vhosts:
|
|
||||||
- server_name: notes.anwinged.ru
|
|
||||||
template: "{{ playbook_dir }}/templates/notes.vhost.j2"
|
|
||||||
|
|
||||||
# php settings
|
# php settings
|
||||||
|
|
||||||
@ -49,7 +46,7 @@
|
|||||||
php_webserver_daemon: nginx
|
php_webserver_daemon: nginx
|
||||||
php_enable_php_fpm: true
|
php_enable_php_fpm: true
|
||||||
php_date_timezone: "{{ timezone }}"
|
php_date_timezone: "{{ timezone }}"
|
||||||
php_fpm_listen: /run/php/php{{ php_version }}-fpm.sock
|
php_fpm_listen: /var/run/php{{ php_version }}-fpm.sock
|
||||||
|
|
||||||
# mysql settings
|
# mysql settings
|
||||||
|
|
||||||
@ -61,6 +58,11 @@
|
|||||||
password: "{{ apps.notes.dbpassword }}"
|
password: "{{ apps.notes.dbpassword }}"
|
||||||
priv: "{{ apps.notes.dbname }}.*:ALL"
|
priv: "{{ apps.notes.dbname }}.*:ALL"
|
||||||
|
|
||||||
|
letsencrypt_webroot_path: /var/www/letsencrypt
|
||||||
|
letsencrypt_email: anwinged@ya.ru
|
||||||
|
letsencrypt_cert_domains:
|
||||||
|
- notes.anwinged.ru
|
||||||
|
|
||||||
pre_tasks:
|
pre_tasks:
|
||||||
- name: Ensure that PHP PPA is added.
|
- name: Ensure that PHP PPA is added.
|
||||||
apt_repository: repo=ppa:ondrej/php state=present
|
apt_repository: repo=ppa:ondrej/php state=present
|
||||||
@ -99,13 +101,43 @@
|
|||||||
static_site_name: s2photo
|
static_site_name: s2photo
|
||||||
static_site_domain: s2photo.ru
|
static_site_domain: s2photo.ru
|
||||||
|
|
||||||
post_tasks:
|
tasks:
|
||||||
- name: Create system environment variables.
|
- name: Create system environment variables.
|
||||||
lineinfile:
|
lineinfile:
|
||||||
path: /etc/environment
|
dest: /etc/environment
|
||||||
regexp: '^{{ item.key }}='
|
regexp: '^{{ item.key }}='
|
||||||
line: '{{ item.key }}="{{ item.value }}"'
|
line: '{{ item.key }}="{{ item.value }}"'
|
||||||
with_dict: "{{ app_envs }}"
|
with_dict: "{{ app_envs }}"
|
||||||
|
|
||||||
|
- name: Generate dhparams.
|
||||||
|
shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
|
||||||
|
args:
|
||||||
|
creates: /etc/nginx/dhparams.pem
|
||||||
|
|
||||||
|
- name: Create letsencrypt directory.
|
||||||
|
file:
|
||||||
|
name: /var/www/letsencrypt
|
||||||
|
state: directory
|
||||||
|
|
||||||
|
- name: Copy notes acme server config.
|
||||||
|
template:
|
||||||
|
src: notes-acme.vhost.j2
|
||||||
|
dest: "/etc/nginx/sites-enabled/notes-acme.conf"
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
|
- name: Restart nginx.
|
||||||
|
service: name=nginx state=restarted
|
||||||
|
|
||||||
|
- name: Configure Lest Encrypt certificate.
|
||||||
|
include_role:
|
||||||
|
name: thefinn93.ansible-letsencrypt
|
||||||
|
|
||||||
|
- name: Copy notes server config.
|
||||||
|
template:
|
||||||
|
src: notes.vhost.j2
|
||||||
|
dest: "/etc/nginx/sites-enabled/notes.conf"
|
||||||
|
notify: restart nginx
|
||||||
|
|
||||||
- name: 'Create folder for {{ apps.notes.name }}.'
|
- name: 'Create folder for {{ apps.notes.name }}.'
|
||||||
file:
|
file:
|
||||||
path: "{{ apps.notes.www }}"
|
path: "{{ apps.notes.www }}"
|
||||||
|
|||||||
@ -13,3 +13,7 @@
|
|||||||
|
|
||||||
- src: geerlingguy.mysql
|
- src: geerlingguy.mysql
|
||||||
version: 2.8.0
|
version: 2.8.0
|
||||||
|
|
||||||
|
- name: thefinn93.ansible-letsencrypt
|
||||||
|
src: https://github.com/thefinn93/ansible-letsencrypt
|
||||||
|
version: origin/master
|
||||||
|
|||||||
15
ansible/templates/notes-acme.vhost.j2
Normal file
15
ansible/templates/notes-acme.vhost.j2
Normal file
@ -0,0 +1,15 @@
|
|||||||
|
server {
|
||||||
|
listen 80;
|
||||||
|
server_name notes.anwinged.ru;
|
||||||
|
|
||||||
|
# For Lets Encrypt verify
|
||||||
|
# include acme;
|
||||||
|
location /.well-known {
|
||||||
|
root /var/www/letsencrypt;
|
||||||
|
try_files $uri $uri/ =404;
|
||||||
|
}
|
||||||
|
|
||||||
|
location / {
|
||||||
|
rewrite ^ https://$host$request_uri? permanent;
|
||||||
|
}
|
||||||
|
}
|
||||||
@ -1,7 +1,23 @@
|
|||||||
server {
|
server {
|
||||||
|
listen 443 ssl http2 deferred;
|
||||||
server_name notes.anwinged.ru;
|
server_name notes.anwinged.ru;
|
||||||
|
|
||||||
|
ssl on;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/notes.anwinged.ru/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
|
||||||
|
|
||||||
|
ssl_session_cache shared:SSL:50m;
|
||||||
|
ssl_session_timeout 5m;
|
||||||
|
ssl_stapling on;
|
||||||
|
ssl_stapling_verify on;
|
||||||
|
|
||||||
|
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
|
||||||
|
ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
|
||||||
|
|
||||||
|
ssl_dhparam /etc/nginx/dhparams.pem;
|
||||||
|
ssl_prefer_server_ciphers on;
|
||||||
|
|
||||||
root /var/www/notes/current/web;
|
root /var/www/notes/current/web;
|
||||||
|
|
||||||
location / {
|
location / {
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user