Add configuration fot lets encrypt

2017-08-27 11:31:02 +03:00 · 2017-08-27 11:31:02 +03:00 · 4655cbf3a4
commit 4655cbf3a4
parent ccb512491a
5 changed files with 77 additions and 7 deletions
--- a/3
+++ b/3
@ -1,2 +1,5 @@
 configure:
 	ansible-playbook --inventory "ansible/hosts_prod" --user=av --ask-become-pass ansible/configuration.yml
+
+install-roles:
+	ansible-galaxy install -r "ansible/requirements.yml"
--- a/ansible/configuration.yml
+++ b/ansible/configuration.yml
@ -29,9 +29,6 @@
    # nginx settings

    nginx_remove_default_vhost: true
-    nginx_vhosts:
-      - server_name: notes.anwinged.ru
-        template: "{{ playbook_dir }}/templates/notes.vhost.j2"

    # php settings

@ -49,7 +46,7 @@
    php_webserver_daemon: nginx
    php_enable_php_fpm: true
    php_date_timezone: "{{ timezone }}"
-    php_fpm_listen: /run/php/php{{ php_version }}-fpm.sock
+    php_fpm_listen: /var/run/php{{ php_version }}-fpm.sock

    # mysql settings

@ -61,6 +58,11 @@
        password: "{{ apps.notes.dbpassword }}"
        priv: "{{ apps.notes.dbname }}.*:ALL"

+    letsencrypt_webroot_path: /var/www/letsencrypt
+    letsencrypt_email: anwinged@ya.ru
+    letsencrypt_cert_domains:
+      - notes.anwinged.ru
+
  pre_tasks:
    - name: Ensure that PHP PPA is added.
      apt_repository: repo=ppa:ondrej/php state=present
@ -99,13 +101,43 @@
      static_site_name: s2photo
      static_site_domain: s2photo.ru

-  post_tasks:
+  tasks:
    - name: Create system environment variables.
      lineinfile:
-        path: /etc/environment
+        dest: /etc/environment
        regexp: '^{{ item.key }}='
        line: '{{ item.key }}="{{ item.value }}"'
      with_dict: "{{ app_envs }}"
+
+    - name: Generate dhparams.
+      shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+      args:
+        creates: /etc/nginx/dhparams.pem
+
+    - name: Create letsencrypt directory.
+      file:
+        name: /var/www/letsencrypt
+        state: directory
+
+    - name: Copy notes acme server config.
+      template:
+        src: notes-acme.vhost.j2
+        dest: "/etc/nginx/sites-enabled/notes-acme.conf"
+      notify: restart nginx
+
+    - name: Restart nginx.
+      service: name=nginx state=restarted
+
+    - name: Configure Lest Encrypt certificate.
+      include_role:
+        name: thefinn93.ansible-letsencrypt
+
+    - name: Copy notes server config.
+      template:
+        src: notes.vhost.j2
+        dest: "/etc/nginx/sites-enabled/notes.conf"
+      notify: restart nginx
+
    - name: 'Create folder for {{ apps.notes.name }}.'
      file:
        path: "{{ apps.notes.www }}"
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -13,3 +13,7 @@

 - src: geerlingguy.mysql
  version: 2.8.0
+
+- name: thefinn93.ansible-letsencrypt
+  src: https://github.com/thefinn93/ansible-letsencrypt
+  version: origin/master
--- a/ansible/templates/notes-acme.vhost.j2
+++ b/ansible/templates/notes-acme.vhost.j2
@ -0,0 +1,15 @@
+server {
+    listen 80;
+    server_name notes.anwinged.ru;
+
+    # For Lets Encrypt verify
+    # include acme;
+    location /.well-known {
+        root /var/www/letsencrypt;
+        try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://$host$request_uri? permanent;
+    }
+}
--- a/ansible/templates/notes.vhost.j2
+++ b/ansible/templates/notes.vhost.j2
@ -1,7 +1,23 @@
 server {
-
+    listen 443 ssl http2 deferred;
    server_name notes.anwinged.ru;

+    ssl on;
+    ssl_certificate         /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/notes.anwinged.ru/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
+
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
+
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+    ssl_dhparam /etc/nginx/dhparams.pem;
+    ssl_prefer_server_ciphers on;
+
    root /var/www/notes/current/web;

    location / {