Add configuration fot lets encrypt
										3
									
								
								Makefile
							| @@ -1,2 +1,5 @@ | ||||
| configure: | ||||
| 	ansible-playbook --inventory "ansible/hosts_prod" --user=av --ask-become-pass ansible/configuration.yml | ||||
|  | ||||
| install-roles: | ||||
| 	ansible-galaxy install -r "ansible/requirements.yml" | ||||
|   | ||||
| @@ -29,9 +29,6 @@ | ||||
|     # nginx settings | ||||
|  | ||||
|     nginx_remove_default_vhost: true | ||||
|     nginx_vhosts: | ||||
|       - server_name: notes.anwinged.ru | ||||
|         template: "{{ playbook_dir }}/templates/notes.vhost.j2" | ||||
|  | ||||
|     # php settings | ||||
|  | ||||
| @@ -49,7 +46,7 @@ | ||||
|     php_webserver_daemon: nginx | ||||
|     php_enable_php_fpm: true | ||||
|     php_date_timezone: "{{ timezone }}" | ||||
|     php_fpm_listen: /run/php/php{{ php_version }}-fpm.sock | ||||
|     php_fpm_listen: /var/run/php{{ php_version }}-fpm.sock | ||||
|  | ||||
|     # mysql settings | ||||
|  | ||||
| @@ -61,6 +58,11 @@ | ||||
|         password: "{{ apps.notes.dbpassword }}" | ||||
|         priv: "{{ apps.notes.dbname }}.*:ALL" | ||||
|  | ||||
|     letsencrypt_webroot_path: /var/www/letsencrypt | ||||
|     letsencrypt_email: anwinged@ya.ru | ||||
|     letsencrypt_cert_domains: | ||||
|       - notes.anwinged.ru | ||||
|  | ||||
|   pre_tasks: | ||||
|     - name: Ensure that PHP PPA is added. | ||||
|       apt_repository: repo=ppa:ondrej/php state=present | ||||
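Review bot: `letsencrypt_webroot_path: /var/www/letsencrypt` is introduced here, but the same path is repeated as a literal in the `Create letsencrypt directory.` task of the next hunk and in the `root` directive of ansible/templates/notes-acme.vhost.j2, so a later change to the variable would leave the challenge directory and the nginx root pointing at different places and HTTP-01 validation would fail with no obvious error. Reference the variable in both spots instead, e.g. `name: "{{ letsencrypt_webroot_path }}"` in the task and `root {{ letsencrypt_webroot_path }};` in the template. The domain in `letsencrypt_cert_domains` is likewise repeated literally in the certificate paths of notes.vhost.j2; deriving it from the variable keeps the role, the vhost and the cert location in step.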
| @@ -99,13 +101,43 @@ | ||||
|       static_site_name: s2photo | ||||
|       static_site_domain: s2photo.ru | ||||
|  | ||||
|   post_tasks: | ||||
|   tasks: | ||||
|     - name: Create system environment variables. | ||||
|       lineinfile: | ||||
|         path: /etc/environment | ||||
|         dest: /etc/environment | ||||
|         regexp: '^{{ item.key }}=' | ||||
|         line: '{{ item.key }}="{{ item.value }}"' | ||||
|       with_dict: "{{ app_envs }}" | ||||
|  | ||||
|     - name: Generate dhparams. | ||||
|       shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048 | ||||
|       args: | ||||
|         creates: /etc/nginx/dhparams.pem | ||||
|  | ||||
|     - name: Create letsencrypt directory. | ||||
|       file: | ||||
|         name: /var/www/letsencrypt | ||||
|         state: directory | ||||
|  | ||||
|     - name: Copy notes acme server config. | ||||
|       template: | ||||
|         src: notes-acme.vhost.j2 | ||||
|         dest: "/etc/nginx/sites-enabled/notes-acme.conf" | ||||
|       notify: restart nginx | ||||
|  | ||||
|     - name: Restart nginx. | ||||
|       service: name=nginx state=restarted | ||||
|  | ||||
|     - name: Configure Lest Encrypt certificate. | ||||
|       include_role: | ||||
|         name: thefinn93.ansible-letsencrypt | ||||
|  | ||||
|     - name: Copy notes server config. | ||||
|       template: | ||||
|         src: notes.vhost.j2 | ||||
|         dest: "/etc/nginx/sites-enabled/notes.conf" | ||||
|       notify: restart nginx | ||||
|  | ||||
|     - name: 'Create folder for {{ apps.notes.name }}.' | ||||
|       file: | ||||
|         path: "{{ apps.notes.www }}" | ||||
|   | ||||
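Review bot: The `Restart nginx.` task restarts nginx unconditionally on every playbook run, which interrupts service even when `notes-acme.conf` did not change; since the intent is only to have the ACME vhost live before the letsencrypt role runs, `- meta: flush_handlers` in its place runs the already-notified `restart nginx` handler only when the preceding template task reported a change. `Generate dhparams.` invokes `shell:` without using any shell feature, so `command:` is sufficient and avoids the extra shell layer. `Create letsencrypt directory.` sets no `owner`, `group` or `mode`, so the challenge directory's permissions depend on the become user's umask; state them explicitly so nginx can read it and nothing else can write it. The task name `Configure Lest Encrypt certificate.` has a typo for `Let's Encrypt`. The tasks list continues past the end of the hunk.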
| @@ -13,3 +13,7 @@ | ||||
|  | ||||
| - src: geerlingguy.mysql | ||||
|   version: 2.8.0 | ||||
|  | ||||
| - name: thefinn93.ansible-letsencrypt | ||||
|   src: https://github.com/thefinn93/ansible-letsencrypt | ||||
|   version: origin/master | ||||
|   | ||||
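Review bot: `version: origin/master` pins `thefinn93.ansible-letsencrypt` to a moving branch of a third-party GitHub repository, so each `make install-roles` may fetch different code that is then executed with become privileges on the managed host (the Makefile runs the play with `--ask-become-pass`). Pin the role to an immutable ref, `version: <release-tag-or-commit-sha>`, and bump it deliberately, as the `geerlingguy.mysql` entry above already does with `version: 2.8.0`.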
									
										15
									
								
								ansible/templates/notes-acme.vhost.j2
									
									
									
									
									
										Normal file
							| @@ -0,0 +1,15 @@ | ||||
| server { | ||||
|     listen 80; | ||||
|     server_name notes.anwinged.ru; | ||||
|  | ||||
|     # For Lets Encrypt verify | ||||
|     # include acme; | ||||
|     location /.well-known { | ||||
|         root /var/www/letsencrypt; | ||||
|         try_files $uri $uri/ =404; | ||||
|     } | ||||
|  | ||||
|     location / { | ||||
|         rewrite ^ https://$host$request_uri? permanent; | ||||
|     } | ||||
| } | ||||
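Review bot: The redirect in `location /` builds its target from `$host`, i.e. the client-supplied Host header; with `nginx_remove_default_vhost: true` set in the play this server is plausibly the default for port 80, in which case a request carrying a foreign Host header is answered with a permanent redirect to that foreign host — an open redirect. Redirect to the configured name instead, `return 301 https://notes.anwinged.ru$request_uri;` (or `$server_name`), which also replaces the regex `rewrite`. The `/.well-known` location can be narrowed to `/.well-known/acme-challenge/`, the only path HTTP-01 validation uses, and as this is a Jinja template `root /var/www/letsencrypt;` should read the play variable, `root {{ letsencrypt_webroot_path }};`. The commented-out `# include acme;` line is dead configuration and can be dropped.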
| @@ -1,7 +1,23 @@ | ||||
| server { | ||||
|  | ||||
|     listen 443 ssl http2 deferred; | ||||
|     server_name notes.anwinged.ru; | ||||
|  | ||||
|     ssl on; | ||||
|     ssl_certificate         /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem; | ||||
|     ssl_certificate_key     /etc/letsencrypt/live/notes.anwinged.ru/privkey.pem; | ||||
|     ssl_trusted_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem; | ||||
|  | ||||
|     ssl_session_cache shared:SSL:50m; | ||||
|     ssl_session_timeout 5m; | ||||
|     ssl_stapling on; | ||||
|     ssl_stapling_verify on; | ||||
|  | ||||
|     ssl_protocols TLSv1 TLSv1.1 TLSv1.2; | ||||
|     ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; | ||||
|  | ||||
|     ssl_dhparam /etc/nginx/dhparams.pem; | ||||
|     ssl_prefer_server_ciphers on; | ||||
|  | ||||
|     root /var/www/notes/current/web; | ||||
|  | ||||
|     location / { | ||||
|   | ||||
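Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still offers TLS 1.0 and 1.1, which are deprecated (RFC 8996), and the `ssl_ciphers` list includes 3DES suites (`DES-CBC3-SHA`, `ECDHE-RSA-DES-CBC3-SHA`, `EDH-RSA-DES-CBC3-SHA`, subject to Sweet32) and non-forward-secret `AES*-SHA*` suites, so a downgraded client can still negotiate a weak session behind the new certificate. Restrict to TLSv1.2 (plus TLSv1.3 if the host's nginx/OpenSSL supports it) and to the ECDHE suites already present in the list. `ssl on;` is deprecated and redundant with `listen 443 ssl`, and `ssl_stapling on;` needs a `resolver` directive to look up the OCSP responder host, otherwise stapling likely never activates. Once the port-80 redirect is in place, an HSTS header (`add_header Strict-Transport-Security "max-age=<seconds>" always;`) is worth adding. The server block continues past the end of the hunk.
```nginx
    listen 443 ssl http2 deferred;
    server_name notes.anwinged.ru;

    # 'ssl on;' dropped: deprecated, and 'listen ... ssl' already enables TLS
    ssl_certificate         /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
    # … unchanged: ssl_certificate_key, ssl_trusted_certificate, session cache/timeout …

    # OCSP stapling needs a resolver for the responder hostname
    resolver <dns-resolver-ip> valid=300s;
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_protocols TLSv1.2;
    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256";
    # … unchanged: ssl_dhparam, ssl_prefer_server_ciphers, root, location / …
```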