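---
# Tasks: install nginx and acme-client with pkgng, ship TLS material and
# nginx configuration, then request the domain certificates.
#
# Tasks named "(local) ..." run on the controller (delegate_to: localhost,
# become: false) and generate long-lived key material next to the playbook:
#   ssl/dhparam4096.pem        -- DH parameters, installed world-readable
#   private/acme/privkey.pem   -- ACME account private key, installed 0400
# Both are generated only when the file is absent, so they survive re-runs.
#
# File modes are quoted throughout: an unquoted leading-zero literal such as
# 0644 is parsed by YAML as an integer, which is exactly the risky-octal
# pattern ansible-lint rejects.

- name: install package
  pkgng:
    name: "{{ item }}"
    state: present
  with_items:
    - nginx
    - acme-client

- name: (local) ssl/tls - check dhparam existence
  become: false
  stat:
    path: "{{ playbook_dir }}/ssl/dhparam4096.pem"
  delegate_to: localhost
  register: stat_result

- name: (local) ssl/tls - generate dhparam (4096 bit)
  become: false
  command: >
    openssl dhparam
    -out "{{ playbook_dir }}/ssl/dhparam4096.pem" 4096
  delegate_to: localhost
  when: not stat_result.stat.exists

- name: ssl/tls - copy dhparam
  copy:
    src: "{{ playbook_dir }}/ssl/dhparam4096.pem"
    dest: /usr/local/etc/ssl/dhparam4096.pem
    mode: "0444"

- name: nginx - copy conf.d/ config directory
  copy:
    src: conf.d/  # trailing '/' -> directory contents
    dest: /usr/local/etc/nginx/conf.d/

- name: nginx - create sites/ directory
  file:
    path: /usr/local/etc/nginx/sites
    state: directory

- name: nginx - generate sites
  include_tasks: nginx-gensites.yml

- name: nginx - copy nginx.conf
  copy:
    src: nginx.conf
    dest: /usr/local/etc/nginx/nginx.conf
    # XXX: Validation runs aganist a temporary file, thus nginx fails to
    # include other config files!
    # validate: "nginx -t -c %s"
  notify: reload-nginx

# Stand-in for the disabled validate: above; the handler reload below only
# runs if this check passes. A pure check, so it never reports "changed".
- name: nginx - check configuration
  command: nginx -t
  changed_when: false

- name: nginx - enable and start
  command: rcenable nginx

- name: newsyslog - nginx log rotation
  blockinfile:
    path: /etc/newsyslog.conf
    marker: '# {mark} ANSIBLE MANAGED - nginx'
    block: |
      /var/log/nginx/access.log 644 7 * @T00 Z /var/run/nginx.pid
      /var/log/nginx/error.log 644 7 * @T00 Z /var/run/nginx.pid

- name: acme - copy scripts
  copy:
    src: "{{ item }}"
    dest: "/usr/local/etc/acme/{{ item | basename }}"
    mode: "0755"
  with_items:
    - acme-client.sh
    - deploy.sh

- name: (local) acme - check account private key existence
  become: false
  stat:
    path: "{{ playbook_dir }}/private/acme/privkey.pem"
  delegate_to: localhost
  register: stat_result

# NOTE(review): the local file's permissions come from openssl and the
# controller's umask, not from this task -- confirm private/ is not
# world-readable on the controller.
- name: (local) acme - generate account private key (4096 bit)
  become: false
  command: >
    openssl genrsa
    -out "{{ playbook_dir }}/private/acme/privkey.pem" 4096
  delegate_to: localhost
  when: not stat_result.stat.exists

- name: acme - copy account private key
  copy:
    src: "{{ playbook_dir }}/private/acme/privkey.pem"
    dest: /usr/local/etc/acme/privkey.pem
    mode: "0400"  # private key material: owner read-only

- name: acme - create domain private directory
  file:
    path: /usr/local/etc/ssl/acme/private/
    state: directory
    mode: "0700"

# Credit: https://shasawas.wordpress.com/2016/05/23/how-to-loop-over-a-set-of-tasks-in-ansible/
# The per-domain variable is passed with vars: instead of the old
# "file.yml key=value" free-form syntax, which is deprecated for includes.
- name: acme - generate and copy domain private keys
  include_tasks: acme-domainkey.yml
  vars:
    domain: "{{ item.name }}"
  with_items: "{{ domains }}"

- name: acme - generate domains.txt
  template:
    src: domains.txt.j2
    dest: /usr/local/etc/acme/domains.txt

- name: acme - create challenge directory
  file:
    path: /usr/local/www/acme/.well-known/acme-challenge
    state: directory
    group: www
    recurse: true

- name: nginx - force reload
  command: rcreload nginx

- name: acme - request domain certificates
  command: sh /usr/local/etc/acme/acme-client.sh -e

# NOTE(review): notify on a dynamic include_tasks applies to the include
# task itself, which does not report "changed" -- confirm the reload-nginx
# handler is actually notified from inside nginx-gensites.yml.
- name: nginx - re-generate sites
  include_tasks: nginx-gensites.yml
  notify: reload-nginx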