Refactor variable names, get SSL ready

This commit is contained in:
Salt 2020-02-05 22:09:35 -06:00
parent 2e28ff2dbc
commit 0a4eb939bd
3 changed files with 39 additions and 23 deletions


@ -10,8 +10,8 @@
acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_version: 2 acme_version: 2
nextcloud_tarbz2: "https://download.nextcloud.com/server/releases/nextcloud-18.0.0.tar.bz2" nextcloud_tarbz2: "https://download.nextcloud.com/server/releases/nextcloud-18.0.0.tar.bz2"
website_url: "nc.assburgers.club" nextcloud_url: "nc.assburgers.club"
website_root: "/var/www/nextcloud" nextcloud_webroot: "/var/www/nextcloud"
roles: roles:
- nextcloud - nextcloud
- hosts: tag_role_cockpit - hosts: tag_role_cockpit


@ -37,16 +37,16 @@
- name: Configure virtual host - name: Configure virtual host
template: template:
src: apache2-vhost.conf src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf" dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
- name: Create webroot - name: Create webroot
file: file:
path: "{{ website_root }}" path: "{{ nextcloud_webroot }}"
mode: "0644" mode: "0644"
recurse: yes recurse: yes
state: directory state: directory
- name: Check for existing installation - name: Check for existing installation
stat: stat:
path: "{{ website_root }}/index.html" path: "{{ nextcloud_webroot }}/index.html"
register: stat_webroot_index register: stat_webroot_index
- name: Install Nextcloud - name: Install Nextcloud
block: block:
@ -58,7 +58,7 @@
unarchive: unarchive:
src: /var/www/nextcloud.tar.bz2 src: /var/www/nextcloud.tar.bz2
remote_src: yes remote_src: yes
dest: "{{ website_root }}" dest: "{{ nextcloud_webroot }}"
extra_opts: [--strip-components=1] extra_opts: [--strip-components=1]
- name: Cleanup - name: Cleanup
file: file:
@ -79,24 +79,24 @@
- { dir: "/etc/pki/cert/crt", mode: "0600" } - { dir: "/etc/pki/cert/crt", mode: "0600" }
- { dir: "/etc/pki/cert/csr", mode: "0600" } - { dir: "/etc/pki/cert/csr", mode: "0600" }
- { dir: "/etc/pki/cert/private", mode: "0600" } - { dir: "/etc/pki/cert/private", mode: "0600" }
- { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" } - { dir: "/etc/pki/cert/challenge/{{ nextcloud_url }}", mode: "0600" }
- name: Create ACME account key - name: Create ACME account key
openssl_privatekey: openssl_privatekey:
path: "/etc/pki/cert/private/account.key" path: "/etc/pki/cert/private/account.key"
size: 4096 size: 4096
- name: Create certificate key - name: Create certificate key
openssl_privatekey: openssl_privatekey:
path: "/etc/pki/cert/private/{{ website_url }}.key" path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
size: 4096 size: 4096
- name: Create CSR - name: Create CSR
openssl_csr: openssl_csr:
path: "/etc/pki/cert/csr/{{ website_url }}.csr" path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
common_name: "{{ website_url }}" common_name: "{{ nextcloud_url }}"
privatekey_path: /etc/pki/cert/private/account.key privatekey_path: /etc/pki/cert/private/account.key
email_address: "rehashedsalt@cock.li" email_address: "rehashedsalt@cock.li"
- name: Create well-known directory - name: Create well-known directory
file: file:
path: "{{ website_root }}/.well-known/acme-challenge" path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
mode: "0644" mode: "0644"
recurse: yes recurse: yes
state: directory state: directory
@ -107,21 +107,21 @@
terms_agreed: yes terms_agreed: yes
account_email: "rehashedsalt@cock.li" account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key" account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ website_url }}.csr" csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt" dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
register: com_challenge register: com_challenge
- name: Fulfill challenge - name: Fulfill challenge
copy: copy:
dest: "{{ website_root }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
when: com_challenge is changed when: com_challenge is changed
- name: Create certificate - name: Create certificate
acme_certificate: acme_certificate:
account_key: /etc/pki/cert/private/account.key account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ website_url }}.csr" csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt" dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
data: "{{ com_challenge }}" data: "{{ com_challenge }}"
become: yes become: yes
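Review bot: The "Create CSR" task in the `@ -79,24` hunk still signs the request with the account key (`privatekey_path: /etc/pki/cert/private/account.key`), while the certificate key created two tasks earlier at `/etc/pki/cert/private/{{ nextcloud_url }}.key` is what the new `*:443` vhost in the third file loads as `SSLCertificateKeyFile`, so the issued certificate would not match the key Apache is handed and the SSL-ready goal of this commit is not reached. ACME servers are also expected to reject a CSR whose public key is the account key (RFC 8555 §11.1), so issuance would likely fail before that point; the line should read `privatekey_path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"`. Keeping the two keys separate additionally avoids placing the ACME account credential in the web server's key material, which limits the blast radius if the server key is ever exposed. The play's task list starts and continues outside these hunks.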


@ -1,6 +1,22 @@
# Configuration for {{ website_url }} # Configuration for {{ nextcloud_url }}
# vim:ft=apache: # vim:ft=apache:
# Ensure we listen on required ports
Listen 80
Listen 443
# Listen for virtual host requests
NameVirtualHost *:443
# Accept connections from non-SNI clients
SSLStrictSNIVHostCheck off
# Website configuration
<VirtualHost *:80> <VirtualHost *:80>
ServerName {{ website_url }} ServerName {{ nextcloud_url }}
DocumentRoot {{ website_root }} DocumentRoot {{ nextcloud_webroot }}
</VirtualHost>
<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}.crt
SSLCertificateKeyFile /etc/pki/cert/private/{{ nextcloud_url }}.key
ServerName {{ nextcloud_url }}
DocumentRoot {{ nexcloud_webroot }}
</VirtualHost> </VirtualHost>
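Review bot: `DocumentRoot {{ nexcloud_webroot }}` in the new `*:443` vhost misspells the variable this commit introduces, so the template task will fail on the undefined variable (or render an empty DocumentRoot if undefined errors are disabled); it should be `DocumentRoot {{ nextcloud_webroot }}`. The `*:443` block also serves only the leaf certificate even though the playbook already writes `{{ nextcloud_url }}-fullchain.crt`; using `SSLCertificateFile /etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt` lets clients that lack the intermediate build the chain. `NameVirtualHost` is a no-op that only logs a warning on Apache 2.4, and the added `Listen 80`/`Listen 443` lines will, if ports.conf already declares them as Debian-family apache2 packages do, make httpd refuse to start with an address-in-use error — presumably only the SNI relaxation was meant to stay here. Finally, the `*:80` vhost still serves the full Nextcloud tree in clear text; once the certificate is in place, a permanent redirect to `https://{{ nextcloud_url }}/` in that block, exempting `/.well-known/acme-challenge` so http-01 renewals keep working, would keep logins off plain HTTP.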