Installs a Let's Encrypt cert

2023-08-10 13:40:27 -04:00 · 2023-08-10 13:40:27 -04:00 · 47de051ab9
parent 68c443acd1
commit 47de051ab9
3 changed files with 290 additions and 8 deletions
--- a/webapps/jitsimeet/defaults/main.yml
+++ b/webapps/jitsimeet/defaults/main.yml
@ -1,9 +1,10 @@
 ---
 # defaults file for main vars

-system_dep: "['gnupg2', 'curl', 'apt-transport-https', 'default-jdk', 'lua5.2', 'lua-unbound']"
+system_dep: "['gnupg2', 'curl', 'apt-transport-https', 'default-jdk', 'lua5.2', 'lua-unbound', 'certbot', 'python3-certbot-nginx']"

 domains: ['bullseye.domaine-fictif.org']
+certbot_admin_email: 'support@evolix.fr'

 jitsi_meet_cert_choice: "Generate a new self-signed certificate (You will later get a chance to obtain a Let's encrypt certificate)"
 jitsi_meet_ssl_cert_path: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
--- a/webapps/jitsimeet/tasks/main.yml
+++ b/webapps/jitsimeet/tasks/main.yml
@ -112,10 +112,61 @@
    name: jicofo
    state: restarted

-#- name: Install Jitsi Meet
-#  ansible.builtin.apt:
-#    name: 
-#       - nginx-full
-#       - python3-certbot-nginx
-#    state: present
-#    install_recommends: no
+- name: Check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
+
+- name: Generate certificate only if required (first time)
+  block:
+  - name: Template vhost without SSL for successfull LE challengce
+    template: 
+      src: "vhost.conf.j2"
+      dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
+  - name: Enable temporary nginx vhost for peertube
+    file:
+      src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
+      dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
+      state: link
+  - name: Reload nginx conf
+    service:
+      name: nginx
+      state: reloaded
+  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
+    file: 
+      path: /var/lib/letsencrypt
+      state: directory
+      mode: '0755'
+  - name: Generate certificate with certbot
+    shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+  when: ssl.stat.exists != true
+
+- name: (Re)check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
+
+- name: (Re)template conf file for nginx vhost with SSL
+  template:
+    src: "vhost.conf.j2"
+    dest: "/etc/nginx/sites-available/{{ domains |first }}.conf"
+
+- name: Enable nginx vhost for peertube
+  file:
+    src: "/etc/nginx/sites-available/{{ domains |first }}.conf"
+    dest: "/etc/nginx/sites-enabled/{{ domains |first }}.conf"
+    state: link
+
+- name: Reload nginx conf
+  service:
+    name: nginx
+    state: reloaded
+
+- name: Adjust permissions of files/folders for nginx
+  file:
+    path: "~/"
+    state: directory
+    mode: 'o=rX'
+    recurse: true
+  become_user: "{{ service }}"
+
--- a/webapps/jitsimeet/templates/vhost.conf.j2
+++ b/webapps/jitsimeet/templates/vhost.conf.j2
@ -0,0 +1,230 @@
+{% if ssl.stat.exists %}
+server_names_hash_bucket_size 64;
+
+types {
+# nginx's default mime.types doesn't include a mapping for wasm or wav.
+    application/wasm     wasm;
+    audio/wav            wav;
+}
+upstream prosody {
+    zone upstreams 64K;
+    server 127.0.0.1:5280;
+    keepalive 2;
+}
+upstream jvb1 {
+    zone upstreams 64K;
+    server 127.0.0.1:9090;
+    keepalive 2;
+}
+map $arg_vnode $prosody_node {
+    default prosody;
+    v1 v1;
+    v2 v2;
+    v3 v3;
+    v4 v4;
+    v5 v5;
+    v6 v6;
+    v7 v7;
+    v8 v8;
+}
+
+{% endif %}
+
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ domains | first }};
+
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
+  {% if ssl.stat.exists %}
+  location / { return 301 https://$host$request_uri; }
+  {% endif %}
+}
+
+{% if ssl.stat.exists %}
+server {
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
+  server_name {{ domains | first }};
+  
+  access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m
+  error_log  /var/log/nginx/{{ service }}.error.log;
+
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
+
+  # Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
+  ssl_prefer_server_ciphers off;
+
+  ssl_session_timeout 1d;
+  ssl_session_cache shared:SSL:10m;  # about 40000 sessions
+  ssl_session_tickets off;
+
+  add_header Strict-Transport-Security "max-age=63072000" always;
+  set $prefix "";
+  set $custom_index "";
+  set $config_js_location /etc/jitsi/meet/atlantide-3.evolix.eu-config.js;
+
+  ##
+  # Certificates
+  # you need a certificate to run in production. see https://letsencrypt.org/
+  ##
+  ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
+
+  root /usr/share/jitsi-meet;
+
+  # ssi on with javascript for multidomain variables in config.js
+  ssi on;
+  ssi_types application/x-javascript application/javascript;
+
+  index index.html index.htm;
+  error_page 404 /static/404.html;
+
+  gzip on;
+  gzip_types text/plain text/css application/javascript application/json image/x-icon application/octet-stream application/wasm;
+  gzip_vary on;
+  gzip_proxied no-cache no-store private expired auth;
+  gzip_min_length 512;
+
+  include /etc/jitsi/meet/jaas/*.conf;
+
+  location = /config.js {
+      alias $config_js_location;
+  }
+
+  location = /external_api.js {
+      alias /usr/share/jitsi-meet/libs/external_api.min.js;
+  }
+
+  location = /_api/room-info {
+      proxy_pass http://prosody/room-info?prefix=$prefix&$args;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header Host $http_host;
+  }
+
+  location ~ ^/_api/public/(.*)$ {
+      autoindex off;
+      alias /etc/jitsi/meet/public/$1;
+  }
+
+  # ensure all static content can always be found first
+  location ~ ^/(libs|css|static|images|fonts|lang|sounds|.well-known)/(.*)$
+  {
+      add_header 'Access-Control-Allow-Origin' '*';
+      alias /usr/share/jitsi-meet/$1/$2;
+
+      # cache all versioned files
+      if ($arg_v) {
+          expires 1y;
+      }
+  }
+
+  # BOSH
+  location = /http-bind {
+      proxy_pass http://$prosody_node/http-bind?prefix=$prefix&$args;
+      proxy_http_version 1.1;
+      proxy_set_header X-Forwarded-For $remote_addr;
+      proxy_set_header Host $http_host;
+      proxy_set_header Connection "";
+  }
+
+  # xmpp websockets
+  location = /xmpp-websocket {
+      proxy_pass http://$prosody_node/xmpp-websocket?prefix=$prefix&$args;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      proxy_set_header Host $http_host;
+      tcp_nodelay on;
+  }
+
+  # colibri (JVB) websockets for jvb1
+  location ~ ^/colibri-ws/default-id/(.*) {
+      proxy_pass http://jvb1/colibri-ws/default-id/$1$is_args$args;
+      proxy_http_version 1.1;
+      proxy_set_header Upgrade $http_upgrade;
+      proxy_set_header Connection "upgrade";
+      tcp_nodelay on;
+  }
+
+  # load test minimal client, uncomment when used
+  #location ~ ^/_load-test/([^/?&:'"]+)$ {
+  #    rewrite ^/_load-test/(.*)$ /load-test/index.html break;
+  #}
+  #location ~ ^/_load-test/libs/(.*)$ {
+  #    add_header 'Access-Control-Allow-Origin' '*';
+  #    alias /usr/share/jitsi-meet/load-test/libs/$1;
+  #}
+
+  location ~ ^/([^/?&:'"]+)$ {
+      set $roomname "$1";
+      try_files $uri @root_path;
+  }
+
+  location @root_path {
+      rewrite ^/(.*)$ /$custom_index break;
+  }
+
+  location ~ ^/([^/?&:'"]+)/config.js$
+  {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+
+      alias $config_js_location;
+  }
+
+  # Matches /(TENANT)/pwa-worker.js or /(TENANT)/manifest.json to rewrite to / and look for file
+  location ~ ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+      rewrite ^/([^/?&:'"]+)/(pwa-worker.js|manifest.json)$ /$2;
+  }
+
+  # BOSH for subdomains
+  location ~ ^/([^/?&:'"]+)/http-bind {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+      set $prefix "$1";
+
+      rewrite ^/(.*)$ /http-bind;
+  }
+
+  # websockets for subdomains
+  location ~ ^/([^/?&:'"]+)/xmpp-websocket {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+      set $prefix "$1";
+
+      rewrite ^/(.*)$ /xmpp-websocket;
+  }
+
+  location ~ ^/([^/?&:'"]+)/_api/room-info {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+      set $prefix "$1";
+
+      rewrite ^/(.*)$ /_api/room-info;
+  }
+
+  # Anything that didn't match above, and isn't a real file, assume it's a room name and redirect to /
+  location ~ ^/([^/?&:'"]+)/(.*)$ {
+      set $subdomain "$1.";
+      set $subdir "$1/";
+      rewrite ^/([^/?&:'"]+)/(.*)$ /$2;
+  }
+}
+
+{% endif %}