diff --git a/webapps/peertube/defaults/main.yml b/webapps/peertube/defaults/main.yml
index 431d22b9..a71c8be2 100644
--- a/webapps/peertube/defaults/main.yml
+++ b/webapps/peertube/defaults/main.yml
@@ -4,6 +4,7 @@ system_dep: "['curl', 'python3-dev', 'python-is-python3', 'python3-psycopg2','ce
 version: 'v5.1.0'
 download_url: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ version }}/peertube-{{ version }}.zip"
 domains: ['example.domain.org']
+certbot_admin_email: 'mgauthier@evolix.ca'
 service_home: '/var/www/peertube'
 db_host: 'localhost'
 db_port: '5432'
diff --git a/webapps/peertube/tasks/main.yml b/webapps/peertube/tasks/main.yml
index 8e0742df..8a24eebf 100644
--- a/webapps/peertube/tasks/main.yml
+++ b/webapps/peertube/tasks/main.yml
@@ -9,13 +9,16 @@
 - name: Install main system dependencies
   apt:
     name: "{{ system_dep }}"
+    update_cache: yes
 - name: Upgrade redis-server to the latest version from bullseye-backports
   apt:
     name: redis-server
     state: latest
     default_release: bullseye-backports
-    update_cache: yes
+
+- name: Enable yarn (via corepack)
+  shell: "corepack enable; yarn set version classic"
 - name: Add UNIX account
   user:
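Review bot: `certbot_admin_email` is defaulted to a real personal mailbox (`'mgauthier@evolix.ca'`), which every deployment that does not override it will register as the ACME account contact and the recipient of Let's Encrypt expiry notices. A role default should not carry an individual's address; the neighbouring defaults in this hunk use placeholders (`domains: ['example.domain.org']`), so the same convention fits, e.g. `certbot_admin_email: 'admin@example.domain.org'`, or leave the key undefined so a missing override fails at templating time instead of silently enrolling the wrong contact. The real address belongs in inventory or group vars, not in the role.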
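Review bot: The new `Enable yarn (via corepack)` task runs `shell: "corepack enable; yarn set version classic"` unconditionally, so it re-executes and reports `changed` on every play, and `yarn set version classic` resolves "latest 1.x" at run time rather than a pinned release, which as far as I know means an unpinned network fetch baked into the role (confirm against corepack's behaviour for the Node package in use). Prefer `command:` (no shell features are needed), guard it with `creates:` on the yarn shim corepack installs or with `changed_when: false`, and pin an explicit yarn 1.x version so the build is reproducible. Minor: the moved `update_cache: yes` should be `update_cache: true` (ansible-lint truthy rule).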
@@ -92,39 +95,39 @@
     enabled: true
     state: started
-#~ - name: Check if SSL certificate is present and register result
-  #~ stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+- name: Check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
-#~ - name: Generate certificate only if required (first time)
-  #~ block:
-  #~ - name: Template vhost without SSL for successfull LE challengce
-    #~ template:
-      #~ src: "vhost.conf.j2"
-      #~ dest: "/etc/nginx/sites-available/{{ service }}.conf"
-  #~ - name: Enable temporary nginx vhost for peertube
-    #~ file:
-      #~ src: "/etc/nginx/sites-available/{{ service }}.conf"
-      #~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
-      #~ state: link
-  #~ - name: Reload nginx conf
-    #~ service:
-      #~ name: nginx
-      #~ state: reloaded
-  #~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions
-    #~ file:
-      #~ path: /var/lib/letsencrypt
-      #~ state: directory
-      #~ mode: '0755'
-  #~ - name: Generate certificate with certbot
-    #~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
-  #~ when: ssl.stat.exists == true
+- name: Generate certificate only if required (first time)
+  block:
+  - name: Template vhost without SSL for successfull LE challengce
+    template:
+      src: "vhost.conf.j2"
+      dest: "/etc/nginx/sites-available/{{ service }}.conf"
+  - name: Enable temporary nginx vhost for peertube
+    file:
+      src: "/etc/nginx/sites-available/{{ service }}.conf"
+      dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
+      state: link
+  - name: Reload nginx conf
+    service:
+      name: nginx
+      state: reloaded
+  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
+    file:
+      path: /var/lib/letsencrypt
+      state: directory
+      mode: '0755'
+  - name: Generate certificate with certbot
+    shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+  when: ssl.stat.exists != true
-#~ - name: (Re)check if SSL certificate is present and register result
-  #~ stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+- name: (Re)check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
   template:
@@ -141,3 +144,11 @@
   service:
     name: nginx
     state: reloaded
+
+- name: Adjust permissions of files/folders for nginx
+  file:
+    path: "~/"
+    state: directory
+    mode: 'o=rX'
+    recurse: true
+  become_user: "{{ service }}"
diff --git a/webapps/peertube/templates/production.yaml.j2 b/webapps/peertube/templates/production.yaml.j2
index 3dec0809..4e2aabeb 100644
--- a/webapps/peertube/templates/production.yaml.j2
+++ b/webapps/peertube/templates/production.yaml.j2
@@ -4,7 +4,7 @@ listen:
 # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
 webserver:
-  https: false
+  https: true
   hostname: '{{ domains| first }}'
   port: 80
diff --git a/webapps/peertube/templates/vhost.conf.j2 b/webapps/peertube/templates/vhost.conf.j2
index c416b9f0..aaf6b8c6 100644
--- a/webapps/peertube/templates/vhost.conf.j2
+++ b/webapps/peertube/templates/vhost.conf.j2
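Review bot: The `Generate certificate with certbot` step uses `shell:` although the command has no pipes or redirections, so the interpolated `{{ certbot_admin_email }}` and `{{ domains |first }}` are pushed through a shell for no benefit; `command:` is the safer module here and is what ansible-lint expects. Only the first entry of `domains` is ever issued (`-d {{ domains |first }}`) while the variable is a list — if several names are meant to be served each needs its own `-d`, otherwise a one-line comment such as `# Only the first entry of 'domains' gets a certificate` would spare the next reader a surprise. Typo in the task name: `successfull LE challengce` → `successful LE challenge`. The `(Re)template conf file for nginx vhost with SSL` task at the end of the hunk continues outside it.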
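Review bot: The new `Adjust permissions of files/folders for nginx` task makes the whole service home world-readable (`mode: 'o=rX'`, `recurse: true` on `~/`), which presumably includes the rendered `production.yaml` with the database credentials and whatever other secrets PeerTube keeps under its home, so any local account or compromised service on the host can read them; nginx only needs traverse on the path and read on the directories it serves. `path: "~/"` also depends on `HOME` being set for the become user (and on `become: true` being active at play level, which the hunk does not show), while `service_home` is already defined in the role defaults and should be used instead. Restrict the grant to the directories nginx actually serves (the `alias`/`root` targets in vhost.conf.j2, outside this hunk — confirm the list) and explicitly keep the configuration directory closed to others; the sketch below shows the shape.
```yaml
- name: Allow nginx to traverse the service home
  file:
    path: "{{ service_home }}"
    state: directory
    mode: 'o=x'

# NOTE(review): list the directories vhost.conf.j2 serves directly — confirm against the template
- name: Make the directories nginx serves readable
  file:
    path: "{{ service_home }}/{{ item }}"
    state: directory
    mode: 'o=rX'
    recurse: true
  loop:
    - storage
  become_user: "{{ service }}"

- name: Keep the PeerTube configuration private
  file:
    path: "{{ service_home }}/config"
    state: directory
    mode: 'o-rwx'
    recurse: true
  become_user: "{{ service }}"
```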
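Review bot: `https: true` is now paired with the unchanged context line `port: 80` in the same `webserver:` stanza; PeerTube's reference `production.yaml` sets `port: 443` next to `https: true`, and as far as I recall the public instance URL is built from hostname and port, so the instance would advertise itself as `https://{{ domains | first }}:80`, a port nginx serves only plain HTTP on (confirm against the pinned v5.1.0). Change the line to `port: 443` in the same commit. Minor: `hostname: '{{ domains| first }}'` uses different filter spacing from the `{{ domains | first }}` form elsewhere in the role — harmless, but worth unifying.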
@@ -3,57 +3,62 @@
 # STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
 # THIRD PARTY MODULES: None.
-#server {
-#  listen 80;
-#  listen [::]:80;
-#  server_name {{ domains | first }};
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ domains | first }};
-#  location /.well-known/acme-challenge/ {
-#    default_type "text/plain";
-#    root /var/www/certbot;
-#  }
-#  location / { return 301 https://$host$request_uri; }
-#}
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
+  {% if ssl.stat.exists %}
+  location / { return 301 https://$host$request_uri; }
+  {% endif %}
+}
 upstream backend {
   server {{ pt_host }};
 }
+{% if ssl.stat.exists %}
 server {
-  #listen 443 ssl http2;
-  #listen [::]:443 ssl http2;
-  listen 80;
-  listen [::]:80;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
   server_name {{ domains | first }};
   access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m
   error_log /var/log/nginx/{{ service }}.error.log;
+
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
   ##
   # Certificates
   # you need a certificate to run in production. see https://letsencrypt.org/
   ##
-  #ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
-  #ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
-
-  location ^~ '/.well-known/acme-challenge' {
-    default_type "text/plain";
-    root /var/www/certbot;
-  }
+  ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
   ##
   # Security hardening (as of Nov 15, 2020)
   # based on Mozilla Guideline v5.6
   ##
-  #ssl_protocols TLSv1.2 TLSv1.3;
-  #ssl_prefer_server_ciphers on;
-  #ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-  #ssl_session_timeout 1d; # defaults to 5m
-  #ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
-  #ssl_session_tickets off;
-  #ssl_stapling on;
-  #ssl_stapling_verify on;
+  ssl_protocols TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_session_timeout 1d; # defaults to 5m
+  ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_tickets off;
+  ssl_stapling on;
+  ssl_stapling_verify on;
   # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
   #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
@@ -276,3 +281,5 @@ server {
     try_files $uri @api;
   }
 }
+
+{% endif %}
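Review bot: TLS is now live but the HSTS line right below the newly enabled `ssl_*` directives stays commented (`#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";`), so browsers that once followed the port-80 redirect are never pinned to HTTPS; with the redirect in place there is no reason left to hold it back, apart from the `add_header` inheritance caveat the comment itself states, which means every `location` that sets its own headers (further down this template, outside the hunk) needs the same line. `ssl_stapling on` / `ssl_stapling_verify on` are enabled with neither a `resolver` nor an `ssl_trusted_certificate`; per the nginx docs the responder hostname then cannot be resolved and verification has no root to check against, so nginx logs a warning and quietly serves no staple — add `ssl_trusted_certificate /etc/letsencrypt/live/{{ domains | first }}/chain.pem;` and a `resolver` line next to them, or drop the two directives rather than carry a no-op. Minor: the two identical `# For certbot` blocks could be one `include` snippet, and a short comment that `location ~ ... { alias /var/lib/letsencrypt/; }` relies on nginx appending the full URI when the regex has no captures would document why it lines up with certbot's `--webroot-path`.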