For certbot

2023-04-20 14:38:28 -04:00 · 2023-04-20 14:38:28 -04:00 · e96aacc646
parent 0535c40455
commit e96aacc646
4 changed files with 81 additions and 62 deletions
--- a/webapps/peertube/defaults/main.yml
+++ b/webapps/peertube/defaults/main.yml
@ -4,6 +4,7 @@ system_dep: "['curl', 'python3-dev', 'python-is-python3', 'python3-psycopg2','ce
 version: 'v5.1.0'
 download_url: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ version }}/peertube-{{ version }}.zip"
 domains: ['example.domain.org']
 certbot_admin_email: 'mgauthier@evolix.ca'
 service_home: '/var/www/peertube'
 db_host: 'localhost'
 db_port: '5432'
--- a/webapps/peertube/tasks/main.yml
+++ b/webapps/peertube/tasks/main.yml
@ -9,13 +9,16 @@
 - name: Install main system dependencies
  apt:
    name: "{{ system_dep }}"
    update_cache: yes
 - name: Upgrade redis-server to the latest version from bullseye-backports
  apt:
    name: redis-server
    state: latest
    default_release: bullseye-backports
-    update_cache: yes
+
 - name: Enable yarn (via corepack)
  shell: "corepack enable; yarn set version classic"
 - name: Add UNIX account
  user:
@ -92,39 +95,39 @@
    enabled: true
    state: started
-#~ - name: Check if SSL certificate is present and register result
+- name: Check if SSL certificate is present and register result
-  #~ stat:
+  stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+  register: ssl
-#~ - name: Generate certificate only if required (first time)
+- name: Generate certificate only if required (first time)
-  #~ block:
+  block:
-  #~ - name: Template vhost without SSL for successfull LE challengce
+  - name: Template vhost without SSL for successfull LE challengce
-    #~ template: 
+    template: 
-      #~ src: "vhost.conf.j2"
+      src: "vhost.conf.j2"
-      #~ dest: "/etc/nginx/sites-available/{{ service }}.conf"
+      dest: "/etc/nginx/sites-available/{{ service }}.conf"
-  #~ - name: Enable temporary nginx vhost for peertube
+  - name: Enable temporary nginx vhost for peertube
-    #~ file:
+    file:
-      #~ src: "/etc/nginx/sites-available/{{ service }}.conf"
+      src: "/etc/nginx/sites-available/{{ service }}.conf"
-      #~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
+      dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
-      #~ state: link
+      state: link
-  #~ - name: Reload nginx conf
+  - name: Reload nginx conf
-    #~ service:
+    service:
-      #~ name: nginx
+      name: nginx
-      #~ state: reloaded
+      state: reloaded
-  #~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions
+  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
-    #~ file: 
+    file: 
-      #~ path: /var/lib/letsencrypt
+      path: /var/lib/letsencrypt
-      #~ state: directory
+      state: directory
-      #~ mode: '0755'
+      mode: '0755'
-  #~ - name: Generate certificate with certbot
+  - name: Generate certificate with certbot
-    #~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
+    shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
-  #~ when: ssl.stat.exists == true
+  when: ssl.stat.exists != true
-#~ - name: (Re)check if SSL certificate is present and register result
+- name: (Re)check if SSL certificate is present and register result
-  #~ stat:
+  stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+  register: ssl
 - name: (Re)template conf file for nginx vhost with SSL
  template:
@ -141,3 +144,11 @@
  service:
    name: nginx
    state: reloaded
 - name: Adjust permissions of files/folders for nginx
  file:
    path: "~/"
    state: directory
    mode: 'o=rX'
    recurse: true
  become_user: "{{ service }}"
--- a/webapps/peertube/templates/production.yaml.j2
+++ b/webapps/peertube/templates/production.yaml.j2
@ -4,7 +4,7 @@ listen:
 # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
 webserver:
-  https: false
+  https: true
  hostname: '{{ domains| first }}'
  port: 80
--- a/webapps/peertube/templates/vhost.conf.j2
+++ b/webapps/peertube/templates/vhost.conf.j2
@ -3,57 +3,62 @@
 # STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
 # THIRD PARTY MODULES:   None.
-#server {
+server {
-#  listen 80;
+  listen 80;
-#  listen [::]:80;
+  listen [::]:80;
-#  server_name {{ domains | first }};
+  server_name {{ domains | first }};
-#  location /.well-known/acme-challenge/ {
+  # For certbot
-#    default_type "text/plain";
+  location ~ /.well-known/acme-challenge {
-#    root /var/www/certbot;
+    alias /var/lib/letsencrypt/;
-#  }
+    try_files $uri =404;
-#  location / { return 301 https://$host$request_uri; }
+    allow all;
-#}
+  }
  {% if ssl.stat.exists %}
  location / { return 301 https://$host$request_uri; }
  {% endif %}
 }
 upstream backend {
  server {{ pt_host }};
 }
 {% if ssl.stat.exists %}
 server {
-  #listen 443 ssl http2;
+  listen 443 ssl http2;
-  #listen [::]:443 ssl http2;
+  listen [::]:443 ssl http2;
  listen 80;
  listen [::]:80;
  server_name {{ domains | first }};
  access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m
  error_log  /var/log/nginx/{{ service }}.error.log;
  # For certbot
  location ~ /.well-known/acme-challenge {
    alias /var/lib/letsencrypt/;
    try_files $uri =404;
    allow all;
  }
  ##
  # Certificates
  # you need a certificate to run in production. see https://letsencrypt.org/
  ##
-  #ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
+  ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
-  #ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
  location ^~ '/.well-known/acme-challenge' {
    default_type "text/plain";
    root /var/www/certbot;
  }
  ##
  # Security hardening (as of Nov 15, 2020)
  # based on Mozilla Guideline v5.6
  ##
-  #ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_protocols             TLSv1.2 TLSv1.3;
-  #ssl_prefer_server_ciphers on;
+  ssl_prefer_server_ciphers on;
-  #ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-  #ssl_session_timeout       1d; # defaults to 5m
+  ssl_session_timeout       1d; # defaults to 5m
-  #ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
-  #ssl_session_tickets       off;
+  ssl_session_tickets       off;
-  #ssl_stapling              on;
+  ssl_stapling              on;
-  #ssl_stapling_verify       on;
+  ssl_stapling_verify       on;
  # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
  #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
@ -276,3 +281,5 @@ server {
    try_files $uri @api;
  }
 }
 {% endif %}