From ec7938a9628a01c7e5ef31e5a030c7aeffaf633e Mon Sep 17 00:00:00 2001
From: Mathieu Gauthier-Pilote
Date: Wed, 3 May 2023 14:12:59 -0400
Subject: [PATCH] Now installs a LE SSL cert via certbot by default

---
 webapps/etherpad/defaults/main.yml | 1 +
 webapps/etherpad/tasks/main.yml | 21 +++++++++++++++---
 .../etherpad/templates/letsencrypt.conf.j2 | 5 +++++
 webapps/etherpad/templates/ssl.conf.j2 | 22 +++++++++++++++++++
 webapps/etherpad/templates/vhost.conf.j2 | 15 +++++++------
 5 files changed, 54 insertions(+), 10 deletions(-)
 create mode 100644 webapps/etherpad/templates/letsencrypt.conf.j2
 create mode 100644 webapps/etherpad/templates/ssl.conf.j2

diff --git a/webapps/etherpad/defaults/main.yml b/webapps/etherpad/defaults/main.yml
index bc91dc1d..d1ca5240 100644
--- a/webapps/etherpad/defaults/main.yml
+++ b/webapps/etherpad/defaults/main.yml
@@ -7,6 +7,7 @@ node_version: 'node_18.x'
 node_port: '9001'
 service: 'example'
 domains: ['example.domain.org']
+certbot_admin_email: 'mgauthier@evolix.ca'
 db_host: 'localhost'
 db_port: '/run/mysqld/mysqld.sock'
diff --git a/webapps/etherpad/tasks/main.yml b/webapps/etherpad/tasks/main.yml
index 1cf325be..769d8d6f 100644
--- a/webapps/etherpad/tasks/main.yml
+++ b/webapps/etherpad/tasks/main.yml
@@ -4,6 +4,7 @@
 - name: Install main system dependencies
   apt:
     name: "{{ system_dep }}"
+    update_cache: yes
 
 - name: Add UNIX account
   user:
@@ -66,7 +67,12 @@
 - name: Start service
   service:
     name: "{{ service }}.service"
-    state: started
+    state: restarted
+
+- name: Template nginx snippet for Let's Encrypt/Certbot
+  template:
+    src: "letsencrypt.conf.j2"
+    dest: "/etc/nginx/snippets/letsencrypt.conf"
 
 - name: Check if SSL certificate is present and register result
   stat:
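Review bot: `certbot_admin_email: 'mgauthier@evolix.ca'` hard-codes one individual's mailbox as the role default, so every host deployed with this role registers its ACME account, accepts the CA terms (`--agree-tos` in the tasks hunk) and routes expiry notices to that address unless the deployer happens to override it. A role default should not carry a real contact; leave it empty and fail early when unset, e.g. `certbot_admin_email: ''  # required, set per deployment` here, plus an `assert` task (`that: certbot_admin_email | length > 0`) ahead of the certbot task in tasks/main.yml. That keeps the person named here from receiving notices for domains they do not operate and makes the required input visible in the role's interface.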
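Review bot: `update_cache: yes` uses a YAML 1.1 truthy spelling and, with no `cache_valid_time`, refreshes the apt index on every play run. Prefer the canonical boolean and bound the refresh: `update_cache: true` followed by `cache_valid_time: 3600`. The task list continues outside the hunk.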
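Review bot: Changing `state: started` to `state: restarted` turns the task still named "Start service" into an unconditional restart of `{{ service }}.service` on every run, including runs where nothing changed, which would likely interrupt open pads each time the playbook is applied. Keep `state: started` here and restart through a handler notified by the tasks that alter the unit or its configuration (for example `notify: Restart etherpad` on those tasks, with a matching handler). The new "Template nginx snippet" task also writes /etc/nginx/snippets/letsencrypt.conf without notifying an nginx reload; if no task outside this patch reloads nginx before the certbot task in the next hunk runs, the first ACME challenge will 404, so that ordering is worth confirming.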
@@ -94,8 +100,17 @@
     state: directory
     mode: '0755'
 - name: Generate certificate with certbot
-  shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
-  when: ssl.stat.exists == false
+  shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+- name: Create the ssl dir if needed
+  file:
+    path: /etc/nginx/ssl
+    state: directory
+    mode: '0750'
+- name: Template ssl bloc for nginx vhost
+  template:
+    src: "ssl.conf.j2"
+    dest: "/etc/nginx/ssl/{{ domains |first }}.conf"
+  when: ssl.stat.exists != true
 
 - name: (Re)check if SSL certificate is present and register result
   stat:
diff --git a/webapps/etherpad/templates/letsencrypt.conf.j2 b/webapps/etherpad/templates/letsencrypt.conf.j2
new file mode 100644
index 00000000..6b33847e
--- /dev/null
+++ b/webapps/etherpad/templates/letsencrypt.conf.j2
@@ -0,0 +1,5 @@
+location ~ /.well-known/acme-challenge {
+  alias /var/lib/letsencrypt/;
+  try_files $uri =404;
+  allow all;
+}
diff --git a/webapps/etherpad/templates/ssl.conf.j2 b/webapps/etherpad/templates/ssl.conf.j2
new file mode 100644
index 00000000..86194389
--- /dev/null
+++ b/webapps/etherpad/templates/ssl.conf.j2
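Review bot: The certbot `shell` task lost its `when: ssl.stat.exists == false` guard, so `certbot certonly` now contacts the CA on every play run; certbot normally answers that the certificate is not yet due and exits 0, but the task then reports changed every time and any CA or network hiccup fails the whole play. Guard it with an idempotency marker and drop the shell, since no shell features are used: `command: certbot certonly ...` with `args:` / `creates: "/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem"`, and write the remaining condition as `when: not ssl.stat.exists` rather than `!= true`. Separately, the ssl snippet is only templated when the certificate was absent at the start of the run, so a host that already holds a certificate from an earlier version of this role never gets `/etc/nginx/ssl/{{ domains |first }}.conf` unless a task outside this hunk creates it, while the 443 server block in the vhost hunk includes that file; `template` is idempotent, so the `when` on that task can simply be removed. Only `domains | first` is passed to `-d`, so any further entries in `domains` are not covered by the certificate.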
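Review bot: `location ~ /.well-known/acme-challenge {` is an unanchored regex with an unescaped dot, so it also matches any URI that merely contains that substring (a constructed example: /pads/.well-known/acme-challenge/x), which is broader than the `location /.well-known/acme-challenge/` prefix it replaces in the vhost. Anchor and escape it: `location ~ ^/\.well-known/acme-challenge/ {`; as far as I can tell, because the regex has no captures, `alias` keeps appending the whole request URI to /var/lib/letsencrypt/, so the files certbot writes under that webroot still resolve. `allow all;` only has an effect if an enclosing `deny` exists; harmless to keep.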
@@ -0,0 +1,22 @@
+##
+# Certificates
+# you need a certificate to run in production. see https://letsencrypt.org/
+##
+ssl_certificate /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
+
+##
+# Security hardening (as of Nov 15, 2020)
+# based on Mozilla Guideline v5.6
+##
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers on;
+ssl_ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+ssl_session_timeout 1d; # defaults to 5m
+ssl_session_cache shared:SSL:10m; # estimated to 40k sessions
+ssl_session_tickets off;
+ssl_stapling on;
+ssl_stapling_verify on;
+# HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
+#add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
diff --git a/webapps/etherpad/templates/vhost.conf.j2 b/webapps/etherpad/templates/vhost.conf.j2
index 8c67a16f..46cf21f7 100644
--- a/webapps/etherpad/templates/vhost.conf.j2
+++ b/webapps/etherpad/templates/vhost.conf.j2
@@ -8,8 +8,8 @@ server {
   listen [::]:80;
   server_name {{ domains |first }};
-  # For Let's Encrypt
-  location /.well-known/acme-challenge/ { allow all; }
+  # For certbot
+  include /etc/nginx/snippets/letsencrypt.conf;
 {% if ssl.stat.exists %}
   location / { return 301 https://$host$request_uri; }
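Review bot: `ssl_stapling_verify on;` has nothing to verify against: nginx needs the issuer chain via `ssl_trusted_certificate` and a `resolver` to fetch OCSP responses, and this commit removes the `ssl_trusted_certificate .../chain.pem` line from the vhost without re-adding it here, so stapling is expected to fail verification and be skipped, with errors in the nginx error log, rather than be enforced. Add `ssl_trusted_certificate /etc/letsencrypt/live/{{ domains | first }}/chain.pem;` next to the certificate and key lines and a `resolver` directive pointing at the host's DNS (deployment-specific value), or drop the two stapling lines if the CA's OCSP service is not something you want to depend on. The HSTS header stays commented out, so the HTTP-to-HTTPS redirect in the vhost is the only thing keeping clients on TLS; once that redirect is confirmed, `add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;` belongs in the 443 server block and, as the comment notes, in any location that sets its own headers.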
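Review bot: Style: the Jinja filter is spelled `{{ domains |first }}` in this vhost and in the tasks, but `{{ domains | first }}` in the new ssl.conf.j2 and in one of the two includes of the 443 block; settle on one spelling (`{{ domains | first }}` is the conventional form) so the vhost and the file it includes grep the same. Placing the snippet include before the `{% if ssl.stat.exists %}` redirect is fine, since the regex location in the snippet takes precedence over the `/` prefix location regardless of order.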
@@ -20,13 +20,14 @@ server {
 server {
   listen 443 ssl http2;
   listen [::]:443 ssl http2;
+  server_name {{ domains |first }};
-  # For Let's Encrypt
-  location /.well-known/acme-challenge/ { allow all; }
-  ssl_certificate /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem;
-  ssl_certificate_key /etc/letsencrypt/live/{{ domains |first }}/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/{{ domains |first }}/chain.pem;
+  access_log /var/log/nginx/{{ service }}.access.log;
+  error_log /var/log/nginx/{{ service }}.error.log;
+
+  include /etc/nginx/snippets/letsencrypt.conf;
+  include /etc/nginx/ssl/{{ domains | first }}.conf;
   location / {
     proxy_pass http://127.0.0.1:{{ node_port }};