Merge branch pr-evoacme into unstable
commit
fd7b8ffc9a
@ -1,15 +1,15 @@
---
|
---
|
||||||
ssl_key_dir: /etc/ssl/private
|
evoacme_ssl_key_dir: /etc/ssl/private
|
||||||
ssl_key_size: 2048
|
evoacme_ssl_key_size: 2048
|
||||||
dhparam_size: 2048
|
evoacme_dhparam_size: 2048
|
||||||
acme_dir: /var/lib/letsencrypt
|
evoacme_acme_dir: /var/lib/letsencrypt
|
||||||
csr_dir: /etc/ssl/requests
|
evoacme_csr_dir: /etc/ssl/requests
|
||||||
crt_dir: /etc/letsencrypt
|
evoacme_crt_dir: /etc/letsencrypt
|
||||||
log_dir: /var/log/evoacme
|
evoacme_log_dir: /var/log/evoacme
|
||||||
ssl_minday: 15
|
evoacme_ssl_minday: 15
|
||||||
ssl_ct: 'FR'
|
evoacme_ssl_ct: 'FR'
|
||||||
ssl_state: 'France'
|
evoacme_ssl_state: 'France'
|
||||||
ssl_loc: 'Marseille'
|
evoacme_ssl_loc: 'Marseille'
|
||||||
ssl_org: 'Evolix'
|
evoacme_ssl_org: 'Evolix'
|
||||||
ssl_ou: 'Security'
|
evoacme_ssl_ou: 'Security'
|
||||||
ssl_email: 'security@evolix.net'
|
evoacme_ssl_email: 'security@evolix.net'
@ -1,11 +1,11 @@
- name: newaliases
|
- name: newaliases
|
||||||
shell: newaliases
|
command: newaliases
|
||||||
|
|
||||||
- name: Test Apache conf
|
- name: Test Apache conf
|
||||||
shell: apache2ctl -t
|
shell: apache2ctl -t
|
||||||
notify: "Reload Apache conf"
|
notify: "Reload Apache conf"
|
||||||
|
|
||||||
- name: Reload Apache conf
|
- name: reload apache2
|
||||||
service:
|
service:
|
||||||
name=apache2
|
name: apache2
|
||||||
state=reloaded
|
state: reloaded
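Review bot: The `Test Apache conf` handler still notifies `Reload Apache conf` (the unchanged `notify:` line in this hunk), but the same hunk renames that handler to `reload apache2`, so the notification now targets a handler that no longer exists and Ansible will error when it fires. Change the line to `notify: reload apache2`. For consistency with the `newaliases` handler switched to `command:` above, `shell: apache2ctl -t` can also become `command: apache2ctl -t`, since it needs no shell features.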
@ -10,12 +10,12 @@
group: acme
|
group: acme
|
||||||
state: present
|
state: present
|
||||||
createhome: no
|
createhome: no
|
||||||
home: "{{ crt_dir }}"
|
home: "{{ evoacme_crt_dir }}"
|
||||||
shell: /bin/false
|
shell: /bin/false
|
||||||
|
|
||||||
- name: Fix crt dir's right
|
- name: Fix crt dir's right
|
||||||
file:
|
file:
|
||||||
path: "{{ crt_dir }}"
|
path: "{{ evoacme_crt_dir }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
owner: acme
|
owner: acme
|
||||||
group: acme
|
group: acme
@ -23,7 +23,7 @@
|
|
||||||
- name: Fix log dir's right
|
- name: Fix log dir's right
|
||||||
file:
|
file:
|
||||||
path: "{{ log_dir }}"
|
path: "{{ evoacme_log_dir }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
owner: acme
|
owner: acme
|
||||||
group: acme
|
group: acme
@ -31,7 +31,7 @@
|
|
||||||
- name: Fix challenge dir's right
|
- name: Fix challenge dir's right
|
||||||
file:
|
file:
|
||||||
path: "{{ acme_dir }}"
|
path: "{{ evoacme_acme_dir }}"
|
||||||
mode: 0755
|
mode: 0755
|
||||||
owner: acme
|
owner: acme
|
||||||
group: acme
|
group: acme
@ -5,7 +5,8 @@
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0644
|
mode: 0644
|
||||||
notify: "Test Apache conf"
|
validate: apache2ctl -t
|
||||||
|
notify: reload apache2
|
||||||
|
|
||||||
- name: Enable acme challenge conf
|
- name: Enable acme challenge conf
|
||||||
file:
|
file:
@ -14,4 +15,5 @@
state: link
|
state: link
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
notify: "Test Apache conf"
|
validate: apache2ctl -t
|
||||||
|
notify: reload apache2
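Review bot: `validate: apache2ctl -t` on the file-writing task in the first hunk will be rejected by Ansible, whose copy/template `validate` requires the command to contain `%s` for the path of the temporary file ("validate must contain %s"), so the task fails before anything is written. `apache2ctl -t` also cannot check one snippet in isolation, and the second hunk appears to attach `validate:` to the `file:` task with `state: link`, which does not accept that parameter at all. Unless a validator for the full server configuration is wired in, the safer route is the previous handler chain: drop both `validate:` lines, keep `notify: "Test Apache conf"`, and have that handler notify `reload apache2` so the reload only happens after a syntax check. The task headers lie outside the second hunk.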
@ -1,6 +1,7 @@
---
|
---
|
||||||
- name: Set certbot release to Debian stable
|
- name: Set certbot release to Debian stable
|
||||||
set_fact: release="stable"
|
set_fact:
|
||||||
|
evoacme_certbot_release: stable
|
||||||
when:
|
when:
|
||||||
- ansible_distribution is defined
|
- ansible_distribution is defined
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
@ -8,7 +9,8 @@
- ansible_distribution_major_version|int > 8
|
- ansible_distribution_major_version|int > 8
|
||||||
|
|
||||||
- name: Set certbot relase to jessie-backports
|
- name: Set certbot relase to jessie-backports
|
||||||
set_fact: release="jessie-backports"
|
set_fact:
|
||||||
|
evoacme_certbot_release: jessie-backports
|
||||||
when:
|
when:
|
||||||
- ansible_distribution is defined
|
- ansible_distribution is defined
|
||||||
- ansible_distribution == "Debian"
|
- ansible_distribution == "Debian"
@ -21,13 +23,13 @@
dest: /etc/apt/sources.list
|
dest: /etc/apt/sources.list
|
||||||
line: 'deb http://mirror.evolix.org/debian jessie-backports main'
|
line: 'deb http://mirror.evolix.org/debian jessie-backports main'
|
||||||
state: present
|
state: present
|
||||||
when: release == "jessie-backports"
|
when: evoacme_certbot_release == "jessie-backports"
|
||||||
|
|
||||||
- name: Install certbot with apt
|
- name: Install certbot with apt
|
||||||
apt:
|
apt:
|
||||||
name: certbot
|
name: certbot
|
||||||
state: latest
|
state: latest
|
||||||
default_release: "{{release}}"
|
default_release: "{{ evoacme_certbot_release }}"
|
||||||
update_cache: yes
|
update_cache: yes
|
||||||
|
|
||||||
- name: Mount /usr in rw
|
- name: Mount /usr in rw
@ -57,7 +59,9 @@
- name: Install certbot symlink for source install
|
- name: Install certbot symlink for source install
|
||||||
copy:
|
copy:
|
||||||
dest: /usr/local/bin/certbot
|
dest: /usr/local/bin/certbot
|
||||||
content: '#!/bin/sh\nsudo /opt/certbot/certbot-auto $@'
|
content: |
|
||||||
|
#!/bin/sh
|
||||||
|
sudo /opt/certbot/certbot-auto $@
|
||||||
mode: 0755
|
mode: 0755
|
||||||
|
|
||||||
- name: Add sudo right for source install
|
- name: Add sudo right for source install
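Review bot: The wrapper written in the last hunk forwards its arguments as unquoted `$@`, which re-splits any argument containing whitespace before it reaches certbot-auto; write `exec sudo /opt/certbot/certbot-auto "$@"` so arguments arrive intact and the wrapper does not linger as an extra process. Because the script is mode 0755 and depends on the sudoers rule added by the task right after this hunk, every account covered by that rule effectively runs certbot-auto as root through it, which deserves a comment on the copy task stating that intent. Separately, `evoacme_certbot_release` is only set by the two conditional `set_fact` tasks, so on a host matching neither condition `default_release: "{{ evoacme_certbot_release }}"` and the `when: evoacme_certbot_release == "jessie-backports"` test fail on an undefined variable unless the role defaults (not fully visible here) define it; a default in defaults/main.yml or an explicit `fail:` task for unsupported releases would make that path deliberate.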
@ -5,7 +5,7 @@
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
value: "{{ item.var }}"
|
value: "{{ item.var }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { name: 'default_bits', var: "{{ ssl_key_size }}" }
|
- { name: 'default_bits', var: "{{ evoacme_ssl_key_size }}" }
|
||||||
- { name: 'encrypt_key', var: 'yes' }
|
- { name: 'encrypt_key', var: 'yes' }
|
||||||
- { name: 'distinguished_name', var: 'req_dn' }
|
- { name: 'distinguished_name', var: 'req_dn' }
|
||||||
- { name: 'prompt', var: 'no' }
|
- { name: 'prompt', var: 'no' }
@ -17,12 +17,12 @@
option: "{{ item.name }}"
|
option: "{{ item.name }}"
|
||||||
value: "{{ item.var }}"
|
value: "{{ item.var }}"
|
||||||
with_items:
|
with_items:
|
||||||
- { name: 'C', var: "{{ ssl_ct }}" }
|
- { name: 'C', var: "{{ evoacme_ssl_ct }}" }
|
||||||
- { name: 'ST', var: "{{ ssl_state }}" }
|
- { name: 'ST', var: "{{ evoacme_ssl_state }}" }
|
||||||
- { name: 'L', var: "{{ ssl_loc }}" }
|
- { name: 'L', var: "{{ evoacme_ssl_loc }}" }
|
||||||
- { name: 'O', var: "{{ ssl_org }}" }
|
- { name: 'O', var: "{{ evoacme_ssl_org }}" }
|
||||||
- { name: 'OU', var: "{{ ssl_ou }}" }
|
- { name: 'OU', var: "{{ evoacme_ssl_ou }}" }
|
||||||
- { name: 'emailAddress', var: "{{ ssl_email }}" }
|
- { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
|
||||||
|
|
||||||
- name: Copy new evoacme conf
|
- name: Copy new evoacme conf
|
||||||
template:
|
template:
@ -1,3 +1,4 @@
- name: Generate DH paramaters
|
- name: Generate DH paramaters
|
||||||
shell: openssl dhparam -rand - {{dhparam_size}} -out /etc/ssl/dhparam.pem
|
command: openssl dhparam -rand - {{ evoacme_dhparam_size }} -out /etc/ssl/dhparam.pem
|
||||||
creates=/etc/ssl/dhparam.pem
|
args:
|
||||||
|
creates: /etc/ssl/dhparam.pem
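Review bot: The output path `/etc/ssl/dhparam.pem` stays hard-coded twice in this task while every other path in the role now comes from an `evoacme_*` variable; exposing it as e.g. `evoacme_dhparam_path` (defaulting to the current value) keeps the role consistent and lets the webserver templates reference the same variable. `creates:` also makes this a one-shot: changing `evoacme_dhparam_size` later never regenerates the file, which is worth a comment such as `# Generated once; remove the file to regenerate with a new size`. The `-rand -` option looks like a leftover — OpenSSL appears to treat `-` as a file name rather than stdin here, so it contributes nothing and can be dropped in favour of OpenSSL's default seeding.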
@ -1,12 +1,19 @@
---
|
---
|
||||||
- include: tasks/certbot.yml
|
- include: tasks/certbot.yml
|
||||||
|
|
||||||
- include: tasks/acme.yml
|
- include: tasks/acme.yml
|
||||||
|
|
||||||
- include: tasks/conf.yml
|
- include: tasks/conf.yml
|
||||||
|
|
||||||
- include: tasks/scripts.yml
|
- include: tasks/scripts.yml
|
||||||
|
|
||||||
- include: tasks/webserver.yml
|
- include: tasks/webserver.yml
|
||||||
|
|
||||||
- include: tasks/apache.yml
|
- include: tasks/apache.yml
|
||||||
when: sta.stat.isreg is defined and sta.stat.isreg == True
|
when: sta.stat.isreg is defined and sta.stat.isreg
|
||||||
|
|
||||||
- include: tasks/nginx.yml
|
- include: tasks/nginx.yml
|
||||||
when: stn.stat.isreg is defined and stn.stat.isreg == True
|
when: stn.stat.isreg is defined and stn.stat.isreg
|
||||||
|
|
||||||
- include: tasks/dhparam.yml
|
- include: tasks/dhparam.yml
|
||||||
when: stn.stat.isreg is defined and stn.stat.isreg == True
|
when: stn.stat.isreg is defined and stn.stat.isreg
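Review bot: `tasks/dhparam.yml` is included only under the nginx presence check (`stn.stat.isreg`), so on an Apache-only host no DH parameters are generated even though the role configures Apache there; the condition looks copied from the nginx include just above. If the file is only consumed by the nginx template, a comment saying so would stop the next reader from "fixing" it; otherwise widen it to `when: (stn.stat.isreg is defined and stn.stat.isreg) or (sta.stat.isreg is defined and sta.stat.isreg)`.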
@ -1,7 +1,7 @@
---
|
---
|
||||||
- name: Create CSR dir
|
- name: Create CSR dir
|
||||||
file:
|
file:
|
||||||
path: "{{ csr_dir }}"
|
path: "{{ evoacme_csr_dir }}"
|
||||||
state: directory
|
state: directory
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
@ -1,8 +1,10 @@
---
|
---
|
||||||
- name: Determine Nginx presence
|
- name: Determine Nginx presence
|
||||||
stat: path=/etc/nginx/nginx.conf
|
stat:
|
||||||
|
path: /etc/nginx/nginx.conf
|
||||||
register: stn
|
register: stn
|
||||||
|
|
||||||
- name: Determine Apache presence
|
- name: Determine Apache presence
|
||||||
stat: path=/etc/apache2/apache2.conf
|
stat:
|
||||||
|
path: /etc/apache2/apache2.conf
|
||||||
register: sta
|
register: sta
@ -1,6 +1,6 @@
SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
|
SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
|
||||||
Alias /.well-known/acme-challenge {{ acme_dir }}/.well-known/acme-challenge
|
Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge
|
||||||
<Directory "{{ acme_dir }}/.well-known/acme-challenge">
|
<Directory "{{ evoacme_acme_dir }}/.well-known/acme-challenge">
|
||||||
Options -Indexes
|
Options -Indexes
|
||||||
Allow from all
|
Allow from all
|
||||||
Require all granted
|
Require all granted
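Review bot: The `SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk` pattern is an unanchored regex with an unescaped dot and a trailing `/*` meaning "zero or more slashes", so it matches the substring anywhere in the path (e.g. `/app/.well-known/acme-challenge`) rather than only the challenge prefix; anchoring it as `SetEnvIf Request_URI "^/\.well-known/acme-challenge/" no-jk` limits the mod_jk bypass to the intended path. The `<Directory>` block also mixes the 2.2-style `Allow from all` with the 2.4 `Require all granted`, which Apache documents as unsupported in one context; keep the form matching the target version. Adding `AllowOverride None` would prevent an `.htaccess` placed in the challenge directory — owned and writable by the unprivileged `acme` user according to the acme tasks — from changing the server's behaviour.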
@ -1,8 +1,8 @@
### File generated by Ansible ###
|
### File generated by Ansible ###
|
||||||
|
|
||||||
SSL_KEY_DIR={{ssl_key_dir}}
|
SSL_KEY_DIR={{ evoacme_ssl_key_dir }}
|
||||||
ACME_DIR={{acme_dir}}
|
ACME_DIR={{ evoacme_acme_dir }}
|
||||||
CSR_DIR={{csr_dir}}
|
CSR_DIR={{ evoacme_csr_dir }}
|
||||||
CRT_DIR={{crt_dir}}
|
CRT_DIR={{ evoacme_crt_dir }}
|
||||||
LOG_DIR={{log_dir}}
|
LOG_DIR={{ evoacme_log_dir }}
|
||||||
SSL_MINDAY={{ssl_minday}}
|
SSL_MINDAY={{ evoacme_ssl_minday }}
@ -1,4 +1,4 @@
location /.well-known/acme-challenge {
|
location /.well-known/acme-challenge {
|
||||||
alias {{ acme_dir }}/.well-known/acme-challenge;
|
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
|
||||||
try_files $uri =404;
|
try_files $uri =404;
|
||||||
}
|
}