Merge branch pr-evoacme into unstable
fd7b8ffc9a
|
@ -1,15 +1,15 @@
|
|||
---
|
||||
ssl_key_dir: /etc/ssl/private
|
||||
ssl_key_size: 2048
|
||||
dhparam_size: 2048
|
||||
acme_dir: /var/lib/letsencrypt
|
||||
csr_dir: /etc/ssl/requests
|
||||
crt_dir: /etc/letsencrypt
|
||||
log_dir: /var/log/evoacme
|
||||
ssl_minday: 15
|
||||
ssl_ct: 'FR'
|
||||
ssl_state: 'France'
|
||||
ssl_loc: 'Marseille'
|
||||
ssl_org: 'Evolix'
|
||||
ssl_ou: 'Security'
|
||||
ssl_email: 'security@evolix.net'
|
||||
evoacme_ssl_key_dir: /etc/ssl/private
|
||||
evoacme_ssl_key_size: 2048
|
||||
evoacme_dhparam_size: 2048
|
||||
evoacme_acme_dir: /var/lib/letsencrypt
|
||||
evoacme_csr_dir: /etc/ssl/requests
|
||||
evoacme_crt_dir: /etc/letsencrypt
|
||||
evoacme_log_dir: /var/log/evoacme
|
||||
evoacme_ssl_minday: 15
|
||||
evoacme_ssl_ct: 'FR'
|
||||
evoacme_ssl_state: 'France'
|
||||
evoacme_ssl_loc: 'Marseille'
|
||||
evoacme_ssl_org: 'Evolix'
|
||||
evoacme_ssl_ou: 'Security'
|
||||
evoacme_ssl_email: 'security@evolix.net'
|
||||
|
|
|
@ -1,11 +1,11 @@
|
|||
- name: newaliases
|
||||
shell: newaliases
|
||||
command: newaliases
|
||||
|
||||
- name: Test Apache conf
|
||||
shell: apache2ctl -t
|
||||
notify: "Reload Apache conf"
|
||||
|
||||
- name: Reload Apache conf
|
||||
- name: reload apache2
|
||||
service:
|
||||
name=apache2
|
||||
state=reloaded
|
||||
name: apache2
|
||||
state: reloaded
|
||||
|
|
|
@ -10,12 +10,12 @@
|
|||
group: acme
|
||||
state: present
|
||||
createhome: no
|
||||
home: "{{ crt_dir }}"
|
||||
home: "{{ evoacme_crt_dir }}"
|
||||
shell: /bin/false
|
||||
|
||||
- name: Fix crt dir's right
|
||||
file:
|
||||
path: "{{ crt_dir }}"
|
||||
path: "{{ evoacme_crt_dir }}"
|
||||
mode: 0755
|
||||
owner: acme
|
||||
group: acme
|
||||
|
@ -23,7 +23,7 @@
|
|||
|
||||
- name: Fix log dir's right
|
||||
file:
|
||||
path: "{{ log_dir }}"
|
||||
path: "{{ evoacme_log_dir }}"
|
||||
mode: 0755
|
||||
owner: acme
|
||||
group: acme
|
||||
|
@ -31,7 +31,7 @@
|
|||
|
||||
- name: Fix challenge dir's right
|
||||
file:
|
||||
path: "{{ acme_dir }}"
|
||||
path: "{{ evoacme_acme_dir }}"
|
||||
mode: 0755
|
||||
owner: acme
|
||||
group: acme
|
||||
|
|
|
@ -5,7 +5,8 @@
|
|||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
notify: "Test Apache conf"
|
||||
validate: apache2ctl -t
|
||||
notify: reload apache2
|
||||
|
||||
- name: Enable acme challenge conf
|
||||
file:
|
||||
|
@ -14,4 +15,5 @@
|
|||
state: link
|
||||
owner: root
|
||||
group: root
|
||||
notify: "Test Apache conf"
|
||||
validate: apache2ctl -t
|
||||
notify: reload apache2
|
||||
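Review bot: `validate: apache2ctl -t` cannot stand in for the dropped "Test Apache conf" handler: Ansible's copy/template modules reject a validate string that has no `%s` ("validate must contain %s"), and the `file` task in the second hunk (`Enable acme challenge conf`, `state: link`) has no `validate` parameter at all, so it fails with an unsupported-parameter error; the task at the top of the first hunk starts outside the hunk, so its module is inferred from the owner/group/mode keys. A `%s` form would only test the staged file outside the conf tree, which is not what `apache2ctl -t` checks, so the old two-stage flow is the working one. Keep `notify: test apache2 conf` on both tasks and restore a handler in handlers/main.yml such as `- name: test apache2 conf` / `  command: apache2ctl -t` / `  notify: reload apache2`, so a broken vhost is caught before the reload. If the reload handler is to stay the only stage, at least add a `command: apache2ctl -t` task with `changed_when: false` after the link task.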
|
|
|
@ -1,6 +1,7 @@
|
|||
---
|
||||
- name: Set certbot release to Debian stable
|
||||
set_fact: release="stable"
|
||||
set_fact:
|
||||
evoacme_certbot_release: stable
|
||||
when:
|
||||
- ansible_distribution is defined
|
||||
- ansible_distribution == "Debian"
|
||||
|
@ -8,7 +9,8 @@
|
|||
- ansible_distribution_major_version|int > 8
|
||||
|
||||
- name: Set certbot relase to jessie-backports
|
||||
set_fact: release="jessie-backports"
|
||||
set_fact:
|
||||
evoacme_certbot_release: jessie-backports
|
||||
when:
|
||||
- ansible_distribution is defined
|
||||
- ansible_distribution == "Debian"
|
||||
|
@ -21,13 +23,13 @@
|
|||
dest: /etc/apt/sources.list
|
||||
line: 'deb http://mirror.evolix.org/debian jessie-backports main'
|
||||
state: present
|
||||
when: release == "jessie-backports"
|
||||
when: evoacme_certbot_release == "jessie-backports"
|
||||
|
||||
- name: Install certbot with apt
|
||||
apt:
|
||||
name: certbot
|
||||
state: latest
|
||||
default_release: "{{release}}"
|
||||
default_release: "{{ evoacme_certbot_release }}"
|
||||
update_cache: yes
|
||||
|
||||
- name: Mount /usr in rw
|
||||
|
@ -57,7 +59,9 @@
|
|||
- name: Install certbot symlink for source install
|
||||
copy:
|
||||
dest: /usr/local/bin/certbot
|
||||
content: '#!/bin/sh\nsudo /opt/certbot/certbot-auto $@'
|
||||
content: |
|
||||
#!/bin/sh
|
||||
sudo /opt/certbot/certbot-auto $@
|
||||
mode: 0755
|
||||
|
||||
- name: Add sudo right for source install
|
||||
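Review bot: The wrapper body under the new `content: |` block passes `$@` unquoted, so any certbot argument containing whitespace (a hook command, for instance) is re-split before it reaches certbot-auto; write `exec sudo /opt/certbot/certbot-auto "$@"`. The block scalar is a real behaviour fix over the old single-quoted string, whose `\n` stayed a literal backslash-n (single quotes in YAML do no escape processing), which left the whole old script on one `#!/bin/sh...` comment line — worth a sentence in the commit message. Separately, `evoacme_certbot_release` is only set by the two Debian-gated `set_fact` tasks (their `when` lists run past the hunks); on a host where neither matches, `when: evoacme_certbot_release == "jessie-backports"` and `default_release: "{{ evoacme_certbot_release }}"` raise an undefined-variable error instead of skipping, so consider a default in defaults/main.yml or `evoacme_certbot_release | default('stable')` at both sites.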
|
|
|
@ -5,7 +5,7 @@
|
|||
option: "{{ item.name }}"
|
||||
value: "{{ item.var }}"
|
||||
with_items:
|
||||
- { name: 'default_bits', var: "{{ ssl_key_size }}" }
|
||||
- { name: 'default_bits', var: "{{ evoacme_ssl_key_size }}" }
|
||||
- { name: 'encrypt_key', var: 'yes' }
|
||||
- { name: 'distinguished_name', var: 'req_dn' }
|
||||
- { name: 'prompt', var: 'no' }
|
||||
|
@ -17,12 +17,12 @@
|
|||
option: "{{ item.name }}"
|
||||
value: "{{ item.var }}"
|
||||
with_items:
|
||||
- { name: 'C', var: "{{ ssl_ct }}" }
|
||||
- { name: 'ST', var: "{{ ssl_state }}" }
|
||||
- { name: 'L', var: "{{ ssl_loc }}" }
|
||||
- { name: 'O', var: "{{ ssl_org }}" }
|
||||
- { name: 'OU', var: "{{ ssl_ou }}" }
|
||||
- { name: 'emailAddress', var: "{{ ssl_email }}" }
|
||||
- { name: 'C', var: "{{ evoacme_ssl_ct }}" }
|
||||
- { name: 'ST', var: "{{ evoacme_ssl_state }}" }
|
||||
- { name: 'L', var: "{{ evoacme_ssl_loc }}" }
|
||||
- { name: 'O', var: "{{ evoacme_ssl_org }}" }
|
||||
- { name: 'OU', var: "{{ evoacme_ssl_ou }}" }
|
||||
- { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
|
||||
|
||||
- name: Copy new evoacme conf
|
||||
template:
|
||||
|
|
|
@ -1,3 +1,4 @@
|
|||
- name: Generate DH paramaters
|
||||
shell: openssl dhparam -rand - {{dhparam_size}} -out /etc/ssl/dhparam.pem
|
||||
creates=/etc/ssl/dhparam.pem
|
||||
command: openssl dhparam -rand - {{ evoacme_dhparam_size }} -out /etc/ssl/dhparam.pem
|
||||
args:
|
||||
creates: /etc/ssl/dhparam.pem
|
||||
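Review bot: `creates: /etc/ssl/dhparam.pem` makes the task a no-op once the file exists, so raising `evoacme_dhparam_size` later, or inheriting a smaller pre-existing file, silently keeps the old parameters; if the size is meant to be enforced, derive the `creates` target from the size (e.g. `/etc/ssl/dhparam{{ evoacme_dhparam_size }}.pem` with a symlink) or check the existing file's length before regenerating. `-rand -` does not obviously add anything here: the `command` module supplies no stdin and openssl seeds from the system RNG regardless, so the argument can likely be dropped — confirm against the openssl version the hosts run. The file is also written with root's umask and no explicit owner/mode, unlike the role's other artifacts; a follow-up `file:` task would make that deterministic. The `command:` plus `args: creates:` form is the right replacement for the old `shell:` with a trailing `creates=` line.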
|
|
|
@ -1,12 +1,19 @@
|
|||
---
|
||||
- include: tasks/certbot.yml
|
||||
|
||||
- include: tasks/acme.yml
|
||||
|
||||
- include: tasks/conf.yml
|
||||
|
||||
- include: tasks/scripts.yml
|
||||
|
||||
- include: tasks/webserver.yml
|
||||
|
||||
- include: tasks/apache.yml
|
||||
when: sta.stat.isreg is defined and sta.stat.isreg == True
|
||||
when: sta.stat.isreg is defined and sta.stat.isreg
|
||||
|
||||
- include: tasks/nginx.yml
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg == True
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg
|
||||
|
||||
- include: tasks/dhparam.yml
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg == True
|
||||
when: stn.stat.isreg is defined and stn.stat.isreg
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
---
|
||||
- name: Create CSR dir
|
||||
file:
|
||||
path: "{{ csr_dir }}"
|
||||
path: "{{ evoacme_csr_dir }}"
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
|
|
|
@ -1,8 +1,10 @@
|
|||
---
|
||||
- name: Determine Nginx presence
|
||||
stat: path=/etc/nginx/nginx.conf
|
||||
stat:
|
||||
path: /etc/nginx/nginx.conf
|
||||
register: stn
|
||||
|
||||
- name: Determine Apache presence
|
||||
stat: path=/etc/apache2/apache2.conf
|
||||
stat:
|
||||
path: /etc/apache2/apache2.conf
|
||||
register: sta
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
|
||||
Alias /.well-known/acme-challenge {{ acme_dir }}/.well-known/acme-challenge
|
||||
<Directory "{{ acme_dir }}/.well-known/acme-challenge">
|
||||
Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge
|
||||
<Directory "{{ evoacme_acme_dir }}/.well-known/acme-challenge">
|
||||
Options -Indexes
|
||||
Allow from all
|
||||
Require all granted
|
||||
|
|
|
@ -1,8 +1,8 @@
|
|||
### File generated by Ansible ###
|
||||
|
||||
SSL_KEY_DIR={{ssl_key_dir}}
|
||||
ACME_DIR={{acme_dir}}
|
||||
CSR_DIR={{csr_dir}}
|
||||
CRT_DIR={{crt_dir}}
|
||||
LOG_DIR={{log_dir}}
|
||||
SSL_MINDAY={{ssl_minday}}
|
||||
SSL_KEY_DIR={{ evoacme_ssl_key_dir }}
|
||||
ACME_DIR={{ evoacme_acme_dir }}
|
||||
CSR_DIR={{ evoacme_csr_dir }}
|
||||
CRT_DIR={{ evoacme_crt_dir }}
|
||||
LOG_DIR={{ evoacme_log_dir }}
|
||||
SSL_MINDAY={{ evoacme_ssl_minday }}
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
location /.well-known/acme-challenge {
|
||||
alias {{ acme_dir }}/.well-known/acme-challenge;
|
||||
alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
|
||||
try_files $uri =404;
|
||||
}
|
||||
|
|