Improve SSL handling #25

Merged
lukas merged 8 commits from feat/better-ssl into main 2021-05-14 21:58:12 +00:00
2 changed files with 45 additions and 21 deletions


@ -1,11 +1,17 @@
# If self_signed = true, in nginx/files: generate root CA (if regenereate_root_ca = true),
# and sign a wildcard certificate. Copy certificates to /etc/ssl/.
- name: ensure directories exist - name: ensure directories exist
file: file:
path: "{{ item }}" path: "{{ item }}"
state: directory state: directory
mode: '0755' mode: '0755'
loop: loop:
- "{{ nginx_confd_folder }}" - "{{ data_folder }}/nginx"
- name: generate and install self-signed certs - "{{ data_folder }}/nginx/conf.d"
- "{{ data_folder }}/nginx/sites-enabled"
- "{{ data_folder }}/nginx/sites-available"
- "{{ data_folder }}/nginx/snippets"
- name: generate self-signed certs
import_tasks: self-signed.yml import_tasks: self-signed.yml
when: self_signed when: self_signed
- name: create nginx bridge network - name: create nginx bridge network
@ -14,6 +20,18 @@
attachable: true attachable: true
internal: true internal: true
state: present state: present
- name: copy nginx.conf
template:
src: nginx.conf.j2
dest: "{{ data_folder }}/nginx/nginx.conf"
mode: '0755'
- name: copy snippets
template:
src: "{{ item }}"
dest: "{{ data_folder }}/nginx/snippets/{{ item | basename | regex_replace('.j2$', '') }}"
mode: '0755'
with_fileglob:
- "../templates/snippets/*.conf"
- name: run container - name: run container
docker_container: docker_container:
name: 'nginx' name: 'nginx'
@ -22,10 +40,13 @@
- name: bridge - name: bridge
- name: nginx-internal - name: nginx-internal
volumes: volumes:
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/nginx/{{ base_domain }}.key" - "{{ data_folder }}/nginx/sites-available:/etc/nginx/sites-available"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/nginx/{{ base_domain }}.crt" - "{{ data_folder }}/nginx/sites-enabled:/etc/nginx/sites-enabled"
- "{{ nginx_confd_folder }}:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/snippets:/etc/nginx/snippets"
- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/ssl/{{ base_domain }}.crt"
ports: ports:
- "80:80" - "80:80"
- "443:443" - "443:443"
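Review bot: The "copy snippets" task's glob and its dest filter disagree: `with_fileglob` matches `../templates/snippets/*.conf`, yet dest strips a `.j2` suffix with `regex_replace('.j2$', '')`, so either the snippet templates are named `*.conf.j2` and the glob silently matches nothing (with_fileglob skips on no match), or they are plain `*.conf` and the filter is dead. If the templates carry the `.j2` suffix, as the filter suggests, the glob line should read `- "../templates/snippets/*.conf.j2"`. Both new template tasks also write config files with `mode: '0755'`; nginx.conf and the snippets are not executed and `mode: '0644'` is the conventional value. The header comment on the file still gates root-CA regeneration on `regenereate_root_ca`, while self-signed.yml in this same commit checks `generate_cert.root`, so the comment should be updated to name the variable the tasks actually read.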


@ -4,34 +4,37 @@
-new \ -new \
-nodes \ -nodes \
-newkey rsa:2048 \ -newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/rootca.key" \ -keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
-out "{{ data_folder }}/nginx/rootca.pem" \ -out "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
-sha256 \ -sha256 \
-days 3650 \ -days 3650 \
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}" -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
when: generate_cert.root
- name: generate wildcard csr - name: generate wildcard csr
command: openssl req \ command: openssl req \
-new \ -new \
-nodes \ -nodes \
-newkey rsa:2048 \ -newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \ -keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key" \
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \ -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}" -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
when: generate_cert.wildcard
- name: sign wildcard csr with root ca - name: sign wildcard csr with root ca
command: openssl x509 \ command: openssl x509 \
-req \ -req \
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \ -in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
-CA "{{ data_folder }}/nginx/rootca.pem" \ -CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
-CAkey "{{ data_folder }}/nginx/rootca.key" \ -CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
-CAcreateserial \ -CAcreateserial \
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \ -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt" \
-days 3650 \ -days 3650 \
-sha256 -sha256
- name: install root ca when: generate_cert.wildcard
command: trust anchor "{{ data_folder }}/nginx/rootca.pem" - name: copy wildcard certificate and key
become: yes copy:
- name: copy .conf file src: "{{ item }}"
template: dest: "{{ data_folder }}/nginx/{{ item }}"
src: nginx.conf.j2 mode: '0700'
dest: "{{ data_folder }}/nginx/nginx.conf" loop:
mode: '0755' - "{{ base_domain }}.crt"
- "{{ base_domain }}.key"
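Review bot: The openssl commands now write to `{{ playbook_dir }}/roles/nginx/files/...`, a controller-side path, but `command:` runs on the managed host unless the tasks are delegated; the first task's header is above this hunk, so if a `delegate_to: localhost` is set there this is fine, otherwise the files never land where the new "copy wildcard certificate and key" task expects them. With that placement the root CA key and the wildcard private key live inside the playbook tree, so `roles/nginx/files/*.key` (and `rootca.srl` from `-CAcreateserial`) need to be excluded from version control. The copy task applies `mode: '0700'` to both the certificate and the key, which sets an executable bit on files; `'0600'` for the `.key` and `'0644'` for the `.crt` match their actual sensitivity. The `-days 3650` on the wildcard leaf and the `when: generate_cert.wildcard` gate mean that regenerating the root CA alone leaves the existing wildcard cert signed by the old CA, which may be worth a comment on the task.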