Improve SSL handling #25
|
@ -1,11 +1,17 @@
|
||||||
|
# If self_signed = true, in nginx/files: generate root CA (if regenereate_root_ca = true),
|
||||||
|
# and sign a wildcard certificate. Copy certificates to /etc/ssl/.
|
||||||
- name: ensure directories exist
|
- name: ensure directories exist
|
||||||
file:
|
file:
|
||||||
path: "{{ item }}"
|
path: "{{ item }}"
|
||||||
state: directory
|
state: directory
|
||||||
mode: '0755'
|
mode: '0755'
|
||||||
loop:
|
loop:
|
||||||
- "{{ nginx_confd_folder }}"
|
- "{{ data_folder }}/nginx"
|
||||||
- name: generate and install self-signed certs
|
- "{{ data_folder }}/nginx/conf.d"
|
||||||
|
- "{{ data_folder }}/nginx/sites-enabled"
|
||||||
|
- "{{ data_folder }}/nginx/sites-available"
|
||||||
|
- "{{ data_folder }}/nginx/snippets"
|
||||||
|
- name: generate self-signed certs
|
||||||
import_tasks: self-signed.yml
|
import_tasks: self-signed.yml
|
||||||
when: self_signed
|
when: self_signed
|
||||||
- name: create nginx bridge network
|
- name: create nginx bridge network
|
||||||
|
@ -14,6 +20,18 @@
|
||||||
attachable: true
|
attachable: true
|
||||||
internal: true
|
internal: true
|
||||||
state: present
|
state: present
|
||||||
|
- name: copy nginx.conf
|
||||||
|
template:
|
||||||
|
src: nginx.conf.j2
|
||||||
|
dest: "{{ data_folder }}/nginx/nginx.conf"
|
||||||
|
mode: '0755'
|
||||||
|
- name: copy snippets
|
||||||
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: "{{ data_folder }}/nginx/snippets/{{ item | basename | regex_replace('.j2$', '') }}"
|
||||||
|
mode: '0755'
|
||||||
|
with_fileglob:
|
||||||
|
- "../templates/snippets/*.conf"
|
||||||
- name: run container
|
- name: run container
|
||||||
docker_container:
|
docker_container:
|
||||||
name: 'nginx'
|
name: 'nginx'
|
||||||
|
@ -22,10 +40,13 @@
|
||||||
- name: bridge
|
- name: bridge
|
||||||
- name: nginx-internal
|
- name: nginx-internal
|
||||||
volumes:
|
volumes:
|
||||||
|
- "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d"
|
||||||
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
|
- "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf"
|
||||||
- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/nginx/{{ base_domain }}.key"
|
- "{{ data_folder }}/nginx/sites-available:/etc/nginx/sites-available"
|
||||||
- "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/nginx/{{ base_domain }}.crt"
|
- "{{ data_folder }}/nginx/sites-enabled:/etc/nginx/sites-enabled"
|
||||||
- "{{ nginx_confd_folder }}:/etc/nginx/conf.d"
|
- "{{ data_folder }}/nginx/snippets:/etc/nginx/snippets"
|
||||||
|
- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key"
|
||||||
|
- "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/ssl/{{ base_domain }}.crt"
|
||||||
ports:
|
ports:
|
||||||
- "80:80"
|
- "80:80"
|
||||||
- "443:443"
|
- "443:443"
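Review bot: The new `copy nginx.conf` and `copy snippets` tasks write plain configuration files with `mode: '0755'`, which sets the execute bit for no reason; `mode: '0644'` is all nginx needs to read them and keeps the file/directory distinction the `ensure directories exist` task already draws. The added bind mounts for `nginx.conf`, the snippets and especially `/etc/ssl/{{ base_domain }}.key` are writable from inside the container; appending `:ro` to each, e.g. `- "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key:ro"`, stops a compromised nginx process from rewriting its own config or key material. The `.key`/`.crt` mounts are unconditional while the files are only produced `when: self_signed`; on a host where `self_signed` is false Docker would presumably create empty directories at those host paths, so either the mounts need the same guard or the non-self-signed path must supply the files — worth confirming.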
|
||||||
|
|
|
@ -4,34 +4,37 @@
|
||||||
-new \
|
-new \
|
||||||
-nodes \
|
-nodes \
|
||||||
-newkey rsa:2048 \
|
-newkey rsa:2048 \
|
||||||
-keyout "{{ data_folder }}/nginx/rootca.key" \
|
-keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
|
||||||
-out "{{ data_folder }}/nginx/rootca.pem" \
|
-out "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
|
||||||
-sha256 \
|
-sha256 \
|
||||||
-days 3650 \
|
-days 3650 \
|
||||||
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
|
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
|
||||||
|
when: generate_cert.root
|
||||||
- name: generate wildcard csr
|
- name: generate wildcard csr
|
||||||
command: openssl req \
|
command: openssl req \
|
||||||
-new \
|
-new \
|
||||||
-nodes \
|
-nodes \
|
||||||
-newkey rsa:2048 \
|
-newkey rsa:2048 \
|
||||||
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
|
-keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key" \
|
||||||
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
|
-out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
|
||||||
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
|
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
|
||||||
|
when: generate_cert.wildcard
|
||||||
- name: sign wildcard csr with root ca
|
- name: sign wildcard csr with root ca
|
||||||
command: openssl x509 \
|
command: openssl x509 \
|
||||||
-req \
|
-req \
|
||||||
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
|
-in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
|
||||||
-CA "{{ data_folder }}/nginx/rootca.pem" \
|
-CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
|
||||||
-CAkey "{{ data_folder }}/nginx/rootca.key" \
|
-CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
|
||||||
-CAcreateserial \
|
-CAcreateserial \
|
||||||
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
|
-out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt" \
|
||||||
-days 3650 \
|
-days 3650 \
|
||||||
-sha256
|
-sha256
|
||||||
- name: install root ca
|
when: generate_cert.wildcard
|
||||||
command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
|
- name: copy wildcard certificate and key
|
||||||
become: yes
|
copy:
|
||||||
- name: copy .conf file
|
src: "{{ item }}"
|
||||||
template:
|
dest: "{{ data_folder }}/nginx/{{ item }}"
|
||||||
src: nginx.conf.j2
|
mode: '0700'
|
||||||
dest: "{{ data_folder }}/nginx/nginx.conf"
|
loop:
|
||||||
mode: '0755'
|
- "{{ base_domain }}.crt"
|
||||||
|
- "{{ base_domain }}.key"
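Review bot: The `-keyout` lines now place both the root-CA private key (`rootca.key`) and the wildcard private key under `{{ playbook_dir }}/roles/nginx/files/`, i.e. inside the playbook tree, which is normally under version control, so both keys are one `git add` away from being committed; keep them out of the repository (at minimum a `.gitignore` entry such as `roles/nginx/files/*.key`, or generate them on the target under `{{ data_folder }}` as before) and, since `openssl req -keyout` leaves the key file's permissions to the umask, follow up with a `file:` task setting `mode: '0600'` on `rootca.key`. The `copy wildcard certificate and key` task uses `mode: '0700'`, which puts an execute bit on regular files; `'0600'` for the key and `'0644'` for the public certificate is the intended split, and `no_log: true` on the key copy keeps its content out of verbose logs. The `openssl x509 -req` signing step emits no subjectAltName (the CSR carries only `CN=*.{{ base_domain }}` and no `-addext`), and current browsers ignore CN for hostname matching, so the wildcard certificate will presumably be rejected; pass `-extfile` pointing at a templated file containing `subjectAltName=DNS:*.{{ base_domain }},DNS:{{ base_domain }}`. The root-CA generation command starts above this hunk.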
|