commit 7c915015c4f574d18e795da96e9bace32479a237 parent d76233ffb1a6ab9f634ad7e277830ddfee7979dd Author: Paco Esteban <paco@e1e0.net> Date: Mon, 6 Jan 2020 16:58:08 +0100 new role httpd Diffstat:
| A | roles/httpd/defaults/main.yml | | | 34 | ++++++++++++++++++++++++++++++++++ |
| A | roles/httpd/handlers/main.yml | | | 5 | +++++ |
| A | roles/httpd/tasks/main.yml | | | 102 | +++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ |
| A | roles/httpd/templates/acme-client.conf.j2 | | | 21 | +++++++++++++++++++++ |
| A | roles/httpd/templates/httpd.conf.j2 | | | 39 | +++++++++++++++++++++++++++++++++++++++ |
| A | roles/httpd/templates/https-host.conf.j2 | | | 31 | +++++++++++++++++++++++++++++++ |
| A | roles/httpd/templates/renew_cert.sh.j2 | | | 10 | ++++++++++ |
7 files changed, 242 insertions(+), 0 deletions(-)
diff --git a/roles/httpd/defaults/main.yml b/roles/httpd/defaults/main.yml @@ -0,0 +1,34 @@ +--- +httpd_ext_addr: "vio0" +httpd_prefork: 2 + +http_servers: + - server_name: "default" + #no_logging: true + root: "/htdocs/null" + locations: + - name: "/.well-known/acme-challenge/*" + options: + - "root \"/acme\"" + - "request strip 2" + - name: "/*" + options: + - "block return 301 \"https://$HTTP_HOST$REQUEST_URI\"" + +https_servers: [] +# http_servers: +# - server_name: "default" +# server_aliases: +# - alias1 +# - alias2 +# server_owner: "paco" +# #no_logging: true +# root: "/htdocs/null" +# locations: +# - name: "/.well-known/acme-challenge/*" +# options: +# - "root \"/acme\"" +# - "request strip 2" +# - name: "/*" +# options: +# - "block return 301 \"https://$HTTP_HOST$REQUEST_URI\"" diff --git a/roles/httpd/handlers/main.yml b/roles/httpd/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: restart httpd + service: + name: httpd + state: restarted diff --git a/roles/httpd/tasks/main.yml b/roles/httpd/tasks/main.yml @@ -0,0 +1,102 @@ +--- +- name: Assert that at least one certificate exist + stat: + path: "/etc/ssl/letsencrypt/{{ https_servers[0].server_name }}/cert.pem" + register: ssl_certificate_check + +- name: Set main http service + template: + src: templates/httpd.conf.j2 + dest: /etc/httpd.conf + owner: root + group: wheel + mode: 0640 + notify: + - restart httpd + +- name: start and enable httpd + service: + name: httpd + state: started + enabled: yes + +- name: Create acme client config + template: + src: templates/acme-client.conf.j2 + dest: /etc/acme-client.conf + owner: root + group: wheel + mode: 0644 + +- name: Create acme client main folder + file: + path: "/etc/ssl/letsencrypt" + state: directory + owner: root + group: wheel + mode: 0755 + +- name: Create acme client folder structure + file: + path: "/etc/ssl/letsencrypt/{{ item.server_name }}" + state: directory + owner: root + group: wheel + mode: 0755 + with_items: "{{ https_servers }}" + +- name: Call acme client for each domain + command: "/usr/sbin/acme-client -v {{ item.server_name }}" + args: + creates: "/etc/ssl/letsencrypt/{{ item.server_name }}/cert.pem" + notify: + - restart httpd + ignore_errors: yes + with_items: "{{ https_servers }}" + +- name: Create renew script + template: + src: templates/renew_cert.sh.j2 + dest: /usr/local/bin/renew_cert.sh + owner: root + group: wheel + mode: 0755 + +- name: renew script cron task + lineinfile: + path: /etc/daily.local + state: present + create: yes + line: /usr/local/bin/renew_cert.sh + owner: root + group: wheel + mode: 0444 + +- name: Create vhosts folder structure + file: + path: "/var/www{{ item.root }}" + state: directory + recurse: yes + owner: "{{ item.server_owner }}" + group: wheel + mode: 0755 + with_items: "{{ https_servers }}" + +- name: Create https services main folder + file: + path: "/etc/httpd.d" + state: directory + owner: root + group: wheel + mode: 0755 + +- name: Set https services + template: + src: templates/https-host.conf.j2 + dest: "/etc/httpd.d/{{ item.server_name }}.conf" + owner: root + group: wheel + mode: 0640 + notify: + - restart httpd + with_items: "{{ https_servers }}" diff --git a/roles/httpd/templates/acme-client.conf.j2 b/roles/httpd/templates/acme-client.conf.j2 @@ -0,0 +1,21 @@ +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +authority letsencrypt-staging { + api url "https://acme-staging.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-staging-privkey.pem" +} + +{% for server in https_servers %} +domain {{ server.server_name }} { +{% if server.server_aliases|length > 0 %} + alternative names { {% for server_alias in server.server_aliases -%} {{ server_alias }} {% endfor %} } +{% endif %} + domain key "/etc/ssl/letsencrypt/{{ server.server_name }}/privkey.pem" + domain certificate "/etc/ssl/letsencrypt/{{ server.server_name }}/cert.pem" + domain full chain certificate "/etc/ssl/letsencrypt/{{ server.server_name }}/fullchain.pem" + sign with letsencrypt +} +{% endfor %} diff --git a/roles/httpd/templates/httpd.conf.j2 b/roles/httpd/templates/httpd.conf.j2 @@ -0,0 +1,39 @@ +# {{ ansible_managed }} +prefork {{ httpd_prefork }} + +{% for server in http_servers %} +server "{{ server.server_name }}" { + listen on {{ httpd_ext_addr }} port 80 +{% if server.no_logging is defined %} + no log +{% else %} + log { + access "{{ server.server_name }}.access.log" + error "{{ server.server_name }}.error.log" + style combined + } +{% endif %} + +{% for location in server.locations %} + location "{{ location.name }}" { +{% for opt in location.options %} + {{ opt }} +{% endfor %} + } +{% endfor %} + + root "{{ server.root }}" +} +{% endfor %} + +{% if ssl_certificate_check.stat.exists == true %} +{% for server in https_servers %} +include "/etc/httpd.d/{{ server.server_name }}.conf" +{% endfor %} +{% else %} +# No SSL config yet +{% endif %} + +types { + include "/usr/share/misc/mime.types" +} diff --git a/roles/httpd/templates/https-host.conf.j2 b/roles/httpd/templates/https-host.conf.j2 @@ -0,0 +1,31 @@ +server "{{ item.server_name }}" { + listen on {{ httpd_ext_addr }} tls port 443 + +{% for server_alias in item.server_aliases %} + alias {{ server_alias }} +{% endfor %} + + tls { + certificate "/etc/ssl/letsencrypt/{{ item.server_name }}/fullchain.pem" + key "/etc/ssl/letsencrypt/{{ item.server_name }}/privkey.pem" + } +{% if item.no_logging is defined %} + no log +{% else %} + log { + access "{{ item.server_name }}.access.log" + error "{{ item.server_name }}.error.log" + style combined + } +{% endif %} + +{% for location in item.locations %} + location "{{ location.name }}" { +{% for opt in location.options %} + {{ opt }} +{% endfor %} + } +{% endfor %} + + root "{{ item.root }}" +} diff --git a/roles/httpd/templates/renew_cert.sh.j2 b/roles/httpd/templates/renew_cert.sh.j2 @@ -0,0 +1,10 @@ +#!/bin/sh + +{% for server in https_servers %} +/usr/sbin/acme-client -v {{ server.server_name }} +{% endfor %} + +if [ $? -eq 0 ] +then + /usr/sbin/rcctl restart httpd +fi