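---
# Nginx + certbot provisioning tasks.
#
# Flow: install packages, open 80/443, check which certificates already exist
# under /etc/letsencrypt/live, deploy the Cloudflare API credentials file,
# request any missing certificates (plain and wildcard) with certbot's
# dns-cloudflare plugin, then deploy the nginx site/stream configurations,
# open firewall ports for enabled streams and enable the service.
#
# Variables read by these tasks (supplied by the caller):
#   cert_domains         - list of FQDNs to certify as-is (optional, default [])
#   wildcard_domains     - list of domains to certify as *.domain (optional, default [])
#   cloudflare_api_token - rendered into /etc/letsencrypt/secrets when set
#   sites_available      - list of {fqdn, enabled} for HTTP sites (required)
#   streams_available    - list of {fqdn, enabled, listen_port} for stream blocks (optional)
#
# The "Reload nginx" handler referenced via notify is defined outside this file.

- name: Install Nginx and certbot
  ansible.builtin.apt:
    name:
      - nginx
      - libnginx-mod-stream
      - certbot
      - python3-dnspython
      - python3-certbot-dns-cloudflare
    state: present

- name: Allow ports 80 and 443
  # NOTE(review): no `proto` is set, so the ufw rule covers both tcp and udp on
  # these ports; if nothing listens on udp, `proto: tcp` would be tighter — confirm.
  loop:
    - 80
    - 443
  community.general.ufw:
    rule: allow
    to_port: '{{ item }}'

- name: Check for existence of certificates
  # Results are indexed in the order cert_domains followed by wildcard_domains.
  # The two certbot tasks below depend on that ordering: plain domains are
  # looked up at idx, wildcards at idx + length(cert_domains).
  ansible.builtin.stat:
    path: /etc/letsencrypt/live/{{ item }}/fullchain.pem
  loop: '{{ [cert_domains | default([]), wildcard_domains | default([])] | flatten }}'
  register: cert_check

- name: Deploy cloudflare secret
  ansible.builtin.template:
    src: certbot_secrets.j2
    dest: /etc/letsencrypt/secrets
    owner: root
    group: root
    mode: "0600"
  # Only run this when the token is defined and non-empty: it must be supplied
  # on the first run and whenever it changes; later runs may omit it.
  when: cloudflare_api_token is defined and not cloudflare_api_token == ""
  # The rendered file holds the API token; keep it out of task output and --diff.
  no_log: true

- name: Verify cloudflare secret exists
  # Complements the conditional above: the token only needs to be supplied on
  # the first run or when it changes, but if it is undefined AND the secret was
  # never deployed, certbot has no credentials to use — fail early.
  ansible.builtin.stat:
    path: /etc/letsencrypt/secrets
  register: check_secret
  failed_when: not check_secret.stat.exists

- name: Request acmedns challenges for uncertified domains
  # DNS-01 via the Cloudflare plugin, one certbot invocation per domain that
  # has no fullchain.pem yet (see cert_check ordering above).
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - '--dns-cloudflare'
      - '--non-interactive'
      - '--agree-tos'
      - '-m'
      - 'sysadmins@ezri.dev'
      - '--dns-cloudflare-propagation-seconds'
      - '30'
      - '--dns-cloudflare-credentials'
      - '/etc/letsencrypt/secrets'
      - '-d'
      - '{{ item }}'
  loop: '{{ cert_domains | default([]) }}'
  loop_control:
    index_var: idx
  when: not cert_check.results[idx].stat.exists

- name: Request acmedns challenges for uncertified wildcard domains
  # Same as above for *.domain; the cert_check index is offset by the number
  # of plain domains because the stat loop was over the flattened list.
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - '--dns-cloudflare'
      - '--non-interactive'
      - '--agree-tos'
      - '-m'
      - 'sysadmins@ezri.dev'
      - '--dns-cloudflare-propagation-seconds'
      - '30'
      - '--dns-cloudflare-credentials'
      - '/etc/letsencrypt/secrets'
      - '-d'
      - '*.{{ item }}'
  loop: '{{ wildcard_domains | default([]) }}'
  loop_control:
    index_var: idx
  when: not cert_check.results[idx + ((cert_domains | default([])) | length)].stat.exists

- name: Create config directories
  loop:
    - /etc/nginx
    - /etc/nginx/sites-available
    - /etc/nginx/sites-enabled
    - /etc/nginx/streams-available
    - /etc/nginx/streams-enabled
  ansible.builtin.file:
    state: directory
    dest: '{{ item }}'
    owner: root
    group: root
    mode: "0755"

- name: Deploy base config file
  ansible.builtin.copy:
    src: nginx.conf
    dest: /etc/nginx/nginx.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx

- name: Deploy site configurations
  # One rendered server block per entry; enabling/disabling is handled by the
  # two symlink tasks that follow.
  loop: '{{ sites_available }}'
  ansible.builtin.template:
    src: site.j2
    dest: /etc/nginx/sites-available/{{ item.fqdn }}.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx

- name: Enable site configurations
  loop: '{{ sites_available }}'
  when: item.enabled
  ansible.builtin.file:
    # Relative symlink so the link stays valid if /etc/nginx is relocated.
    src: ../sites-available/{{ item.fqdn }}.conf
    dest: /etc/nginx/sites-enabled/{{ item.fqdn }}.conf
    state: link
    owner: root
    group: root
  notify: Reload nginx

- name: Disable site configurations
  loop: '{{ sites_available }}'
  when: not item.enabled
  ansible.builtin.file:
    dest: /etc/nginx/sites-enabled/{{ item.fqdn }}.conf
    state: absent
  notify: Reload nginx

- name: Deploy stream configurations
  # With `loop`, `when` is evaluated per item, so looping over an undefined
  # streams_available fails before a `when: ... is defined` guard can skip the
  # task. Defaulting to [] skips cleanly and matches the enable/disable tasks.
  loop: '{{ streams_available | default([]) }}'
  ansible.builtin.template:
    src: stream.j2
    dest: /etc/nginx/streams-available/{{ item.fqdn }}.conf
    owner: root
    group: root
    mode: "0644"
  notify: Reload nginx

- name: Enable stream configurations
  loop: '{{ streams_available | default([]) }}'
  when: item.enabled
  ansible.builtin.file:
    src: ../streams-available/{{ item.fqdn }}.conf
    dest: /etc/nginx/streams-enabled/{{ item.fqdn }}.conf
    state: link
    owner: root
    group: root
  notify: Reload nginx

- name: Disable stream configurations
  loop: '{{ streams_available | default([]) }}'
  when: not item.enabled
  ansible.builtin.file:
    dest: /etc/nginx/streams-enabled/{{ item.fqdn }}.conf
    state: absent
  notify: Reload nginx

- name: Allow connections to enabled streams
  # Same undefined-loop pitfall as "Deploy stream configurations": default to []
  # instead of guarding with `is defined`.
  loop: '{{ streams_available | default([]) }}'
  community.general.ufw:
    rule: allow
    to_port: '{{ item.listen_port }}'
    # Disabled streams have their allow rule removed rather than left open.
    delete: '{{ not item.enabled }}'

- name: Enable nginx
  ansible.builtin.systemd_service:
    name: nginx
    # `true` rather than `yes`: YAML 1.1/1.2 loaders disagree on bare `yes`.
    enabled: true
    state: started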