ansible-roles/common
1
0
Fork 0
Code Issues 2 Releases Activity

Add "tasks/certbot.yml"

Browse source
This commit is contained in:
Alex Kotov 2020-01-14 15:55:56 +05:00
parent e693ffeb34
commit 2bebad039b
Signed by: kotovalexarian
GPG key ID: 553C0EBBEB5D5F08
9 changed files with 1962 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
defaults/main.yml
View file

@ -1,4 +1,11 @@
--- ---
common__certbot__run: true
common__certbot__email: 'user@example.com'
common__certbot__cert_name: 'example.com'
common__certbot__cert_domains: ['example.com', 'www.example.com']
common__certbot__post_hook: 'systemctl is-active nginx.service || systemctl start nginx.service'
common__certbot__pre_hook: 'systemctl is-active nginx.service && systemctl stop nginx.service'
common__nginx__remove_default: true common__nginx__remove_default: true
common__nginx__upstreams: [] common__nginx__upstreams: []
common__nginx__sites: [] common__nginx__sites: []

1858
files/certbot/certbot Normal file
View file

File diff suppressed because it is too large Load diff

13
files/certbot/options-ssl-nginx.conf Normal file
View file

@ -0,0 +1,13 @@
# This file contains important security parameters. If you modify this file
# manually, Certbot will be unable to automatically provide future security
# updates. Instead, Certbot will print and log an error message with a path to
# the up-to-date file that you will need to refer to when manually updating
# this file.
ssl_session_cache shared:le_nginx_SSL:1m;
ssl_session_timeout 1440m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS";

2
molecule/default/playbook.yml
View file

@ -7,3 +7,5 @@
roles: roles:
- role: common - role: common
become: true become: true
vars:
common__certbot__run: false

20
molecule/default/tests/test_default.py
View file

@ -54,3 +54,23 @@ def test_iptables_config(host, version):
def test_nginx_default_removed(host): def test_nginx_default_removed(host):
assert host.file('/etc/nginx/sites-available/default').exists assert host.file('/etc/nginx/sites-available/default').exists
assert not host.file('/etc/nginx/sites-enabled/default').exists assert not host.file('/etc/nginx/sites-enabled/default').exists
def test_certbot_cli_config(host):
f = host.file('/etc/letsencrypt/cli.ini')
assert f.exists
assert f.is_file
assert f.user == 'root'
assert f.group == 'root'
assert f.mode == 0o644
def test_certbot_nginx_config(host):
f = host.file('/etc/letsencrypt/options-ssl-nginx.conf')
assert f.exists
assert f.is_file
assert f.user == 'root'
assert f.group == 'root'
assert f.mode == 0o644

40
tasks/certbot.yml Normal file
View file

@ -0,0 +1,40 @@
---
- name: Install Certbot
copy:
src: files/certbot/certbot
dest: /usr/local/bin/certbot
mode: 'u=rwx,g=rx,o=rx'
owner: root
group: root
- name: Create directory for Let's Encrypt configuration
file:
state: directory
path: '{{ common__certbot__conf_dir }}'
mode: 'u=rwx,g=rx,o=rx'
owner: root
group: root
- name: Install Let's Encrypt config
template:
src: templates/certbot/cli.ini
dest: '{{ common__certbot__conf_cli }}'
mode: 'u=rw,g=r,o=r'
owner: root
group: root
- name: Install Nginx SSL options
copy:
src: files/certbot/options-ssl-nginx.conf
dest: '{{ common__certbot__conf_nginx }}'
mode: 'u=rw,g=r,o=r'
owner: root
group: root
- name: Obtain Let's Encrypt certificate
command: 'certbot certonly'
register: common__certbot__result
when: common__certbot__run
changed_when: >-
common__certbot__result.stdout is
not search('Certificate not yet due for renewal; no action taken.')

1
tasks/main.yml
View file

@ -5,4 +5,5 @@
- include_tasks: usability.yml - include_tasks: usability.yml
- include_tasks: ssh.yml - include_tasks: ssh.yml
- include_tasks: iptables.yml - include_tasks: iptables.yml
- include_tasks: certbot.yml
- include_tasks: nginx.yml - include_tasks: nginx.yml

17
templates/certbot/cli.ini Normal file
View file

@ -0,0 +1,17 @@
# see https://certbot.eff.org/docs/using.html#certbot-command-line-options
agree-tos = true
cert-name = {{ common__certbot__cert_name }}
domains = {{ common__certbot__cert_domains | join(',') }}
email = {{ common__certbot__email }}
max-log-backups = 0
no-eff-email = true
non-interactive = true
{% if common__certbot__post_hook %}
post-hook = {{ common__certbot__post_hook }}
{% endif %}
{% if common__certbot__pre_hook %}
pre-hook = {{ common__certbot__pre_hook }}
{% endif %}
redirect = true
rsa-key-size = 4096
standalone = true

4
vars/main.yml
View file

@ -1,4 +1,8 @@
--- ---
common__certbot__conf_dir: '/etc/letsencrypt'
common__certbot__conf_cli: '{{ common__certbot__conf_dir }}/cli.ini'
common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.conf'
common__iptables__conf_dir: '/etc/iptables' common__iptables__conf_dir: '/etc/iptables'
common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4' common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'
common__iptables__conf_ipv6: '{{ common__iptables__conf_dir }}/rules.v6' common__iptables__conf_ipv6: '{{ common__iptables__conf_dir }}/rules.v6'