10 Commits
Author | SHA1 | Date |
---|---|---|
Alex Kotov | ac34d5ace8 | |
Alex Kotov | 9281ffc13e | |
Alex Kotov | cbf3ef3828 | |
Alex Kotov | a853379753 | |
Alex Kotov | afdafefedf | |
Alex Kotov | 385bfcf577 | |
Alex Kotov | aef9f25799 | |
Alex Kotov | 5fa758cce8 | |
Alex Kotov | d6e5d0dbf1 | |
Alex Kotov | a70574dd4c |
|
@ -1,10 +1,3 @@
|
|||
---
|
||||
common__basics__unnecessary_packages: false
|
||||
common__basics__additional_packages: []
|
||||
|
||||
common__certbot__state: install
|
||||
common__certbot__run: true
|
||||
common__certbot__email: 'user@example.com'
|
||||
common__certbot__cert_name: 'example.com'
|
||||
common__certbot__cert_domains: ['example.com', 'www.example.com']
|
||||
common__certbot__post_hook: null
|
||||
common__certbot__pre_hook: null
|
||||
|
|
|
@ -17,8 +17,11 @@ galaxy_info:
|
|||
versions:
|
||||
- stretch # Debian 9 Stretch
|
||||
- buster # Debian 10 Buster
|
||||
- bullseye # Debian 11 Bullseye
|
||||
- bookworm # Debian 12 Bookworm
|
||||
- name: Ubuntu
|
||||
versions:
|
||||
- xenial # Ubuntu 16.04 LTS Xenial Xerus
|
||||
- bionic # Ubuntu 18.04 LTS Bionic Beaver
|
||||
- focal # Ubuntu 20.04 LTS Focal Fossa
|
||||
- jammy # Ubuntu 22.04 LTS Jammy Jellyfish
|
||||
|
|
|
@ -10,14 +10,26 @@
|
|||
- gnupg
|
||||
- gnupg2
|
||||
- gzip
|
||||
- htop
|
||||
- net-tools
|
||||
- pkg-config
|
||||
- procps
|
||||
- psmisc
|
||||
- software-properties-common
|
||||
- unzip
|
||||
- wget
|
||||
- zip
|
||||
|
||||
- name: Install unnecessary packages
|
||||
when: common__basics__unnecessary_packages | bool
|
||||
apt:
|
||||
name:
|
||||
- cowsay
|
||||
- figlet
|
||||
- lolcat
|
||||
- neofetch
|
||||
- toilet
|
||||
|
||||
- name: Install additional packages
|
||||
apt:
|
||||
name: '{{ common__basics__additional_packages }}'
|
||||
|
|
|
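Review bot: The `Install additional packages` task has no guard for the empty default, so with `common__basics__additional_packages: []` (the default the first hunk leaves in place) apt is handed an empty `name` list on every run; whether that is a silent no-op or a module error depends on the Ansible version in use. Gate it with `when: common__basics__additional_packages | length > 0` and make the intended state explicit with `state: present`, so the task reads the same way as the `unnecessary_packages` one above it. Because the list comes straight from inventory, anyone who can set that variable can install arbitrary packages on every host in the group; an `assert` that the value is a list of package-name strings would at least reject a stray scalar or mapping before it reaches apt. The task list this hunk extends starts above it (the first package list belongs to a task whose header is outside the hunk).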
@ -1,86 +0,0 @@
|
|||
---
|
||||
- name: Create Let's Encrypt system group
|
||||
group:
|
||||
name: '{{ common__certbot__group }}'
|
||||
system: true
|
||||
|
||||
- name: Install Certbot
|
||||
apt:
|
||||
name: certbot
|
||||
|
||||
- name: Create directories for Let's Encrypt configuration
|
||||
file:
|
||||
state: directory
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rwx,go=rx'
|
||||
owner: root
|
||||
group: root
|
||||
with_items:
|
||||
- '{{ common__certbot__conf_dir }}'
|
||||
- '{{ common__certbot__archive_dir }}'
|
||||
- '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
|
||||
- '{{ common__certbot__live_dir }}'
|
||||
- '{{ common__certbot__live_dir }}/{{ common__certbot__cert_name }}'
|
||||
|
||||
- name: Install Let's Encrypt config
|
||||
template:
|
||||
src: templates/certbot/cli.ini
|
||||
dest: '{{ common__certbot__conf_cli }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Install Nginx SSL options
|
||||
template:
|
||||
src: templates/certbot/options-ssl-nginx.conf
|
||||
dest: '{{ common__certbot__conf_nginx }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: Obtain Let's Encrypt certificate
|
||||
command: 'certbot certonly'
|
||||
register: common__certbot__result
|
||||
when: common__certbot__run|bool
|
||||
changed_when: >-
|
||||
common__certbot__result.stdout is
|
||||
not search('Certificate not yet due for renewal; no action taken.')
|
||||
|
||||
- name: Find Let's Encrypt certificates and chains
|
||||
register: certs_and_chains
|
||||
find:
|
||||
paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
|
||||
patterns:
|
||||
- 'cert*.pem'
|
||||
- 'chain*.pem'
|
||||
- 'fullchain*.pem'
|
||||
|
||||
- name: Find Let's Encrypt private keys
|
||||
register: privkeys
|
||||
find:
|
||||
paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}'
|
||||
patterns: 'privkey*.pem'
|
||||
|
||||
- name: Display Let's Encrypt certificates and chains
|
||||
debug:
|
||||
msg: "{{ certs_and_chains.files | map(attribute='path') | list }}"
|
||||
|
||||
- name: Display Let's Encrypt private keys
|
||||
debug:
|
||||
msg: "{{ privkeys.files | map(attribute='path') | list }}"
|
||||
|
||||
- name: Change group of Let's Encrypt certificates and chains
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rw,go=r'
|
||||
owner: root
|
||||
group: root
|
||||
with_items: "{{ certs_and_chains.files | map(attribute='path') | list }}"
|
||||
|
||||
- name: Change group of Let's Encrypt private keys
|
||||
file:
|
||||
path: '{{ item }}'
|
||||
mode: 'u=rw,g=r,o='
|
||||
owner: root
|
||||
group: '{{ common__certbot__group }}'
|
||||
with_items: "{{ privkeys.files | map(attribute='path') | list }}"
|
|
@ -1,11 +0,0 @@
|
|||
---
|
||||
- name: Purge Certbot
|
||||
apt:
|
||||
name: certbot
|
||||
state: absent
|
||||
purge: true
|
||||
|
||||
- name: Delete Certbot configuration
|
||||
file:
|
||||
state: absent
|
||||
path: '{{ common__certbot__conf_dir }}'
|
|
@ -1,6 +0,0 @@
|
|||
---
|
||||
- name: Uninstall Certbot
|
||||
apt:
|
||||
name: certbot
|
||||
state: absent
|
||||
purge: false
|
|
@ -3,17 +3,3 @@
|
|||
- include_tasks: usability.yml
|
||||
- include_tasks: ssh.yml
|
||||
- meta: flush_handlers
|
||||
|
||||
- fail:
|
||||
msg: 'Invalid `common__certbot__state`: {{ common__certbot__state }}'
|
||||
when: (common__certbot__state != None) and
|
||||
(common__certbot__state != 'purge') and
|
||||
(common__certbot__state != 'remove') and
|
||||
(common__certbot__state != 'install')
|
||||
- include_tasks: certbot/purge.yml
|
||||
when: common__certbot__state == 'purge'
|
||||
- include_tasks: certbot/remove.yml
|
||||
when: common__certbot__state == 'remove'
|
||||
- include_tasks: certbot/install.yml
|
||||
when: common__certbot__state == 'install'
|
||||
- meta: flush_handlers
|
||||
|
|
|
@ -27,6 +27,6 @@
|
|||
- regexp: '^#?X11Forwarding '
|
||||
line: 'X11Forwarding no'
|
||||
- regexp: '^#?TCPKeepAlive '
|
||||
line: 'TCPKeepAlive no'
|
||||
line: 'TCPKeepAlive yes'
|
||||
- regexp: '^#?UseDNS '
|
||||
line: 'UseDNS no'
|
||||
|
|
|
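Review bot: Switching `TCPKeepAlive` to `yes` (if, as the print order suggests, that is the new line) weakens the sshd hardening this list otherwise applies: TCP keepalives travel outside the encrypted channel and are spoofable, which is why sshd_config(5) and most hardening guides prefer `no` and detect dead peers with the encrypted client-alive probes instead. If the motivation is reaping idle or NAT-expired sessions, add `ClientAliveInterval 300` and `ClientAliveCountMax 3` entries to the same list and keep `TCPKeepAlive no`; if there is a concrete reason for TCP-level keepalives, a one-line comment next to the entry explaining it would stop the next reviewer from reverting it. The loop these regexp/line pairs feed (presumably a lineinfile task) starts above the hunk.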
@ -1,17 +0,0 @@
|
|||
# see https://certbot.eff.org/docs/using.html#certbot-command-line-options
|
||||
agree-tos = true
|
||||
cert-name = {{ common__certbot__cert_name }}
|
||||
domains = {{ common__certbot__cert_domains | join(',') }}
|
||||
email = {{ common__certbot__email }}
|
||||
max-log-backups = 0
|
||||
no-eff-email = true
|
||||
non-interactive = true
|
||||
{% if common__certbot__post_hook %}
|
||||
post-hook = {{ common__certbot__post_hook }}
|
||||
{% endif %}
|
||||
{% if common__certbot__pre_hook %}
|
||||
pre-hook = {{ common__certbot__pre_hook }}
|
||||
{% endif %}
|
||||
redirect = true
|
||||
rsa-key-size = 4096
|
||||
standalone = true
|
|
@ -1,14 +0,0 @@
|
|||
# This file contains important security parameters. If you modify this file
|
||||
# manually, Certbot will be unable to automatically provide future security
|
||||
# updates. Instead, Certbot will print and log an error message with a path to
|
||||
# the up-to-date file that you will need to refer to when manually updating
|
||||
# this file.
|
||||
|
||||
ssl_session_cache shared:le_nginx_SSL:10m;
|
||||
ssl_session_timeout 1440m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_ciphers "{{ common__certbot__nginx_ssl_ciphers | join(':') }}";
|
|
@ -1,17 +0,0 @@
|
|||
---
|
||||
common__certbot__group: 'letsencrypt'
|
||||
common__certbot__conf_dir: '/etc/letsencrypt'
|
||||
common__certbot__conf_cli: '{{ common__certbot__conf_dir }}/cli.ini'
|
||||
common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.conf'
|
||||
common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive'
|
||||
common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live'
|
||||
|
||||
common__certbot__nginx_ssl_ciphers:
|
||||
- 'ECDHE-ECDSA-AES128-GCM-SHA256'
|
||||
- 'ECDHE-RSA-AES128-GCM-SHA256'
|
||||
- 'ECDHE-ECDSA-AES256-GCM-SHA384'
|
||||
- 'ECDHE-RSA-AES256-GCM-SHA384'
|
||||
- 'ECDHE-ECDSA-CHACHA20-POLY1305'
|
||||
- 'ECDHE-RSA-CHACHA20-POLY1305'
|
||||
- 'DHE-RSA-AES128-GCM-SHA256'
|
||||
- 'DHE-RSA-AES256-GCM-SHA384'
|