diff --git a/inventory/host_vars/jabber.yml b/inventory/host_vars/jabber.yml
index 71dc45c..9cad1aa 100644
--- a/inventory/host_vars/jabber.yml
+++ b/inventory/host_vars/jabber.yml
@@ -1,6 +1,7 @@
 ---
 web_hostname:
 - host: libertus.eu
+acme_reload_cmd: "systemctl restart prosody.service"
 - host: upload.libertus.eu
 - host: xmpp.libertus.eu
diff --git a/inventory/host_vars/ks3370405.yml b/inventory/host_vars/ks3370405.yml
index 7206014..c5ec593 100644
--- a/inventory/host_vars/ks3370405.yml
+++ b/inventory/host_vars/ks3370405.yml
@@ -2,6 +2,7 @@
 web_hostname:
 - host: mail-relay.mateu.be
+acme_reload_cmd: "systemctl restart postfix.service"
 allowed_smtp_ips: "{{ [global_public_ip_address] + ['80.67.179.200'] }}"
diff --git a/inventory/host_vars/mail.yml b/inventory/host_vars/mail.yml
index d0cb333..817fdc1 100644
--- a/inventory/host_vars/mail.yml
+++ b/inventory/host_vars/mail.yml
@@ -1,4 +1,6 @@
 ---
 web_hostname:
 - host: imap.libertus.eu
+acme_reload_cmd: "systemctl restart dovecot.service"
 - host: smtp.libertus.eu
+acme_reload_cmd: "systemctl restart postfix.service"
diff --git a/inventory/host_vars/web1.yml b/inventory/host_vars/web1.yml
index 1ef4aa3..e8f0c91 100644
--- a/inventory/host_vars/web1.yml
+++ b/inventory/host_vars/web1.yml
@@ -14,7 +14,9 @@ web_hostname:
 - host: mail.libertus.eu
 type: roundcube
 - host: perso.nintendojo.fr
+acme_unmanaged: true
 - host: perso.libertus.eu
+acme_unmanaged: true
 - host: r.mateu.be
 - host: ff.libertus.eu
 type: firefly3
diff --git a/inventory/host_vars/web2.yml b/inventory/host_vars/web2.yml
index 63b273d..99bd9f1 100644
--- a/inventory/host_vars/web2.yml
+++ b/inventory/host_vars/web2.yml
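Review bot: `acme_reload_cmd` is added as a key of the `web_hostname` list item (it sits under `- host: libertus.eu`, and mail.yml carries it on two separate items), but roles/nginx/tasks/acme.yml in this same commit reads it as a top-level variable: `{{ acme_reload_cmd | default('systemctl reload nginx.service') }}`. Unless `acme_reload_cmd` is also defined at host or group level somewhere outside this diff, that lookup is always undefined, and every certificate — including the prosody, postfix and dovecot ones — gets the nginx reload hook instead of the one configured here. The fix belongs in acme.yml, whose loop variable is `host`: `--reloadcmd \"{{ host.acme_reload_cmd | default('systemctl reload nginx.service') }}\"`. The same applies to the ks3370405.yml and mail.yml hunks. Separately, `systemctl reload` rather than `restart` would avoid dropping live client sessions on each renewal, where the unit provides an ExecReload.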
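Review bot: The two `acme_unmanaged: true` entries carry no hint of why these vhosts are excluded from the acme.sh loop added in roles/nginx/tasks/main.yml (certificate issued by another path, or no TLS at all). A one-line comment above each flag, e.g. `# cert handled outside acme.sh — TODO: state where`, would save the next maintainer a search; the same applies to the nintendojo.fr and nintendojofr.com entries in the web2.yml hunk.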
@@ -3,10 +3,12 @@ php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'cu
 web_hostname:
 - host: nintendojo.fr
+acme_unmanaged: true
 - host: www.nintendojo.fr
 - host: forum.nintendojo.fr
 type: phpbb
 - host: nintendojofr.com
+acme_unmanaged: true
 - host: www.nintendojofr.com
 type: retrodojo
 - host: forum.nintendojofr.com
diff --git a/roles/nginx/tasks/acme.yml b/roles/nginx/tasks/acme.yml
new file mode 100644
index 0000000..f61449b
--- /dev/null
+++ b/roles/nginx/tasks/acme.yml
@@ -0,0 +1,28 @@
+---
+- name: Issue certificate
+ansible.builtin.command:
+cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
+creates: "/etc/x509/{{ host.host }}*"
+environment:
+LE_WORKING_DIR: "/etc/x509"
+- name: Check if ecc dir
+ansible.builtin.stat:
+path: "/etc/x509/{{ host.host }}_ecc"
+register: _nginx_x509_ecc_dir
+- name: Move dir if exists
+when: _nginx_x509_ecc_dir.stat.exists
+block:
+- name: Copy ecc dir
+ansible.builtin.copy:
+remote_src: true
+src: "/etc/x509/{{ host.host }}_ecc/"
+dest: "/etc/x509/{{ host.host }}"
+mode: "{{ _nginx_x509_ecc_dir.stat.mode }}"
+- name: Remove ecc dir
+ansible.builtin.file:
+path: "/etc/x509/{{ host.host }}_ecc/"
+state: absent
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index e94d40c..c794f1f 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -41,5 +41,14 @@
 mode: 'u+rwx,g+rs,o-rwx'
 state: directory
+- name: Flush handlers
+ansible.builtin.meta: flush_handlers
+- name: Include acme auto cert
+ansible.builtin.include_tasks: acme.yml
+loop: "{{ web_hostname | rejectattr('acme_unmanaged', 'defined') }}"
+loop_control:
+loop_var: "host"
 - name: Include vhosts
 ansible.builtin.include_tasks: vhosts.yml
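Review bot: The `--issue` command in the `Issue certificate` task passes no `--server`, and acme.sh 3.x defaults to ZeroSSL unless a default CA has been set on the host; this commit also tightens the CAA record in roles/nsd/templates/zones/giteu.be.zone.j2 to `issue "letsencrypt.org"`, so for zones rendered from that template issuance from the default CA would be refused by CAA. Adding `--server letsencrypt` to the `cmd:` string pins the CA that the record allows. The `Move dir if exists` block copies `/etc/x509/<host>_ecc` to `/etc/x509/<host>` and deletes the original, but acme.sh's renewal cron derives the certificate directory from the key type stored in the domain conf, so it will presumably look for the `_ecc` directory again at renewal time and the copied tree would go stale — confirm with a forced renewal before relying on it. If the goal is a stable path for nginx and the mail daemons, `--key-file`/`--fullchain-file` on the `--issue` call (acme.sh copies to those paths on every renewal and then runs `--reloadcmd`) achieves that without moving acme.sh's own state. The `creates: "/etc/x509/{{ host.host }}*"` glob also means a first issue that failed after acme.sh created the domain directory is never retried.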
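Review bot: The `Flush handlers` task inserted before the acme include carries no comment, and its purpose — presumably forcing the pending nginx handlers to run so the webroot under `nginx_letsencrypt_dir` is actually served before `acme.sh --issue` answers the HTTP-01 challenge — is not obvious from `ansible.builtin.meta: flush_handlers` alone. A comment such as `# nginx must be serving the webroot before acme.sh answers HTTP-01 challenges` would make the ordering constraint explicit. Note also that `rejectattr('acme_unmanaged', 'defined')` excludes an entry that sets `acme_unmanaged: false` exactly like one that sets `true`; if that is intended, a short comment on the `loop:` line saying the key's presence is the switch would prevent surprises.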
diff --git a/roles/nsd/templates/zones/giteu.be.zone.j2 b/roles/nsd/templates/zones/giteu.be.zone.j2
index cb84312..4e5248a 100644
--- a/roles/nsd/templates/zones/giteu.be.zone.j2
+++ b/roles/nsd/templates/zones/giteu.be.zone.j2
@@ -13,7 +13,7 @@ $TTL 86400
 {% endfor %}
 $ORIGIN {{ item.name }}.
-@ IN CAA 0 issue ";"
+@ IN CAA 0 issue "letsencrypt.org"
 @ IN MX 0 .
 @ IN TXT "v=spf1 -all"
 @ IN TXT "spf2.0/mfrom -all"
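Review bot: `issue "letsencrypt.org"` replaces the deny-all `issue ";"`, which is the right direction for the acme.sh flow added in roles/nginx/tasks/acme.yml, but only this template is changed; since `$ORIGIN {{ item.name }}.` suggests it is rendered per zone, confirm it covers libertus.eu, mateu.be and nintendojo.fr, whose hosts the inventory hunks enrol — any zone still carrying `issue ";"` will have issuance refused. Without an `issuewild` tag the `issue` tag also authorises wildcard issuance, which is fine if intended. An `iodef` record, `@ IN CAA 0 iodef "mailto:<security-contact placeholder>"`, would have CAs report refused issuance attempts to you.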