slfhst/ansible
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

♻: manage san for certificate/domain/sni routing #9

Merged
clement.veret merged 1 commits from web_hostname_san into main 2025-04-11 17:12:43 +02:00
Conversation 0 Commits 1 Files Changed 14 +53 -51
14 changed files with 53 additions and 51 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
inventory/host_vars/web1.yml
View File

@@ -13,11 +13,10 @@ web_hostname:
type: bac type: bac
- host: mail.libertus.eu - host: mail.libertus.eu
type: roundcube type: roundcube
- host: perso.nintendojo.fr
acme_unmanaged: true
- host: perso.libertus.eu
acme_unmanaged: true
- host: r.mateu.be - host: r.mateu.be
san:
- perso.libertus.eu
- perso.nintendojo.fr
- host: ff.libertus.eu - host: ff.libertus.eu
type: firefly3 type: firefly3
- host: koi.libertus.eu - host: koi.libertus.eu

8
inventory/host_vars/web2.yml
View File

@@ -2,16 +2,16 @@
php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick'] php_modules: ['opcache', 'mysql', 'mbstring', 'gd', 'intl', 'xml', 'bcmath', 'curl', 'imagick']
web_hostname: web_hostname:
- host: nintendojo.fr
acme_unmanaged: true
- host: www.nintendojo.fr - host: www.nintendojo.fr
type: wordpress type: wordpress
san:
- nintendojo.fr
- host: forum.nintendojo.fr - host: forum.nintendojo.fr
type: phpbb type: phpbb
- host: nintendojofr.com
acme_unmanaged: true
- host: www.nintendojofr.com - host: www.nintendojofr.com
type: retrodojo type: retrodojo
san:
- nintendojofr.com
- host: forum.nintendojofr.com - host: forum.nintendojofr.com
mariadb_root_pass: !vault | mariadb_root_pass: !vault |

39
roles/haproxy/templates/haproxy.cfg.j2
View File

@@ -42,10 +42,19 @@ frontend http
acl letsencrypt path_beg /.well-known/acme-challenge acl letsencrypt path_beg /.well-known/acme-challenge
redirect scheme https code 301 if !letsencrypt redirect scheme https code 301 if !letsencrypt
{% for server in haproxy_backend_servers %} {% for server in haproxy_backend_servers %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %} {% for hostname in (
## {{ hostname.host }} configuration (hostvars[server].web_hostname
acl host_{{ hostname.host }} hdr(host) -i {{ hostname.host }} | map(attribute='host'))
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname.host }} +
(hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} hdr(host) -i {{ hostname }}
use_backend http_{{ hostvars[server].ansible_host }} if letsencrypt host_{{ hostname }}
{% endfor %} {% endfor %}
{% endfor %} {% endfor %}
@@ -57,14 +66,24 @@ frontend https
tcp-request inspect-delay 3s tcp-request inspect-delay 3s
tcp-request content accept if { req.ssl_hello_type 1 } tcp-request content accept if { req.ssl_hello_type 1 }
{% for server in haproxy_backend_servers %} {% for server in haproxy_backend_servers %}
{% for hostname in hostvars[server]['web_hostname'] | sort(attribute='host') %} {% for hostname in (
## {{ hostname.host }} configuration (hostvars[server].web_hostname
acl host_{{ hostname.host }} req.ssl_sni -i {{ hostname.host }} | map(attribute='host'))
{% if hostname.allowlistv4 is defined %} +
acl network_allowed_{{ hostname.host }} src {% for addrv4 in hostname.allowlistv4 %}{{ addrv4 }}{% endfor %} (hostvars[server].web_hostname
| selectattr('san', 'defined')
| map(attribute='san')
| flatten)
) | sort
%}
## {{ hostname }} configuration
acl host_{{ hostname }} req.ssl_sni -i {{ hostname }}
{% set host = (hostvars[server].web_hostname | selectattr('host', '==', hostname))[0] %}
{% if host.allowlistv4 is defined %}
acl network_allowed_{{ hostname }} src {% for addrv4 in host.allowlistv4 %}{{ addrv4 }}{% endfor %}
{% endif %} {% endif %}
use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname.host }}{% if hostname.allowlistv4 is defined %} network_allowed_{{ hostname.host }}{% endif %} use_backend https_{{ hostvars[server].ansible_host }} if host_{{ hostname }}{% if host.allowlistv4 is defined %} network_allowed_{{ hostname }}{% endif %}
{% endfor %} {% endfor %}

2
roles/nginx/tasks/acme.yml
View File

@@ -2,7 +2,7 @@
- name: Issue certificate - name: Issue certificate
ansible.builtin.command: ansible.builtin.command:
cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\"" cmd: "/etc/x509/acme.sh --issue --domain {{ host.host }} {{ ['--domain'] | product(host.san | default([])) | map('join', ' ') | join(' ') }} --webroot {{ nginx_letsencrypt_dir }} --reloadcmd \"{{ acme_reload_cmd | default('systemctl reload nginx.service') }}\""
creates: "/etc/x509/{{ host.host }}*" creates: "/etc/x509/{{ host.host }}*"
environment: environment:
LE_WORKING_DIR: "/etc/x509" LE_WORKING_DIR: "/etc/x509"

2
roles/nginx/tasks/main.yml
View File

@@ -46,7 +46,7 @@
- name: Include acme auto cert - name: Include acme auto cert
ansible.builtin.include_tasks: acme.yml ansible.builtin.include_tasks: acme.yml
loop: "{{ web_hostname | rejectattr('acme_unmanaged', 'defined') }}" loop: "{{ web_hostname }}"
loop_control: loop_control:
loop_var: "host" loop_var: "host"

2
roles/nginx/templates/header.conf.j2
View File

@@ -3,7 +3,7 @@
ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer; ssl_certificate /etc/x509/{{ item.host }}/fullchain.cer;
ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key; ssl_certificate_key /etc/x509/{{ item.host }}/{{ item.host }}.key;
server_name {{ item.host }}; server_name {{ item.host }}{{ ' ' ~ item.san | join(' ') if item.san is defined }};
access_log /var/log/nginx/{{ item.host }}.access.log combined; access_log /var/log/nginx/{{ item.host }}.access.log combined;
access_log syslog:server=unix:/dev/log combined; access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/{{ item.host }}.error.log; error_log /var/log/nginx/{{ item.host }}.error.log;

0
roles/nginx/templates/vhosts/nintendojo.fr.conf.j2
View File

0
roles/nginx/templates/vhosts/nintendojofr.com.conf.j2
View File

0
roles/nginx/templates/vhosts/perso.libertus.eu.conf.j2
View File

0
roles/nginx/templates/vhosts/perso.nintendojo.fr.conf.j2
View File

12
roles/nginx/templates/vhosts/r.mateu.be.conf.j2
View File

@@ -1,15 +1,5 @@
server { server {
listen *:443 ssl http2; {% include './templates/header.conf.j2' %}
listen [::]:443 ssl http2;
server_name r.mateu.be perso.nintendojo.fr perso.libertus.eu;
access_log /var/log/nginx/r.mateu.be.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/r.mateu.be.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/r.mateu.be/fullchain.cer;
ssl_certificate_key /etc/x509/r.mateu.be/r.mateu.be.key;
root /srv/www-data/r.mateu.be/; root /srv/www-data/r.mateu.be/;
location / { location / {

10
roles/nginx/templates/vhosts/www.nintendojo.fr.conf.j2
View File

@@ -7,15 +7,7 @@ fastcgi_cache_path
max_size=250m; max_size=250m;
server { server {
listen *:443 ssl http2; {% include './templates/header.conf.j2' %}
listen [::]:443 ssl http2;
server_name nintendojo.fr www.nintendojo.fr;
access_log /var/log/nginx/nintendojo.fr.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojo.fr.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojo.fr/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojo.fr/www.nintendojo.fr.key;
root /var/www/www.nintendojo.fr/; root /var/www/www.nintendojo.fr/;
index index.html index.htm index.php; index index.html index.htm index.php;

10
roles/nginx/templates/vhosts/www.nintendojofr.com.conf.j2
View File

@@ -1,13 +1,5 @@
server { server {
listen *:443 ssl http2; {% include './templates/header.conf.j2' %}
listen [::]:443 ssl http2;
server_name www.nintendojofr.com nintendojofr.com;
access_log /var/log/nginx/nintendojofr.com.access.log combined;
access_log syslog:server=unix:/dev/log combined;
error_log /var/log/nginx/nintendojofr.com.error.log;
error_log syslog:server=unix:/dev/log;
ssl_certificate /etc/x509/www.nintendojofr.com/fullchain.cer;
ssl_certificate_key /etc/x509/www.nintendojofr.com/www.nintendojofr.com.key;
root /var/www/www.nintendojofr.com/; root /var/www/www.nintendojofr.com/;
index index.html index.htm index.php; index index.html index.htm index.php;

12
roles/nsd/tasks/zones.yml
View File

@@ -11,7 +11,17 @@
dns_serial: "{{ ansible_date_time.epoch }}" dns_serial: "{{ ansible_date_time.epoch }}"
web_hostname_block: |- web_hostname_block: |-
{% for webserver in groups['webservers'] | sort -%} {% for webserver in groups['webservers'] | sort -%}
{% for web_hostname in (hostvars[webserver]['web_hostname'] | selectattr('host', 'match', '.*' ~ item.name) | map(attribute='host') | sort) -%} {% for web_hostname in (
(hostvars[webserver]['web_hostname']
| selectattr('host', 'match', '.*' ~ item.name)
| map(attribute='host')
+
(hostvars[webserver]['web_hostname']
| selectattr('san', 'defined')
| map(attribute='san')
| flatten
| select('match', '.*' ~ item.name)))
| sort) -%}
{% if web_hostname is match("(\S+\.){2}") %} {% if web_hostname is match("(\S+\.){2}") %}
{{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}. {{ web_hostname | regex_replace('\.' ~ item.name ~ '$', '') }} IN CNAME {{ hostvars[webserver].ansible_host }}.
{% else %} {% else %}