From 481a2218ab45f43b4a8f89619a3da3e72f8ca8a0 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Tue, 18 Dec 2018 09:32:58 +0100
Subject: [PATCH] Simplify usage of acmetool with nginx

---
 acmetool/defaults/main.yml | 2 +-
 acmetool/tasks/main.yml | 4 +---
 acmetool/templates/reload-config.j2 | 6 +-----
 webserver/templates/sites/hostnamerewrite.conf | 6 ++----
 webserver/templates/sites/iprewrite.conf | 4 +---
 webserver/templates/sites/mediawiki.conf | 2 +-
 webserver/templates/sites/tlsproxy.conf | 6 ++----
 webserver/templates/sites/webapp.conf | 2 +-
 webserver/templates/ssl-certificate | 3 +++
 9 files changed, 13 insertions(+), 22 deletions(-)
 create mode 100644 webserver/templates/ssl-certificate

diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
index dc1fb52..30bd4da 100644
--- a/acmetool/defaults/main.yml
+++ b/acmetool/defaults/main.yml
@@ -6,4 +6,4 @@
 acmetool_key_type: rsa
 acmetool_rsa_key_size: 4096
 acmetool_mail: "{{ adminaddr }}"
-acmetool_enable_proxy: true
+acmetool_services: ["nginx-proxy"]
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
index bda2e5d..441729b 100644
--- a/acmetool/tasks/main.yml
+++ b/acmetool/tasks/main.yml
@@ -29,7 +29,7 @@
 - name: initially configure acmetool
 # yamllint disable-line rule:line-length
 command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
- when: not acmetool_status.stdout|search(acmetool_endpoint)
+ when: not acmetool_status.stdout is search(acmetool_endpoint)
 tags:
 - acmetool
 - config
@@ -54,7 +54,6 @@
 mode: '0755'
 notify:
 - reload systemd service files
- when: acmetool_enable_proxy
 tags:
 - acmetool
 - services
@@ -68,7 +67,6 @@
 mode: '0644'
 notify:
 - reload systemd service files
- when: acmetool_enable_proxy
 tags:
 - acmetool
 - services
diff --git a/acmetool/templates/reload-config.j2 b/acmetool/templates/reload-config.j2
index 2dbb69e..3271bdf 100644
--- a/acmetool/templates/reload-config.j2
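Review bot: Replacing `acmetool_enable_proxy` with `acmetool_services` is a silent breaking change for existing inventories: a host that still sets `acmetool_enable_proxy: false` now gets the default `["nginx-proxy"]`, and the two tasks in acmetool/tasks/main.yml whose `when: acmetool_enable_proxy` guard is dropped (the hunks at -54 and -68) now run on every host; what those tasks install is not visible in the hunks, but from the mode/notify lines they look like the proxy unit files. If the old variable should still be honoured during a transition, something like `acmetool_services: "{{ ['nginx-proxy'] if acmetool_enable_proxy|default(true) else ['nginx'] }}"` keeps old hosts working; otherwise at least a comment in defaults/main.yml stating that `acmetool_services` replaces `acmetool_enable_proxy` and lists the units the reload hook acts on (inferred from the `SERVICES=` line in reload-config.j2) would make the migration visible to operators.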
+++ b/acmetool/templates/reload-config.j2
@@ -1,5 +1 @@
-{% if acmetool_enable_proxy %}
-SERVICES="nginx-proxy"
-{% else %}
-SERVICES="nginx"
-{% endif %}
+SERVICES="{{acmetool_services|join(" ")}}"
diff --git a/webserver/templates/sites/hostnamerewrite.conf b/webserver/templates/sites/hostnamerewrite.conf
index a095c04..f9863fc 100644
--- a/webserver/templates/sites/hostnamerewrite.conf
+++ b/webserver/templates/sites/hostnamerewrite.conf
@@ -3,11 +3,9 @@ server {
 listen 443 ssl;
 server_name {{server.forward_hostnames.hostnames|default(server.forward_hostnames)|join(" ")}};
- ssl_certificate {{server.certificate}};
- ssl_trusted_certificate {{server.certificate}};
- ssl_certificate_key {{server.private_key}};
+ {% include "ssl-certificate" %}
-{% if server.include_acme is defined and server.include_acme %}
+{% if server.include_acme|default(true) %}
 include /etc/nginx/snippets/acmetool.conf;
 location / {
diff --git a/webserver/templates/sites/iprewrite.conf b/webserver/templates/sites/iprewrite.conf
index d6ec14f..e94b3c6 100644
--- a/webserver/templates/sites/iprewrite.conf
+++ b/webserver/templates/sites/iprewrite.conf
@@ -3,9 +3,7 @@ server {
 listen 443 ssl;
 server_name {{ansible_all_ipv4_addresses|join(" ")}};
- ssl_certificate {{server.certificate}};
- ssl_trusted_certificate {{server.certificate}};
- ssl_certificate_key {{server.private_key}};
+ {% include "ssl-certificate" %}
 return 301 https://{{server.server_name}}$request_uri;
 }
diff --git a/webserver/templates/sites/mediawiki.conf b/webserver/templates/sites/mediawiki.conf
index 8e21742..3aff898 100644
--- a/webserver/templates/sites/mediawiki.conf
+++ b/webserver/templates/sites/mediawiki.conf
@@ -13,7 +13,7 @@ server {
 index {{server.indices|join(" ")}};
 {% endif %}
- {% if server.include_acme is defined and server.include_acme %}
+ {% if server.include_acme|default(true) %}
 include /etc/nginx/snippets/acmetool.conf;
 {% endif -%}
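Review bot: `SERVICES="{{acmetool_services|join(" ")}}"` pastes each list element into a shell variable assignment with no escaping, so an entry containing a double quote, `$` or a backtick changes the meaning of the line for whatever sources this file (presumably the acmetool reload hook, not visible here), and an empty list yields `SERVICES=""`, which reloads nothing without any warning. The values are inventory-controlled, so this is a robustness concern rather than an exposure, but an `assert` task in the role checking that every entry is a plain unit name, or at minimum a template comment such as `{# one systemd unit per entry; names are written unquoted into a shell assignment #}`, would make the contract explicit instead of failing at renewal time.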
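Review bot: `{% if server.include_acme|default(true) %}` flips the default: a site that never set `include_acme` previously got no acmetool snippet and now includes `/etc/nginx/snippets/acmetool.conf`; the same flip is made in mediawiki.conf, tlsproxy.conf and webapp.conf. That matches the commit title, but nginx refuses a config whose `include` target does not exist, so any host where the webserver role runs without the acmetool role will fail to reload unless the snippet is guaranteed elsewhere (not visible in this patch), and sites that relied on the old opt-in now have to set `include_acme: false` explicitly. The commit message should state both consequences, and a comment beside the condition, `{# ACME challenge location is on by default; set include_acme: false to opt out #}`, would spare the next reader the git archaeology. The `server { ... }` block continues outside the hunk.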
diff --git a/webserver/templates/sites/tlsproxy.conf b/webserver/templates/sites/tlsproxy.conf
index 25e2c1b..9652553 100644
--- a/webserver/templates/sites/tlsproxy.conf
+++ b/webserver/templates/sites/tlsproxy.conf
@@ -2,7 +2,7 @@ server {
 listen {% if server.no_ssl is undefined or not server.no_ssl %}443 ssl{% else %}80{% endif %};
 server_name {{server.server_names|default([server.server_name])|join(" ")}};
- {% if server.include_acme is defined and server.include_acme %}
+ {% if server.include_acme|default(true) %}
 include /etc/nginx/snippets/acmetool.conf;
 {% endif -%}
@@ -11,9 +11,7 @@ server {
 {% endif %}
 {% if server.no_ssl is undefined or not server.no_ssl %}
- ssl_certificate {{server.certificate}};
- ssl_trusted_certificate {{server.certificate}};
- ssl_certificate_key {{server.private_key}};
+ {% include "ssl-certificate" %}
 {% endif %}
 {% if server.cipher_strength is defined -%}
 ssl_ciphers '{{ciphers[server.cipher_strength]}}';
diff --git a/webserver/templates/sites/webapp.conf b/webserver/templates/sites/webapp.conf
index 3e8e13e..cb916f5 100644
--- a/webserver/templates/sites/webapp.conf
+++ b/webserver/templates/sites/webapp.conf
@@ -17,7 +17,7 @@ server {
 {% endfor %}
 {% endif %}
- {% if server.include_acme is defined and server.include_acme %}
+ {% if server.include_acme|default(true) %}
 include /etc/nginx/snippets/acmetool.conf;
 {% endif -%}
diff --git a/webserver/templates/ssl-certificate b/webserver/templates/ssl-certificate
new file mode 100644
index 0000000..4b81ce5
--- /dev/null
+++ b/webserver/templates/ssl-certificate
@@ -0,0 +1,3 @@
+ ssl_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+ ssl_trusted_certificate {{server.certificate|default("/var/lib/acme/live/" + server.server_name + "/fullchain")}};
+ ssl_certificate_key {{server.private_key|default("/var/lib/acme/live/" + server.server_name + "/privkey")}};
-- 
GitLab
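Review bot: The three defaults in the new ssl-certificate template are independent of each other, so a site that sets `server.certificate` but not `server.private_key` (or the reverse) is rendered with a certificate from one source and a key from acmetool's live directory, and nginx rejects the server block with a key/certificate mismatch only at reload time; an `assert` in the role that both or neither is defined, or a `{# #}` header stating that the two must be set together, would catch that earlier. The default path also builds on `server.server_name` with no fallback, so hostnamerewrite.conf, which otherwise only references `forward_hostnames` in its hunk, now fails to render for any site dict lacking `server_name` — whether every site has one is not visible here. The file has no header at all; a short comment naming the variables it reads (`server.certificate`, `server.private_key`, `server.server_name`) and the `/var/lib/acme/live/<name>/` layout it assumes would help whoever includes it next. Lastly, `ssl_trusted_certificate` pointing at `fullchain` does work for OCSP stapling verification, but acmetool also writes a `chain` file holding only the issuer chain, which is the more precise input for that directive.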