From 5b08c3fb96e54e0ae8ae1d650658b27dcdfd78de Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 8 Aug 2023 00:42:56 +0200 Subject: make acmetool cert role more generic (WIP - needs more testing) --- roles/gitolite/http/templates/nginx-vhost.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'roles/gitolite') diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2 index add7a719..3386d956 100644 --- a/roles/gitolite/http/templates/nginx-vhost.conf.j2 +++ b/roles/gitolite/http/templates/nginx-vhost.conf.j2 @@ -23,8 +23,8 @@ server { include snippets/acmetool.conf; include snippets/tls.conf; - ssl_certificate /var/lib/acme/live/{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}/fullchain; - ssl_certificate_key /var/lib/acme/live/{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}/privkey; + ssl_certificate {{ x509_certificate_path_fullchain }}; + ssl_certificate_key {{ x509_certificate_path_key }}; include snippets/hsts.conf; location = / { -- cgit v1.2.3 From bc98352d3e331003db625be96139b3c1f95f63b2 Mon Sep 17 00:00:00 2001 
From: Christian Pointner Date: Wed, 9 Aug 2023 14:38:23 +0200 Subject: nginx/vhost: major change in certifcate/tls handling (WIP) --- chaos-at-home/ch-http-proxy.yml | 13 ++++++++----- chaos-at-home/ch-mimas.yml | 3 ++- chaos-at-home/ch-pan.yml | 3 ++- chaos-at-home/r3-0x10.yml | 3 ++- dan/sk-testvm.yml | 13 +++++++++---- inventory/group_vars/all/vars.yml | 2 ++ roles/apps/bluespice/tasks/main.yml | 3 ++- roles/apps/collabora/code/tasks/main.yml | 3 ++- .../collabora/code/templates/nginx-vhost.conf.j2 | 4 ++-- roles/apps/coturn/tasks/main.yml | 9 ++++++++- roles/apps/etherpad-lite/tasks/main.yml | 3 ++- .../etherpad-lite/templates/nginx-vhost.conf.j2 | 4 ++-- roles/apps/jitsi/meet/tasks/main.yml | 3 ++- roles/apps/keycloak/tasks/main.yml | 3 ++- roles/apps/mumble/tasks/main.yml | 6 ++++++ roles/apps/nextcloud/tasks/main.yml | 3 ++- roles/apps/onlyoffice/tasks/main.yml | 3 ++- roles/apps/pigallery2/tasks/main.yml | 3 ++- roles/apps/wikijs/tasks/main.yml | 3 ++- roles/elevate/liquidtruth/tasks/main.yml | 3 ++- roles/elevate/media/tasks/nextcloud-app.yml | 3 ++- roles/gitolite/http/tasks/main.yml | 3 ++- roles/gitolite/http/templates/nginx-vhost.conf.j2 | 4 ++-- roles/monitoring/landingpage/defaults/main.yml | 3 ++- roles/monitoring/landingpage/tasks/main.yml | 3 ++- .../prometheus/exporter/base/tasks/main.yml | 10 +++++++--- roles/nginx/vhost/defaults/main.yml | 8 ++++++-- roles/nginx/vhost/tasks/main.yml | 21 +++++++++++---------- roles/nginx/vhost/templates/generic.conf.j2 | 10 ++++++++-- roles/x509/acmetool/cert/finalize/defaults/main.yml | 3 +++ roles/x509/acmetool/cert/finalize/tasks/main.yml | 2 +- roles/x509/acmetool/cert/prepare/defaults/main.yml | 2 ++ spreadspace/glt-stream.yml | 3 ++- spreadspace/sgg-icecast.yml | 6 ++++-- 34 files changed, 117 insertions(+), 54 deletions(-) create mode 100644 roles/x509/acmetool/cert/prepare/defaults/main.yml (limited to 'roles/gitolite') 
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml index 67e3521a..24fd6f92 100644 --- a/chaos-at-home/ch-http-proxy.yml +++ b/chaos-at-home/ch-http-proxy.yml @@ -47,7 +47,8 @@ default: yes name: web template: generic - acme: yes + tls: + certificate_provider: acmetool hostnames: - web.chaos-at-home.org locations: @@ -112,7 +113,8 @@ nginx_vhost: name: passwd template: generic - acme: yes + tls: + certificate_provider: acmetool hostnames: - passwd.chaos-at-home.org locations: @@ -179,7 +181,8 @@ nginx_vhost: name: webmail template: generic - acme: yes + tls: + certificate_provider: acmetool hostnames: - webmail.chaos-at-home.org locations: @@ -204,7 +207,8 @@ nginx_vhost: name: webdav template: generic - acme: yes + tls: + certificate_provider: acmetool hostnames: - webdav.chaos-at-home.org locations: @@ -228,7 +232,6 @@ vars: nginx_vhost: name: imap - acme: no content: | server { listen 80; diff --git a/chaos-at-home/ch-mimas.yml b/chaos-at-home/ch-mimas.yml index 2743644c..d486023b 100644 --- a/chaos-at-home/ch-mimas.yml +++ b/chaos-at-home/ch-mimas.yml @@ -44,7 +44,8 @@ nginx_vhost: name: pub template: generic - acme: yes + tls: + certificate_provider: "{{ acme_client }}" hostnames: - pub.chaos-at-home.org locations: diff --git a/chaos-at-home/ch-pan.yml b/chaos-at-home/ch-pan.yml index 56a4f30a..eea3f287 100644 --- a/chaos-at-home/ch-pan.yml +++ b/chaos-at-home/ch-pan.yml @@ -43,7 +43,8 @@ template: generic hostnames: - dyn.schaaas.at - acme: yes + tls: + certificate_provider: "{{ acme_client }}" extra_directives: | access_log /var/log/nginx/dyn-schaaas_access.log; error_log /var/log/nginx/dyn-schaaas_error.log; diff --git a/chaos-at-home/r3-0x10.yml b/chaos-at-home/r3-0x10.yml index c613f373..5e30abec 100644 --- a/chaos-at-home/r3-0x10.yml +++ b/chaos-at-home/r3-0x10.yml 
@@ -33,7 +33,8 @@ default: yes name: 0x10 template: generic - acme: yes + tls: + certificate_provider: "{{ acme_client }}" hostnames: - 0x10.r3.at - 0x10.realraum.at diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index 658b5ac4..c7aaf754 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -10,9 +10,10 @@ - name: Payload Setup hosts: sk-testvm + vars: + acme_client: acmetool roles: - #- role: x509/acmetool/base - #- role: x509/uacme/base + - role: "x509/{{ acme_client }}/base" - role: nginx/base post_tasks: - name: make sure document root directories exist @@ -44,7 +45,9 @@ default: yes name: nosuchsite template: generic - #acme: yes + tls: + certificate_provider: "{{ acme_client }}" + hsts: no hostnames: - testvm.elev8.at locations: @@ -75,7 +78,9 @@ nginx_vhost: name: test template: generic - #acme: yes + tls: + certificate_provider: "{{ acme_client }}" + hsts: no hostnames: - test.spreadspace.org - test.spreadspace.com diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml index f72f71ef..09eba1cf 100644 --- a/inventory/group_vars/all/vars.yml +++ b/inventory/group_vars/all/vars.yml @@ -129,3 +129,5 @@ acme_directory_server: "{{ acme_directory_server_le_staging_v2 }}" ## at least acmetool can't be used to change this after the account has been created (aka after the first run) ## and it's not recommended to keep this empty so we don't define it here to force the user to define it # acme_account_email: + +acme_client: acmetool diff --git a/roles/apps/bluespice/tasks/main.yml b/roles/apps/bluespice/tasks/main.yml index 899d1e1d..49ef2418 100644 --- a/roles/apps/bluespice/tasks/main.yml +++ b/roles/apps/bluespice/tasks/main.yml @@ -49,7 +49,8 @@ nginx_vhost: name: "bluespice-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: 
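Review bot: `hsts: no` in the two sk-testvm vhosts uses the YAML 1.1 boolean spelling, while the nginx/vhost defaults documentation in this same commit spells the option `hsts: false`; write `hsts: false` here so the value does not depend on which YAML dialect the loader applies and yamllint's truthy rule stays quiet. Turning HSTS off on a TLS vhost is a deliberate weakening, so a one-line comment above it saying why this test host runs without it would spare the next reader from guessing whether the line was meant to survive the WIP state.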
diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml index db28bb65..8f4acc76 100644 --- a/roles/apps/collabora/code/tasks/main.yml +++ b/roles/apps/collabora/code/tasks/main.yml @@ -53,7 +53,8 @@ nginx_vhost: name: "collabora-code-{{ item.key }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" include_role: diff --git a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 index 04358976..8dd67fb7 100644 --- a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 +++ b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 @@ -3,7 +3,7 @@ server { listen [::]:80; server_name {{ item.value.hostname }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -15,7 +15,7 @@ server { listen [::]:443 ssl http2; server_name {{ item.value.hostname }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml index 42ccd2b3..bab53d99 100644 --- a/roles/apps/coturn/tasks/main.yml +++ b/roles/apps/coturn/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: check if acme_client is set to acmetool + assert: + msg: "this role currently only works with acmetool" + that: + - acme_client == "acmetool" + - name: add group for coturn group: name: coturn @@ -64,7 +70,8 @@ nginx_vhost: name: "coturn-{{ coturn_realm }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: acmetool hostnames: "{{ coturn_hostnames }}" include_role: name: nginx/vhost 
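Review bot: The assert added at the top of coturn's tasks/main.yml evaluates `acme_client == "acmetool"` without first checking that the variable exists, so on a host where `acme_client` is not set the task aborts with an undefined-variable error instead of the `this role currently only works with acmetool` message the assert was written to give. Add `- acme_client is defined` as the first entry of `that:` (the conditions are evaluated in order, so the comparison then only runs on a defined value). The identical assert added to roles/apps/mumble/tasks/main.yml has the same gap.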
diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml index 072a6c09..495a0387 100644 --- a/roles/apps/etherpad-lite/tasks/main.yml +++ b/roles/apps/etherpad-lite/tasks/main.yml @@ -114,7 +114,8 @@ nginx_vhost: name: "etherpad-lite-{{ item.key }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ item.value.hostnames }}" include_role: name: nginx/vhost diff --git a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 index 0ac9d0f0..c572a7eb 100644 --- a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 +++ b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 @@ -3,7 +3,7 @@ server { listen [::]:80; server_name {{ item.value.hostnames | join(' ') }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -15,7 +15,7 @@ server { listen [::]:443 ssl http2; server_name {{ item.value.hostnames | join(' ') }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index eff8232b..1d55fc78 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml @@ -151,7 +151,8 @@ nginx_vhost: name: "jitsi-meet-{{ jitsi_meet_inst_name }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ jitsi_meet_hostname }}" locations: "{{ nginx_vhost_locations_base | combine(nginx_vhost_locations_streamui) }}" diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml index 68806458..c3e93666 100644 --- a/roles/apps/keycloak/tasks/main.yml +++ b/roles/apps/keycloak/tasks/main.yml 
@@ -96,7 +96,8 @@ nginx_vhost: name: "keycloak-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml index 33331dca..92659b66 100644 --- a/roles/apps/mumble/tasks/main.yml +++ b/roles/apps/mumble/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: check if acme_client is set to acmetool + assert: + msg: "this role currently only works with acmetool" + that: + - acme_client == "acmetool" + - name: add group for mumble group: name: mumble diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml index 29ab9c39..c9a9061c 100644 --- a/roles/apps/nextcloud/tasks/main.yml +++ b/roles/apps/nextcloud/tasks/main.yml @@ -160,7 +160,8 @@ nginx_vhost: name: "nextcloud-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ item.value.hostnames }}" locations: '/': diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml index 957d8afe..960e811b 100644 --- a/roles/apps/onlyoffice/tasks/main.yml +++ b/roles/apps/onlyoffice/tasks/main.yml @@ -140,7 +140,8 @@ nginx_vhost: name: "onlyoffice-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/pigallery2/tasks/main.yml b/roles/apps/pigallery2/tasks/main.yml index b8b0166d..2a758da1 100644 --- a/roles/apps/pigallery2/tasks/main.yml +++ b/roles/apps/pigallery2/tasks/main.yml @@ -67,7 +67,8 @@ nginx_vhost: name: "pigallery2-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/wikijs/tasks/main.yml b/roles/apps/wikijs/tasks/main.yml index e2b03d24..10b0aa54 100644 --- a/roles/apps/wikijs/tasks/main.yml 
+++ b/roles/apps/wikijs/tasks/main.yml @@ -73,7 +73,8 @@ nginx_vhost: name: "wikijs-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml index 837d2fd0..aa73adb5 100644 --- a/roles/elevate/liquidtruth/tasks/main.yml +++ b/roles/elevate/liquidtruth/tasks/main.yml @@ -18,7 +18,8 @@ nginx_vhost: name: liquidtruth template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ liquidtruth_hostnames }}" locations: '/': diff --git a/roles/elevate/media/tasks/nextcloud-app.yml b/roles/elevate/media/tasks/nextcloud-app.yml index 2e533ec6..42a351e4 100644 --- a/roles/elevate/media/tasks/nextcloud-app.yml +++ b/roles/elevate/media/tasks/nextcloud-app.yml @@ -102,7 +102,8 @@ nginx_vhost: name: "nextcloud-{{ elevate_media_nextcloud_instance_name }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ elevate_media_nextcloud_instance.hostnames }}" locations: '/': diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml index a3055902..1006283a 100644 --- a/roles/gitolite/http/tasks/main.yml +++ b/roles/gitolite/http/tasks/main.yml @@ -54,7 +54,8 @@ vars: nginx_vhost: name: "gitolite-{{ gitolite_instance }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" include_role: diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2 index 3386d956..f656d48f 100644 --- a/roles/gitolite/http/templates/nginx-vhost.conf.j2 +++ b/roles/gitolite/http/templates/nginx-vhost.conf.j2 
@@ -6,7 +6,7 @@ access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -21,7 +21,7 @@ server { access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml index ad2a3895..88e1b133 100644 --- a/roles/monitoring/landingpage/defaults/main.yml +++ b/roles/monitoring/landingpage/defaults/main.yml @@ -2,6 +2,7 @@ # monitoring_landingpage_hostnames: # - "mon.example.com" -monitoring_landingpage_acme: no +# monitoring_landingpage_tls: +# certificate_provider: "{{ acme_client }}" #monitoring_landingpage_title: "Example Monitoring Host" diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml index 3158770b..225cab10 100644 --- a/roles/monitoring/landingpage/tasks/main.yml +++ b/roles/monitoring/landingpage/tasks/main.yml @@ -15,7 +15,8 @@ name: landingpage template: generic hostnames: "{{ monitoring_landingpage_hostnames }}" - acme: "{{ monitoring_landingpage_acme }}" + ### make tls settings optional? + #tls: "{{ monitoring_landingpage_tls }}" locations: '/': root: /var/www/landingpage diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index c69c6e05..3cedc042 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml 
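Review bot: Replacing `acme: "{{ monitoring_landingpage_acme }}"` with the commented-out `#tls:` line leaves the landing-page vhost without any `tls` key, so a host that previously enabled ACME through `monitoring_landingpage_acme` now silently loses its HTTPS server block and certificate handling for as long as the `### make tls settings optional?` question stays open. If TLS is meant to stay optional, the `nginx_vhost` mapping can be assembled with `combine` and `{'tls': monitoring_landingpage_tls}` added only when `monitoring_landingpage_tls is defined`; at minimum the regression should be named in the commit message rather than left as a comment. The task that builds `nginx_vhost` begins above the visible lines, so the `vars:` restructuring would touch lines outside this hunk.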
@@ -21,10 +21,14 @@ - name: create TLS certificate and key import_tasks: tls.yml +- name: render nginx-vhost config template + set_fact: + prometheus_exporter_nginx_vhost_content: "{{ lookup('template', 'nginx-vhost.j2') }}" + - name: configure nginx vhost - import_role: - name: nginx/vhost vars: nginx_vhost: name: prometheus-exporter - content: "{{ lookup('template', 'nginx-vhost.j2') }}" + content: "{{ prometheus_exporter_nginx_vhost_content }}" + import_role: + name: nginx/vhost diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index b80a5442..5984e623 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -3,7 +3,8 @@ # default: yes # name: example # template: generic -# acme: yes +# tls: +# certificate_provider: acmetool # hostnames: # - example.com # - www.example.com @@ -26,7 +27,10 @@ # nginx_vhost: # name: mixed-static-and-proxy # template: generic -# acme: yes +# tls: +# variant: legacy +# hsts: false +# certificate_provider: acmetool # hostnames: # - static.example.com # extra_directives: |- diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml index 424c86a0..c5e68732 100644 --- a/roles/nginx/vhost/tasks/main.yml +++ b/roles/nginx/vhost/tasks/main.yml @@ -1,11 +1,12 @@ --- - name: ensure certificate exists (fake it, until you make it) - when: "'acme' in nginx_vhost and nginx_vhost.acme" - import_role: - name: x509/acmetool/cert/prepare + when: "'tls' in nginx_vhost" + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare" + public: true vars: - acmetool_cert_name: "{{ nginx_vhost.name }}" - acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_name: "{{ nginx_vhost.name }}" + x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" - name: install nginx configs from template when: "'template' in nginx_vhost" 
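Review bot: `include_role` now builds the role path `x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare` straight from the vhost definition, but nothing checks that `certificate_provider` is present or names a provider that actually has `cert/prepare` and `cert/finalize` roles, so a vhost with an empty `tls:` or a typo in the provider name fails late with a generic "role not found" error that does not point at the offending vhost. A small assert ahead of the first include, in the spirit of the `acme_client == "acmetool"` assert this commit adds to the coturn and mumble roles, fails fast with a readable message and covers the finalize include in the next hunk as well. `public: true` is presumably what makes the prepare role's defaults (the `x509_certificate_path_*` values the templates read) visible to the later install task; a comment such as `# public: the cert role's defaults must stay visible to the template tasks below` would keep someone from "cleaning it up".
```yaml
- name: validate tls settings of the vhost
  when: "'tls' in nginx_vhost"
  assert:
    msg: "nginx_vhost.tls.certificate_provider must name a provider that has x509/<provider>/cert/prepare and cert/finalize roles"
    that:
      - "'certificate_provider' in nginx_vhost.tls"
      - nginx_vhost.tls.certificate_provider in ['acmetool']  # extend when further x509/<provider>/cert roles exist

# … unchanged: ensure certificate exists (fake it, until you make it) …
```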
@@ -31,14 +32,14 @@ notify: reload nginx - name: generate acme certificate - when: "'acme' in nginx_vhost and nginx_vhost.acme" + when: "'tls' in nginx_vhost" block: - name: make sure nginx config has been (re)loaded meta: flush_handlers - name: actually request the certificate - import_role: - name: x509/acmetool/cert/finalize + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize" vars: - acmetool_cert_name: "{{ nginx_vhost.name }}" - acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_name: "{{ nginx_vhost.name }}" + x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 index 5c7576e7..434fa679 100644 --- a/roles/nginx/vhost/templates/generic.conf.j2 +++ b/roles/nginx/vhost/templates/generic.conf.j2 @@ -3,9 +3,11 @@ server { listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; -{% if 'acme' in nginx_vhost and nginx_vhost.acme %} +{% if 'tls' in nginx_vhost %} +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; +{% endif %} location / { return 301 https://$host$request_uri; } 
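Review bot: In generic.conf.j2 the port-80 server includes `snippets/acmetool.conf` only when `certificate_provider == 'acmetool'`, so any other provider gets a redirect-only server with no challenge snippet at all, whereas the app-specific templates touched by this commit (collabora, etherpad-lite, gitolite) switch to `include snippets/{{ acme_client }}.conf;`. Unless a non-acmetool provider is meant to need no snippet, keying the include on the provider, `include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;`, keeps the generic template in step with the others; the same `== 'acmetool'` guard is repeated in the 443 block of the next hunk. The two template families also disagree on which variable they consult (global `acme_client` versus the per-vhost `tls.certificate_provider`), so a vhost whose provider differs from `acme_client` would render inconsistently between them.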
@@ -16,11 +18,15 @@ server { listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; - include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf; +{% endif %} + include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; +{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %} include snippets/hsts.conf; +{% endif %} {% endif %} {% if 'extra_directives' in nginx_vhost %} diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml index ab0afaa3..b9a80136 100644 --- a/roles/x509/acmetool/cert/finalize/defaults/main.yml +++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml @@ -1,2 +1,5 @@ --- +acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}" +acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}" + acmetool_reconcile_disabled: false diff --git a/roles/x509/acmetool/cert/finalize/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml index 91bf5157..abb2d4cb 100644 --- a/roles/x509/acmetool/cert/finalize/tasks/main.yml +++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml @@ -6,5 +6,5 @@ names: "{{ acmetool_cert_hostnames }}" copy: content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}" - dest: "/var/lib/acme/desired/{{ acmetool_cert_name | default(acmetool_cert_hostnames[0]) }}" + dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}" notify: reconcile acmetool 
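Review bot: `acmetool_cert_name` now feeds `dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"` unchecked, and after this commit it is derived from `x509_certificate_name` (in practice `nginx_vhost.name`) or the first hostname rather than from a role-local variable, so a malformed value containing `/` or `..` would write the desired-file outside that directory or produce a name acmetool cannot match. The inputs come from inventory, so the exposure is small, but a guard before the copy keeps the failure mode readable: `- name: validate certificate name`, `assert:`, `that: "acmetool_cert_name is match('^[A-Za-z0-9._-]+$')"`. The copy task this hunk modifies begins above the visible lines.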
diff --git a/roles/x509/acmetool/cert/prepare/defaults/main.yml b/roles/x509/acmetool/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..d4eb7c86 --- /dev/null +++ b/roles/x509/acmetool/cert/prepare/defaults/main.yml @@ -0,0 +1,2 @@ +--- +acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}" diff --git a/spreadspace/glt-stream.yml b/spreadspace/glt-stream.yml index 145f8671..063baba8 100644 --- a/spreadspace/glt-stream.yml +++ b/spreadspace/glt-stream.yml @@ -29,7 +29,8 @@ default: yes name: stream template: generic - acme: yes + tls: + certificate_provider: "{{ acme_client }}" hostnames: - stream.linuxtage.at extra_directives: |- diff --git a/spreadspace/sgg-icecast.yml b/spreadspace/sgg-icecast.yml index bfe67bde..69dbc883 100644 --- a/spreadspace/sgg-icecast.yml +++ b/spreadspace/sgg-icecast.yml @@ -32,7 +32,8 @@ default: yes name: radio template: generic - acme: yes + tls: + certificate_provider: "{{ acme_client }}" hostnames: - radiogloria.at - www.radiogloria.at @@ -48,7 +49,8 @@ nginx_vhost: name: radio-stream template: generic - acme: yes + tls: + certificate_provider: "{{ acme_client }}" hostnames: - live.radiogloria.at locations: -- cgit v1.2.3 From a3ab64f6a262e3bd0da4435729c2e6f9013aad5d Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 14 Aug 2023 22:11:11 +0200 Subject: gitolite/http: use generic template for vhost --- roles/gitolite/http/tasks/main.yml | 49 ++++++++++++++- roles/gitolite/http/templates/nginx-vhost.conf.j2 | 72 ----------------------- roles/nginx/vhost/defaults/main.yml | 11 ++++ roles/nginx/vhost/templates/generic.conf.j2 | 22 +++++++ 4 files changed, 81 insertions(+), 73 deletions(-) delete mode 100644 roles/gitolite/http/templates/nginx-vhost.conf.j2 (limited to 'roles/gitolite') diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml index 1006283a..fdc86d66 100644 --- a/roles/gitolite/http/tasks/main.yml +++ b/roles/gitolite/http/tasks/main.yml 
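Review bot: The new prepare defaults map only `x509_certificate_hostnames` to `acmetool_cert_hostnames`, whereas the finalize defaults in this same commit also map `x509_certificate_name` to `acmetool_cert_name` with the first hostname as fallback. nginx/vhost passes `x509_certificate_name` to both roles, so if the prepare tasks (not visible here) reference `acmetool_cert_name`, the two halves can now derive different names for the same certificate; mirroring the finalize mapping, `acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"`, keeps them in lock-step. If prepare genuinely never needs the name, a comment saying so would stop the next reader from re-adding it.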
@@ -50,13 +50,60 @@ src: "{{ gitolite_instances[gitolite_instance].http.logo }}" dest: "/usr/local/share/cgit/{{ gitolite_instance }}.png" + - name: compute nginx location directive for logo + set_fact: + nginx_locations_logo: + '= /logo.png': + alias: "/usr/local/share/cgit/{{ gitolite_instance }}.png" + +- name: compute nginx locations directives + set_fact: + nginx_locations_base: + '= /': + return: "303 /cgit/" + '/cgit-css/': + alias: "/usr/share/cgit/" + nginx_locations_main: + '/cgit/': + custom: |- + include fastcgi_params; + fastcgi_split_path_info ^(/cgit)(.*)$; + + fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; + fastcgi_param PATH_INFO $fastcgi_path_info; + fastcgi_param QUERY_STRING $args; + fastcgi_param HTTP_HOST $server_name; + fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc; + + fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; + +- name: compute nginx location directive for git_backend + when: "'enable_git_backend' in gitolite_instances[gitolite_instance].http and gitolite_instances[gitolite_instance].http.enable_git_backend" + set_fact: + nginx_locations_git_backend: + '~ ^.*/git-receive-pack$': + return: "403" + '~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$': + custom: |- + include fastcgi_params; + + fastcgi_param SCRIPT_FILENAME /usr/lib/git-core/git-http-backend; + fastcgi_param PATH_INFO $uri; + fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance }}/repositories; + + fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; + - name: install nginx vhost vars: nginx_vhost: name: "gitolite-{{ gitolite_instance }}" + template: generic tls: certificate_provider: "{{ acme_client }}" hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}" - content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" + logs: + access: "/var/log/nginx/git-{{ gitolite_instance }}_access.log" 
+ error: "/var/log/nginx/git-{{ gitolite_instance }}_error.log" + locations: "{{ nginx_locations_base | combine(nginx_locations_logo | default({})) | combine(nginx_locations_main) | combine(nginx_locations_git_backend | default({})) }}" include_role: name: nginx/vhost diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2 deleted file mode 100644 index f656d48f..00000000 --- a/roles/gitolite/http/templates/nginx-vhost.conf.j2 +++ /dev/null 
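Review bot: `nginx_locations_logo` and `nginx_locations_git_backend` are only set when the instance has a logo or `enable_git_backend`, yet `set_fact` values persist on the host for the rest of the play, so the `| default({})` in the combine expression only protects the very first instance. This role is parameterised by `gitolite_instance`, so if it runs more than once on a host an instance without git backend inherits the previous instance's `nginx_locations_git_backend`, including that instance's `GIT_PROJECT_ROOT` and fcgiwrap socket, and could serve the other instance's repositories under its own hostnames. Reset both facts to `{}` before the logo block (which begins above this hunk) so every run starts clean, and consider prefixing the four facts with `gitolite_http_` instead of the generic `nginx_locations_` since they are host-global; the `default({})` filters can then go.
```yaml
- name: reset optional nginx location directives
  set_fact:
    nginx_locations_logo: {}
    nginx_locations_git_backend: {}

# … unchanged: logo install block, compute nginx locations directives, install nginx vhost …
```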
@@ -1,72 +0,0 @@ - server { - listen 80; - listen [::]:80; - server_name {{ gitolite_instances[gitolite_instance].http.hostnames | join(' ') }}; - - access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; - error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - - include snippets/{{ acme_client }}.conf; - - location / { - return 301 https://$host$request_uri; - } -} - -server { - listen 443 ssl http2; - listen [::]:443 ssl http2; - server_name {{ gitolite_instances[gitolite_instance].http.hostnames | join(' ') }}; - - access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; - error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - - include snippets/{{ acme_client }}.conf; - include snippets/tls.conf; - ssl_certificate {{ x509_certificate_path_fullchain }}; - ssl_certificate_key {{ x509_certificate_path_key }}; - include snippets/hsts.conf; - - location = / { - return 303 /cgit/; - } - - location /cgit-css/ { - alias /usr/share/cgit/; - } -{% if 'logo' in gitolite_instances[gitolite_instance].http %} - - location = /logo.png { - alias /usr/local/share/cgit/{{ gitolite_instance }}.png; - } -{% endif %} - - location /cgit/ { - include fastcgi_params; - fastcgi_split_path_info ^(/cgit)(.*)$; - - fastcgi_param SCRIPT_FILENAME /usr/lib/cgit/cgit.cgi; - fastcgi_param PATH_INFO $fastcgi_path_info; - fastcgi_param QUERY_STRING $args; - fastcgi_param HTTP_HOST $server_name; - fastcgi_param CGIT_CONFIG {{ gitolite_base_path }}/{{ gitolite_instance }}/cgitrc; - - fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; - } -{% if 'enable_git_backend' in gitolite_instances[gitolite_instance].http and gitolite_instances[gitolite_instance].http.enable_git_backend %} - - location ~ ^.*/git-receive-pack$ { - return 403; - } - - location ~ ^.*/(HEAD|info/refs|objects/(info/.*|[0-9a-f]+/[0-9a-f]+|pack/pack-[0-9a-f]+.(pack|idx))|git-upload-pack)$ { - include fastcgi_params; - - fastcgi_param SCRIPT_FILENAME 
/usr/lib/git-core/git-http-backend; - fastcgi_param PATH_INFO $uri; - fastcgi_param GIT_PROJECT_ROOT {{ gitolite_base_path }}/{{ gitolite_instance }}/repositories; - - fastcgi_pass unix:/run/fcgiwrap/gitolite-{{ gitolite_instance }}.sock; - } -{% endif %} -} diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index 5984e623..1447fb14 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -8,6 +8,9 @@ # hostnames: # - example.com # - www.example.com +# logs: +# access: /var/log/nginx/example_access.log +# error: /var/log/nginx/example_error.log # extra_directives: |- # add_header X-Example-Header "foo"; # locations: @@ -45,8 +48,16 @@ # add_header X-Example-Header "foo"; # '/subdir/': # alias: /srv/www/foo +# '/private/': +# return: "403" # '/foo/': # proxy_pass: http://127.0.0.1:1234 +# '/custom/': +# custom: |- +# include fastcgi_params; +# fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo +# fastcgi_param PATH_INFO $uri; +# fastcgi_pass unix:/run/fcgiwrap/foo.sock; # nginx_vhost: # name: other-example diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 index 434fa679..f87d029d 100644 --- a/roles/nginx/vhost/templates/generic.conf.j2 +++ b/roles/nginx/vhost/templates/generic.conf.j2 @@ -3,6 +3,15 @@ server { listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if 'logs' in nginx_vhost %} +{% if 'access' in nginx_vhost.logs %} + access_log {{ nginx_vhost.logs.access }}; +{% endif %} +{% if 'error' in nginx_vhost.logs %} + error_log {{ nginx_vhost.logs.error }}; +{% endif %} + +{% endif %} {% if 'tls' in nginx_vhost %} {% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; 
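Review bot: The `'/custom/'` example added to the nginx/vhost defaults documentation is missing the terminating `;` on `fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo`, so copying the sample into a real vhost produces an nginx configuration error on reload; the line should read `# fastcgi_param SCRIPT_FILENAME /usr/lib/cgi/foo;`. Since the template emits `custom` unchanged (only re-indented), it would help to say so next to the example, e.g. `# custom: raw nginx directives, inserted verbatim into the location block`.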
@@ -18,6 +27,15 @@ server { listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if 'logs' in nginx_vhost %} +{% if 'access' in nginx_vhost.logs %} + access_log {{ nginx_vhost.logs.access }}; +{% endif %} +{% if 'error' in nginx_vhost.logs %} + error_log {{ nginx_vhost.logs.error }}; +{% endif %} + +{% endif %} {% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; {% endif %} @@ -55,6 +73,10 @@ server { proxy_ssl_{{ prop }} {{ location.proxy_ssl[prop] }}; {% endfor %} {% endif %} +{% elif 'return' in location %} + return {{ location.return }}; +{% elif 'custom' in location %} + {{ location.custom | indent(8) }} {% else %} {% if 'root' in location %} root {{ location.root }}; -- cgit v1.2.3 From b277d5f0ae14ba33afaf139c7cc9ad2212564c2e Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Tue, 22 Aug 2023 19:38:47 +0200 Subject: some more cleanup for acme specific variables --- chaos-at-home/ch-mimas.yml | 2 +- chaos-at-home/ch-pan.yml | 2 +- chaos-at-home/r3-0x10.yml | 2 +- inventory/group_vars/all/vars.yml | 2 -- inventory/host_vars/ch-mimas.yml | 2 ++ inventory/host_vars/ele-coturn.yml | 8 +++++++- inventory/host_vars/ele-jitsi.yml | 3 +++ inventory/host_vars/ele-lt.yml | 1 + inventory/host_vars/ele-media.yml | 1 + inventory/host_vars/glt-coturn.yml | 9 ++++++++- inventory/host_vars/glt-meet1.yml | 2 ++ inventory/host_vars/glt-meet2.yml | 2 ++ inventory/host_vars/sk-cloudio/coturn.yml | 4 +++- inventory/host_vars/sk-cloudio/vars.yml | 1 + inventory/host_vars/sk-tomnext-nc.yml | 1 + roles/apps/coturn/defaults/main.yml | 2 +- roles/gitolite/base/defaults/main.yml | 2 ++ roles/gitolite/http/tasks/main.yml | 3 +-- spreadspace/glt-stream.yml | 2 +- spreadspace/sgg-icecast.yml | 4 ++-- 20 files changed, 41 insertions(+), 14 deletions(-) (limited to 'roles/gitolite') 
diff --git a/chaos-at-home/ch-mimas.yml b/chaos-at-home/ch-mimas.yml index d486023b..fec7b0e5 100644 --- a/chaos-at-home/ch-mimas.yml +++ b/chaos-at-home/ch-mimas.yml @@ -45,7 +45,7 @@ name: pub template: generic tls: - certificate_provider: "{{ acme_client }}" + certificate_provider: acmetool hostnames: - pub.chaos-at-home.org locations: diff --git a/chaos-at-home/ch-pan.yml b/chaos-at-home/ch-pan.yml index b4106680..bccd9ca5 100644 --- a/chaos-at-home/ch-pan.yml +++ b/chaos-at-home/ch-pan.yml @@ -44,7 +44,7 @@ hostnames: - dyn.schaaas.at tls: - certificate_provider: "{{ acme_client }}" + certificate_provider: acmetool logs: access: /var/log/nginx/dyn-schaaas_access.log error: /var/log/nginx/dyn-schaaas_error.log diff --git a/chaos-at-home/r3-0x10.yml b/chaos-at-home/r3-0x10.yml index 5e30abec..267bc596 100644 --- a/chaos-at-home/r3-0x10.yml +++ b/chaos-at-home/r3-0x10.yml @@ -34,7 +34,7 @@ name: 0x10 template: generic tls: - certificate_provider: "{{ acme_client }}" + certificate_provider: acmetool hostnames: - 0x10.r3.at - 0x10.realraum.at diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml index 09eba1cf..f72f71ef 100644 --- a/inventory/group_vars/all/vars.yml +++ b/inventory/group_vars/all/vars.yml @@ -129,5 +129,3 @@ acme_directory_server: "{{ acme_directory_server_le_staging_v2 }}" ## at least acmetool can't be used to change this after the account has been created (aka after the first run) ## and it's not recommended to keep this empty so we don't define it here to force the user to define it # acme_account_email: - -acme_client: acmetool diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml index fc3e6aae..710e4961 100644 --- a/inventory/host_vars/ch-mimas.yml +++ b/inventory/host_vars/ch-mimas.yml 
@@ -159,6 +159,8 @@ gitolite_instances:
- git.spreadspace.com
- git.spreadspace.net
- git.spreadspace.systems
+ tls:
+ certificate_provider: acmetool
enable_git_backend: yes
title: spreadspace
description: spreadspace GIT Repoistories
diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml
index ad865e1c..ebfbe2aa 100644
--- a/inventory/host_vars/ele-coturn.yml
+++ b/inventory/host_vars/ele-coturn.yml
@@ -24,6 +24,7 @@ spreadspace_apt_repo_components:
- container
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
kubernetes_version: 1.27.3
@@ -34,7 +35,7 @@ kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_cni_variant: with-portmap
-coturn_version: 4.5.2-r2
+coturn_version: 4.6.2-r4
coturn_realm: elev8.at
coturn_hostnames:
- stun.elev8.at
@@ -44,6 +45,8 @@ coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
coturn_listening_port: 3478
coturn_tls_listening_port: 443
coturn_install_nginx_vhost: no
+coturn_tls:
+ certificate_provider: "{{ acme_client }}"
mumble_version: v1.4.274-4
@@ -53,6 +56,9 @@ mumble_hostnames:
mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
+mumble_tls:
+ certificate_provider: "{{ acme_client }}"
+
mumble_config_options:
bonjour: false
sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml
index c7520247..e23dc2c9 100644
--- a/inventory/host_vars/ele-jitsi.yml
+++ b/inventory/host_vars/ele-jitsi.yml
@@ -29,6 +29,7 @@ ssh_users_root:
- datacop
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
kubernetes_version: 1.27.3
@@ -81,6 +82,8 @@ mumble_version: v1.4.274-4
mumble_instance: elev8.at
mumble_hostnames:
- mumble.elev8.at
+mumble_tls:
+ certificate_provider: "{{ acme_client }}"
mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
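Review bot: The `coturn_version: 4.5.2-r2` → `4.6.2-r4` change in the `@@ -34,7 +35,7 @@` hunk of `inventory/host_vars/ele-coturn.yml` is unrelated to the acme-variable cleanup the subject describes, and the same bump recurs in `inventory/host_vars/glt-coturn.yml`, in `inventory/host_vars/sk-cloudio/coturn.yml` (there from 4.5.2-r8) and in the commented example in `roles/apps/coturn/defaults/main.yml`. A version change of the TLS-terminating TURN daemon is exactly what operators look for in history, so it is better reviewed and reverted as its own commit. Separately, the `acme_client: acmetool` added to this file is, as far as the hunks show, only consumed by `certificate_provider: "{{ acme_client }}"` a few lines below in the same host_vars file; unless the variable is read elsewhere, writing the literal, as the playbook hunks above already do, removes an indirection that adds nothing within one file.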
diff --git a/inventory/host_vars/ele-lt.yml b/inventory/host_vars/ele-lt.yml
index a53141e0..6389db1d 100644
--- a/inventory/host_vars/ele-lt.yml
+++ b/inventory/host_vars/ele-lt.yml
@@ -29,6 +29,7 @@ liquidtruth_mongodb_app_password: "{{ vault_liquidtruth_mongodb_app_password }}"
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
liquidtruth_hostnames:
# - liquidtruth.at
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index e17947ff..a82ca897 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -112,6 +112,7 @@ wireguard_gateway_tunnels:
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
elevate_media_share_storage:
diff --git a/inventory/host_vars/glt-coturn.yml b/inventory/host_vars/glt-coturn.yml
index c0bcbb0f..4a84c31f 100644
--- a/inventory/host_vars/glt-coturn.yml
+++ b/inventory/host_vars/glt-coturn.yml
@@ -17,6 +17,9 @@ kubelet_storage:
spreadspace_apt_repo_components:
- container
+acme_client: acmetool
+
+
kubernetes_version: 1.27.3
kubernetes_cri_tools_pkg_version: 1.26.0-00
kubernetes_container_runtime: docker
@@ -25,7 +28,7 @@ kubernetes_standalone_pod_cidr: 192.168.255.0/24
kubernetes_standalone_cni_variant: with-portmap
-coturn_version: 4.5.2-r2
+coturn_version: 4.6.2-r4
coturn_realm: linuxtage.at
coturn_hostnames:
- cdn13.linuxtage.at
@@ -34,12 +37,16 @@ coturn_auth_secret: "{{ vault_coturn_auth_secret }}"
coturn_listening_port: 3478
coturn_tls_listening_port: 443
coturn_install_nginx_vhost: no
+coturn_tls:
+ certificate_provider: "{{ acme_client }}"
mumble_version: v1.4.274-4
mumble_instance: linuxtage.at
mumble_hostnames:
- mumble.linuxtage.at
+mumble_tls:
+ certificate_provider: "{{ acme_client }}"
mumble_superuser_password: "{{ vault_mumble_superuser_password }}"
diff --git a/inventory/host_vars/glt-meet1.yml b/inventory/host_vars/glt-meet1.yml
index 6ce86abf..d5ec9b5f 100644
--- a/inventory/host_vars/glt-meet1.yml
+++ b/inventory/host_vars/glt-meet1.yml
@@ -17,6 +17,8 @@ kubelet_storage:
spreadspace_apt_repo_components:
- container
+acme_client: acmetool
+
kubernetes_version: 1.27.3
kubernetes_cri_tools_pkg_version: 1.26.0-00
diff --git a/inventory/host_vars/glt-meet2.yml b/inventory/host_vars/glt-meet2.yml
index c9093da3..0a757e2d 100644
--- a/inventory/host_vars/glt-meet2.yml
+++ b/inventory/host_vars/glt-meet2.yml
@@ -17,6 +17,8 @@ kubelet_storage:
spreadspace_apt_repo_components:
- container
+acme_client: acmetool
+
kubernetes_version: 1.27.3
kubernetes_cri_tools_pkg_version: 1.26.0-00
diff --git a/inventory/host_vars/sk-cloudio/coturn.yml b/inventory/host_vars/sk-cloudio/coturn.yml
index 8a9eccd7..1ab00b49 100644
--- a/inventory/host_vars/sk-cloudio/coturn.yml
+++ b/inventory/host_vars/sk-cloudio/coturn.yml
@@ -1,11 +1,13 @@ ---
coturn_base_path: /srv/storage/coturn
-coturn_version: 4.5.2-r8
+coturn_version: 4.6.2-r4
coturn_realm: elevate.at
coturn_hostnames:
- stun.elevate.at
- turn.elevate.at
+coturn_tls:
+ certificate_provider: "{{ acme_client }}"
coturn_max_bps: 1048576 ## 8Mbit/s
coturn_bps_capacity: 13107200 ## 100Mbit/s
diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml
index 9165699e..80772c5c 100644
--- a/inventory/host_vars/sk-cloudio/vars.yml
+++ b/inventory/host_vars/sk-cloudio/vars.yml
@@ -90,3 +90,4 @@ postfix_base_inet_protocols:
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 47447048..f8af167f 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -105,6 +105,7 @@ postfix_base_mynetworks:
acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
+acme_client: acmetool
nginx_server_names_hash_bucket_size: 64
diff --git a/roles/apps/coturn/defaults/main.yml b/roles/apps/coturn/defaults/main.yml
index 709d3d07..760a6499 100644
--- a/roles/apps/coturn/defaults/main.yml
+++ b/roles/apps/coturn/defaults/main.yml
@@ -3,7 +3,7 @@ coturn_uid: 930
coturn_gid: 930
coturn_base_path: /srv/coturn
-# coturn_version: 4.5.2-r2
+# coturn_version: 4.6.2-r4
# coturn_realm: example.com
# coturn_hostnames:
# - stun.example.com
diff --git a/roles/gitolite/base/defaults/main.yml b/roles/gitolite/base/defaults/main.yml
index 1c5962cc..3c2e8fa3 100644
--- a/roles/gitolite/base/defaults/main.yml
+++ b/roles/gitolite/base/defaults/main.yml
@@ -15,3 +15,5 @@ gitolite_base_path: /srv/git
# title: cgit root title
# description: this will be shown by cgit below the title
# logo: path/to/logo/file/on/ansible/controller.png
+# tls:
+# certificate_provider: "{{ acme_client }}"
diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml
index fdc86d66..ee5b226c 100644
--- a/roles/gitolite/http/tasks/main.yml
+++ b/roles/gitolite/http/tasks/main.yml
@@ -98,8 +98,7 @@ nginx_vhost:
name: "gitolite-{{ gitolite_instance }}"
template: generic
- tls:
- certificate_provider: "{{ acme_client }}"
+ tls: "{{ gitolite_instances[gitolite_instance].http.tls }}"
hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}"
logs:
access: "/var/log/nginx/git-{{ gitolite_instance }}_access.log"
diff --git a/spreadspace/glt-stream.yml b/spreadspace/glt-stream.yml
index 063baba8..e355d126 100644
--- a/spreadspace/glt-stream.yml
+++ b/spreadspace/glt-stream.yml
@@ -30,7 +30,7 @@ name: stream
template: generic
tls:
- certificate_provider: "{{ acme_client }}"
+ certificate_provider: acmetool
hostnames:
- stream.linuxtage.at
extra_directives: |-
diff --git a/spreadspace/sgg-icecast.yml b/spreadspace/sgg-icecast.yml
index 69dbc883..4c6d61c4 100644
--- a/spreadspace/sgg-icecast.yml
+++ b/spreadspace/sgg-icecast.yml
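Review bot: `tls: "{{ gitolite_instances[gitolite_instance].http.tls }}"` in the `roles/gitolite/http/tasks/main.yml` hunk has no fallback, so an instance whose `http` mapping lacks a `tls` key now makes this task fail with an undefined-variable error, while the two lines added to `roles/gitolite/base/defaults/main.yml` list `tls:` among the commented examples with nothing marking it as required. Either say so in the defaults, `# tls:  ## required when http is enabled; passed verbatim as nginx_vhost.tls`, or give the lookup an explicit `default(...)` that matches what the playbooks in this commit now write (`certificate_provider: acmetool`). The task this `nginx_vhost:` mapping belongs to starts outside the hunk.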
@@ -33,7 +33,7 @@ name: radio
template: generic
tls:
- certificate_provider: "{{ acme_client }}"
+ certificate_provider: acmetool
hostnames:
- radiogloria.at
- www.radiogloria.at
@@ -50,7 +50,7 @@ name: radio-stream
template: generic
tls:
- certificate_provider: "{{ acme_client }}"
+ certificate_provider: acmetool
hostnames:
- live.radiogloria.at
locations:
-- cgit v1.2.3