Created
December 21, 2022 19:23
-
-
Save chaddupuis/b023f8679de73805ca22bd0e30b8a675 to your computer and use it in GitHub Desktop.
Ansible to build an nginx server with certbot
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # post base server setup | |
| # nginx, pulls confs from git repo | |
| # certbot setup and general firewall conf | |
| # | |
| - hosts: nginxweb | |
| become: yes | |
| vars: | |
| my_ip_range: x.x.x.x/24 | |
| my_jump_ip: x.x.x.x | |
| my_db: x.x.x.x | |
| vars_files: | |
| - vars-nginxweb.yaml | |
| pre_tasks: | |
| - name: "Install packages - nginx certbot python3 tools" | |
| apt: | |
| pkg: ['ipset', 'ebtables', 'python3-dev', 'python3-setuptools', 'python3-venv', 'nginx', 'curl', 'gnupg2', 'ca-certificates', 'lsb-release', 'wget', 'python3-certbot-nginx'] | |
| state: present | |
| - name: Check if a reboot is needed for Debian-based systems | |
| stat: | |
| path: /var/run/reboot-required | |
| register: reboot_required | |
| - name: Generate dhparams | |
| shell: openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048 | |
| args: | |
| creates: /etc/ssl/certs/dhparams.pem | |
| - name: Open ssh service on public zone | |
| firewalld: | |
| service: ssh | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| - name: Allow ssh access from my ip range on public zone | |
| firewalld: | |
| rich_rule: 'rule family="ipv4" source address="{{my_ip_range}}" port protocol="tcp" port="ssh" accept' | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| - name: Allow ssh access from remote jump on public zone | |
| firewalld: | |
| rich_rule: 'rule family="ipv4" source address="{{my_jump_ip}}" port protocol="tcp" port="ssh" accept' | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| - name: Allow ssh access from db on public zone | |
| firewalld: | |
| rich_rule: 'rule family="ipv4" source address="{{my_db}}" port protocol="tcp" port="ssh" accept' | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| # with rich rules above you then have to remove ssh from public otherwise they dont have meaning | |
| - name: Close ssh service on public zone | |
| firewalld: | |
| service: ssh | |
| zone: "public" | |
| state: disabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| - name: Open http service on public zone | |
| firewalld: | |
| service: http | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| - name: Open https service on public zone | |
| firewalld: | |
| service: https | |
| zone: "public" | |
| state: enabled | |
| permanent: yes | |
| immediate: yes | |
| notify: | |
| - restart firewalld | |
| tasks: | |
| - name: Enabled nginx and ensure it is not masked | |
| ansible.builtin.systemd: | |
| name: nginx | |
| enabled: yes | |
| masked: no | |
| - name: Create general site layout hierarchy | |
| file: | |
| path: /var/www/ | |
| state: directory | |
| owner: root | |
| group: root | |
| mode: 0755 | |
| - name: Create default html directory for challenges | |
| file: | |
| path: /var/www/html | |
| owner: www-data | |
| group: www-data | |
| mode: 0755 | |
| recurse: yes | |
| - name: Clear sites-available pre clone | |
| file: | |
| state: absent | |
| path: /etc/nginx/sites-available | |
| - name: Make new sites-available for clone | |
| file: | |
| state: directory | |
| path: /etc/nginx/sites-available | |
| # copy git files | |
| # obtain deploy key from | |
| # https://gitlab.com/xxxx/*\\\project///*/-/settings/repository | |
| - name: Clone the configuration branch into /etc/nginx then copy around as needed | |
| git: | |
| repo: https://{{confs_read_un}}:{{confs_read_key}}@gitlab.com/xxxxxx/nginx-conf.git | |
| dest: /etc/nginx/sites-available/ | |
| version: main | |
| force: yes | |
| update: yes | |
| - name: Set proper permissions on all sites-available | |
| file: | |
| path: /etc/nginx/sites-available | |
| owner: root | |
| group: root | |
| mode: 0400 | |
| recurse: yes | |
| - name: Create default html directory for challenges | |
| file: | |
| path: /var/www/html | |
| owner: www-data | |
| group: www-data | |
| mode: 0755 | |
| recurse: yes | |
| - name: Copy default index.html from cloned nginx conf files to /var/www/html | |
| ansible.builtin.copy: | |
| remote_src: yes | |
| src: /etc/nginx/sites-available/yyh-default-index.html-orig | |
| dest: /var/www/html/index.html | |
| owner: www-data | |
| group: www-data | |
| mode: 0755 | |
| - name: Remove default nginx index | |
| ansible.builtin.file: | |
| path: /var/www/html/index.nginx-debian.html | |
| state: absent | |
| - name: Create a site directory | |
| file: | |
| path: /var/www/yoursite | |
| owner: www-data | |
| group: www-data | |
| mode: 0755 | |
| recurse: yes | |
| # get yoursite git repo --- a static website | |
| # obtain deploy key from | |
| # https://gitlab.com/xxxxx/*\\\project///*/-/settings/repository | |
| - name: Clone your site into /var/www/yourclinic | |
| git: | |
| repo: https://{{yoursite_read_un}}:{{yoursite_read_key}}@gitlab.com/xxxxxx/yoursite.git | |
| dest: /var/www/yoursite/ | |
| version: master | |
| force: yes | |
| update: yes | |
| # ensure html perms | |
| - name: Fix permissions web files | |
| file: dest=/var/www/yoursite/ owner=www-data group=www-data mode=0755 recurse=yes | |
| - name: Enable your site vhost | |
| file: | |
| src: /etc/nginx/sites-available/your.site.com.conf | |
| dest: /etc/nginx/sites-enabled/your.site.com.conf | |
| state: link | |
| # below is for confs that are just redirectors (no local files) | |
| - name: Enable all the redirect sites | |
| file: | |
| src: /etc/nginx/sites-available/{{ item.site }} | |
| dest: /etc/nginx/sites-enabled/{{ item.site }} | |
| state: link | |
| with_items: | |
| - { site: 'r1-redir.com.conf' } | |
| - { site: 'r2-redir.com.conf' } | |
| - name: Remove default nginx sites-enabled | |
| file: | |
| path: "/etc/nginx/sites-enabled/default" | |
| state: absent | |
| - name: Restart Nginx | |
| service: name=nginx state=restarted enabled=yes | |
| # NOTE BELOW HAS ALL SITES AND REDIRECT SITES | |
| - name: Create letsencrypt certificates | |
| shell: certbot certonly -n --webroot -w /var/www/html -m [email protected] --agree-tos -d {{ item.dname }} | |
| args: | |
| creates: /etc/letsencrypt/live/{{ item.dname }} | |
| with_items: | |
| - { dname: 'yoursite.com' } | |
| - { dname: 'redir1.com' } | |
| - { dname: 'redir2.com' } | |
| - name: Restart Nginx | |
| service: name=nginx state=restarted enabled=yes | |
| - name: Reboot the server if needed. | |
| reboot: | |
| msg: "Reboot initiated by ansible - reboot required file" | |
| connect_timeout: 5 | |
| reboot_timeout: 600 | |
| pre_reboot_delay: 0 | |
| post_reboot_delay: 30 | |
| test_command: whoami | |
| when: reboot_required.stat.exists | |
| # debian comes with systemd timer for certbot renewals but do cron if necessary systemctl cat certbot.timer | |
| - name: Remove old packages from the cache. | |
| apt: | |
| autoclean: yes | |
| - name: Remove dependencies that are no longer needed. | |
| apt: | |
| autoremove: yes | |
| purge: yes | |
| handlers: | |
| - name: restart firewalld | |
| service: | |
| name: firewalld | |
| state: restarted |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment