From 083d71b4d4d694228707b0fe5f392c1331c4f4fd Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Fri, 22 Apr 2016 18:55:20 +0200
Subject: [PATCH] library/roles/nginx: letsencrypt hook and configuration for letsencrypt. See https://support.d4science.org/issues/3260.
---
 nginx/defaults/main.yml | 3 +++
 nginx/files/nginx-letsencrypt-acme.sh | 26 ++++++++++++++++++++
 nginx/tasks/main.yml | 2 ++
 nginx/tasks/nginx-letsencrypt.yml | 29 +++++++++++++++++++++++
 nginx/templates/letsencrypt-proxy.conf.j2 | 4 ++++
 5 files changed, 64 insertions(+)
 create mode 100644 nginx/files/nginx-letsencrypt-acme.sh
 create mode 100644 nginx/tasks/nginx-letsencrypt.yml
 create mode 100644 nginx/templates/letsencrypt-proxy.conf.j2
diff --git a/nginx/defaults/main.yml b/nginx/defaults/main.yml
index 0cd1fe2..6a16555 100644
--- a/nginx/defaults/main.yml
+++ b/nginx/defaults/main.yml
@@ -22,3 +22,6 @@
 nginx_proxy_connect_timeout: 30s
 nginx_proxy_read_timeout: 480s
 nginx_proxy_send_timeout: 120s
+nginx_letsencrypt_managed: True
+nginx_letsencrypt_proxy_conf: letsencrypt-proxy.conf
+
diff --git a/nginx/files/nginx-letsencrypt-acme.sh b/nginx/files/nginx-letsencrypt-acme.sh
new file mode 100644
index 0000000..074dbc2
--- /dev/null
+++ b/nginx/files/nginx-letsencrypt-acme.sh
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
+LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
+LE_LOG_DIR=/var/log/letsencrypt
+DATE=$( date )
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> $LE_LOG_DIR/nginx.log
+
+if [ -f /etc/default/letsencrypt ] ; then
+ . /etc/default/letsencrypt
+else
+ echo "No letsencrypt default file" >> $LE_LOG_DIR/nginx.log
+fi
+
+echo "Reload the nginx service" >> $LE_LOG_DIR/nginx.log
+if [ -x /bin/systemctl ] ; then
+ systemctl reload nginx >> $LE_LOG_DIR/nginx.log 2>&1
+else
+ service nginx reload >> $LE_LOG_DIR/nginx.log 2>&1
+fi
+
+echo "Done." >> $LE_LOG_DIR/nginx.log
+
+exit 0
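Review bot: `nginx_letsencrypt_managed: True` uses the YAML 1.1 capitalised boolean; Ansible accepts it, but yamllint's `truthy` rule and YAML 1.2 parsers only treat the lowercase form as canonical, so prefer `nginx_letsencrypt_managed: true`. The pair would also benefit from a comment explaining what flipping the flag does, e.g. `# Install the ACME challenge proxy location and the post-renewal reload hook; set to false to remove both.`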
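Review bot: The hook reports success unconditionally — the final `exit 0` discards the status of `systemctl reload nginx` / `service nginx reload`, so a failed reload (for example a config test failure) is invisible to the ACME client and the renewed certificate is never served even though the log says "Done.". The reload status should be propagated instead, as below. `LE_SERVICES_SCRIPT_DIR` and `LE_CERTS_DIR` are assigned but never read and can be dropped. Since the hook presumably runs as root when the ACME client fires it, `. /etc/default/letsencrypt` executes whatever that file contains; a comment at that line noting that the file must be root-owned and not group/world-writable would help the next maintainer.
```shell
# … unchanged: log dir creation and /etc/default/letsencrypt sourcing …
echo "Reload the nginx service" >> "$LE_LOG_DIR/nginx.log"
if [ -x /bin/systemctl ] ; then
    systemctl reload nginx >> "$LE_LOG_DIR/nginx.log" 2>&1
else
    service nginx reload >> "$LE_LOG_DIR/nginx.log" 2>&1
fi
# status of the reload that actually ran (last command of the taken branch)
rc=$?
echo "Done (reload exit status $rc)." >> "$LE_LOG_DIR/nginx.log"
exit $rc
```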
diff --git a/nginx/tasks/main.yml b/nginx/tasks/main.yml
index 69e2426..f8cfbae 100644
--- a/nginx/tasks/main.yml
+++ b/nginx/tasks/main.yml
@@ -1,3 +1,5 @@
 ---
 - include: nginx.yml
+- include: nginx-letsencrypt.yml
+ when: letsencrypt_acme_install is defined and letsencrypt_acme_install
 - include: pam-ldap.yml
diff --git a/nginx/tasks/nginx-letsencrypt.yml b/nginx/tasks/nginx-letsencrypt.yml
new file mode 100644
index 0000000..c9b0b6d
--- /dev/null
+++ b/nginx/tasks/nginx-letsencrypt.yml
@@ -0,0 +1,29 @@
+---
+- block:
+ - name: Install the letsencrypt conf
+ template: src={{ item }}.j2 dest=/etc/nginx/conf.d/{{ item }} owner=root group=root mode=0644
+ with_items: '{{ nginx_letsencrypt_proxy_conf }}'
+ notify: Reload nginx
+
+ - name: Create the acme hooks directory if it does not yet exist
+ file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root
+
+ - name: Install a letsencrypt hook for nginx
+ copy: src=nginx-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/nginx owner=root group=root mode=4555
+
+ when:
+ - letsencrypt_acme_install is defined and letsencrypt_acme_install
+ - nginx_letsencrypt_managed
+ tags: [ 'nginx', 'letsencrypt' ]
+
+- block:
+ - name: Disable the letsencrypt conf
+ file: dest=/etc/nginx/conf.d/letsencrypt-proxy.conf state=absent
+ notify: nginx2 reload
+
+ - name: Remove the letsencrypt hook for nginx
+ file: path={{ letsencrypt_acme_services_scripts_dir }}/nginx state=absent
+
+ when: not nginx_letsencrypt_managed
+ tags: [ 'nginx', 'letsencrypt' ]
+
diff --git a/nginx/templates/letsencrypt-proxy.conf.j2 b/nginx/templates/letsencrypt-proxy.conf.j2
new file mode 100644
index 0000000..1e43c27
--- /dev/null
+++ b/nginx/templates/letsencrypt-proxy.conf.j2
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+ proxy_pass http://127.0.0.1:{{ letsencrypt_acme_standalone_port}}/.well-known/acme-challenge ;
+}
+
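Review bot: The `when:` on the new include repeats the guard already placed on the first block of nginx-letsencrypt.yml, and because it gates the whole file it also hides the `when: not nginx_letsencrypt_managed` cleanup block, so a host where `letsencrypt_acme_install` is false never has a stale proxy conf or hook removed. Keep the condition in one place — either drop the duplicate from the included file or drop it here as `- include: nginx-letsencrypt.yml`; if it leaves main.yml, the cleanup block will need `letsencrypt_acme_services_scripts_dir` to be defined (presumably it comes from the letsencrypt role) or an `is defined` guard of its own.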
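Review bot: `mode=4555` on the "Install a letsencrypt hook for nginx" task sets the setuid bit on a root-owned shell script; Linux ignores setuid on interpreter scripts, so it adds nothing, and an unexplained setuid-root file under the hooks directory is exactly what hardening scans flag, so use `mode=0755`. The two blocks notify different handlers, `Reload nginx` and `nginx2 reload`; the handlers file is not in this patch, but one of the two is likely a typo and would fail the play. The removal task hardcodes `/etc/nginx/conf.d/letsencrypt-proxy.conf` while the install task derives the path from `nginx_letsencrypt_proxy_conf`, so an overridden name would never be cleaned up — use `file: dest=/etc/nginx/conf.d/{{ nginx_letsencrypt_proxy_conf }} state=absent`.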
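Review bot: A bare `location` block is only valid inside a `server` context, and the stock nginx.conf shipped by Debian/Ubuntu and upstream packages includes `/etc/nginx/conf.d/*.conf` at `http` level, so unless this role ships its own nginx.conf that includes conf.d from within the server block, `nginx -t` will fail with "location directive is not allowed here" and the Reload nginx handler will fail, leaving the challenge proxy inactive. The usual shape is to install it as a snippet (e.g. `/etc/nginx/snippets/letsencrypt-proxy.conf`) and add `include snippets/letsencrypt-proxy.conf;` to each port-80 `server` block that answers for the ACME hostname. The Jinja expression is also missing its closing space — `{{ letsencrypt_acme_standalone_port }}` — which renders fine but breaks the role's own `{{ x }}` convention.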