Ongoing refactoring and dev involving certbot nginx and vaultwarden

2026-06-06 16:19:32 +02:00 · 2026-06-06 16:19:32 +02:00 · 0e768d94e1
parent 648a951533
commit 0e768d94e1
12 changed files with 159 additions and 25 deletions
--- a/ansible/inventories/host_vars/tester.sse.cloud.isti.cnr.it.yaml
+++ b/ansible/inventories/host_vars/tester.sse.cloud.isti.cnr.it.yaml
--- a/ansible/inventories/sse-lab.yaml
+++ b/ansible/inventories/sse-lab.yaml
@ -0,0 +1,5 @@
+---
+sse:
+  children:
+    testing:
+      tester.sse.cloud.isti.cnr.it:
--- a/ansible/playbooks/roles/certbot/defaults/main.yaml
+++ b/ansible/playbooks/roles/certbot/defaults/main.yaml
@ -1 +1,19 @@
-certbot_with_dockered_nginx : True
+certbot_with_dockered_nginx : True
+
+#CERTBOT for letsencrypt
+certbot_create_method: webroot
+certbot_create_if_missing: true
+certbot_admin_email: fabio.sinibaldi@isti.cnr.it
+
+certbot_webroot: "{{ docker_base_volume_path }}/www"
+
+certbot_certs:
+  - name: "{{ ansible_hostname }}"
+    domains: 
+      - "{{ inventory_hostname }}"
+    webroot: "{{ docker_base_volume_path }}/{{ ansible_hostname }}"
+
+#Certbot verbose level
+certbot_create_extra_args: "-vvv --force-renewal"
+certbot_testmode: false
+
--- a/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml
+++ b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml
@ -1,5 +1,7 @@
 ---
 # Need to stop using port 80 for certbot webroot validation
+# Needed also if not first run 
+
 - name: Gathering NGINX container state
  docker_container_info:
    name: nginx
@ -18,23 +20,23 @@
  include_role:
    name: geerlingguy.certbot

- name: Copy fullchain files to nginx volume
-  ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-    #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-    remote_src: true
-    mode: '0644'
-  loop: "{{ certbot_certs }}"
+# - name: Copy fullchain files to nginx volume
+#   ansible.builtin.copy:
+#     src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+#     #TODO nginx configuration is not multi domain
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+#     remote_src: true
+#     mode: '0644'
+#   loop: "{{ certbot_certs }}"

- name: Copy privkey files to nginx volume
-  ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
-    #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
-    remote_src: true
-    mode: '0644'
-  loop: "{{ certbot_certs }}"
+# - name: Copy privkey files to nginx volume
+#   ansible.builtin.copy:
+#     src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+#     #TODO nginx configuration is not multi domain
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+#     remote_src: true
+#     mode: '0644'
+#   loop: "{{ certbot_certs }}"


 - name: Setting up Docker NGINX renewal hooks 
@ -46,7 +48,7 @@
    - pre
    - post

- name: Removing systemctl hooks
+- name: Removing systemctl hooks (defined by geerlingguy)
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
@ -57,6 +59,8 @@

 # Installs dockered NGINX if needed and start it 

- name: Installing and (Re)starting NGINX
-  include_role:
-    name: chrissayon.wordpress_docker.nginx
+- name: Installing NGINX
+  include_task: install_nginx.yaml
+
+- name: Start NGINX
+  include_task: start_nginx.yaml
--- a/ansible/playbooks/roles/certbot/tasks/install_nginx.yaml
+++ b/ansible/playbooks/roles/certbot/tasks/install_nginx.yaml
@ -0,0 +1,16 @@
+---
+- name: Create conf folder to put nginx folder
+  ansible.builtin.file:
+    path: "{{ docker_base_volume_path }}/nginx/conf"
+    state: directory
+    mode: "0755"
+
+- name: Copy nginx.conf to server
+  template:
+    src: "templates/nginx.conf.j2"
+    dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf"
+
+- name: Pull Nginx image
+  docker_image:
+    name: "nginx:{{ nginx_docker_tag }}"
+    source: pull
--- a/ansible/playbooks/roles/certbot/tasks/start_nginx.yaml
+++ b/ansible/playbooks/roles/certbot/tasks/start_nginx.yaml
@ -0,0 +1,17 @@
+---
+- name: Start Nginx Container (HTTPS)
+  docker_container:
+    name: nginx
+    image: nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - name: "{{ docker_nginx_network_name }}"
+    hostname: "{{ docker_nginx_hostname }}"
+    volumes:
+      - "{{ docker_base_volume_path }}/vaultwarden:/var/www/html"
+      - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
+      - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
+      - "/etc/letsencrypt/live:/etc/nginx/ssl/:ro"
+    restart: true
--- a/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2
+++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2
@ -1,9 +1,9 @@
 #!/bin/sh

-{% for item in certbot_certs %}
-cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
-cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
-{% endfor %}
+# {% for item in certbot_certs %}
+# cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
+# cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
+# {% endfor %}

 docker start nginx

--- a/ansible/playbooks/roles/certbot/templates/nginx.conf.j2
+++ b/ansible/playbooks/roles/certbot/templates/nginx.conf.j2
@ -0,0 +1,34 @@
+{% for item in certbot_certs %}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ item.name }};
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ item.name }};
+
+    root   /var/www/html;
+    index  index.php;
+
+
+    ssl_certificate /etc/nginx/ssl/{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ item.name }}/privatekey.pem;
+
+    client_max_body_size 40M;
+
+
+    location / {
+        proxy_pass http://{{ docker_wordpress_hostname }}:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}
--- a/ansible/playbooks/roles/vaultwarden/defaults/main.yaml
+++ b/ansible/playbooks/roles/vaultwarden/defaults/main.yaml
@ -0,0 +1,5 @@
+vaultwarden_docker_tag
+docker_vaultwarden_network_name
+docker_vaultwarden_hostname
+docker_base_volume_path
+
--- a/ansible/playbooks/roles/vaultwarden/tasks/install_certbot.yaml
+++ b/ansible/playbooks/roles/vaultwarden/tasks/install_certbot.yaml
@ -0,0 +1,4 @@
+---
+- name: Instal and configure certbot
+  include_role:
+    name: geerlingguy.certbot
--- a/ansible/playbooks/roles/vaultwarden/tasks/main.yaml
+++ b/ansible/playbooks/roles/vaultwarden/tasks/main.yaml
@ -0,0 +1,17 @@
+---
+- name: Pull Vaultwarden server image
+  docker_image:
+    name: "vaultwarden/server:{{ vaultwarden_docker_tag }}"
+    source: pull
+
+- name: Create container with Vaultwarden image
+  docker_container:
+    name: vaultwarden
+    image: vaultwarden
+    networks:
+      - name: "{{ docker_vaultwarden_network_name }}"
+    hostname: "{{ docker_vaultwarden_hostname }}"
+    ports:
+      - "80:"
+    volumes:
+      - "{{ docker_base_volume_path }}/vaultwarden:/data/"
--- a/ansible/playbooks/vaultwarden.yaml
+++ b/ansible/playbooks/vaultwarden.yaml
@ -0,0 +1,14 @@
+---
+- name: Install and configure Vaultwarden
+  hosts: web
+  become : True
+
+  roles:
+    - geerlingguy.docker
+    - vaultwarden
+
+  tasks:
+    - name: Install certbot and nginx
+      include_task: nginx_http.yaml
+      when:
+        - vaultwarden_with_nginx_https.yaml