diff --git a/ansible/inventories/group_vars/automotive/automotive.yaml b/ansible/inventories/group_vars/automotive/automotive.yaml index 329f01c..f33513b 100644 --- a/ansible/inventories/group_vars/automotive/automotive.yaml +++ b/ansible/inventories/group_vars/automotive/automotive.yaml @@ -35,5 +35,5 @@ certbot_certs: - "{{ nginx_server_name }}" #Certbot verbose level -certbot_create_extra_args: "-v" +certbot_create_extra_args: "-vvv --force-renewal" certbot_testmode: false \ No newline at end of file diff --git a/ansible/playbooks/roles/certbot/defaults/main.yaml b/ansible/playbooks/roles/certbot/defaults/main.yaml new file mode 100644 index 0000000..fdfde23 --- /dev/null +++ b/ansible/playbooks/roles/certbot/defaults/main.yaml @@ -0,0 +1 @@ +certbot_with_dockered_nginx : True \ No newline at end of file diff --git a/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml new file mode 100644 index 0000000..319856a --- /dev/null +++ b/ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml 
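Review bot: The `#Certbot verbose level` comment on the context line above no longer describes the value, because the new `certbot_create_extra_args` also carries `--force-renewal`. This inventory sets `certbot_testmode: false`, so every time the create command runs with that flag a fresh certificate is requested against the production ACME endpoint and counted towards its duplicate-certificate rate limit; how often the role actually executes the create command is not visible here, so if this was meant as a one-off reissue it should not stay in group_vars permanently. Suggested comment: `# Certbot verbosity; --force-renewal reissues the certificate on every create run (subject to ACME rate limits)`. The file also still has no trailing newline.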
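Review bot: `certbot_with_dockered_nginx : True` has a space before the colon and a capitalised boolean; YAML accepts both, but the task files in the same change write `key: value` with lowercase `true` (e.g. `remote_src: true`), and yamllint flags both forms. Write it as `certbot_with_dockered_nginx: true`, start the file with `---` like the task files do, and end it with a newline.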
@@ -0,0 +1,62 @@
+---
+# Need to stop using port 80 for certbot webroot validation
+- name: Gathering NGINX container state
+ docker_container_info:
+ name: nginx
+ register: nginx_info
+
+- name: Stop NGINX if present
+ docker_container:
+ name: nginx
+ state: stopped
+ when:
+ - nginx_info.exists
+
+# Manage certbot
+
+- name: Instal and configure certbot
+ include_role:
+ name: geerlingguy.certbot
+
+- name: Copy fullchain files to nginx volume
+ ansible.builtin.copy:
+ src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+ #TODO nginx configuration is not multi domain
+ dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+ remote_src: true
+ mode: '0644'
+ loop: "{{ certbot_certs }}"
+
+- name: Copy privkey files to nginx volume
+ ansible.builtin.copy:
+ src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+ #TODO nginx configuration is not multi domain
+ dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+ remote_src: true
+ mode: '0644'
+ loop: "{{ certbot_certs }}"
+
+
+- name: Setting up Docker NGINX renewal hooks
+ template:
+ src: "docker_nginx_{{ item }}.j2"
+ dest: "/etc/letsencrypt/renewal-hooks/{{ item }}/docker_nginx_{{ item }}.sh"
+ mode: '0744'
+ loop:
+ - pre
+ - post
+
+- name: Removing systemctl hooks
+ ansible.builtin.file:
+ path: "{{ item }}"
+ state: absent
+ loop:
+ - "/etc/letsencrypt/renewal-hooks/pre/stop_services"
+ - "/etc/letsencrypt/renewal-hooks/post/start_services"
+
+
+# Installs dockered NGINX if needed and start it
+
+- name: Installing and (Re)starting NGINX
+ include_role:
+ name: chrissayon.wordpress_docker.nginx
diff --git a/ansible/playbooks/roles/certbot/tasks/main.yaml b/ansible/playbooks/roles/certbot/tasks/main.yaml
new file mode 100644
index 0000000..882be34
--- /dev/null
+++ b/ansible/playbooks/roles/certbot/tasks/main.yaml
@@ -0,0 +1,3 @@
+---
+- include_tasks: certbot_with_dockered_nginx.yaml
+ when: certbot_with_dockered_nginx
\ No newline at end of file
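Review bot: The `Copy privkey files to nginx volume` task writes the TLS private key to `{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem` with `mode: '0644'`, which leaves the key world-readable on the host; the fullchain can stay 0644, but the key task should use `mode: '0600'` (the nginx master process in the official image normally runs as root and can still read it — confirm for the image this role installs). `docker_container_info` and `docker_container` are the only unqualified module names in the file while the copy and file tasks use `ansible.builtin.*`; use `community.docker.docker_container_info` and `community.docker.docker_container` for consistency. The comment on the second line says "webroot validation", yet the file stops the container that would serve the webroot, so the comment should name the authenticator actually in use; the task name `Instal and configure certbot` also has a typo.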
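Review bot: The `include_tasks` entry has no `name:`, so play output identifies it only by file name and ansible-lint reports it; put `- name: Manage certbot for the dockerised NGINX` above `include_tasks:`. The file also has no trailing newline.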
diff --git a/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 new file mode 100644 index 0000000..1721fab --- /dev/null +++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2 @@ -0,0 +1,10 @@ +#!/bin/sh + +{% for item in certbot_certs %} +cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem +cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem +{% endfor %} + +docker start nginx + +docker ps diff --git a/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 b/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 new file mode 100644 index 0000000..7a6498a --- /dev/null +++ b/ansible/playbooks/roles/certbot/templates/docker_nginx_pre.j2 @@ -0,0 +1,5 @@ +#!/bin/sh +docker stop nginx + +docker ps + diff --git a/ansible/playbooks/templates/nginx.j2 b/ansible/playbooks/templates/nginx.j2 index fce58f5..238ab26 100644 --- a/ansible/playbooks/templates/nginx.j2 +++ b/ansible/playbooks/templates/nginx.j2 @@ -15,9 +15,10 @@ server { root /var/www/html; index index.php; + ssl_certificate /etc/nginx/ssl/fullchain.pem; ssl_certificate_key /etc/nginx/ssl/privatekey.pem; - {# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #} + location / { proxy_pass http://{{ docker_wordpress_hostname }}:80; diff --git a/ansible/playbooks/wordpress.yaml b/ansible/playbooks/wordpress.yaml index bddf1b4..a14ef46 100644 --- a/ansible/playbooks/wordpress.yaml +++ b/ansible/playbooks/wordpress.yaml 
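Review bot: The post hook copies the key to `{{ docker_base_volume_path }}/nginx/ssl/private.pem`, but the role's copy task and `nginx.j2` (`ssl_certificate_key /etc/nginx/ssl/privatekey.pem;`) use `privatekey.pem`, so after the first renewal nginx is started with the renewed fullchain and the old key and refuses the mismatched pair. Change that line to `cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/privatekey.pem`. The script also has no `set -e`, so a failed `cp` still falls through to `docker start nginx`; add `set -eu` directly under the shebang.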
@@ -10,53 +10,4 @@ - chrissayon.wordpress_docker.network - chrissayon.wordpress_docker.mysql - chrissayon.wordpress_docker.wordpress - - - tasks: - # Need to stop using port 80 for certbot webroot validation - - name: Gathering NGINX container state - docker_container_info: - name: nginx - register: nginx_info - - - name: Stop NGINX if present - docker_container: - name: nginx - state: stopped - when: - - nginx_info.exists - - # Manage certbot - - - name: Install / configure certbot - include_role: - name: geerlingguy.certbot - - # Copy certificates - # configured volume for ssl is - # "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro" - - - name: Copy fullchain files to nginx volume - ansible.builtin.copy: - src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem" - #TODO nginx configuration is not multi domain - dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem" - remote_src: true - mode: '0644' - loop: "{{ certbot_certs }}" - - - name: Copy privkey files to nginx volume - ansible.builtin.copy: - src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem" - #TODO nginx configuration is not multi domain - dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem" - remote_src: true - mode: '0644' - loop: "{{ certbot_certs }}" - - - # Restart NGINX - - - name: (Re)start NGINX - include_role: - name: chrissayon.wordpress_docker.nginx + - certbot \ No newline at end of file
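Review bot: Replacing the inline tasks with `- certbot` drops the only place the SSL volume mapping was documented (the removed `Copy certificates` comment naming the host directory mounted read-only at `/etc/nginx/ssl`), and the new role's tasks file does not carry that information over; add a comment above the copy tasks in the role such as `# nginx mounts {{ docker_base_volume_path }}/nginx/ssl read-only at /etc/nginx/ssl`. The `roles:` list this entry belongs to starts outside the hunk, so the ordering relative to the nginx role cannot be checked here. The file also ends without a trailing newline.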