Ongoing refactoring and dev involving certbot nginx and vaultwarden

ansible/inventories/sse-lab.yaml

@@ -0,0 +1,5 @@
+---
+sse:
+  children:
+    testing:
+      tester.sse.cloud.isti.cnr.it:

ansible/playbooks/roles/certbot/defaults/main.yaml

@@ -1 +1,19 @@
-certbot_with_dockered_nginx : True
+certbot_with_dockered_nginx : True
+
+#CERTBOT for letsencrypt
+certbot_create_method: webroot
+certbot_create_if_missing: true
+certbot_admin_email: fabio.sinibaldi@isti.cnr.it
+
+certbot_webroot: "{{ docker_base_volume_path }}/www"
+
+certbot_certs:
+  - name: "{{ ansible_hostname }}"
+    domains: 
+      - "{{ inventory_hostname }}"
+    webroot: "{{ docker_base_volume_path }}/{{ ansible_hostname }}"
+
+#Certbot verbose level
+certbot_create_extra_args: "-vvv --force-renewal"
+certbot_testmode: false
+

ansible/playbooks/roles/certbot/tasks/certbot_with_dockered_nginx.yaml

@@ -1,5 +1,7 @@
 ---
 # Need to stop using port 80 for certbot webroot validation
+# Needed also if not first run 
+
 - name: Gathering NGINX container state
   docker_container_info:
     name: nginx
@@ -18,23 +20,23 @@
   include_role:
     name: geerlingguy.certbot
 
-- name: Copy fullchain files to nginx volume
+# - name: Copy fullchain files to nginx volume
-  ansible.builtin.copy:
+#   ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+#     src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
-    #TODO nginx configuration is not multi domain
+#     #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
-    remote_src: true
+#     remote_src: true
-    mode: '0644'
+#     mode: '0644'
-  loop: "{{ certbot_certs }}"
+#   loop: "{{ certbot_certs }}"
 
-- name: Copy privkey files to nginx volume
+# - name: Copy privkey files to nginx volume
-  ansible.builtin.copy:
+#   ansible.builtin.copy:
-    src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+#     src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
-    #TODO nginx configuration is not multi domain
+#     #TODO nginx configuration is not multi domain
-    dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+#     dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
-    remote_src: true
+#     remote_src: true
-    mode: '0644'
+#     mode: '0644'
-  loop: "{{ certbot_certs }}"
+#   loop: "{{ certbot_certs }}"
 
 
 - name: Setting up Docker NGINX renewal hooks 
@@ -46,7 +48,7 @@
     - pre
     - post
 
-- name: Removing systemctl hooks
+- name: Removing systemctl hooks (defined by geerlingguy)
   ansible.builtin.file:
     path: "{{ item }}"
     state: absent
@@ -57,6 +59,8 @@
 
 # Installs dockered NGINX if needed and start it 
 
-- name: Installing and (Re)starting NGINX
+- name: Installing NGINX
-  include_role:
+  include_task: install_nginx.yaml
-    name: chrissayon.wordpress_docker.nginx
+
+- name: Start NGINX
+  include_task: start_nginx.yaml

ansible/playbooks/roles/certbot/tasks/install_nginx.yaml

@@ -0,0 +1,16 @@
+---
+- name: Create conf folder to put nginx folder
+  ansible.builtin.file:
+    path: "{{ docker_base_volume_path }}/nginx/conf"
+    state: directory
+    mode: "0755"
+
+- name: Copy nginx.conf to server
+  template:
+    src: "templates/nginx.conf.j2"
+    dest: "{{ docker_base_volume_path }}/nginx/conf/nginx.conf"
+
+- name: Pull Nginx image
+  docker_image:
+    name: "nginx:{{ nginx_docker_tag }}"
+    source: pull

ansible/playbooks/roles/certbot/tasks/start_nginx.yaml

@@ -0,0 +1,17 @@
+---
+- name: Start Nginx Container (HTTPS)
+  docker_container:
+    name: nginx
+    image: nginx
+    ports:
+      - "80:80"
+      - "443:443"
+    networks:
+      - name: "{{ docker_nginx_network_name }}"
+    hostname: "{{ docker_nginx_hostname }}"
+    volumes:
+      - "{{ docker_base_volume_path }}/vaultwarden:/var/www/html"
+      - "{{ docker_base_volume_path }}/nginx/conf:/etc/nginx/conf.d"
+      - "{{ docker_base_volume_path }}/nginx/logs:/var/log/nginx"
+      - "/etc/letsencrypt/live:/etc/nginx/ssl/:ro"
+    restart: true

ansible/playbooks/roles/certbot/templates/docker_nginx_post.j2

@@ -1,9 +1,9 @@
 #!/bin/sh
 
-{% for item in certbot_certs %}
+# {% for item in certbot_certs %}
-cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
+# cp /etc/letsencrypt/live/{{ item.name }}/fullchain.pem {{ docker_base_volume_path }}/nginx/ssl/fullchain.pem
-cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
+# cp /etc/letsencrypt/live/{{ item.name }}/privkey.pem {{ docker_base_volume_path }}/nginx/ssl/private.pem
-{% endfor %}
+# {% endfor %}
 
 docker start nginx
 

ansible/playbooks/roles/certbot/templates/nginx.conf.j2

@@ -0,0 +1,34 @@
+{% for item in certbot_certs %}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ item.name }};
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ item.name }};
+
+    root   /var/www/html;
+    index  index.php;
+
+
+    ssl_certificate /etc/nginx/ssl/{{ item.name }}/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/{{ item.name }}/privatekey.pem;
+
+    client_max_body_size 40M;
+
+
+    location / {
+        proxy_pass http://{{ docker_wordpress_hostname }}:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+}

ansible/playbooks/roles/vaultwarden/defaults/main.yaml

@@ -0,0 +1,5 @@
+vaultwarden_docker_tag
+docker_vaultwarden_network_name
+docker_vaultwarden_hostname
+docker_base_volume_path
+

ansible/playbooks/roles/vaultwarden/tasks/install_certbot.yaml

@@ -0,0 +1,4 @@
+---
+- name: Instal and configure certbot
+  include_role:
+    name: geerlingguy.certbot

ansible/playbooks/roles/vaultwarden/tasks/main.yaml

@@ -0,0 +1,17 @@
+---
+- name: Pull Vaultwarden server image
+  docker_image:
+    name: "vaultwarden/server:{{ vaultwarden_docker_tag }}"
+    source: pull
+
+- name: Create container with Vaultwarden image
+  docker_container:
+    name: vaultwarden
+    image: vaultwarden
+    networks:
+      - name: "{{ docker_vaultwarden_network_name }}"
+    hostname: "{{ docker_vaultwarden_hostname }}"
+    ports:
+      - "80:"
+    volumes:
+      - "{{ docker_base_volume_path }}/vaultwarden:/data/"

ansible/playbooks/vaultwarden.yaml

@@ -0,0 +1,14 @@
+---
+- name: Install and configure Vaultwarden
+  hosts: web
+  become : True
+
+  roles:
+    - geerlingguy.docker
+    - vaultwarden
+
+  tasks:
+    - name: Install certbot and nginx
+      include_task: nginx_http.yaml
+      when:
+        - vaultwarden_with_nginx_https.yaml