ansible: Improve SSL cert config
Mauve Signweaver committed Nov 28, 2024
1 parent 58793b7 commit 2ee63db
Showing 5 changed files with 30 additions and 7 deletions.
3 changes: 2 additions & 1 deletion ansible/roles/distributed_press/defaults/main.yml
Expand Up @@ -14,11 +14,12 @@ distributed_press_host: "localhost"
distributed_press_ipfs_provider: "builtin"

distributed_press_git_repo: "https://github.com/hyphacoop/api.distributed.press.git"
distributed_press_git_branch: "v2.1.4"
distributed_press_git_branch: "v2.1.6"
distributed_press_source: "{{distributed_press_home}}/api.distributed.press"

distributed_press_domain: "example.com"
distributed_press_letsencrypt_email: "[email protected]"
distributed_press_cert_name: "{{distributed_press_domain}}-0001"

# These will be used to be served over nginx along with letsencrypt certs
distributed_press_served_sites: []
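Review bot: The new default `distributed_press_cert_name: "{{distributed_press_domain}}-0001"` bakes a certbot lineage suffix into role defaults, and the nginx templates in this commit build their `/etc/letsencrypt/live/<name>/` paths from it. The `-0001` suffix is what certbot appends when a lineage named after the domain already exists, so it presumably reflects the state of one particular host; on a fresh host the lineage will be just the domain, the cert files will not be at that path, and nginx will refuse to load the site. I would default it to `"{{distributed_press_domain}}"` and set `distributed_press_cert_name` per host in inventory where a second lineage exists. The variable also needs a comment, e.g. `# Certbot lineage name under /etc/letsencrypt/live; override per host if certbot created a -0001 lineage`.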
22 changes: 22 additions & 0 deletions ansible/roles/distributed_press/tasks/main.yml
Expand Up @@ -183,6 +183,28 @@
- name: "Enable NGINX firewall"
shell: "ufw allow 'Nginx Full'"

- name: "Copy over default site config"
template:
src: nginx-default.j2
dest: "/etc/nginx/sites-enabled/default"

- name: "Copy over site config"
template:
src: nginx-site.j2
dest: "/etc/nginx/sites-enabled/{{distributed_press_domain}}"

- name: "Copy over social inbox site config"
when: social_inbox_enabled
template:
src: nginx-social-site.j2
dest: "/etc/nginx/sites-enabled/{{social_inbox_domain}}"

- name: "Copy over static site configs"
template:
src: nginx-static.j2
dest: "/etc/nginx/sites-enabled/{{item}}"
loop: "{{distributed_press_served_sites}}"

- name: "Reload NGINX"
systemd:
daemon_reload: true
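Review bot: None of the four new template tasks validates the rendered nginx configuration before the unconditional `Reload NGINX` task that follows them, so a `distributed_press_cert_name` that names a lineage missing under `/etc/letsencrypt/live`, or any template error, is only discovered when the reload fails and the site is already down. Adding `- name: "Validate NGINX config"` / `command: nginx -t` / `changed_when: false` between "Copy over static site configs" and the reload makes the play fail before any service disruption. The "Copy over static site configs" task also uses each entry of `distributed_press_served_sites` unmodified as a filename under `/etc/nginx/sites-enabled/`, and configs for entries later removed from that list are never cleaned up, so stale site files pointing at old certificate paths can accumulate; a `state: absent` cleanup task or a comment stating that removal is manual would help. The `Reload NGINX` task continues past the end of the hunk.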
4 changes: 2 additions & 2 deletions ansible/roles/distributed_press/templates/nginx-site.j2
Expand Up @@ -34,8 +34,8 @@ server {

listen [::]:443 ssl ipv6only=on; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

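Review bot: The `# managed by Certbot` trailers on the two rewritten `ssl_certificate` and `ssl_certificate_key` lines are now inaccurate: these lines are rendered by Ansible from `distributed_press_cert_name`, and a later `certbot --nginx` run may rewrite the certificate directives of this server block to whatever lineage it installed, silently diverging from what the role deploys. The same applies to the identical pairs in the two following template sections (the social-inbox site template and `nginx-static.j2`). I would drop the marker from the two templated lines and add a template comment such as `# cert lineage is selected by distributed_press_cert_name in the role defaults`, so the source of truth is explicit. If the variable names a lineage that does not exist on the host, nginx fails config validation, which the role should check before reloading.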
Expand Up @@ -37,8 +37,8 @@ server {

listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

4 changes: 2 additions & 2 deletions ansible/roles/distributed_press/templates/nginx-static.j2
Expand Up @@ -36,8 +36,8 @@ server {

listen [::]:443 ssl; # managed by Certbot
listen 443 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
