Use certbot to issue certificates

2023-12-21 16:35:20 +00:00 · 2023-12-21 16:35:20 +00:00 · 39899cd1e0
commit 39899cd1e0
parent 8e1a203df2
10 changed files with 80 additions and 43 deletions
--- a/ansible/files/nginx-docker.conf
+++ b/ansible/files/nginx-docker.conf
@ -9,8 +9,8 @@ server {
    set $upstream {{ upstream }};

    ssl_certificate {{ ssl_cert_path }}/fullchain.pem;
-    ssl_certificate_key {{ ssl_cert_path }}/key.pem;
-    ssl_trusted_certificate {{ ssl_cert_path }}/cert.pem;
+    ssl_certificate_key {{ ssl_cert_path }}/privkey.pem;
+    ssl_trusted_certificate {{ ssl_cert_path }}/chain.pem;
    include includes/ssl.conf;

    include includes/docker-resolver.conf;
--- a/ansible/galaxy-requirements.yml
+++ b/ansible/galaxy-requirements.yml
@ -20,3 +20,5 @@ roles:
    version: v2022.10.17
  - src: nginxinc.nginx
    version: 0.24.1
+  - src: geerlingguy.certbot
+    version: 5.1.0
--- a/ansible/group_vars/all/certbot.yml
+++ b/ansible/group_vars/all/certbot.yml
@ -0,0 +1,13 @@
+certbot_install_method: package
+certbot_auto_renew: true
+certbot_auto_renew_user: root
+certbot_auto_renew_hour: 23
+certbot_auto_renew_minute: 30
+certbot_auto_renew_options: --quiet --post-hook "systemctl reload nginx"
+certbot_admin_email: "{{ vault_certbot_admin_email }}"
+
+certbot_create_method: webroot
+
+certbot_webroot: /var/www/certbot-webroot
+
+certbot_create_if_missing: true
--- a/ansible/group_vars/all/vault.yml
+++ b/ansible/group_vars/all/vault.yml
@ -1,38 +1,41 @@
 $ANSIBLE_VAULT;1.1;AES256
-64313263396466623131663462303837643566386538363331643866643630663237313165343936
-6661326238643732343035346436393737303234356533630a386166383135343135373135373036
-38336137316638633339656633363263633462363766643739306136306233663732613135306230
-6233653966313034350a616133663134343235643930396462613139326233396563633061623437
-63343464346239323030336261633964346331323465623461313762373863336361356533666130
-61613930616462373465316532376139373261616438616334643664383937303865386663316133
-30356564343334303764346433366265653663646231636666363065393465326237613236666536
-64663965633264373266386131366465393938343238366430306335346561303366343836323533
-38323033336361343431656233353662383463653232616137666266653332353039303438646466
-31666434666264303163643662323531376239666432616561363830643836313734363732363137
-66366630636465326631353464356465303939393766386332616661623133343735626338386661
-31346134663366386339383439363035376361313336393335656532363638616136323637333734
-38343261333533653833353461386537633635303739663432633766373634363832313030623665
-33663737393164643839373064383964376239333465363731643862303238353432623635656665
-38383265623034393631303638663633336466336566336231366334396532303934663538656666
-32316465626563306534653531646334336133343162623433623734653465346231323764393662
-35333930656435636539373862346631323839303335623364313436383432316437353731373463
-31373138326565626661613335663964623264336232393364336630306236396230316232306235
-66626131393966313739626432366463663335643263323237333534643036396537383339373932
-36343236643731646535346433363139363131623738633234336162383361326661353161656436
-34663463326264323239383066623038316639336666363230616535616631623637646539343335
-63633731323564636234313838306661616363306165356661343930616231666165613461366435
-39313938666431303930663763363462633466326665366432363334393333343766623061666135
-38636639626134663930333664396534646165383435613035393333383563616639393262333933
-30623861623638393838643561373834396431396538316662326134356639323431656631623137
-37666534326530623966343361393235303934323635313063623833353161643165386363373765
-31633461313062396633623561666537633239353035363932333064303338363632316632343031
-36323266343665356635643131613364616134666161353063356562343561633064666661623832
-61366538383631303030316535666639323236323536346635326563383033643538653761623930
-37336434386462363030363866636661656632663938623066636435316437663962303265353363
-30353734653334323536303330633865663963333839386632333336306637333335383532323039
-61666263663266313763353662353136646336646539333163303366323162323435616266626466
-34646134313732393164306463643261326439333565643036303663326263353434663762653263
-63636334363965313137306238393239393938626437353832326634663562653663663265633861
-62363630306364326136653234623764333063306138313037306363346435323435623661393630
-31656463313838313135386331386332333763336362393630643062643966646339386230663038
-36653632626663613536383331393336356333666334646633626363663965393563
+63376661396632313137666432623833393836313463393466663331306566633734313864386538
+6365623730303762613261346138613733323664306361660a303762663233366462653363313038
+64333230383538653136663630336664653435356438666261316366626238343535386431653930
+3432393363373533340a613664306366383533326637626238336638376435313730666433393439
+30623336653365383939333936346661383663383535633562353130363861386264336539303566
+62636634366363306536633532336664336164373739643834366431626635393762323634626436
+31333936376466616261376239643961616431333461386165393762656363353964353031356538
+37353466353037306236323562396264633966353932633461353964616661666363313432396236
+35343065666636663632376264346263623065383266383039373132336339343030633231623636
+61383765636366326231346130386562323630326161663536636534666434343035653535303961
+65336661366534613631343566623136626163363664303364306364313635633962333961333639
+61666431393134313032633730623532383765636334666462303234313530316331646463623965
+66323435313561623136636264393362323530343661303562623365636431633431636361343765
+64366465613936363065303463323432646562343031363764616637623136633034383235656565
+65623066653538313966376532373564633062326164643234376365623936376632623136363263
+34363630613364393133343565383630623036376134353633373836636232653261633337323366
+30376263613862663966396539663834313066303163663636366330316535373634346463666636
+38663335336565616462613838346435353330643533326164353532646436643031666166636465
+30653735396537376536613239613166323665393066616366303431336662646363613536373861
+36643838633832303866363032396335626234623863656432336431666333373235373539666638
+63383130363333646135333630323230393231396262363039666336326436613831633831313331
+38333038353338643532343830346436353331313763323264303031396137376336643834363837
+38633739613534613837643432663465366632383732333437633663643136376139363633636465
+62623261663462333162313938376261386439633964626664393439356561306433333661366239
+39633739333830303730353663663863623539376333373161663237663862623333626633343836
+32386135636639306161303865643633616431373563626461386562626336643638336436333631
+63656136363235393761366664626531313566646537343930663633393337643264633731366165
+65326165376466333537653733303463363431383963343561366530343335353561613438643339
+64646136336362393339323565353835376237346538396165653763343030373732633065643436
+37336532313939306265303731663430613237666534616463343633313837323532666532363238
+62376638343862356231323165326561653637666232646437316234376638366333313732373266
+64633365613630306265303664366536616332323435356234616334323733363131366532363562
+64613631333931626263356538633831396261653038633535643437643332396436653233646438
+35613861363438333463643935636232346639353763323663396366356537633339353664616636
+64386133653531313039306631386136353638333066353765613761353532393662633564666130
+39306534383434333733396134393163633136376633633565326331373637393231613934623638
+37626130353035326230656364393164633538356466623635366230643331663634636330363561
+34326465643464376565346163393834616166366464313635396463396639353965303831353564
+65313534646662636636613066653938396666303733623238613662393536643364323331363961
+65613037313332346665
--- a/ansible/host_vars/walker/main.yml
+++ b/ansible/host_vars/walker/main.yml
@ -2,3 +2,12 @@ restic_backup_locations:
  - /opt

 nginx_https_redirect: true
+
+certbot_certs:
+  - domains:
+      - theorangeone.net
+  - domains:
+      - commento.theorangeone.net
+  - domains:
+      - plausible.theorangeone.net
+      - elbisualp.theorangeone.net
--- a/ansible/main.yml
+++ b/ansible/main.yml
@ -99,6 +99,8 @@

 - hosts: walker
  roles:
+    - role: geerlingguy.certbot
+      become: true
    - nebula
    - coredns
    - nginx
--- a/ansible/roles/commento/tasks/main.yml
+++ b/ansible/roles/commento/tasks/main.yml
@ -29,4 +29,4 @@
  vars:
    server_name: commento.theorangeone.net
    upstream: commento-commento-1.docker:8080
-    ssl_cert_path: /etc/nginx/ssl/theorangeone.net
+    ssl_cert_path: /etc/letsencrypt/live/commento.theorangeone.net
--- a/ansible/roles/nginx/files/nginx-https-redirect.conf
+++ b/ansible/roles/nginx/files/nginx-https-redirect.conf
@ -2,5 +2,13 @@ server {
    listen 80;
    server_name _;
    access_log off;
-    return 308 https://$host$request_uri;
+
+    location ^~ /.well-known/acme-challenge/ {
+        default_type "text/plain";
+        root {{ certbot_webroot }};
+    }
+
+    location / {
+        return 308 https://$host$request_uri;
+    }
 }
--- a/ansible/roles/plausible/tasks/main.yml
+++ b/ansible/roles/plausible/tasks/main.yml
@ -45,6 +45,6 @@
  vars:
    server_name: plausible.theorangeone.net elbisualp.theorangeone.net
    upstream: plausible-plausible-1.docker:8000
-    ssl_cert_path: /etc/nginx/ssl/theorangeone.net
+    ssl_cert_path: /etc/letsencrypt/live/plausible.theorangeone.net
    location_extra: |
      rewrite ^/js/index.js$ /js/plausible.js last;
--- a/ansible/roles/website/tasks/main.yml
+++ b/ansible/roles/website/tasks/main.yml
@ -29,6 +29,6 @@
  vars:
    server_name: theorangeone.net
    upstream: website-nginx-1.docker:8000
-    ssl_cert_path: /etc/nginx/ssl/theorangeone.net
+    ssl_cert_path: /etc/letsencrypt/live/theorangeone.net
    location_extra: |
      more_set_headers "Server: $upstream_http_server";