Skip to content

Instantly share code, notes, and snippets.

@chaddupuis
Created December 21, 2022 19:23
Embed
What would you like to do?
Ansible to build an nginx server with certbot
# post base server setup
# nginx, pulls confs from git repo
# certbot setup and general firewall conf
#
- hosts: nginxweb
become: yes
vars:
my_ip_range: x.x.x.x/24
my_jump_ip: x.x.x.x
my_db: x.x.x.x
vars_files:
- vars-nginxweb.yaml
pre_tasks:
- name: "Install packages - nginx certbot python3 tools"
apt:
pkg: ['ipset', 'ebtables', 'python3-dev', 'python3-setuptools', 'python3-venv', 'nginx', 'curl', 'gnupg2', 'ca-certificates', 'lsb-release', 'wget', 'python3-certbot-nginx']
state: present
- name: Check if a reboot is needed for Debian-based systems
stat:
path: /var/run/reboot-required
register: reboot_required
- name: Generate dhparams
shell: openssl dhparam -out /etc/ssl/certs/dhparams.pem 2048
args:
creates: /etc/ssl/certs/dhparams.pem
- name: Open ssh service on public zone
firewalld:
service: ssh
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
- name: Allow ssh access from my ip range on public zone
firewalld:
rich_rule: 'rule family="ipv4" source address="{{my_ip_range}}" port protocol="tcp" port="ssh" accept'
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
- name: Allow ssh access from remote jump on public zone
firewalld:
rich_rule: 'rule family="ipv4" source address="{{my_jump_ip}}" port protocol="tcp" port="ssh" accept'
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
- name: Allow ssh access from db on public zone
firewalld:
rich_rule: 'rule family="ipv4" source address="{{my_db}}" port protocol="tcp" port="ssh" accept'
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
# with rich rules above you then have to remove ssh from public otherwise they dont have meaning
- name: Close ssh service on public zone
firewalld:
service: ssh
zone: "public"
state: disabled
permanent: yes
immediate: yes
notify:
- restart firewalld
- name: Open http service on public zone
firewalld:
service: http
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
- name: Open https service on public zone
firewalld:
service: https
zone: "public"
state: enabled
permanent: yes
immediate: yes
notify:
- restart firewalld
tasks:
- name: Enabled nginx and ensure it is not masked
ansible.builtin.systemd:
name: nginx
enabled: yes
masked: no
- name: Create general site layout hierarchy
file:
path: /var/www/
state: directory
owner: root
group: root
mode: 0755
- name: Create default html directory for challenges
file:
path: /var/www/html
owner: www-data
group: www-data
mode: 0755
recurse: yes
- name: Clear sites-available pre clone
file:
state: absent
path: /etc/nginx/sites-available
- name: Make new sites-available for clone
file:
state: directory
path: /etc/nginx/sites-available
# copy git files
# obtain deploy key from
# https://gitlab.com/xxxx/*\\\project///*/-/settings/repository
- name: Clone the configuration branch into /etc/nginx then copy around as needed
git:
repo: https://{{confs_read_un}}:{{confs_read_key}}@gitlab.com/xxxxxx/nginx-conf.git
dest: /etc/nginx/sites-available/
version: main
force: yes
update: yes
- name: Set proper permissions on all sites-available
file:
path: /etc/nginx/sites-available
owner: root
group: root
mode: 0400
recurse: yes
- name: Create default html directory for challenges
file:
path: /var/www/html
owner: www-data
group: www-data
mode: 0755
recurse: yes
- name: Copy default index.html from cloned nginx conf files to /var/www/html
ansible.builtin.copy:
remote_src: yes
src: /etc/nginx/sites-available/yyh-default-index.html-orig
dest: /var/www/html/index.html
owner: www-data
group: www-data
mode: 0755
- name: Remove default nginx index
ansible.builtin.file:
path: /var/www/html/index.nginx-debian.html
state: absent
- name: Create a site directory
file:
path: /var/www/yoursite
owner: www-data
group: www-data
mode: 0755
recurse: yes
# get yoursite git repo --- a static website
# obtain deploy key from
# https://gitlab.com/xxxxx/*\\\project///*/-/settings/repository
- name: Clone your site into /var/www/yourclinic
git:
repo: https://{{yoursite_read_un}}:{{yoursite_read_key}}@gitlab.com/xxxxxx/yoursite.git
dest: /var/www/yoursite/
version: master
force: yes
update: yes
# ensure html perms
- name: Fix permissions web files
file: dest=/var/www/yoursite/ owner=www-data group=www-data mode=0755 recurse=yes
- name: Enable your site vhost
file:
src: /etc/nginx/sites-available/your.site.com.conf
dest: /etc/nginx/sites-enabled/your.site.com.conf
state: link
# below is for confs that are just redirectors (no local files)
- name: Enable all the redirect sites
file:
src: /etc/nginx/sites-available/{{ item.site }}
dest: /etc/nginx/sites-enabled/{{ item.site }}
state: link
with_items:
- { site: 'r1-redir.com.conf' }
- { site: 'r2-redir.com.conf' }
- name: Remove default nginx sites-enabled
file:
path: "/etc/nginx/sites-enabled/default"
state: absent
- name: Restart Nginx
service: name=nginx state=restarted enabled=yes
# NOTE BELOW HAS ALL SITES AND REDIRECT SITES
- name: Create letsencrypt certificates
shell: certbot certonly -n --webroot -w /var/www/html -m you@you.com --agree-tos -d {{ item.dname }}
args:
creates: /etc/letsencrypt/live/{{ item.dname }}
with_items:
- { dname: 'yoursite.com' }
- { dname: 'redir1.com' }
- { dname: 'redir2.com' }
- name: Restart Nginx
service: name=nginx state=restarted enabled=yes
- name: Reboot the server if needed.
reboot:
msg: "Reboot initiated by ansible - reboot required file"
connect_timeout: 5
reboot_timeout: 600
pre_reboot_delay: 0
post_reboot_delay: 30
test_command: whoami
when: reboot_required.stat.exists
# debian comes with systemd timer for certbot renewals but do cron if necessary systemctl cat certbot.timer
- name: Remove old packages from the cache.
apt:
autoclean: yes
- name: Remove dependencies that are no longer needed.
apt:
autoremove: yes
purge: yes
handlers:
- name: restart firewalld
service:
name: firewalld
state: restarted
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment