Ansible playbook for deploying Nginx as a TLS-terminating reverse proxy in front of other services, with certificates obtained and renewed by Certbot (Let's Encrypt). Two files follow: the `nginx_proxy_sites` vars file describing each proxied site, and the deploy play that installs Nginx, clones each site's repo, installs its systemd unit and requests its certificate.
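---
# Sites fronted by the Nginx proxy: one list entry per site. Each entry is
# consumed by the deploy play (git clone, systemd unit install, environment
# file, Certbot, site.conf.j2). Keys the play reads: domain_name, enabled,
# unit_name, repo, source_path, internal_address, aliases, environment,
# extra_locations.
nginx_proxy_sites:
  - domain_name: www.example.com
    enabled: true
    # Basename of the systemd unit. The play installs
    # <source_path>/deploy/<unit_name>.service from the cloned repo into
    # /etc/systemd/system as root, so the repo contents (and everyone with
    # push access to it) are fully trusted on this host.
    unit_name: example
    repo: https://github.com/user/project.git
    source_path: /data/www/www.example.com
    # Upstream the proxy forwards to. Keep it on loopback so the application
    # is only reachable through Nginx.
    internal_address: http://127.0.0.1:8080
    # Every name Certbot puts on the certificate. domain_name should appear
    # here too: the play uses it to locate the issued cert under
    # /etc/letsencrypt/live/.
    aliases:
      - www.example.com
      - example.com
    # Rendered into /etc/systemd-envfiles/<unit_name>.environment (root-only
    # file). Do not commit real secrets in plaintext here: encrypt the value
    # with `ansible-vault encrypt_string` (inline `!vault |` block) or keep
    # this file vaulted as a whole.
    environment:
      DJANGO_SECRET_KEY: '******'
    # Extra nginx `location` blocks served straight from disk rather than
    # proxied. `internal: true` presumably renders as nginx `internal;` in
    # site.conf.j2 (reachable only via X-Accel-Redirect from the upstream,
    # not by direct client request) — confirm against the template.
    extra_locations:
      - url: "/static/"
        path: "/data/www/www.example.com/static"
      - url: "/protected/"
        path: "/data/www/www.example.com/protected"
        internal: true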
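---
# Deploys Nginx as a TLS-terminating reverse proxy in front of the services
# listed in `nginx_proxy_sites`, with Let's Encrypt certificates from Certbot.
# Expects the templates nginx.conf.j2, site.conf.j2 and unit.environment.j2
# next to the play, plus the vars `nginx_proxy_sites` and `admin_email`.
# The whole block runs as root (`become: true`), so every file copied and
# every command run here has full control of the host.
- block:
    - name: Install Nginx and other packages
      # NOTE(review): `state: latest` upgrades on every run, so hosts
      # provisioned at different times end up on different versions. Pin
      # versions or use `state: present` where reproducibility matters.
      package:
        name: "{{ item }}"
        state: latest
      with_items:
        - nginx
        - certbot
        - python34-devel
        - python-pip
        - python-virtualenv
        - git

    - name: Upgrade pip and virtualenv because CentOS is dumb
      # NOTE(review): this fetches the newest pip/virtualenv from PyPI with no
      # version pin or hash check and overwrites files owned by the
      # python-pip/python-virtualenv RPMs. Kept as the original had it; pin
      # (`pip install 'pip==X.Y'`) if the host must be reproducible.
      command: "pip install --upgrade {{ item }}"
      with_items:
        - pip
        - virtualenv
      register: pip_result
      changed_when: "'Requirement already up-to-date' not in pip_result.stdout"

    - name: Create directories
      # Bug fix: the original hard-coded `path: /data/www/certbot`, so /data/www
      # itself was never created/chowned even though it is in the list, and the
      # git clone below (run as nginx) could not write into it on a fresh host.
      # Both directories are owned by nginx because the clone runs as that
      # user; that also means anything running as nginx can modify the
      # checked-out code and unit files (see the copy task below).
      file:
        path: "{{ item }}"
        owner: nginx
        group: nginx
        mode: "0755"
        state: directory
      with_items:
        - /data/www
        - /data/www/certbot

    - name: Open firewall for HTTP and HTTPS
      # `immediate: true` applies the rule to the running firewall as well as
      # the permanent config, which replaces the original firewalld restart.
      firewalld:
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      with_items:
        - http
        - https

    - name: Generate dhparams
      # Run before nginx.conf is rendered and validated, in case the template
      # references the file. `creates` makes this a one-off per host.
      command: openssl dhparam -out /etc/nginx/dhparams.pem 2048
      args:
        creates: /etc/nginx/dhparams.pem

    - name: Copy Nginx config file
      template:
        src: "nginx.conf.j2"
        dest: "/etc/nginx/nginx.conf"
        owner: root
        group: root
        mode: "0644"
        backup: true
        # Refuse to install a config nginx rejects; otherwise a bad template
        # takes the proxy down at the restart below.
        validate: "/usr/sbin/nginx -t -c %s"
      register: nginx_conf_result

    - name: Restart Nginx when nginx.conf changes
      systemd:
        name: nginx.service
        state: restarted
      when: nginx_conf_result.changed

    - name: Clone site repos if they haven't been already
      # NOTE(review): the repo's deploy/*.service is later installed as a
      # root-run systemd unit, so the repo and anyone who can push to it are
      # fully trusted. Set `version` (tag or commit) on the site entry to pin
      # what gets cloned instead of the branch tip; with `update: false` the
      # checkout is made once and never moved afterwards.
      git:
        repo: "{{ item.repo }}"
        dest: "{{ item.source_path }}"
        version: "{{ item.version | default('HEAD') }}"
        update: false
      become_user: nginx
      with_items: "{{ nginx_proxy_sites }}"

    - name: Copy service files from repos
      # The unit file is read from a checkout owned by the `nginx` user and
      # installed as root; a process running as nginx (or the repo owner) can
      # therefore get arbitrary commands run as root at the next play run.
      # Review deploy/*.service in each repo. Ownership and mode are forced so
      # the installed copy cannot be edited by anyone but root.
      copy:
        src: "{{ item.source_path }}/deploy/{{ item.unit_name }}.service"
        dest: "/etc/systemd/system/{{ item.unit_name }}.service"
        remote_src: true
        owner: root
        group: root
        mode: "0644"
      with_items: "{{ nginx_proxy_sites }}"

    - name: Make /etc/systemd-envfiles directory
      file:
        path: /etc/systemd-envfiles
        state: directory
        owner: root
        group: root
        mode: "0755"

    - name: Set environment variables for the sites
      # Presumably renders each site's `environment` map (secrets such as
      # DJANGO_SECRET_KEY) in plaintext, so the file is root-only — systemd
      # reads EnvironmentFile= as root. 0600 rather than 0700: the execute bit
      # is meaningless on a data file. `no_log` keeps the rendered secrets out
      # of Ansible's output and --diff.
      template:
        src: "unit.environment.j2"
        dest: "/etc/systemd-envfiles/{{ item.unit_name }}.environment"
        owner: root
        group: root
        mode: "0600"
      no_log: true
      with_items: "{{ nginx_proxy_sites }}"

    - name: Start and enable services for enabled sites
      systemd:
        daemon_reload: true
        name: "{{ item.unit_name }}.service"
        state: "{{ 'started' if item.enabled else 'stopped' }}"
        enabled: "{{ item.enabled | bool }}"
      with_items: "{{ nginx_proxy_sites }}"

    - name: Run Certbot to obtain SSL certs for each site
      # `command` instead of `shell`, with every templated value passed through
      # `quote`, so an e-mail or domain containing shell metacharacters cannot
      # inject into the command line. Requires nginx to serve
      # /.well-known/acme-challenge/ from /data/www/certbot over plain HTTP
      # (expected to come from nginx.conf.j2, not shown here).
      command: >-
        certbot certonly -n --webroot -w /data/www/certbot
        -m {{ admin_email | quote }} --agree-tos
        {% for d in item.aliases %}-d {{ d | quote }} {% endfor %}
      args:
        creates: "/etc/letsencrypt/live/{{ item.domain_name }}"
      with_items: "{{ nginx_proxy_sites }}"

    - name: Copy the site config files
      template:
        src: "site.conf.j2"
        dest: "/etc/nginx/conf.d/{{ item.domain_name }}.conf"
        owner: root
        group: root
        mode: "0644"
      register: site_conf_result
      with_items: "{{ nginx_proxy_sites }}"

    - name: Restart Nginx when site configs change
      systemd:
        name: nginx.service
        state: restarted
      when: site_conf_result.changed

    - name: Enable Nginx
      systemd:
        name: nginx.service
        enabled: true
        state: started

    - name: Add cronjob to renew certificates
      # Let's Encrypt certificates last 90 days and `certbot renew` only acts
      # on those with <30 days left, so a monthly check gives a single attempt
      # per certificate and one failed run means an expired cert. Check daily
      # instead (certbot itself recommends twice daily); renew is a no-op when
      # nothing is due. A reload is enough for nginx to pick up the new files
      # and does not drop open connections.
      # NOTE(review): if the distro's certbot package ships a renewal timer
      # (e.g. certbot-renew.timer), enable that rather than duplicating it.
      cron:
        name: "Certbot renewal"
        special_time: daily
        job: "certbot renew --deploy-hook 'systemctl reload nginx.service'"
  become: true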