Configure SSL passthrough

Wojciech Kozlowski 2023-07-09 22:02:51 +02:00
parent dbb294679c
commit a6b2bfa467
21 changed files with 156 additions and 118 deletions


@ -1 +0,0 @@
../../rproxy/files/config


@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name archive.music.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/archive.music.wojciechkozlowski.eu/fullchain.pem;
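Review bot: The switch to `listen 127.0.0.1:443 ssl;` is a hard requirement of this change rather than a cosmetic one, because the new stream server binds `pod-lrproxy:443` in the same network namespace and any conf.d file that still carries a wildcard `listen 443 ssl;` would likely collide with that listener at startup. Nothing in the file explains why the loopback address was chosen, so I would record the constraint inline: `listen 127.0.0.1:443 ssl;  # loopback only: :443 on the pod address is owned by the SNI passthrough in stream.conf`. The enclosing server block continues outside the hunk.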


@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name cloud.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/cloud.wojciechkozlowski.eu/fullchain.pem;


@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name git.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/git.wojciechkozlowski.eu/fullchain.pem;


@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name music.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/music.wojciechkozlowski.eu/fullchain.pem;


@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name notes.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/notes.wojciechkozlowski.eu/fullchain.pem;


@ -0,0 +1 @@
../../../rproxy/files/config/nginx.conf


@ -0,0 +1,22 @@
stream {
map $ssl_preread_server_name $name {
wojciechkozlowski.eu rproxy;
www.wojciechkozlowski.eu rproxy;
default lrproxy;
}
upstream rproxy {
server pod-rproxy:443;
}
upstream lrproxy {
server 127.0.0.1:443;
}
server {
listen pod-lrproxy:443;
proxy_pass $name;
ssl_preread on;
}
}
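Review bot: With TLS passed through this stream server, the http server blocks behind the `lrproxy` upstream see every connection arriving from 127.0.0.1, so anything derived from `$remote_addr` (X-Real-IP, access logs, IP-based rate limiting or fail2ban) loses the real client address. The standard remedy is PROXY protocol on the loopback hop: add `proxy_protocol on;` to this server block and have the loopback http listeners accept it with `listen 127.0.0.1:443 ssl proxy_protocol;` plus `set_real_ip_from 127.0.0.1; real_ip_header proxy_protocol;`. Bear in mind the `rproxy` upstream would then receive PROXY headers too, so the peer pod's stream listener needs `proxy_protocol` on its `listen` as well, or the inter-pod hop must be excluded via a separate server block.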


@ -27,7 +27,14 @@
src: "./config/{{ item }}"
dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
mode: 0644
loop: "{{ services_rproxy_nginx_conf_d_files }}"
loop:
- "nginx.conf"
- "stream.conf"
- "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
- "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
- "nginx-conf.d/git.wojciechkozlowski.eu.conf"
- "nginx-conf.d/music.wojciechkozlowski.eu.conf"
- "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
register: services_deploy_lrproxy_config_files
- name: "configure systemd service"
@ -38,6 +45,8 @@
loop:
- "pod-lrproxy.service"
- "container-lrproxy-nginx.service"
- "container-lrproxy-certbot.service"
- "container-lrproxy-certbot.timer"
register: services_deploy_lrproxy_systemd_files
- name: "systemd user daemon reload"
@ -47,6 +56,13 @@
when:
services_deploy_lrproxy_systemd_files.changed
- name: "enable container-lrproxy-certbot timer"
ansible.builtin.systemd:
name: "container-lrproxy-certbot.timer"
enabled: true
scope: "user"
register: services_deploy_lrproxy_certbot_timer
- name: "generate diffie hellman ephemeral parameters"
ansible.builtin.command: >-
openssl dhparam
@ -57,65 +73,6 @@
{{ services_service_user_home }}/.config/{{ services_service_user_name }}/dhparam.pem"
register: services_deploy_lrproxy_dhparam
- block:
- name: "configure rsync-certificates service"
ansible.builtin.template:
src: "./systemd/{{ item }}"
dest: "{{ services_service_user_home }}/.config/systemd/user/{{ item }}"
mode: 0600
loop:
- "rsync-certificates.service"
- "rsync-certificates.timer"
register: services_deploy_lrproxy_rsync_certificates_files
- name: "systemd user daemon reload"
ansible.builtin.systemd:
daemon_reload: true
scope: "user"
when:
services_deploy_lrproxy_rsync_certificates_files.changed
- name: "enable rsync-certificates timer"
ansible.builtin.systemd:
name: "rsync-certificates.timer"
enabled: true
scope: "user"
register: services_deploy_lrproxy_rsync_certificates_timer
- name: "create the .ssh directory"
ansible.builtin.file:
path: "{{ services_service_user_home }}/.ssh"
state: "directory"
mode: 0700
- name: "generate ssh keypair for rsync"
community.crypto.openssh_keypair:
path: "\
{{ services_service_user_home }}/.ssh/\
{{ services_host_services.lrproxy.rproxy_host }}-\
{{ services_host_services.lrproxy.rproxy_user }}"
type: "ed25519"
register: services_deploy_lrproxy_keypair
- name: "configure public key on {{ services_host_services.lrproxy.rproxy_host }}"
ignore_unreachable: "{{ services_deploy_lrproxy_ignore_unreachable_rproxy }}"
delegate_to: "{{ services_host_services.lrproxy.rproxy_host }}"
become_user: "{{ services_host_services.lrproxy.rproxy_user }}"
ansible.posix.authorized_key:
user: "{{ services_host_services.lrproxy.rproxy_user }}"
state: "present"
key: "{{ services_deploy_lrproxy_keypair.public_key }}"
key_options: "\
command=\"rsync --server --sender -avz . \
{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/\
{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/\
\",from=\"{{ vpn_wireguard_address }}\",\
no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-x11-forwarding"
when:
services_host_services.lrproxy.rproxy_host is defined
- name: "get uid"
ansible.builtin.getent:
database: "passwd"
@ -138,10 +95,8 @@
when:
(services_deploy_lrproxy_config_files.changed or
services_deploy_lrproxy_systemd_files.changed or
services_deploy_lrproxy_rsync_certificates_files.changed or
services_deploy_lrproxy_rsync_certificates_timer.changed or
services_deploy_lrproxy_dhparam.changed or
services_deploy_lrproxy_keypair.changed) and
services_deploy_lrproxy_certbot_timer.changed or
services_deploy_lrproxy_dhparam.changed) and
services_deploy_lrproxy_service_active_state.stdout == "active"
become_user: "{{ services_service_user_name }}"
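Review bot: With the rsync tasks removed, nothing in this role obtains the certificates in the first place: the new certbot unit only runs `renew`, which acts on lineages already present under `etc-letsencrypt`, while the nginx server blocks reference `/etc/letsencrypt/live/<name>/fullchain.pem` and nginx refuses to start when an `ssl_certificate` file is missing. On a fresh host (or after the data volume is lost) the pod will therefore not come up and the weekly renew has nothing to renew. Either add a guarded task that issues missing lineages, or at least document the manual bootstrap next to the certbot tasks, e.g. `# Initial issuance is manual: run certbot certonly --webroot -w /var/www/html -d <name> inside the pod before the first start`.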


@ -0,0 +1,24 @@
[Unit]
Description=Podman container-lrproxy-certbot.service
Documentation=man:podman-generate-systemd(1)
OnFailure=status-mail@%n.service
[Service]
Environment=PODMAN_SYSTEMD_UNIT=%n
TimeoutStopSec=70
ExecStartPre=/bin/rm -f %t/container-lrproxy-certbot.pid %t/container-lrproxy-certbot.ctr-id
ExecStartPre=/usr/bin/podman pull docker.io/certbot/certbot
ExecStart=/usr/bin/podman run \
--conmon-pidfile %t/container-lrproxy-certbot.pid \
--cidfile %t/container-lrproxy-certbot.ctr-id \
--cgroups=no-conmon \
--pod-id-file %t/pod-lrproxy.pod-id \
--replace \
-v /etc/resolv.conf:/etc/resolv.conf:ro \
-v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt \
-v var-lib-letsencrypt:/var/lib/letsencrypt \
-v var-www-html:/var/www/html \
--name=pod-lrproxy-certbot \
docker.io/certbot/certbot --non-interactive renew
ExecStopPost=/usr/bin/podman rm --ignore -f --cidfile %t/container-lrproxy-certbot.ctr-id
Type=oneshot
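Review bot: `docker.io/certbot/certbot` is pulled unpinned (`latest`) by the `ExecStartPre` on every timer run, so a scheduled job that writes TLS private keys tracks whatever the registry serves that week, whereas the nginx container in this same commit is pinned through `services_deploy_versions.lrproxy.nginx`. Pin it the same way in both the pull and run lines, e.g. `docker.io/certbot/certbot:{{ services_deploy_versions.lrproxy.certbot }}`, or better by digest. Separately, a successful `renew` writes new files but nginx reads certificates only at start/reload and mounts `/etc/letsencrypt` read-only, so renewed certificates are not served until the pod restarts; a `ExecStartPost=/usr/bin/podman exec pod-lrproxy-nginx nginx -s reload` (harmless when nothing was renewed) or a certbot `--deploy-hook` would close that gap.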


@ -1,12 +1,12 @@
[Unit]
Description=Rsync certificates obtained by certbot
Documentation=man:rsync(1)
Description=Renew certificates with certbot
Documentation=man:certbot(1)
BindsTo=pod-lrproxy.service
After=pod-lrproxy.service
DefaultDependencies=no
[Timer]
OnCalendar=Fri *-*-* 18:00:00
OnCalendar=Fri *-*-* 06:00:00
Persistent=true
RandomizedDelaySec=1h


@ -23,9 +23,12 @@ ExecStart=/usr/bin/podman run \
{{ services_rproxy_nginx_add_hosts }} \
-v {{ services_root_directory }}/{{ services_resolv_host }}-resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-lrproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
-v ./.config/pod-lrproxy/stream.conf:/etc/nginx/stream.conf:ro \
-v ./.config/pod-lrproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
-v ./.config/pod-lrproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
-v {{ services_data_directory }}/pod-lrproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \
-v var-lib-letsencrypt:/var/lib/letsencrypt:ro \
-v var-www-html:/var/www/html \
--name=pod-lrproxy-nginx \
docker.io/library/nginx:{{ services_deploy_versions.lrproxy.nginx }}
ExecStop=/usr/bin/podman stop --ignore --cidfile %t/container-lrproxy-nginx.ctr-id -t 10
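Review bot: The new `-v var-www-html:/var/www/html` mount is read-write for nginx, although nginx only serves `/.well-known` from it and certbot is the writer through its own mount in container-lrproxy-certbot.service. Mounting it read-only here, `-v var-www-html:/var/www/html:ro \`, stops a compromised web server from planting or altering ACME challenge files and matches the `:ro` already applied to the letsencrypt volumes on the adjacent lines.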


@ -1,12 +0,0 @@
[Unit]
Description=Podman rsync-certificates.service
Documentation=man:rsync(1)
OnFailure=status-mail@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/rsync -e 'ssh -i .ssh/{{ services_host_services.lrproxy.rproxy_host }}-{{ services_host_services.lrproxy.rproxy_user }} -l {{ services_host_services.lrproxy.rproxy_user }}' \
-avz \
--delete \
{{ hostvars[services_host_services.lrproxy.rproxy_host].vpn_wireguard_address }}:{{ hostvars[services_host_services.lrproxy.rproxy_host].services_data_directory }}/{{ services_host_services.lrproxy.rproxy_user }}/etc-letsencrypt/ \
{{ services_data_directory }}/pod-lrproxy/etc-letsencrypt


@ -0,0 +1,11 @@
server {
listen 80;
server_name _;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://pod-lrproxy;
}
}
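Review bot: The catch-all `server_name _;` block only becomes the default for port 80 because `http-default.conf` happens to sort first among `conf.d/*.conf`; a later file whose name sorts earlier would silently take over that role. Make the intent explicit with `listen 80 default_server;`. A one-line comment would also help operators know where stray traffic ends up: `# Catch-all: every HTTP Host not served here (including bare-IP probes) is handed to pod-lrproxy, which answers with its own first server block.`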


@ -1,6 +1,6 @@
server {
listen 80;
server_name wojciechkozlowski.eu www.wojciechkozlowski.eu;
server_name wojciechkozlowski.eu;
location ^~ /.well-known {
allow all;
@ -13,7 +13,7 @@ server {
}
server {
listen 443 ssl;
listen 127.0.0.1:443 ssl;
server_name wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/wojciechkozlowski.eu/fullchain.pem;
@ -33,25 +33,3 @@ server {
}
}
server {
listen 443 ssl;
server_name www.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://pod-www;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}


@ -0,0 +1,35 @@
server {
listen 80;
server_name www.wojciechkozlowski.eu;
location ^~ /.well-known {
allow all;
root /var/www/html;
}
location / {
return 301 https://$server_name$request_uri;
}
}
server {
listen 127.0.0.1:443 ssl;
server_name www.wojciechkozlowski.eu;
ssl_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/www.wojciechkozlowski.eu/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/www.wojciechkozlowski.eu/chain.pem;
location / {
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header Host $host;
proxy_pass http://pod-www;
}
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/nginx/html;
}
}
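Review bot: The `X-Real-IP` and `X-Forwarded-For` headers built from `$remote_addr` in this block now carry 127.0.0.1 for every request, because the only thing that connects to `127.0.0.1:443` is the local stream passthrough (`upstream rproxy { server 127.0.0.1:443; }`), so pod-www never learns the client address. Accepting PROXY protocol on the loopback listener restores it: `listen 127.0.0.1:443 ssl proxy_protocol;` together with `set_real_ip_from 127.0.0.1;` and `real_ip_header proxy_protocol;` in this server block, paired with `proxy_protocol on;` in the stream server. Until that is done, a comment on the header lines such as `# $remote_addr is the local stream proxy, not the client, until PROXY protocol is enabled` would stop anyone downstream from trusting X-Real-IP.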


@ -55,3 +55,5 @@ http {
include /etc/nginx/conf.d/*.conf;
}
include /etc/nginx/stream.conf;


@ -0,0 +1,22 @@
stream {
map $ssl_preread_server_name $name {
wojciechkozlowski.eu rproxy;
www.wojciechkozlowski.eu rproxy;
default lrproxy;
}
upstream rproxy {
server 127.0.0.1:443;
}
upstream lrproxy {
server pod-lrproxy:443;
}
server {
listen pod-rproxy:443;
proxy_pass $name;
ssl_preread on;
}
}
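Review bot: This `map` and the one on pod-lrproxy are hand-mirrored inverses, and nothing enforces that: a name that both sides resolve to the remote upstream (or that one side's `default` sends back to the other) would be bounced between the two stream servers until a connection limit is hit. The invariant deserves a comment on the map, e.g. `# Must be the exact inverse of pod-lrproxy's stream map: every name sent to pod-lrproxy must be served locally there, otherwise the connection loops`, and rendering both files from a single Ansible variable would remove the drift risk entirely. Also note that connections without SNI (empty `$ssl_preread_server_name`) take the `default` branch and are forwarded to the other pod rather than answered here; confirm that is intended.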


@ -27,7 +27,12 @@
src: "./config/{{ item }}"
dest: "{{ services_service_user_home }}/.config/{{ services_service_user_name }}/{{ item }}"
mode: 0644
loop: "{{ services_rproxy_nginx_conf_d_files }}"
loop:
- "nginx.conf"
- "stream.conf"
- "nginx-conf.d/http-default.conf"
- "nginx-conf.d/wojciechkozlowski.eu.conf"
- "nginx-conf.d/www.wojciechkozlowski.eu.conf"
register: services_deploy_rproxy_config_files
- name: "configure systemd service"


@ -23,6 +23,7 @@ ExecStart=/usr/bin/podman run \
{{ services_rproxy_nginx_add_hosts }} \
-v /etc/resolv.conf:/etc/resolv.conf:ro \
-v ./.config/pod-rproxy/nginx.conf:/etc/nginx/nginx.conf:ro \
-v ./.config/pod-rproxy/stream.conf:/etc/nginx/stream.conf:ro \
-v ./.config/pod-rproxy/nginx-conf.d:/etc/nginx/conf.d:ro \
-v ./.config/pod-rproxy/dhparam.pem:/etc/ssl/certs/dhparam.pem:ro \
-v {{ services_data_directory }}/pod-rproxy/etc-letsencrypt/_data:/etc/letsencrypt:ro \


@ -5,11 +5,3 @@ services_rproxy_nginx_add_hosts: "\
{{ add_host_list.append('--add-host=pod-' ~ service.key ~ ':' ~ service.value.address) }}\
{% endfor %}\
{{ add_host_list | join(' ') }}"
services_rproxy_nginx_conf_d_files:
- "nginx.conf"
- "nginx-conf.d/archive.music.wojciechkozlowski.eu.conf"
- "nginx-conf.d/cloud.wojciechkozlowski.eu.conf"
- "nginx-conf.d/git.wojciechkozlowski.eu.conf"
- "nginx-conf.d/music.wojciechkozlowski.eu.conf"
- "nginx-conf.d/notes.wojciechkozlowski.eu.conf"
- "nginx-conf.d/wojciechkozlowski.eu.conf"