Activer les pages personnelles et stocker les users dans host_vars
This commit is contained in:
parent
ef1daa42d3
commit
1e4979d521
12
README.md
12
README.md
|
|
@ -1,3 +1,13 @@
|
|||
# infra
|
||||
|
||||
Configuration système de fr.tild3.org
|
||||
Configuration système de fr.tild3.org
|
||||
|
||||
# Ajouter unE utilisateurice
|
||||
|
||||
Pour créer un compte, il suffit de le déclarer dans host_vars/fr.yml:
|
||||
|
||||
```
|
||||
- name: username
|
||||
(- sudo: true)
|
||||
- key: "clé publique SSH (format ~/.ssh/authorized_keys)"
|
||||
```
|
||||
|
|
|
|||
|
|
@ -0,0 +1,6 @@
|
|||
users:
|
||||
- name: tofu
|
||||
sudo: true
|
||||
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIG4bKe9LSA3/AY4gCB20eyJVPW+zOg07/b3A4QC0Z6XC"
|
||||
- name: kumquat
|
||||
key: "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFZ5FBnDlBIGlJ4TI0babTTmS5ECPM3yuDP1AhnNQUDZ"
|
||||
|
|
@ -0,0 +1,5 @@
|
|||
# Because we are using logrotate for greater flexibility, disable the
|
||||
# internal certbot logrotation.
|
||||
max-log-backups = 0
|
||||
rsa-key-size = 4096
|
||||
email = southerntofu@thunix.net
|
||||
|
|
@ -0,0 +1,29 @@
|
|||
- name: setup base packages
|
||||
apt:
|
||||
state: present
|
||||
name: "{{ packages }}"
|
||||
update_cache: yes
|
||||
vars:
|
||||
packages:
|
||||
- git
|
||||
- subversion
|
||||
- mercurial
|
||||
- htop
|
||||
- tmux
|
||||
- vim
|
||||
- emacs
|
||||
- certbot
|
||||
- mutt
|
||||
- weechat
|
||||
- elinks
|
||||
- rustc
|
||||
- cargo
|
||||
- cargo-doc
|
||||
- rsync
|
||||
|
||||
- name: setup certbot with contact email
|
||||
copy:
|
||||
src: ../files/letsencrypt_cli.ini
|
||||
dest: /etc/letsencrypt/cli.ini
|
||||
|
||||
- include: users.yml
|
||||
|
|
@ -0,0 +1,21 @@
|
|||
- name: Register users
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
state: present
|
||||
skeleton: /etc/skel
|
||||
shell: /bin/bash
|
||||
system: no
|
||||
createhome: yes
|
||||
home: "/home/{{ item.name }}"
|
||||
|
||||
- name: Make admins sudo
|
||||
user:
|
||||
name: "{{ item.name }}"
|
||||
group: sudo
|
||||
when: item.sudo|default(false) == true
|
||||
|
||||
- name: Publish SSH keys
|
||||
authorized_key:
|
||||
user: "{{ item.name }}"
|
||||
state: present
|
||||
key: "{{ item.key }}"
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
- include_tasks: setup_user.yml
|
||||
loop: "{{ users }}"
|
||||
|
|
@ -0,0 +1,37 @@
|
|||
server {
|
||||
listen 80 default_server;
|
||||
listen [::]:80 default_server;
|
||||
|
||||
server_name _;
|
||||
root /var/www/html;
|
||||
|
||||
location /.well-known/acme-challenge {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
|
||||
location / {
|
||||
return 302 https://$host$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/fr.tild3.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/fr.tild3.org/privkey.pem;
|
||||
|
||||
server_name _;
|
||||
root /var/www/html;
|
||||
index index.html;
|
||||
|
||||
location ~ ^/~(.+?)(/.*)?$ {
|
||||
alias /home/$1/public_html/$2;
|
||||
autoindex on;
|
||||
#try_files $2 $2/ = 404;
|
||||
}
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
# Taken from https://raw.githubusercontent.com/certbot/certbot/master/certbot-nginx/certbot_nginx/_internal/tls_configs/options-ssl-nginx.conf
|
||||
# This file contains important security parameters. If you modify this file
|
||||
# manually, Certbot will be unable to automatically provide future security
|
||||
# updates. Instead, Certbot will print and log an error message with a path to
|
||||
# the up-to-date file that you will need to refer to when manually updating
|
||||
# this file.
|
||||
|
||||
ssl_session_cache shared:le_nginx_SSL:10m;
|
||||
ssl_session_timeout 1440m;
|
||||
ssl_session_tickets off;
|
||||
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_prefer_server_ciphers off;
|
||||
|
||||
ssl_ciphers "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384";
|
||||
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
{% for user in users %}
|
||||
server {
|
||||
listen 443 ssl;
|
||||
listen [::]:443 ssl;
|
||||
|
||||
ssl_certificate /etc/letsencrypt/live/{{ user.name }}.fr.tild3.org/fullchain.pem;
|
||||
ssl_certificate_key /etc/letsencrypt/live/{{ user.name }}.fr.tild3.org/privkey.pem;
|
||||
server_name {{ user.name }}.fr.tild3.org;
|
||||
root /home/{{ user.name }}/public_html;
|
||||
index index.html;
|
||||
|
||||
location / {
|
||||
try_files $uri $uri/ =404;
|
||||
}
|
||||
}
|
||||
{% endfor %}
|
||||
|
|
@ -0,0 +1,2 @@
|
|||
- name: reload nginx
|
||||
service: name=nginx state=restarted
|
||||
|
|
@ -0,0 +1,10 @@
|
|||
- name: Generate main certificate
|
||||
command:
|
||||
creates: /etc/letsencrypt/live/fr.tild3.org/fullchain.pem
|
||||
cmd: certbot certonly --non-interactive --agree-tos --webroot -w /var/www/html -d fr.tild3.org -d www.fr.tild3.org
|
||||
|
||||
- name: Generate user certificates
|
||||
command:
|
||||
creates: "/etc/letsencrypt/live/{{ item.name }}.fr.tild3.org/fullchain.pem"
|
||||
cmd: "certbot certonly --non-interactive --agree-tos --webroot -w /var/www/html -d {{ item.name }}.fr.tild3.org"
|
||||
loop: "{{ users }}"
|
||||
|
|
@ -0,0 +1,7 @@
|
|||
---
|
||||
# This playbook contains all of the www config
|
||||
|
||||
- include: packages.yml
|
||||
# TODO: Some certbot is needed before we can load the whole nginx config so we need some intermediary step (bootstrapping process)
|
||||
- include: nginx.yml
|
||||
- include: certbot.yml
|
||||
|
|
@ -0,0 +1,41 @@
|
|||
#This play configs apapche for us
|
||||
---
|
||||
|
||||
#Sites
|
||||
- name: Prepare symlink for default site
|
||||
file:
|
||||
src: /etc/nginx/sites-available/default-site.conf
|
||||
dest: /etc/nginx/sites-enabled/default-site.conf
|
||||
state: link
|
||||
|
||||
- name: Deploy default site configuration
|
||||
copy:
|
||||
src: ../files/default-site.conf
|
||||
dest: /etc/nginx/sites-available/default-site.conf
|
||||
force: yes
|
||||
follow: no
|
||||
notify: reload nginx
|
||||
|
||||
- name: Deploy TLS config
|
||||
copy:
|
||||
src: ../files/ssl.conf
|
||||
dest: /etc/nginx/conf.d/ssl.conf
|
||||
notify: reload nginx
|
||||
|
||||
- name: Prepare symlink for user sites
|
||||
file:
|
||||
src: /etc/nginx/sites-available/users-site.conf
|
||||
dest: /etc/nginx/sites-enabled/users-site.conf
|
||||
force: yes
|
||||
follow: no
|
||||
state: link
|
||||
|
||||
- name: Deploy config for user sites on subdomains
|
||||
template:
|
||||
src: ../files/users.conf.j2
|
||||
dest: /etc/nginx/sites-available/users-site.conf
|
||||
|
||||
- name: Add public_html to /etc/skel
|
||||
file:
|
||||
path: /etc/skel/public_html
|
||||
state: directory
|
||||
|
|
@ -0,0 +1,16 @@
|
|||
# Install apache and accoutrements www, irrespective of what role they might have
|
||||
---
|
||||
- name: Install packages for webserver
|
||||
apt:
|
||||
name: "{{ packages }}"
|
||||
state: present
|
||||
update_cache: yes
|
||||
vars:
|
||||
packages:
|
||||
- nginx
|
||||
- php-fpm
|
||||
- php-curl
|
||||
- php-gd
|
||||
- php-intl
|
||||
- php-sqlite3
|
||||
- php-mbstring
|
||||
Loading…
Reference in New Issue