Include letsencrypt setup & add woodpecker nginx config

2024-12-10 21:20:52 +01:00 · 2024-12-10 21:20:52 +01:00 · c9a68c6a3f
commit c9a68c6a3f
parent b5db9c3daf
7 changed files with 88 additions and 1 deletions
--- a/handlers.yml
+++ b/handlers.yml
@ -33,3 +33,10 @@
    state: restarted
    enabled: true
    scope: user
+
+- name: restart certbot
+  become: true
+  systemd:
+    name: certbot
+    state: restarted
+    enabled: false
--- a/tasks/nginx.yml
+++ b/tasks/nginx.yml
@ -9,6 +9,7 @@
  loop:
    - { src: 'templates/nginx/default.j2', dest: '/etc/nginx/sites-available/default' }
    - { src: 'templates/nginx/forgejo.j2', dest: '/etc/nginx/sites-available/forgejo' }
+    - { src: 'templates/nginx/woodpecker.j2', dest: '/etc/nginx/sites-available/woodpecker' }
    - { src: 'templates/nginx/sentry.j2', dest: '/etc/nginx/sites-available/sentry' }
    - { src: 'templates/nginx/vpn.j2', dest: '/etc/nginx/sites-available/vpn' }
    - {
@ -32,6 +33,10 @@
        src: '/etc/nginx/sites-available/forgejo',
        dest: '/etc/nginx/sites-enabled/forgejo',
      }
+    - {
+        src: '/etc/nginx/sites-available/woodpecker',
+        dest: '/etc/nginx/sites-enabled/woodpecker',
+      }
    - {
        src: '/etc/nginx/sites-available/sentry',
        dest: '/etc/nginx/sites-enabled/sentry',
@ -43,4 +48,33 @@
      }
  notify: restart nginx

-# TODO: provision certbot configuration
+
+# Run the folowing command to regenerate a certificate:
+#
+# sudo certbot certonly \
+#    --authenticator standalone \
+#    --pre-hook 'systemctl stop nginx' \
+#    --post-hook 'systemctl start nginx' \
+#    --cert-name fudiggity.nl \
+#    -d fudiggity.nl \
+#    -d rss.fudiggity.nl \
+#    -d .....
+#
+# This will also save its configuration.
+#
+- name: copy letsencrypt configuration
+  become: true
+  template:
+    src: 'templates/letsencrypt/cli.j2'
+    dest: '/etc/letsencrypt/cli.ini'
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart certbot
+
+- name: enable certbot periodic certificate renewal
+  become: true
+  systemd:
+    name: certbot.timer
+    state: started
+    enabled: true
--- a/templates/letsencrypt/cli.j2
+++ b/templates/letsencrypt/cli.j2
@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+#
+# Because we are using logrotate for greater flexibility, disable the
+# internal certbot logrotation.
+max-log-backups = 0
+
+# Adjust interactive output regarding automated renewal
+preconfigured-renewal = True
+
+authenticator = standalone
+pre-hook = /bin/systemctl stop nginx
+post-hook = /bin/systemctl start nginx
--- a/templates/nginx/woodpecker.j2
+++ b/templates/nginx/woodpecker.j2
@ -0,0 +1,29 @@
+# {{ ansible_managed }}
+
+server {
+	listen {{ https_port }} ssl;
+	server_name {{ woodpecker_domain }};
+
+	include snippets/certificates.conf;
+	include snippets/ssl-params.conf;
+
+	access_log /var/log/nginx/woodpecker.log;
+	error_log /var/log/nginx/woodpecker.log;
+
+	location / {
+		gzip off;
+
+		proxy_read_timeout      90;
+		proxy_connect_timeout   90;
+		proxy_redirect          off;
+
+		proxy_set_header Host 			$host;
+		proxy_set_header X-Real-IP 		$remote_addr;
+		proxy_set_header X-Forwarded-For   	$proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Ssl     	on;
+		proxy_set_header X-Forwarded-Proto 	$scheme;
+		proxy_set_header X-Frame-Options 	SAMEORIGIN;
+
+		proxy_pass 				http://{{ woodpecker_ip }}:{{ woodpecker_port }};
+	}
+}
--- a/vars/main.yml
+++ b/vars/main.yml
@ -9,3 +9,4 @@ packages:
  - ca-certificates
  - gnupg
  - radeontop
+  - certbot
--- a/vars/network.yml
+++ b/vars/network.yml
@ -16,6 +16,9 @@ forgejo_ip: '127.0.0.1'
 forgejo_port: '3000'
 forgejo_ssh_port: '22'

+woodpecker_ip: '127.0.0.1'
+woodpecker_port: '8000'
+
 newsreader_ip: '127.0.0.1'
 newsreader_port: '5000'

--- a/vars/nginx.yml
+++ b/vars/nginx.yml
@ -1,4 +1,5 @@
 domain_name: 'fudiggity.nl'
 forgejo_domain: 'forgejo.fudiggity.nl'
+woodpecker_domain: 'woodpekcer.fudiggity.nl'
 sentry_domain: 'sentry.fudiggity.nl'
 newsreader_domain: 'rss.fudiggity.nl'