add valid cert to internal communication

2023-03-05 18:26:08 +01:00
parent 3c883cdded
commit 4e1833bbbf
12 changed files with 66 additions and 41 deletions
--- a/roles/webserver/tasks/main.yaml
+++ b/roles/webserver/tasks/main.yaml
@ -20,6 +20,19 @@
    state: restarted
    enabled: yes

+- name: Generate certificate for all server instances
+  command:
+    cmd: certbot certonly --non-interactive --agree-tos -m tormakristof@tormakristof.eu --nginx -d {{item.domain}}
+  with_items: "{{ webserver }}"
+
+- name: "Generate certbot script"
+  ansible.builtin.template:
+    src: certbot.sh
+    dest: /etc/cron.weekly/certbot
+    owner: root
+    group: root
+    mode: '0700'
+
 - name: "Generate nginx configuration"
  ansible.builtin.template:
    src: nginx.conf
--- a/roles/webserver/templates/certbot.sh
+++ b/roles/webserver/templates/certbot.sh
@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ansible_managed}}
+{% for server in webserver %}
+certbot renew --nginx --cert-name {{ server.domain }}
+{% endfor %}
--- a/roles/webserver/templates/nginx.conf
+++ b/roles/webserver/templates/nginx.conf
@ -69,9 +69,9 @@ http {
            server_name {{ server.domain }};
            ssl_certificate /etc/ssl/certs/ssl-cert-snakeoil.pem;
            ssl_certificate_key /etc/ssl/private/ssl-cert-snakeoil.key;
-            {% if server.bigrequests %}
+            {% if server.bigrequests -%}
            client_max_body_size    8G;
-            {% endif %}
+            {% endif -%}
            location /{
                {% if server.https %}
                proxy_pass  https://127.0.0.1:{{ server.port }};
@ -97,11 +97,11 @@ http {
                proxy_pass  http://127.0.0.1:{{ location.port }};
                {% endif %}
            }
-            {% endfor %}
+            {% endfor -%}
            {% endif %}
        }

-        {%- endfor %}
+        {%- endfor -%}

        server {
            listen 8888;