Compare commits
4 Commits
02a3fccbce
...
b5c59f3f0d
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
b5c59f3f0d | ||
|
|
d2222d9c2e | ||
|
|
b195e58c8f | ||
|
|
d1c91b1654 |
@@ -19,7 +19,7 @@ server {
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
|
||||
#return 301 https://$host$request_uri;
|
||||
return 301 https://$host$request_uri;
|
||||
}
|
||||
|
||||
if ($request_method !~ ^(GET|HEAD|POST)$ )
|
||||
@@ -28,43 +28,43 @@ server {
|
||||
}
|
||||
}
|
||||
|
||||
# server {
|
||||
server {
|
||||
|
||||
# listen 443 ssl default_server;
|
||||
# listen [::]:443 ssl default_server;
|
||||
listen 443 ssl default_server;
|
||||
listen [::]:443 ssl default_server;
|
||||
|
||||
# server_name _;
|
||||
server_name _;
|
||||
|
||||
# http2 on;
|
||||
http2 on;
|
||||
|
||||
# ssl_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/fullchain.pem;
|
||||
# ssl_certificate_key /etc/nginx/certs/pvjjk-1vos-niinisalo/privkey.pem;
|
||||
# ssl_protocols TLSv1.2 TLSv1.3;
|
||||
# ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||
# ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
# ssl_prefer_server_ciphers off;
|
||||
# ssl_session_cache shared:SSL:20m;
|
||||
# ssl_session_timeout 180m;
|
||||
ssl_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/fullchain.pem;
|
||||
ssl_certificate_key /etc/nginx/certs/pvjjk-1vos-niinisalo/privkey.pem;
|
||||
ssl_protocols TLSv1.2 TLSv1.3;
|
||||
ssl_ecdh_curve X25519:prime256v1:secp384r1;
|
||||
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
|
||||
ssl_prefer_server_ciphers off;
|
||||
ssl_session_cache shared:SSL:20m;
|
||||
ssl_session_timeout 180m;
|
||||
|
||||
# ssl_trusted_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/chain.pem;
|
||||
ssl_trusted_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/chain.pem;
|
||||
|
||||
# expires off;
|
||||
# etag off;
|
||||
# if_modified_since off;
|
||||
expires off;
|
||||
etag off;
|
||||
if_modified_since off;
|
||||
|
||||
# gzip on;
|
||||
# gzip_min_length 1000;
|
||||
# gzip_proxied any;
|
||||
# gzip_types *;
|
||||
# gunzip on;
|
||||
gzip on;
|
||||
gzip_min_length 1000;
|
||||
gzip_proxied any;
|
||||
gzip_types *;
|
||||
gunzip on;
|
||||
|
||||
# location / {
|
||||
# root /usr/share/nginx/html;
|
||||
# index index.html index.htm;
|
||||
# }
|
||||
location / {
|
||||
root /usr/share/nginx/html;
|
||||
index index.html index.htm;
|
||||
}
|
||||
|
||||
# if ($request_method !~ ^(GET|HEAD|POST)$ )
|
||||
# {
|
||||
# return 405;
|
||||
# }
|
||||
# }
|
||||
if ($request_method !~ ^(GET|HEAD|POST)$ )
|
||||
{
|
||||
return 405;
|
||||
}
|
||||
}
|
||||
|
||||
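Review bot: The three DHE-* entries at the end of `ssl_ciphers` in the newly enabled 443 server block are never offered as written, because nginx (1.11.0 and later) only uses DHE suites when `ssl_dhparam` is configured and no `ssl_dhparam` appears in this hunk; unless it is set in an included file, drop `:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305` and rely on the ECDHE suites that the `ssl_ecdh_curve` line already serves. `ssl_trusted_certificate` likewise has no effect on its own — nginx consults it only for OCSP stapling or client-certificate verification — so either pair it with `ssl_stapling on;` and `ssl_stapling_verify on;` (which presumes the private CA in this compare runs an OCSP responder) or remove it. With `ssl_session_timeout 180m` and `ssl_session_tickets` left at its default (on), nginx's auto-generated ticket key is reused until the next reload, which weakens forward secrecy for resumed sessions; `ssl_session_tickets off;` is the usual choice unless ticket keys are rotated. The port-80 block now redirects to HTTPS but the 443 block sends no `Strict-Transport-Security` header; consider `add_header Strict-Transport-Security "max-age=63072000" always;` once all clients trust the issuing CA. The enclosing `server {` of the first hunk starts outside the hunk.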
@@ -467,7 +467,7 @@
|
||||
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Private Key"
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
type: ECC
|
||||
curve: secp384r1
|
||||
loop: "{{ config.openssl.certificates.keys() | list }}"
|
||||
@@ -481,7 +481,7 @@
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Root"
|
||||
community.crypto.openssl_csr:
|
||||
path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
commonName: "{{ config.openssl.certificates[cert].commonName }}"
|
||||
organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
|
||||
organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
|
||||
@@ -501,7 +501,7 @@
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Intermediate"
|
||||
community.crypto.openssl_csr:
|
||||
path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
commonName: "{{ config.openssl.certificates[cert].commonName }}"
|
||||
organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
|
||||
organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
|
||||
@@ -523,14 +523,14 @@
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Service"
|
||||
community.crypto.openssl_csr:
|
||||
path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
commonName: "{{ config.openssl.certificates[cert].commonName }}"
|
||||
organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
|
||||
organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
|
||||
stateOrProvinceName: "{{ config.openssl.certificates[cert].location.providence | default(None) }}"
|
||||
localityName: "{{ config.openssl.certificates[cert].location.city | default(None) }}"
|
||||
countryName: FI
|
||||
subjectAltName: "{{ config.openssl.certificates[cert].domains }}"
|
||||
subjectAltName: "{{ ['DNS:'] | product(config.openssl.certificates[cert].domains) | map('join') | list }}"
|
||||
loop: "{{ config.openssl.certificates.keys() | list }}"
|
||||
loop_control:
|
||||
label: "{{ cert }}"
|
||||
@@ -541,15 +541,16 @@
|
||||
- openssl
|
||||
- www
|
||||
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate"
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate / Root"
|
||||
community.crypto.x509_certificate:
|
||||
path: "/root/data/openssl/{{ cert }}/cert.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
provider: "ownca"
|
||||
ownca_path: /etc/ssl/crt/ansible_CA.crt
|
||||
ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
|
||||
provider: selfsigned
|
||||
selfsigned_not_after: "+7300d"
|
||||
loop: "{{ config.openssl.certificates.keys() | list }}"
|
||||
loop_control:
|
||||
label: "{{ cert }}"
|
||||
@@ -557,20 +558,40 @@
|
||||
when:
|
||||
- config.openssl.certificates[cert].issuer is undefined
|
||||
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate"
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate / Intermediate"
|
||||
community.crypto.x509_certificate:
|
||||
path: "/root/data/openssl/{{ cert }}/cert.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
provider: "ownca"
|
||||
ownca_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/cert.pem"
|
||||
ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privatekey.pem"
|
||||
ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privkey.pem"
|
||||
provider: ownca
|
||||
ownca_not_after: "+365d"
|
||||
loop: "{{ config.openssl.certificates.keys() | list }}"
|
||||
loop_control:
|
||||
label: "{{ cert }}"
|
||||
loop_var: "cert"
|
||||
when:
|
||||
- config.openssl.certificates[cert].domains is undefined
|
||||
- config.openssl.certificates[cert].issuer is defined
|
||||
|
||||
- name: "Deployer - OpenSSL - Configure - Generate Certificate / Service"
|
||||
community.crypto.x509_certificate:
|
||||
path: "/root/data/openssl/{{ cert }}/cert.pem"
|
||||
privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
|
||||
csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
|
||||
provider: "ownca"
|
||||
ownca_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/cert.pem"
|
||||
ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privkey.pem"
|
||||
provider: ownca
|
||||
ownca_not_after: "+30d"
|
||||
loop: "{{ config.openssl.certificates.keys() | list }}"
|
||||
loop_control:
|
||||
label: "{{ cert }}"
|
||||
loop_var: "cert"
|
||||
when:
|
||||
- config.openssl.certificates[cert].domains is defined
|
||||
- config.openssl.certificates[cert].issuer is defined
|
||||
|
||||
- name: "Deployer - Nginx - Configure - Create Folder"
|
||||
|
||||
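Review bot: The new Service task issues certificates with `ownca_not_after: "+30d"` but nothing in the hunk renews them: `community.crypto.x509_certificate` defaults to `ignore_timestamps: true`, so an existing cert.pem that still matches its CSR and key is left untouched even after it has expired, and the 30-day service certificates (and the 365-day intermediate) will silently lapse on hosts where the CSR does not change. Add a preceding `community.crypto.x509_certificate_info` check on the existing cert.pem and set `force: true` when its `not_after` falls inside the renewal window (setting `ignore_timestamps: false` instead would re-issue on every run with these relative dates). As rendered here, both the Intermediate and Service tasks carry `provider` twice (`provider: "ownca"` and `provider: ownca`); the values agree, but ansible-core warns on duplicate dict keys by default and can be configured to reject them, so keep a single `provider: ownca`. The privatekey.pem → privkey.pem rename in this and the earlier hunks (467, 481, 501, 523, 541) means `openssl_privatekey` will generate a fresh key at the new path on already-deployed hosts while the old privatekey.pem stays on disk; unless a cleanup task outside this compare handles it, add an `ansible.builtin.file` task with `state: absent` for the old path (or rename the file first) so stale private keys are not left behind.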