commit - /dev/null
commit + c6fa08bd337bb02bc2d250d5b496a95c830c3dd0
blob - /dev/null
blob + ba5dc1f214d59543dfd947176373a93f4c9d9467 (mode 644)
--- /dev/null
+++ README.md
+Ansible role for a httpd(8) with SSL
+====================================
+
+Ansible role to create a web server with httpd(8) on OpenBSD (>=6.1) and let's encrypt.
+
+Requirements
+------------
+
+OpenBSD >=6.1 -{release,stable,current}
+
+Notes
+-----
+
+You need to run this after the playbook:
+
+```
+# acme-client -vAD foobar.com
+```
+
+To renew the certs a cronjob must be placed:
+
+```
+#!/bin/sh
+acme-client foobar.com
+
+if [ $? -eq 0 ]
+then
+ /etc/rc.d/httpd reload
+fi
+```
+
+We asume that, you already have an entry on pf.conf like:
+
+```
+...
+pass in on $ext_if proto tcp from any to any port 80
+...
+pass in on $ext_if proto tcp from any to any port 443
+...
+```
+
+Or if your web server is behind the firewall, you need something like:
+
+```
+...
+pass in on $ext_if proto tcp from any to any port 80 \
+ rdr-to 10.0.0.10 port 80
+pass in on $ext_if proto tcp from any to any port 443 \
+ rdr-to 10.0.0.10 port 443
+...
+```
+
+And also you already have a DNS entry for your domain.
+
+
+Example Playbook
+----------------
+
+```
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.httpd-ssl
+ become: yes
+ become_method: doas
+
+ vars:
+ domain: 'foobar.com'
+ alias: 'www.foobar.com'
+ httpd_conf: '/etc/httpd'
+ www_dir: '/var/www/sites'
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+https://x61.sh/
blob - /dev/null
blob + 791d4a5101de2d18addaa8694ce1513edeb8cae6 (mode 644)
--- /dev/null
+++ defaults/main.yml
+---
+# defaults file for httpd-ssl
\ No newline at end of file
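Review bot: defaults/main.yml declares no variables, yet tasks/main.yml and both templates read `domain`, `alias`, `httpd_conf` and `vhosts_dir`, so the role aborts with an undefined-variable error unless the caller sets all four. The README's example playbook sets `www_dir` rather than `vhosts_dir`, so a user following it still fails on the second `file` task. Declaring the path-like ones here, e.g. `httpd_conf: /etc/httpd`, and commenting that `vhosts_dir` is resolved inside the /var/www chroot (the task prefixes `/var/www/`, the template's `root` does not) would make the contract visible; `domain` and `alias` can stay required.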
blob - /dev/null
blob + 9d0a5de928c331f08428dc09ec2f0c1fe3ec0c3b (mode 644)
--- /dev/null
+++ handlers/main.yml
+---
+# handlers file for httpd-ssl
\ No newline at end of file
blob - /dev/null
blob + 0d96c2c92c04240aa62f12b62b710ca55c4613ab (mode 644)
--- /dev/null
+++ meta/main.yml
+galaxy_info:
+ author: gonzalo-
+ description: Role to setup httpd server with ssl on OpenBSD.
+ license: BSD
+ min_ansible_version: 1.9
+ galaxy_tags:
+ - openbsd
+ - httpd
+ - ssl
+ - tls
+ - acme-client
+ - letsencrypt
+ platforms:
+ - name: OpenBSD
+ versions:
+ - 6.1
+ dependencies: []
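Review bot: `min_ansible_version: 1.9` understates the requirement: tasks/main.yml uses the `blockinfile` module, which first shipped in Ansible 2.0, so the role cannot run on 1.9. Set `min_ansible_version: "2.0"`. Quoting it, and `versions: - "6.1"`, also keeps these version strings from being parsed as floats, where a future `6.10` would silently become `6.1`.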
blob - /dev/null
blob + 3b995bf06e6fb43e0a659f24dcd15935b9a465f4 (mode 644)
--- /dev/null
+++ tasks/main.yml
+---
+
+- file:
+ path: "{{ httpd_conf }}"
+ state: directory
+
+- file:
+ path: "/var/www/{{ vhosts_dir }}"
+ state: directory
+ owner: root
+ group: daemon
+
+- file:
+ path: "/var/www/{{ vhosts_dir }}/{{ domain }}"
+ state: directory
+ owner: root
+ group: daemon
+
+- blockinfile: |
+ dest=/etc/acme-client.conf backup=yes
+ content="domain {{ domain }} {
+ alternative names { {{ alias }} }
+ domain key "/etc/ssl/private/{{ domain }}.key"
+ domain certificate "/etc/ssl/{{ domain }}.crt"
+ domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+ sign with letsencrypt
+ }"
+ insertafter=EOF
+
+- template: src=httpd.conf.j2 dest="/etc/httpd.conf" owner="root" group="wheel" mode="0644"
+- template: src=site.conf.j2 dest="/etc/httpd/{{ domain }}.conf" owner="root" group="wheel" mode="0644"
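Review bot: The second `template` task hard-codes `dest="/etc/httpd/{{ domain }}.conf"` while the first task creates `{{ httpd_conf }}` and httpd.conf.j2 includes `{{ httpd_conf }}/{{ domain }}.conf`, so any `httpd_conf` other than /etc/httpd leaves the include pointing at a file that was never written; use `dest="{{ httpd_conf }}/{{ domain }}.conf"`. Neither template task has a `notify`, and handlers/main.yml is empty, so a changed httpd.conf or vhost file never reaches the running daemon until someone reloads it by hand; add a handler that reloads httpd (via the `service` module) and notify it from both template tasks. As a point of style, the `blockinfile` task packs `key=value` arguments into a `|` block scalar, which hides the argument boundaries; native YAML arguments (`dest:`, `content: |`, `insertafter: EOF`) read more clearly and let the content block stand on its own.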
blob - /dev/null
blob + 8272e15a73500438a9cca02b82044fa860618975 (mode 644)
--- /dev/null
+++ templates/httpd.conf.j2
+ext_addr="*"
+
+types { include "/usr/share/misc/mime.types" }
+
+## Sites
+include "{{ httpd_conf }}/{{ domain }}.conf"
+
+## Default
+server "default" {
+ listen on $ext_addr port 80
+ listen on $ext_addr port 443
+
+ alias match "%d+%.%d+%.%d+%.%d+"
+ alias match "%w*::*"
+
+ log { access "default-access.log", error "default-error.log" }
+
+ ## PHP-FPM
+ #location "*.php" {
+ # fastcgi socket "/run/php-fpm.sock"
+ #}
+ ##
+
+ block
+
+ root "/htdocs"
+}
+
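Review bot: The default server's `listen on $ext_addr port 443` has no `tls` keyword, while site.conf.j2 opens the same address and port with `listen on $ext_addr tls port 443`, so the two listeners disagree on whether 443 carries TLS; httpd(8) will either reject the configuration or treat unmatched 443 connections as plaintext, depending on version. Either make the default listener match, `listen on $ext_addr tls port 443` with its own `tls { certificate ... key ... }` block, or drop that line and let the named vhost be the only 443 server. `ext_addr="*"` binds every interface; if that is intended it is worth a one-line comment, otherwise a role variable would let hosts with an internal address restrict it.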
blob - /dev/null
blob + c6e1763daa0a2e262bc20c480544077000e49c78 (mode 644)
--- /dev/null
+++ templates/site.conf.j2
+## {{ domain }} - HTTP
+server "{{ domain }}" {
+ alias "{{ alias }}"
+
+ listen on $ext_addr port 80
+
+ ## acme-client
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ root strip 2
+ }
+
+ ## rdr from http -> https
+ #location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }
+
+ root "{{ vhosts_dir }}/{{ domain }}"
+}
+
+## {{ domain }} - HTTPS
+server "{{ domain }}" {
+ alias "{{ alias }}"
+
+ listen on $ext_addr tls port 443
+
+ tls {
+ certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+ key "/etc/ssl/private/{{ domain }}.key"
+ }
+
+ log { access "{{ domain }}-access.log", error "{{ domain }}-error.log" }
+
+ #location "*.php" {
+ # fastcgi socket "/run/php-fpm.sock"
+ #}
+
+ directory { index index.html }
+
+ root "{{ vhosts_dir }}/{{ domain }}"
+}
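Review bot: The HTTP vhost serves the whole document root in cleartext, because the redirect `#location "/*" { block return 301 ... }` is commented out and `root "{{ vhosts_dir }}/{{ domain }}"` follows, so every page stays reachable over plain HTTP even after the certificate is issued. Only the acme-challenge location needs port 80; consider enabling the redirect line once acme-client has run, or gating it on a role variable so first issuance and steady state can differ, keeping the acme-challenge location ahead of the catch-all as the template already does. The two `server "{{ domain }}"` blocks share a name and differ only by port, which httpd allows, but a comment saying that the duplicate is deliberate would save the next reader a check.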
blob - /dev/null
blob + 878877b0776c44f55fc4e458f70840f31da5bb01 (mode 644)
--- /dev/null
+++ tests/inventory
+localhost
+
blob - /dev/null
blob + b8ccf87de7d5da29f745ef58254336172175609f (mode 644)
--- /dev/null
+++ tests/test.yml
+---
+- hosts: localhost
+ gather_facts: true
+ become: True
+ become_method: doas
+ roles:
+ - httpd-ssl
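Review bot: `become: True` spells the boolean differently from `gather_facts: true` two lines above; use `become: true` so both follow the same canonical form and yamllint's truthy rule passes. The role is referenced here as `httpd-ssl` but as `gonzalo-.httpd-ssl` in the README example, so this test only resolves when the role directory is named httpd-ssl; a comment noting that, or a `roles_path` hint, would keep the test self-explanatory.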
blob - /dev/null
blob + 3182b31bc64066dc07887e8a11daa05def063796 (mode 644)
--- /dev/null
+++ vars/main.yml
+---
+# vars file for httpd-ssl
\ No newline at end of file