commit c6fa08bd337bb02bc2d250d5b496a95c830c3dd0
from: gonzalo
date: Wed Jul 25 23:43:31 2018 UTC
initial ansible-role-httpd-ssl
commit - /dev/null
commit + c6fa08bd337bb02bc2d250d5b496a95c830c3dd0
blob - /dev/null
blob + ba5dc1f214d59543dfd947176373a93f4c9d9467 (mode 644)
--- /dev/null
+++ README.md
@@ -0,0 +1,82 @@
+Ansible role for a httpd(8) with SSL
+====================================
+
+Ansible role to create a web server with httpd(8) on OpenBSD (>=6.1) and let's encrypt.
+
+Requirements
+------------
+
+OpenBSD >=6.1 -{release,stable,current}
+
+Notes
+-----
+
+You need to run this after the playbook:
+
+```
+# acme-client -vAD foobar.com
+```
+
+To renew the certs a cronjob must be placed:
+
+```
+#!/bin/sh
+acme-client foobar.com
+
+if [ $? -eq 0 ]
+then
+ /etc/rc.d/httpd reload
+fi
+```
+
+We asume that, you already have an entry on pf.conf like:
+
+```
+...
+pass in on $ext_if proto tcp from any to any port 80
+...
+pass in on $ext_if proto tcp from any to any port 443
+...
+```
+
+Or if your web server is behind the firewall, you need something like:
+
+```
+...
+pass in on $ext_if proto tcp from any to any port 80 \
+ rdr-to 10.0.0.10 port 80
+pass in on $ext_if proto tcp from any to any port 443 \
+ rdr-to 10.0.0.10 port 443
+...
+```
+
+And also you already have a DNS entry for your domain.
+
+
+Example Playbook
+----------------
+
+```
+---
+- hosts: test
+ roles:
+ - role: gonzalo-.httpd-ssl
+ become: yes
+ become_method: doas
+
+ vars:
+ domain: 'foobar.com'
+ alias: 'www.foobar.com'
+ httpd_conf: '/etc/httpd'
+ www_dir: '/var/www/sites'
+```
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+https://x61.sh/
blob - /dev/null
blob + 791d4a5101de2d18addaa8694ce1513edeb8cae6 (mode 644)
--- /dev/null
+++ defaults/main.yml
@@ -0,0 +1,2 @@
+---
+# defaults file for httpd-ssl
\ No newline at end of file
blob - /dev/null
blob + 9d0a5de928c331f08428dc09ec2f0c1fe3ec0c3b (mode 644)
--- /dev/null
+++ handlers/main.yml
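Review bot: defaults/main.yml declares no defaults, yet tasks/main.yml (a later hunk in this commit) templates `httpd_conf`, `vhosts_dir`, `domain` and `alias` unconditionally, so a play that omits any of them fails at the first `file` task with an undefined-variable error. The README's example playbook passes `www_dir: '/var/www/sites'`, which nothing in the role reads, while the `vhosts_dir` the tasks and site.conf.j2 do read is joined under /var/www and used as a root relative to httpd's chroot, so the documented variable name does not match the one the code expects. Suggest listing every variable here with a default and a one-line comment on its expected form, e.g. `httpd_conf: '/etc/httpd'` and `vhosts_dir: 'sites'  # relative to /var/www, the httpd(8) chroot`, and stating in a comment that `domain` and `alias` have no sensible default and must be supplied by the caller.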
@@ -0,0 +1,2 @@
+---
+# handlers file for httpd-ssl
\ No newline at end of file
blob - /dev/null
blob + 0d96c2c92c04240aa62f12b62b710ca55c4613ab (mode 644)
--- /dev/null
+++ meta/main.yml
@@ -0,0 +1,17 @@
+galaxy_info:
+ author: gonzalo-
+ description: Role to setup httpd server with ssl on OpenBSD.
+ license: BSD
+ min_ansible_version: 1.9
+ galaxy_tags:
+ - openbsd
+ - httpd
+ - ssl
+ - tls
+ - acme-client
+ - letsencrypt
+ platforms:
+ - name: OpenBSD
+ versions:
+ - 6.1
+ dependencies: []
blob - /dev/null
blob + 3b995bf06e6fb43e0a659f24dcd15935b9a465f4 (mode 644)
--- /dev/null
+++ tasks/main.yml
@@ -0,0 +1,31 @@
+---
+
+- file:
+ path: "{{ httpd_conf }}"
+ state: directory
+
+- file:
+ path: "/var/www/{{ vhosts_dir }}"
+ state: directory
+ owner: root
+ group: daemon
+
+- file:
+ path: "/var/www/{{ vhosts_dir }}/{{ domain }}"
+ state: directory
+ owner: root
+ group: daemon
+
+- blockinfile: |
+ dest=/etc/acme-client.conf backup=yes
+ content="domain {{ domain }} {
+ alternative names { {{ alias }} }
+ domain key "/etc/ssl/private/{{ domain }}.key"
+ domain certificate "/etc/ssl/{{ domain }}.crt"
+ domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+ sign with letsencrypt
+ }"
+ insertafter=EOF
+
+- template: src=httpd.conf.j2 dest="/etc/httpd.conf" owner="root" group="wheel" mode="0644"
+- template: src=site.conf.j2 dest="/etc/httpd/{{ domain }}.conf" owner="root" group="wheel" mode="0644"
blob - /dev/null
blob + 8272e15a73500438a9cca02b82044fa860618975 (mode 644)
--- /dev/null
+++ templates/httpd.conf.j2
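Review bot: The platform version `- 6.1` and `min_ansible_version: 1.9` in meta/main.yml are unquoted and therefore parsed as floats, which is harmless today but silently turns a future `6.10` into `6.1`; quoting them as `'6.1'` and `'1.9'` keeps them as the strings Galaxy compares.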
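Review bot: The `blockinfile` task in tasks/main.yml passes its arguments as one key=value string whose `content="..."` value itself contains double-quoted paths (`domain key "/etc/ssl/private/{{ domain }}.key"` and the two certificate lines), so Ansible's free-form argument parser will most likely terminate `content` at the first inner quote and either fail the task or write a truncated stanza; spelling the arguments out as YAML keys with `block: |` removes the nesting problem entirely. The same task sets neither `create` nor a per-domain `marker`, so it errors when /etc/acme-client.conf does not exist yet (on a fresh OpenBSD install the shipped example lives under /etc/examples, to be confirmed for 6.1) and a second run for a different `domain` would replace the first stanza instead of adding one, while the appended block relies on an `authority letsencrypt` definition that nothing in this role writes. Nothing here enables httpd or reloads it after the two `template` tasks render a new configuration, and handlers/main.yml is empty, so the rendered config only takes effect after the manual `/etc/rc.d/httpd reload` the README mentions; a `notify` on both template tasks plus a reload handler would close that gap. The three `file` tasks also leave directory `mode` to the remote umask, which is worth pinning (e.g. `mode: "0755"`) since `group: daemon` is the httpd(8) runtime group.

```yaml
- blockinfile:
    path: /etc/acme-client.conf
    backup: true
    # the stock file is not guaranteed to exist on a fresh install
    create: true
    # one marker per domain so the role can be applied for several sites
    marker: "# {mark} ANSIBLE MANAGED BLOCK {{ domain }}"
    # assumes an `authority letsencrypt` stanza is already defined in the file
    block: |
      domain {{ domain }} {
        alternative names { {{ alias }} }
        domain key "/etc/ssl/private/{{ domain }}.key"
        domain certificate "/etc/ssl/{{ domain }}.crt"
        domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
        sign with letsencrypt
      }

# … unchanged: the two template tasks, each gaining `notify: reload httpd` …
```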
@@ -0,0 +1,28 @@
+ext_addr="*"
+
+types { include "/usr/share/misc/mime.types" }
+
+## Sites
+include "{{ httpd_conf }}/{{ domain }}.conf"
+
+## Default
+server "default" {
+ listen on $ext_addr port 80
+ listen on $ext_addr port 443
+
+ alias match "%d+%.%d+%.%d+%.%d+"
+ alias match "%w*::*"
+
+ log { access "default-access.log", error "default-error.log" }
+
+ ## PHP-FPM
+ #location "*.php" {
+ # fastcgi socket "/run/php-fpm.sock"
+ #}
+ ##
+
+ block
+
+ root "/htdocs"
+}
+
blob - /dev/null
blob + c6e1763daa0a2e262bc20c480544077000e49c78 (mode 644)
--- /dev/null
+++ templates/site.conf.j2
@@ -0,0 +1,39 @@
+## {{ domain }} - HTTP
+server "{{ domain }}" {
+ alias "{{ alias }}"
+
+ listen on $ext_addr port 80
+
+ ## acme-client
+ location "/.well-known/acme-challenge/*" {
+ root "/acme"
+ root strip 2
+ }
+
+ ## rdr from http -> https
+ #location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }
+
+ root "{{ vhosts_dir }}/{{ domain }}"
+}
+
+## {{ domain }} - HTTPS
+server "{{ domain }}" {
+ alias "{{ alias }}"
+
+ listen on $ext_addr tls port 443
+
+ tls {
+ certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+ key "/etc/ssl/private/{{ domain }}.key"
+ }
+
+ log { access "{{ domain }}-access.log", error "{{ domain }}-error.log" }
+
+ #location "*.php" {
+ # fastcgi socket "/run/php-fpm.sock"
+ #}
+
+ directory { index index.html }
+
+ root "{{ vhosts_dir }}/{{ domain }}"
+}
blob - /dev/null
blob + 878877b0776c44f55fc4e458f70840f31da5bb01 (mode 644)
--- /dev/null
+++ tests/inventory
@@ -0,0 +1,2 @@
+localhost
+
blob - /dev/null
blob + b8ccf87de7d5da29f745ef58254336172175609f (mode 644)
--- /dev/null
+++ tests/test.yml
@@ -0,0 +1,7 @@
+---
+- hosts: localhost
+ gather_facts: true
+ become: True
+ become_method: doas
+ roles:
+ - httpd-ssl
blob - /dev/null
blob + 3182b31bc64066dc07887e8a11daa05def063796 (mode 644)
--- /dev/null
+++ vars/main.yml
@@ -0,0 +1,2 @@
+---
+# vars file for httpd-ssl
\ No newline at end of file
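Review bot: The `default` catch-all server in httpd.conf.j2 has `listen on $ext_addr port 443` without `tls`, while the per-site server in site.conf.j2 listens on `tls port 443` on the same `$ext_addr`; I am not certain how httpd(8) resolves a plain and a TLS listener sharing an address:port, so this should be checked with `httpd -n` against the rendered file before release, and either the second `listen` dropped or made `listen on $ext_addr tls port 443` with its own `tls { certificate ... key ... }` block so unmatched TLS clients hit the `block` rule rather than an undefined path. The file also deserves a header comment stating that it is rendered by the role and that per-site configuration lives in `{{ httpd_conf }}/<domain>.conf`, since the `include` on line 6 is the only hint of that layout.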
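Review bot: The HTTP server block in site.conf.j2 serves the full site root in cleartext on port 80 because the redirect under `## rdr from http -> https` is shipped commented out, which undercuts the role's stated purpose of a TLS-fronted site. As the acme-challenge `location` is declared before it, enabling `location "/*" { block return 301 "https://$SERVER_NAME$REQUEST_URI" }` keeps HTTP-01 renewals working while sending everything else to the TLS server, after which the trailing `root "{{ vhosts_dir }}/{{ domain }}"` in that block is no longer needed. If serving content over plain HTTP is intentional, a comment saying so (and why) next to the commented line would stop the next maintainer from "fixing" it either way.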
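Review bot: tests/test.yml applies the role as `httpd-ssl` without defining any of the variables the tasks template (`domain`, `alias`, `httpd_conf`, `vhosts_dir`), so the test play fails on the first `file` task before it exercises anything; a `vars:` section with throwaway test values is needed for the test to mean something. `become: True` should be the canonical lowercase `true` (yamllint truthy), matching `gather_facts: true` on the line above, and the role name here differs from the `gonzalo-.httpd-ssl` shown in the README's example playbook, so one of the two should be corrected.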