From eb6fdd29d3723efc575e3d86e2c9cf7ea9bfb11f Mon Sep 17 00:00:00 2001
From: Kevin Veen-Birkenbach
Date: Wed, 29 Jan 2025 15:52:40 +0100
Subject: [PATCH] Implemented draft for wildcard certificate
---
 group_vars/all/00_general.yml | 16 ++++++++--------
 .../templates/nginx-proxy.conf.j2 | 9 ++-------
 roles/docker-ldap/templates/nginx.stream.conf.j2 | 3 +--
 roles/docker-ldap/vars/main.yml | 4 +++-
 roles/docker-mailu/vars/main.yml | 9 +++++----
 .../docker-mastodon/templates/.env.production.j2 | 2 +-
 roles/letsencrypt/templates/ssl_credentials.j2 | 4 ++++
 roles/letsencrypt/templates/ssl_header.j2 | 5 ++---
 tasks/recieve-certbot-certificate.yml | 15 ++++++++++++++-
 9 files changed, 40 insertions(+), 27 deletions(-)
 create mode 100644 roles/letsencrypt/templates/ssl_credentials.j2
diff --git a/group_vars/all/00_general.yml b/group_vars/all/00_general.yml
index 26d98ae5..7329356a 100644
--- a/group_vars/all/00_general.yml
+++ b/group_vars/all/00_general.yml
@@ -19,17 +19,17 @@ test_email: "test@{{primary_domain}}"
 # Server Tact Variables
 ## Ours in which the server is "awake" (100% working). Rest of the time is reserved for maintanance
-hours_server_awake: "0..23"
+hours_server_awake: "0..23"
 ## Random delay for systemd timers to avoid peak loads.
-randomized_delay_sec: "5min"
+randomized_delay_sec: "5min"
 # Storage Space-Related Configurations
-size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
-size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
-size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
+size_percent_maximum_backup: 75 # Maximum storage space in percent for backups
+size_percent_cleanup_disc_space: 85 # Threshold for triggering cleanup actions
+size_percent_disc_space_warning: 90 # Warning threshold in percent for free disk space
 # Runtime Variables for Process Control
-activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
-nginx_matomo_tracking: false # Activates matomo tracking on all html pages
-
+activate_all_timers: false # Activates all timers, independend if the handlers had been triggered
+nginx_matomo_tracking: false # Activates matomo tracking on all html pages
+enable_one_letsencrypt_cert_for_all: true # Activates one letsencrypt cert for all instead of one per subdomain
\ No newline at end of file
diff --git a/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2 b/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
index 04b2fa44..6c915c69 100644
--- a/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
+++ b/roles/docker-bigbluebutton/templates/nginx-proxy.conf.j2
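Review bot: `enable_one_letsencrypt_cert_for_all: true` becomes the global default, so every role that does not override it (this commit only opts out docker-ldap and docker-mailu) will serve the certificate under `/etc/letsencrypt/live/{{ primary_domain }}`, and the comment should say what that certificate is: a wildcard for `*.{{ primary_domain }}`, which only matches direct subdomains, with one private key shared by every service behind it. Suggested wording: `enable_one_letsencrypt_cert_for_all: true # Use one wildcard cert for primary_domain and *.primary_domain (direct subdomains only, one shared key) instead of one cert per subdomain; roles may override`. The remaining `-`/`+` pairs in this hunk have identical content and look like whitespace-only churn, which hides the one real change in the file.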
@@ -1,11 +1,6 @@
 server {
- listen 443 ssl default_server;
- listen [::]:443 ssl default_server;
- http2 on;
- server_name {{domain}};
-
- ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+
+ {% include 'roles/letsencrypt/templates/ssl_header.j2' %}
 location / {
 proxy_http_version 1.1;
diff --git a/roles/docker-ldap/templates/nginx.stream.conf.j2 b/roles/docker-ldap/templates/nginx.stream.conf.j2
index aae7147c..710f14cc 100644
--- a/roles/docker-ldap/templates/nginx.stream.conf.j2
+++ b/roles/docker-ldap/templates/nginx.stream.conf.j2
@@ -3,8 +3,7 @@ server {
 proxy_pass 127.0.0.1:{{ldap_localhost_port}};
 # SSL Configuration for LDAPS
- ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
+ {% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
 ssl_protocols TLSv1.2 TLSv1.3;
 ssl_ciphers HIGH:!aNULL:!MD5;
 }
diff --git a/roles/docker-ldap/vars/main.yml b/roles/docker-ldap/vars/main.yml
index ce28e6ea..33c813bd 100644
--- a/roles/docker-ldap/vars/main.yml
+++ b/roles/docker-ldap/vars/main.yml
@@ -7,4 +7,6 @@ ldap_localhost_port: 389
 # OAuth2 Proxy Configuration
 oauth2_proxy_upstream_application_and_port: "{{ ldap_webinterface }}:{% if ldap_webinterface == 'phpldapadmin' %}8080{% else %}80{% endif %}"
-oauth2_proxy_active: true
\ No newline at end of file
+oauth2_proxy_active: true
+
+enable_one_letsencrypt_cert_for_all: false
\ No newline at end of file
diff --git a/roles/docker-mailu/vars/main.yml b/roles/docker-mailu/vars/main.yml
index 2ab9a658..5d02b106 100644
--- a/roles/docker-mailu/vars/main.yml
+++ b/roles/docker-mailu/vars/main.yml
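Review bot: The BigBlueButton server block drops `listen 443 ssl default_server;`, `listen [::]:443 ssl default_server;`, `http2 on;` and `server_name {{domain}};`, and nothing visible here shows that the included `ssl_header.j2` emits them — its own hunk in this patch starts at line 8 with only HSTS, stapling and certificate directives in view. If the include does not provide a `listen` and `server_name`, this block no longer binds 443 for `{{domain}}` at all, and if it emits `listen 443 ssl;` without `default_server`, requests for unmatched hosts will no longer land on this block. Unless ssl_header.j2 is verified to cover them, keep `listen 443 ssl default_server;`, `listen [::]:443 ssl default_server;` and `server_name {{domain}};` in this template above the include. The enclosing `server` block continues past the end of the hunk.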
@@ -1,4 +1,5 @@
-docker_compose_project_name: "mailu"
-database_password: "{{mailu_database_password}}"
-database_type: "mariadb"
-cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
\ No newline at end of file
+docker_compose_project_name: "mailu"
+database_password: "{{mailu_database_password}}"
+database_type: "mariadb"
+cert_mount_directory: "{{docker_compose_instance_directory}}/certs/"
+enable_one_letsencrypt_cert_for_all: false
\ No newline at end of file
diff --git a/roles/docker-mastodon/templates/.env.production.j2 b/roles/docker-mastodon/templates/.env.production.j2
index ec013d3c..dfd2c0ac 100644
--- a/roles/docker-mastodon/templates/.env.production.j2
+++ b/roles/docker-mastodon/templates/.env.production.j2
@@ -1,5 +1,5 @@
 LOCAL_DOMAIN={{domain}}
-ALTERNATE_DOMAINS="{{ domains_mastodon_alternates | join(',') }}"
+ALTERNATE_DOMAINS="{{ domains.mastodon_alternates | join(',') }}"
 SINGLE_USER_MODE={{mastodon_single_user_mode}}
 SECRET_KEY_BASE={{mastodon_secret_key_base}}
 OTP_SECRET={{mastodon_otp_secret}}
diff --git a/roles/letsencrypt/templates/ssl_credentials.j2 b/roles/letsencrypt/templates/ssl_credentials.j2
new file mode 100644
index 00000000..5ee8b4fb
--- /dev/null
+++ b/roles/letsencrypt/templates/ssl_credentials.j2
@@ -0,0 +1,4 @@
+{% set ssl_cert_folder = primary_domain if enable_one_letsencrypt_cert_for_all else domain %}
+ssl_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/{{ ssl_cert_folder }}/privkey.pem;
+ssl_trusted_certificate /etc/letsencrypt/live/{{ ssl_cert_folder }}/chain.pem;
\ No newline at end of file
diff --git a/roles/letsencrypt/templates/ssl_header.j2 b/roles/letsencrypt/templates/ssl_header.j2
index dcb4fd85..c9d79b67 100644
--- a/roles/letsencrypt/templates/ssl_header.j2
+++ b/roles/letsencrypt/templates/ssl_header.j2
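Review bot: In the new `ssl_credentials.j2`, `ssl_cert_folder` resolves to `primary_domain` for every host whenever the flag is true, but the wildcard lineage requested in `tasks/recieve-certbot-certificate.yml` covers only `{{ primary_domain }}` and `*.{{ primary_domain }}`, so a `domain` that is not a direct subdomain of `primary_domain` (a nested subdomain, or an unrelated domain such as the mastodon alternates may be) would be served a certificate whose names do not match it. The template cannot detect that case, so it should at least document the assumption for the roles that include it: `{# With enable_one_letsencrypt_cert_for_all the wildcard lineage under primary_domain is used for every host; it only matches primary_domain and its direct subdomains #}`. The `{% set %}` line also leaves an empty line in the rendered nginx config; `{%- set ssl_cert_folder = ... -%}` trims it.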
@@ -8,6 +8,5 @@ ssl_prefer_server_ciphers on;
 add_header Strict-Transport-Security max-age=15768000;
 ssl_stapling on;
 ssl_stapling_verify on;
-ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
-ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
-ssl_trusted_certificate /etc/letsencrypt/live/{{domain}}/chain.pem;
+{% include 'roles/letsencrypt/templates/ssl_credentials.j2' %}
+
diff --git a/tasks/recieve-certbot-certificate.yml b/tasks/recieve-certbot-certificate.yml
index 1b0781bd..71894346 100644
--- a/tasks/recieve-certbot-certificate.yml
+++ b/tasks/recieve-certbot-certificate.yml
@@ -2,4 +2,17 @@
 command: >-
 certbot certonly --agree-tos --email {{ administrator_email }}
 --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ domain }}
- {{ '--test-cert' if mode_test | bool else '' }}
\ No newline at end of file
+ {{ '--test-cert' if mode_test | bool else '' }}
+ when: not enable_one_letsencrypt_cert_for_all
+
+- name: "recieve certbot certificate for *{{ primary_domain }}"
+ command: >-
+ certbot certonly --agree-tos --email {{ administrator_email }}
+ --non-interactive --webroot -w /var/lib/letsencrypt/ -d {{ primary_domain }} -d *.{{ primary_domain }}
+ {{ '--test-cert' if mode_test | bool else '' }}
+ when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined
+
+- name: run the recieve_certificate tasks once
+ set_fact:
+ run_once_recieve_certificate: true
+ when: run_once_recieve_certificate is not defined
\ No newline at end of file
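Review bot: The new wildcard task keeps `--webroot -w /var/lib/letsencrypt/`, but Let's Encrypt issues `*.{{ primary_domain }}` only through the DNS-01 challenge, so `certbot certonly ... -d {{ primary_domain }} -d *.{{ primary_domain }}` with the HTTP-01 webroot authenticator will not succeed; this task needs a certbot DNS authenticator (with its credentials supplied outside the playbook) in place of `--webroot`. Independently, the `run the recieve_certificate tasks once` task sets `run_once_recieve_certificate` without checking the flag, so when this file is first included by a role that overrides `enable_one_letsencrypt_cert_for_all: false` (docker-ldap and docker-mailu in this commit) the fact is set on the per-domain path and the wildcard request is skipped for the rest of the play; guard it with `when: enable_one_letsencrypt_cert_for_all and run_once_recieve_certificate is not defined`. The two new `when:` clauses also test the flag bare while `mode_test` goes through `| bool` on the same lines; `enable_one_letsencrypt_cert_for_all | bool` keeps a string value from extra-vars from being truthy.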