diff options
| author | Guilhem Moulin <guilhem@fripost.org> | 2015-12-20 14:13:08 +0100 |
|---|---|---|
| committer | Guilhem Moulin <guilhem@fripost.org> | 2015-12-20 14:13:13 +0100 |
| commit | da2572ddb144086034eba1989ae909763e95c680 (patch) | |
| tree | d3374338793592412ca1b10fb4fc20068a392c4e /roles/webmail | |
| parent | 01e59771866559cc13a58800282617d04cb286a6 (diff) | |
Use the Let's Encrypt CA for our public certs.
Diffstat (limited to 'roles/webmail')
| -rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 13 | ||||
| -rw-r--r-- | roles/webmail/tasks/roundcube.yml | 20 |
2 files changed, 13 insertions, 20 deletions
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index 1297834..df10be9 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -1,39 +1,46 @@ server { listen 80; listen [::]:80; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + + include snippets/acme-challenge.conf; access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; - return 301 https://$host$request_uri; + location / { + return 301 https://$host$request_uri; + } } server { listen 443; listen [::]:443; - server_name mail.fripost.org; + server_name mail.fripost.org; + server_name webmail.fripost.org; + root /var/lib/roundcube; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml index ed6a3b4..3eaf766 100644 --- a/roles/webmail/tasks/roundcube.yml +++ b/roles/webmail/tasks/roundcube.yml @@ -86,67 +86,53 @@ owner=root group=root mode=0644 with_items: - classic - larry - name: Configure Roundcube plugins copy: src=etc/roundcube/plugins/{{ item }}/config.inc.php dest=/etc/roundcube/plugins/{{ item }}/config.inc.php owner=root group=root mode=0644 with_items: - additional_message_headers - jqueryui - managesieve - password - name: Start php5-fpm service: name=php5-fpm state=started -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/mail.fripost.org.pem - --privkey=/etc/nginx/ssl/mail.fripost.org.key - --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/roundcube copy: src=etc/nginx/sites-available/roundcube dest=/etc/nginx/sites-available/roundcube owner=root group=root mode=0644 - register: r2 + register: r1 notify: - Restart Nginx - name: Create /etc/nginx/sites-enabled/roundcube file: src=../sites-available/roundcube dest=/etc/nginx/sites-enabled/roundcube owner=root group=root state=link force=yes - register: r3 + register: r2 notify: - Restart Nginx - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False fetch: src=/etc/nginx/ssl/mail.fripost.org.pem dest=certs/public/ fail_on_missing=yes flat=yes tags: - genkey |