From da2572ddb144086034eba1989ae909763e95c680 Mon Sep 17 00:00:00 2001 From: Guilhem Moulin Date: Sun, 20 Dec 2015 14:13:08 +0100 Subject: Use the Let's Encrypt CA for our public certs. --- roles/wiki/files/etc/nginx/sites-available/website | 17 +++++++++------ roles/wiki/files/etc/nginx/sites-available/wiki | 10 +++------ roles/wiki/tasks/main.yml | 24 +++++----------------- 3 files changed, 19 insertions(+), 32 deletions(-) (limited to 'roles/wiki') diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 3e32158..2519286 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -5,10 +5,14 @@ server { server_name fripost.org; server_name www.fripost.org; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + include snippets/acme-challenge.conf; - return 301 https://fripost.org$request_uri; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; + + location / { + return 301 https://$host$request_uri; + } } @@ -16,14 +20,15 @@ server { listen 443; listen [::]:443; - server_name fripost.org; + server_name fripost.org; + server_name www.fripost.org; include snippets/ssl.conf; ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; - access_log /var/log/nginx/access.log; - error_log /var/log/nginx/error.log info; + access_log /var/log/nginx/www.access.log; + error_log /var/log/nginx/www.error.log info; location / { try_files $uri $uri/ =404; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 3777b87..2855e07 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -4,18 +4,14 @@ server { server_name wiki.fripost.org; + include snippets/acme-challenge.conf; + access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } - try_files $uri $uri/ =404; - index index.html; - root /var/lib/ikiwiki/public_html/fripost-wiki; - } - - location = /ikiwiki.cgi { - return 302 https://$host$request_uri; + return 301 https://$host$request_uri; } } diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml index 22a5831..763f99a 100644 --- a/roles/wiki/tasks/main.yml +++ b/roles/wiki/tasks/main.yml @@ -65,26 +65,12 @@ - meta: flush_handlers -- name: Generate a private key and a X.509 certificate for Nginx - command: genkeypair.sh x509 - --pubkey=/etc/nginx/ssl/fripost.org.pem - --privkey=/etc/nginx/ssl/fripost.org.key - --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org - -t rsa -b 4096 -h sha512 - register: r1 - changed_when: r1.rc == 0 - failed_when: r1.rc > 1 - notify: - - Restart Nginx - tags: - - genkey - - name: Copy /etc/nginx/sites-available/{wiki,website} copy: src=etc/nginx/sites-available/{{ item }} dest=/etc/nginx/sites-available/{{ item }} owner=root group=root mode=0644 - register: r2 + register: r1 with_items: - website - wiki @@ -96,7 +82,7 @@ dest=/etc/nginx/sites-enabled/{{ item }} owner=root group=root state=link force=yes - register: r3 + register: r2 with_items: - website - wiki @@ -105,15 +91,15 @@ - name: Start Nginx service: name=nginx state=started - when: not (r1.changed or r2.changed or r3.changed) + when: not (r1.changed or r2.changed) - meta: flush_handlers - name: Fetch Nginx's X.509 certificate # Ensure we don't fetch private data sudo: False - fetch: src=/etc/nginx/ssl/fripost.org.pem - dest=certs/public/ + fetch: src=/etc/nginx/ssl/www.fripost.org.pem + dest=certs/public/fripost.org.pem fail_on_missing=yes flat=yes tags: -- cgit v1.2.3