diff --git a/group_vars/mailman.yml b/group_vars/mailman.yml index 9be951c759af3a919884f053818c60d8610fda1f..115215fa45c3df3d51ea31f50f7d2cea64c43ac8 100644 --- a/group_vars/mailman.yml +++ b/group_vars/mailman.yml @@ -9,7 +9,7 @@ loc_nginx: servers: - server_name: - lists.crans.org - ssl: true + ssl: crans.org root: "/usr/lib/cgi-bin/mailman/" index: - index.htm diff --git a/group_vars/nginx.yml b/group_vars/nginx.yml index 4f8d5101ed48035486bb88d554332eee7efa7b93..76e216b528e377ed4b8f6e458e2eded708d72581 100644 --- a/group_vars/nginx.yml +++ b/group_vars/nginx.yml @@ -4,11 +4,14 @@ glob_nginx: who: "L'équipe technique du Cr@ns" service_name: service ssl: - cert: /etc/letsencrypt/live/crans.org/fullchain.pem - cert_key: /etc/letsencrypt/live/crans.org/privkey.pem - trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem + # Add adm.crans.org if necessary + - name: crans.org + cert: /etc/letsencrypt/live/crans.org/fullchain.pem + cert_key: /etc/letsencrypt/live/crans.org/privkey.pem + trusted_cert: /etc/letsencrypt/live/crans.org/chain.pem servers: - - ssl: false + - ssl: false # Replace by crans.org or adm.crans.org + default: true server_name: - "default" - "_" @@ -21,4 +24,5 @@ glob_nginx: auth_passwd: [] default_server: default_ssl_server: + default_ssl_domain: crans.org deploy_robots_file: false diff --git a/host_vars/charybde.adm.crans.org.yml b/host_vars/charybde.adm.crans.org.yml index 625d329e3b54cf8016210e52ed1b4b18c40cd4fb..fd0885f90010a67592f66d53dfcca2257435fa29 100644 --- a/host_vars/charybde.adm.crans.org.yml +++ b/host_vars/charybde.adm.crans.org.yml 
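Review bot: In the `glob_nginx` hunk the new `name: crans.org` becomes both a filename component (`options-ssl.<name>.conf`) and the value every `servers[*].ssl` and `default_ssl_domain` must match, yet nothing checks that the references agree; a typo in `default_ssl_domain` or in a host's `ssl: crans.org` only shows up as an include error when nginx is restarted on the box. I would add a pre-flight task in the nginx role before any template is rendered, e.g. `assert: { that: ["nginx.default_ssl_domain in (nginx.ssl | map(attribute='name') | list)", "nginx.ssl | map(attribute='name') | reject('match', '^[A-Za-z0-9.-]+$') | list | length == 0"] }`, plus the same membership check for each server whose `ssl` is not `false`. The `# Add adm.crans.org if necessary` comment then becomes safe to act on, since a second entry is validated instead of trusted. Separately, `default_server:` and `default_ssl_server:` remain bare keys (YAML null); `false` would make the intended type explicit.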
@@ -37,26 +37,26 @@ to_backup: loc_nginx: service_name: ftp servers: - server_name: - - "ftp" - - "ftp.*" - - "mirror" - - "mirror.*" - - "archive.ubuntu.com" - - "fr.archive.ubuntu.com" - - "security.ubuntu.com" - - "ftps" - - "ftps.*" - root: "/pubftp" - locations: - - filter: "/" - - params: - - "autoindex on" - - "autoindex_exact_size off" - - "add_before_body /.html/HEADER.html" - - "add_after_body /.html/FOOTER.html" - - filter: "/pub/events/" - params: - - "mp4" - - "mp4_buffer_size 1m" - - "mp4_max_buffer_size 5m" + - server_name: + - "ftp" + - "ftp.*" + - "mirror" + - "mirror.*" + - "archive.ubuntu.com" + - "fr.archive.ubuntu.com" + - "security.ubuntu.com" + - "ftps" + - "ftps.*" + root: "/pubftp" + locations: + - filter: "/" + params: + - "autoindex on" + - "autoindex_exact_size off" + - "add_before_body /.html/HEADER.html" + - "add_after_body /.html/FOOTER.html" + - filter: "/pub/events/" + params: + - "mp4" + - "mp4_buffer_size 1m" + - "mp4_max_buffer_size 5m" diff --git a/host_vars/irc.adm.crans.org.yml b/host_vars/irc.adm.crans.org.yml index c825629ff9f065aeccf8bfbee36dd75bc1f7eec6..bf956da8c254ff50f98bcadbb72cea0dc4625d28 100644 --- a/host_vars/irc.adm.crans.org.yml +++ b/host_vars/irc.adm.crans.org.yml @@ -4,7 +4,12 @@ interfaces: srv: ens19 loc_certbot: - domains: "irc.crans.org" + - dns_rfc2136_server: '172.16.10.147' + dns_rfc2136_name: certbot_challenge. + dns_rfc2136_secret: "{{ vault_certbot_dns_secret }}" + mail: root@crans.org + certname: crans.org + domains: "irc.crans.org" loc_nginx: service_name: "thelounge" @@ -12,7 +17,8 @@ loc_nginx: - server_name: - "irc.crans.org" - "irc" - ssl: true + default: true + ssl: crans.org locations: - filter: "^~ /web/" params: diff --git a/plays/irc.yml b/plays/irc.yml index 95563292fc2df1a2f0fb6f1a49cd200819e4622c..ab25370663361ff009f655066201c85e9211f2cc 100755 --- a/plays/irc.yml +++ b/plays/irc.yml 
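Review bot: The new `loc_certbot` entry on irc configures RFC 2136 dynamic updates against `172.16.10.147` with TSIG key `certbot_challenge.` but sets no `dns_rfc2136_algorithm`; if the certbot role writes these keys through to the plugin's credentials file unchanged, the plugin's documented fallback is HMAC-MD5, which current BIND/Knot builds reject or refuse to generate keys for. Add `dns_rfc2136_algorithm: HMAC-SHA512` (or whatever the key was actually generated with) next to `dns_rfc2136_secret` so the algorithm is explicit rather than defaulted. The secret itself is correctly vaulted, but the host now holds a key that can push any update the DNS server's policy allows — worth confirming that the `update-policy` for this key is limited to `_acme-challenge.*` TXT records. Note also that `certname: crans.org` with `domains: "irc.crans.org"` means `/etc/letsencrypt/live/crans.org/` on this host covers only irc.crans.org; that matches the nginx snippet name but the lineage name no longer describes its contents, which a comment should say.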
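Review bot: `default: true` on the `irc.crans.org` server makes the TheLounge proxy the catch-all for TLS handshakes without a matching SNI name and for plain-HTTP requests with an unrecognised `Host`, because the template now emits `default_server` on both its 80 and 443 listeners. Since the play's `combine` is shallow, `loc_nginx.servers` replaces the glob list and the `default`/`_` catch-all from `glob_nginx` is not present on this host, so today the flag changes little, but it encodes the choice that direct-IP scans and arbitrary `Host` values get forwarded to the application. If that is not intended, keep a dedicated catch-all (ideally `return 444;`) and drop the flag here; if it is intended because the host has a single vhost, record that next to the line, e.g. `default: true  # sole vhost on this host; answers for unknown SNI/Host`.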
@@ -2,7 +2,7 @@ --- - hosts: irc vars: - certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}' + certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}' nginx: '{{ glob_nginx | default({}) | combine(loc_nginx | default({})) }}' thelounge: '{{ glob_thelounge | default({}) | combine(loc_thelounge | default({})) }}' roles: diff --git a/plays/mailman.yml b/plays/mailman.yml index a0a2a60f054330eb7d2661ad9aed3826e3c797ab..ac7afd009a7cb6b418ec1aa45473d204f2d99870 100755 --- a/plays/mailman.yml +++ b/plays/mailman.yml @@ -8,6 +8,10 @@ default_url: "https://lists.crans.org/" default_host: "lists.crans.org" default_language: "fr" + custom_logo: "crans_icon_dark.svg" + custom_logo_name: "crans.svg" + custom_logo_url: "https://www.crans.org/" + custom_logo_alt: "CRANS" spamassassin: "SpamAssassin_crans" smtphost: "smtp.adm.crans.org" mynetworks: ['138.231.0.0/16', '185.230.76.0/22', '2a0c:700:0::/40'] diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml index 4d4179c8c3f0d268ad85161a12adf50f318c0c70..847e397babe0b739254e7d2b2cbd88e1a39b057a 100644 --- a/roles/nginx/tasks/main.yml +++ b/roles/nginx/tasks/main.yml @@ -7,16 +7,22 @@ retries: 3 until: apt_result is succeeded -- name: Copy snippets +- name: Copy proxypass snippets template: - src: "nginx/snippets/{{ item }}.j2" - dest: "/etc/nginx/snippets/{{ item }}" + src: "nginx/snippets/options-proxypass.conf.j2" + dest: "/etc/nginx/snippets/options-proxypass.conf" owner: root group: root mode: 0644 - loop: - - options-ssl.conf - - options-proxypass.conf + +- name: Copy SSL snippets + template: + src: "nginx/snippets/options-ssl.conf.j2" + dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf" + owner: root + group: root + mode: 0644 + loop: "{{ nginx.ssl }}" - name: Copy dhparam template: 
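Review bot: `certbot: '{{ loc_certbot | default(glob_certbot | default([])) }}'` now selects one source instead of merging, while `nginx` and `thelounge` on the following lines still `combine`; the asymmetry is deliberate because the value became a list, but nothing says so and the `[]` versus `{}` default is the only hint. Add a comment above the line such as `# certbot is a list of certificate specs: a host-level list replaces the global one instead of merging`. Check the other plays that still `combine` `glob_certbot`, since `combine` on a list fails at runtime, and confirm `glob_certbot` in group_vars has also been converted — if it is still a mapping, the fallback here hands the role a mapping where it now iterates a list.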
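Review bot: In the "Copy SSL snippets" task, `dest: "/etc/nginx/snippets/options-ssl.{{ item.name }}.conf"` interpolates an inventory value straight into a filesystem path, so a `/` or `..` in `name` writes outside the snippets directory; the data is operator-controlled, but an `assert` task ahead of it with `that: "nginx.ssl | map(attribute='name') | reject('match', '^[A-Za-z0-9.-]+$') | list | length == 0"` costs one block and removes the question (a `failed_when` on the template task would fire only after the file is written). Entries later removed from `nginx.ssl` also leave their old `options-ssl.<name>.conf` in place, still pointing at key paths that may no longer exist, so a `find` plus `file: state=absent` for snippets not in the current list would keep the directory authoritative. Minor: the new `mode: 0644` lines are unquoted octals that YAML 1.1 reads as the integer 420; Ansible copes, but the documented form is `mode: "0644"`.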
@@ -98,12 +104,6 @@ group: www-data mode: 0644 -- name: Indicate role in motd - template: - src: update-motd.d/05-service.j2 - dest: /etc/update-motd.d/05-nginx - mode: 0755 - - name: Install passwords when: nginx.auth_passwd|length > 0 template: @@ -119,3 +119,9 @@ owner: www-data group: www-data mode: 0644 + +- name: Indicate role in motd + template: + src: update-motd.d/05-service.j2 + dest: /etc/update-motd.d/05-nginx + mode: 0755 diff --git a/roles/nginx/templates/nginx/sites-available/service.j2 b/roles/nginx/templates/nginx/sites-available/service.j2 index 5a883a483cc52b25c53992090e686c8c0e08c43c..1e17e0994994ac34f78cd12e317b61debbd846ac 100644 --- a/roles/nginx/templates/nginx/sites-available/service.j2 +++ b/roles/nginx/templates/nginx/sites-available/service.j2 @@ -19,7 +19,7 @@ upstream {{ upstream.name }} { server { listen 443 default_server ssl; listen [::]:443 default_server ssl; - include "/etc/nginx/snippets/options-ssl.conf"; + include "/etc/nginx/snippets/options-ssl.{{ nginx.default_ssl_domain }}.conf"; server_name _; charset utf-8; @@ -55,8 +55,8 @@ server { {% if server.ssl is defined and server.ssl -%} # Redirect HTTP to HTTPS server { - listen 80; - listen [::]:80; + listen 80{% if server.default is defined and server.default %} default_server{% endif %}; + listen [::]:80{% if server.default is defined and server.default %} default_server{% endif %}; server_name {{ server.server_name|join(" ") }}; charset utf-8; @@ -72,9 +72,9 @@ server { server { {% if server.ssl is defined and server.ssl -%} - listen 443 ssl; - listen [::]:443 ssl; - include "/etc/nginx/snippets/options-ssl.conf"; + listen 443{% if server.default is defined and server.default %} default_server{% endif %} ssl; + listen [::]:443{% if server.default is defined and server.default %} default_server{% endif %} ssl; + include "/etc/nginx/snippets/options-ssl.{{ server.ssl }}.conf"; {% else -%} listen 80 default; listen [::]:80 default; 
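Review bot: The hard-coded default SSL server in the first service.j2 hunk now includes `options-ssl.{{ nginx.default_ssl_domain }}.conf` while still declaring `listen 443 default_server ssl`; on any host that also renders a vhost with `default: true` and an `ssl:` value (as irc now does) nginx will see two default servers on 443 and fail `nginx -t`. If this block is not already wrapped in a condition on `nginx.default_ssl_server` — the guard is outside the hunk, so I cannot tell — gate it, and add a comment above it such as `# Catch-all for unknown SNI; mutually exclusive with any server carrying default: true`. The enclosing template continues outside the hunk.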
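Review bot: In the third service.j2 hunk the `default_server` flag is honoured only on the SSL branch; the `{% else -%}` branch immediately below still hard-codes `listen 80 default;` and `listen [::]:80 default;` for every non-SSL server, so `server.default` is ignored there and any host with two plain-HTTP vhosts (for example the glob `_` catch-all plus one more) fails with a duplicate default server. Make both branches use the same conditional, `listen 80{% if server.default is defined and server.default %} default_server{% endif %};` and its `[::]` twin, which is behaviour-preserving now that the glob catch-all in nginx.yml carries `default: true`. The `server {` block this sits in is opened inside the hunk but closed beyond it.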
@@ -86,29 +86,21 @@ server { # Hide Nginx version server_tokens off; - {% if server.root is defined -%} - root {{ server.root }}; - {% endif -%} - {% if server.index is defined -%} - index {{ server.index|join(" ") }}; - {% endif -%} - - {% if server.access_log is defined -%} - access_log {{ server.access_log }}; - {% endif -%} - {% if server.error_log is defined -%} - error_log {{ server.error_log }}; - {% endif -%} + {% if server.root is defined %}root {{ server.root }};{% endif %} + {% if server.index is defined %}index {{ server.index|join(" ") }};{% endif %} - {% if server.locations is defined -%} + {% if server.access_log is defined %}access_log {{ server.access_log }};{% endif %} + {% if server.error_log is defined %}error_log {{ server.error_log }};{% endif %} - {% for location in server.locations -%} +{% if server.locations is defined %} +{% for location in server.locations %} location {{ location.filter }} { - {% for param in location.params -%} +{% for param in location.params %} {{ param }}; - {% endfor -%} +{% endfor %} } - {% endfor -%} -{% endif -%} + +{% endfor %} +{% endif %} } {% endfor %} diff --git a/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 index 1a9273a814ebb14034f4d2503b7bd5940d52424d..c980c90bc2b05345682ebcf5955d830210364971 100644 --- a/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 +++ b/roles/nginx/templates/nginx/snippets/options-ssl.conf.j2 @@ -1,7 +1,7 @@ {{ ansible_header | comment }} -ssl_certificate {{ nginx.ssl.cert }}; -ssl_certificate_key {{ nginx.ssl.cert_key }}; +ssl_certificate {{ item.cert }}; +ssl_certificate_key {{ item.cert_key }}; ssl_session_timeout 1d; ssl_session_cache shared:MozSSL:10m; ssl_session_tickets off; 
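Review bot: `ssl_certificate {{ item.cert }}` and `ssl_certificate_key {{ item.cert_key }}` tie the snippet to Ansible's implicit loop variable, so it only renders from the `loop: "{{ nginx.ssl }}"` task and breaks silently if that task ever gets `loop_control: loop_var` or the template is reused elsewhere. Pass the entry explicitly — `vars: { ssl_entry: "{{ item }}" }` on the task and `ssl_certificate {{ ssl_entry.cert }};` / `ssl_certificate_key {{ ssl_entry.cert_key }};` here — and put a header comment under `ansible_header` stating `# Rendered once per entry of nginx.ssl; the key path must stay root-readable only (this role does not manage its mode)`, since nothing in the hunk shows the key file's permissions being enforced.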
@@ -13,5 +13,5 @@ ssl_prefer_server_ciphers off; # Enable OCSP Stapling, point to certificate chain ssl_stapling on; ssl_stapling_verify on; -ssl_trusted_certificate {{ nginx.ssl.trusted_cert }}; +ssl_trusted_certificate {{ item.trusted_cert }}; diff --git a/roles/nginx/templates/update-motd.d/10-service.j2 b/roles/nginx/templates/update-motd.d/10-service.j2 deleted file mode 100755 index 82373d0b38e8376f20e82c033c12241c94018582..0000000000000000000000000000000000000000 --- a/roles/nginx/templates/update-motd.d/10-service.j2 +++ /dev/null @@ -1,3 +0,0 @@ -#!/usr/bin/tail +14 -{{ ansible_header | comment }} -[0m> [38;5;82mNGINX[0m a été déployé sur cette machine. Voir [38;5;6m/etc/nginx/[0m.
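Review bot: `ssl_stapling_verify on` with `ssl_trusted_certificate {{ item.trusted_cert }}` only produces stapled responses if nginx also has a `resolver` directive to look up the OCSP responder; neither hunk of this snippet shows one, and without it nginx logs a warning at startup and the stapling lines are inert. If `resolver` is not set in `nginx.conf` (outside this diff), add it next to the stapling block, pointing at the site's own resolvers rather than a public one, since OCSP lookups reveal which certificates the host serves. A one-line comment above `ssl_stapling on;` naming where the resolver comes from would save the next reader the same check.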