Vhosts creation change (#63)

Changed the way vhosts are created. This is to prevent situation where https vhosts are created without corresponding certificate which is causing error. Solution to that is to check if ssl cert exists for vhost before creating them. Suggested approach is to create vhost called '01.letsencrypt' or `01.domain.ltd` using `letsencrypt` template. This will allow new certificates to be created for upcoming vhosts and once certs are created, nginx will be able to create vhosts and not error out. (so first run letsencrypt and then nginx). Currently vhost creation and enabling is done separate for HTTP and HTTPS vhosts. Not the best solution, but works for now. Reviewed-on: #63 Reviewed-by: meaz <meaz@no-reply@disroot.org> Co-authored-by: muppeth <muppeth@disroot.org> Co-committed-by: muppeth <muppeth@disroot.org>
2024-03-07 10:07:17 +00:00 · 2024-03-07 10:07:17 +00:00 · 002e1183fc
parent 31bfe12f38
commit 002e1183fc
1 changed files with 78 additions and 9 deletions
--- a/tasks/vhost.yml
+++ b/tasks/vhost.yml
@ -3,19 +3,44 @@
  slurp:
    src: "/var/lib/tor/{{ item.name }}/hostname"
  register: "onion_address"
-  when:  item.onion is defined and item.onion == 'true'
+  when:  
+    - item.onion is defined
+    - item.onion == 'true'

 - name: "[NGINX] - Set fact"
  set_fact:
    enable_tor: 'false'
+    
+- name: "[NGINX] - Check if the certificate for the vhost exists"
+  stat:
+    path: '{{ nginx_ssl_dir }}/{{ item.name }}/privkey.pem'
+  register: cert_exists
+  when:
+    - item.ssl_name is defined

- name: "[NGINX] - Create vhosts"
+- name: "[NGINX] - Create HTTPS vhosts"
  template:
    src: etc/nginx/sites-available/{{ item.template }}.j2
    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
  notify:
      - reload nginx
-  when: item.state is defined and item.state != 'delete'
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.stat.exists 
+    - item.state is defined 
+    - item.state != 'delete'
+
+- name: "[NGINX] - Create HTTP vhosts"
+  template:
+    src: etc/nginx/sites-available/{{ item.template }}.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined 
+    - item.state != 'delete'

 - name: "[NGINX] - Delete vhosts"
  file:
@ -23,16 +48,36 @@
    state: absent
  notify:
      - reload nginx
-  when: item.state is defined and item.state == 'delete'
+  when: 
+    - item.state is defined
+    - item.state == 'delete'

- name: "[NGINX] - Enable vhosts"
+- name: "[NGINX] - Enable HTTPS vhosts"
  file:
    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
    state: link
  notify:
      - reload nginx
-  when: item.state is defined and item.state == 'enable'
+  when:
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.skipped == 'false'
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state == 'enable'
+
+- name: "[NGINX] - Enable HTTP vhosts"
+  file:
+    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
+    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
+    state: link
+  notify:
+      - reload nginx
+  when:
+    - item.ssl_name is not defined 
+    - item.state is defined
+    - item.state == 'enable'

 - name: "[NGINX] - Disable vhosts"
  file:
@ -40,7 +85,10 @@
    state: absent
  notify:
      - reload nginx
-  when: item.state is defined and (item.state == 'disable' or item.state == 'delete')
+  when: 
+    - item.state is defined
+    - item.state == 'disable' 
+    - item.state == 'delete'

 - name: "[NGINX] - Delete default vhost when explicitely defined"
  file:
@ -50,10 +98,31 @@
    - reload nginx
  when: nginx_default_vhost is not none

- name: "[NGINX] - Create maintenance vhosts"
+- name: "[NGINX] - Create HTTPS maintenance vhosts"
  template:
    src: etc/nginx/sites-available/maintenance.j2
    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
  notify:
      - reload nginx
-  when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true') 
+  when: 
+    - item.ssl_name is defined
+    - cert_exists is defined
+    - cert_exists.skipped == 'false'
+    - cert_exists.stat.exists
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true' 
+
+- name: "[NGINX] - Create HTTP maintenance vhosts"
+  template:
+    src: etc/nginx/sites-available/maintenance.j2
+    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
+  notify:
+      - reload nginx
+  when: 
+    - item.ssl_name is not defined
+    - item.state is defined
+    - item.state != 'delete'
+    - item.maintenance is defined
+    - item.maintenance == 'true'