cleaned up and streamlined the wildcard cert creation process

Merge branch 'main' into wildcard
deploy with machine_name
2023-12-29 18:26:59 +01:00 · 2023-12-29 14:11:16 +00:00 · 2023-12-03 12:17:02 +01:00 · 2023-11-26 12:12:42 +01:00 · 2023-11-26 12:12:09 +01:00
5 changed files with 83 additions and 98 deletions
--- a/README.MD
+++ b/README.MD
@ -38,11 +38,58 @@ nginx_vhosts:
      - 'fastcgi_pass unix:{{ pool_listen }};'
    state: 'enable'
    letsencrypt: 'false'
-```
+  
+  # Selfsigned cert example:
+   - name: 'privatebin.example.com'
+     template: 'privatebin'
+     proto: 'https'
+     listen: '443'
+     root: 'privatebin'
+     index: 'index.php'
+     ssl_name: 'bin.example.com'
+     selfsigned: 'true'
+     use_access_log: 'false'
+     use_error_log: 'true'
+     nginx_error_log_level: 'warn'
+     upstream_params:
+       - 'fastcgi_pass unix:{{ pool_listen }};'
+       - 'fastcgi_index index.php;'
+       - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
+     header_xframe: 'none'
+     header_cto: 'none'
+     file_cache:
+       - cache: 'max=1000 inactive=20s'
+         valid: '30s'
+         min_users: '2'
+         cache_errors: 'on'
+     state: 'enable'
+     letsencrypt: 'false'

-## Changelog
- **04.03.2021** - Modyfied header info for proxy (locations), and core templates
- **26.01.2021** - Rewritten templates structure
- **02.12.2020** - conversejs template
- **14.12.2019** - Start changelog
- **14.12.2019** - Updated hubzilla,privatebin, framadate template
+  # Selfsigned wildcard cert example:
+   - name: 'privatebin.example.com'
+     template: 'privatebin'
+     proto: 'https'
+     listen: '443'
+     root: 'privatebin'
+     index: 'index.php'
+     wildcard: 'true' #enable wildcard
+     ssl_name: 'wildcard.example.com' #specify direcotry name for wildcard cert
+     domain_name: 'example.com' #domain name to create the cert for: *.example.com
+     selfsigned: 'true'
+     use_access_log: 'false'
+     use_error_log: 'true'
+     nginx_error_log_level: 'warn'
+     upstream_params:
+       - 'fastcgi_pass unix:{{ pool_listen }};'
+       - 'fastcgi_index index.php;'
+       - 'fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;'
+     header_xframe: 'none'
+     header_cto: 'none'
+     file_cache:
+       - cache: 'max=1000 inactive=20s'
+         valid: '30s'
+         min_users: '2'
+         cache_errors: 'on'
+     state: 'enable'
+     letsencrypt: 'false'
+```
--- a/tasks/ssl.yml
+++ b/tasks/ssl.yml
@ -76,7 +76,7 @@
    state: directory
    mode: 0755
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.selfsigned == 'true' 
  notify: reload nginx

 - name: '[SELFSIGNED] - Create a self-signed key'
@ -85,15 +85,25 @@
    size: 2048
    type: RSA
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' 
  notify: reload nginx

 - name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR)'
  openssl_csr:
-    path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
+    path: '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
    privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
  with_items: "{{ nginx_vhosts }}"
-  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'  and (item.wildcard is not defined or item.wildcard != 'true')
+  notify: reload nginx
+
+- name: '[SELFSIGNED] - Generate OpenSSL Certificate Signing Request (CSR) for wildcard'
+  openssl_csr:
+    path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/selfsigned.crs'
+    privatekey_path:  '{{ ssl_src_path }}/{{ item.ssl_name }}/privkey.pem'
+    common_name: "*.{{ item.domain_name }}"
+    subject_alt_name: "DNS:*.{{ item.domain_name }}"
+  with_items: "{{ nginx_vhosts }}"
+  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true' and item.wildcard is defined and item.wildcard == 'true'
  notify: reload nginx

 - name: '[SELFSIGNED] - Create a self-signed certificate'
@ -105,3 +115,4 @@
  with_items: "{{ nginx_vhosts }}"
  when: item.selfsigned is defined and item.state == 'enable' and item.selfsigned == 'true'
  notify: reload nginx
+
--- a/tasks/vhost.yml
+++ b/tasks/vhost.yml
@ -3,44 +3,19 @@
  slurp:
    src: "/var/lib/tor/{{ item.name }}/hostname"
  register: "onion_address"
-  when:  
-    - item.onion is defined
-    - item.onion == 'true'
+  when:  item.onion is defined and item.onion == 'true'

 - name: "[NGINX] - Set fact"
  set_fact:
    enable_tor: 'false'
-    
- name: "[NGINX] - Check if the certificate for the vhost exists"
-  stat:
-    path: '{{ nginx_ssl_dir }}/{{ item.name }}/privkey.pem'
-  register: cert_exists
-  when:
-    - item.ssl_name is defined

- name: "[NGINX] - Create HTTPS vhosts"
+- name: "[NGINX] - Create vhosts"
  template:
    src: etc/nginx/sites-available/{{ item.template }}.j2
    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
  notify:
      - reload nginx
-  when: 
-    - item.ssl_name is defined
-    - cert_exists is defined
-    - cert_exists.stat.exists 
-    - item.state is defined 
-    - item.state != 'delete'
-
- name: "[NGINX] - Create HTTP vhosts"
-  template:
-    src: etc/nginx/sites-available/{{ item.template }}.j2
-    dest: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
-  notify:
-      - reload nginx
-  when: 
-    - item.ssl_name is not defined
-    - item.state is defined 
-    - item.state != 'delete'
+  when: item.state is defined and item.state != 'delete'

 - name: "[NGINX] - Delete vhosts"
  file:
@ -48,35 +23,16 @@
    state: absent
  notify:
      - reload nginx
-  when: 
-    - item.state is defined
-    - item.state == 'delete'
+  when: item.state is defined and item.state == 'delete'

- name: "[NGINX] - Enable HTTPS vhosts"
+- name: "[NGINX] - Enable vhosts"
  file:
    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
    state: link
  notify:
      - reload nginx
-  when:
-    - item.ssl_name is defined
-    - cert_exists is defined
-    - cert_exists.stat.exists
-    - item.state is defined
-    - item.state == 'enable'
-
- name: "[NGINX] - Enable HTTP vhosts"
-  file:
-    src: "{{ nginx_etc_dir }}/sites-available/{{ item.name }}"
-    dest: "{{ nginx_etc_dir }}/sites-enabled/{{ item.name }}"
-    state: link
-  notify:
-      - reload nginx
-  when:
-    - item.ssl_name is not defined 
-    - item.state is defined
-    - item.state == 'enable'
+  when: item.state is defined and item.state == 'enable'

 - name: "[NGINX] - Disable vhosts"
  file:
@ -84,10 +40,7 @@
    state: absent
  notify:
      - reload nginx
-  when: 
-    - item.state is defined
-    - item.state == 'disable' 
-    - item.state == 'delete'
+  when: item.state is defined and (item.state == 'disable' or item.state == 'delete')

 - name: "[NGINX] - Delete default vhost when explicitely defined"
  file:
@ -97,30 +50,10 @@
    - reload nginx
  when: nginx_default_vhost is not none

- name: "[NGINX] - Create HTTPS maintenance vhosts"
+- name: "[NGINX] - Create maintenance vhosts"
  template:
    src: etc/nginx/sites-available/maintenance.j2
    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
  notify:
      - reload nginx
-  when: 
-    - item.ssl_name is defined
-    - cert_exists is defined
-    - cert_exists.stat.exists
-    - item.state is defined
-    - item.state != 'delete'
-    - item.maintenance is defined
-    - item.maintenance == 'true' 
-
- name: "[NGINX] - Create HTTP maintenance vhosts"
-  template:
-    src: etc/nginx/sites-available/maintenance.j2
-    dest: "{{ nginx_etc_dir }}/sites-available/maintenance-{{ item.name }}"
-  notify:
-      - reload nginx
-  when: 
-    - item.ssl_name is not defined
-    - item.state is defined
-    - item.state != 'delete'
-    - item.maintenance is defined
-    - item.maintenance == 'true' 
+  when: (item.state is defined) and (item.state != 'delete') and (item.maintenance is defined) and (item.maintenance == 'true') 
--- a/templates/etc/nginx/sites-available/core.j2
+++ b/templates/etc/nginx/sites-available/core.j2
@ -20,10 +20,8 @@ server {
 {% endif %}
 {% if item.proto == 'https' %}
  listen {{ item.listen }} ssl {% if item.http2 is defined %}http2{% endif %};
-
  ssl_certificate {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'fullchain.pem' + ';' }}
  ssl_certificate_key {{ nginx_ssl_dir + '/' + item.ssl_name + '/' + 'privkey.pem;' }}
-
 {% endif %}
  server_tokens off;
 {% if item.max_upload is defined %}
--- a/templates/etc/nginx/sites-available/cryptpad.j2
+++ b/templates/etc/nginx/sites-available/cryptpad.j2
@ -5,10 +5,6 @@
 {% extends "core.j2" %}

 {% block app_specific %}
-
-    # Include mime.types to be able to support .mjs files (see "types" below)
-    include mime.types;
-
    # CryptPad serves static assets over these two domains.
    # `main_domain` is what users will enter in their address bar.
    # Privileged computation such as key management is handled in this scope
@ -117,6 +113,11 @@
    # We've applied other sandboxing techniques to mitigate the risk of running WebAssembly in this privileged scope
    if ($uri ~ ^\/unsafeiframe\/inner\.html.*$) { set $unsafe 1; }

+    # draw.io uses inline script tags in it's index.html. The hashes are added here.
+    if ($uri ~ ^\/components\/drawio\/src\/main\/webapp\/index.html.*$) {
+        set $scriptSrc "'self' 'sha256-dLMFD7ijAw6AVaqecS7kbPcFFzkxQ+yeZSsKpOdLxps=' 'sha256-6g514VrT/cZFZltSaKxIVNFF46+MFaTSDTPB8WfYK+c=' resource: https://${main_domain}";
+    }
+
    # privileged contexts allow a few more rights than unprivileged contexts, though limits are still applied
    if ($unsafe) {
        set $scriptSrc "'self' 'unsafe-eval' 'unsafe-inline' resource: https://${main_domain}";
@ -125,11 +126,6 @@
    # Finally, set all the rules you composed above.
    add_header Content-Security-Policy "default-src 'none'; child-src $childSrc; worker-src $workerSrc; media-src $mediaSrc; style-src $styleSrc; script-src $scriptSrc; connect-src $connectSrc; font-src $fontSrc; img-src $imgSrc; frame-src $frameSrc; frame-ancestors $frameAncestors";

-    # Add support for .mjs files used by pdfjs
-    types {
-        application/javascript mjs;
-    }
-
 {% endblock %}

 {% block root %}
Author	SHA1	Message	Date
muppeth	fb2dde1d7d	cleaned up and streamlined the wildcard cert creation process	2023-12-29 18:26:59 +01:00
muppeth	41b95fb710	Merge branch 'main' into wildcard	2023-12-29 14:11:16 +00:00
meaz	bc560888db	deploy with machine_name	2023-12-03 12:17:02 +01:00
meaz	b82921e642	set server name to wildcard when wildcard set	2023-11-26 12:12:42 +01:00
meaz	8b9468191a	add subject_alt_name and CN when wildcard declared	2023-11-26 12:12:09 +01:00