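# @nocommit: job to periodically update the certs
#
# Deploys a minimal nginx vhost that serves a single random key file over
# HTTPS + HTTP basic auth, for a TrueNAS host to fetch at unlock time.
#
# Security-relevant assumptions (verify before deploying):
#   * the TLS private key is read only by the nginx master (runs as root),
#     so it is installed root:root 0600 -- never world-readable;
#   * htpasswd_password MUST come from ansible-vault; the play refuses to
#     run with an empty value, since an empty basic-auth password would make
#     the key endpoint effectively unauthenticated;
#   * the rate limit applies to every request on the vhost, not only to
#     failed logins (the zone name "authfail" is historical).
---
- name: Deploy Nginx-based key server for TrueNAS unlock
  hosts: keyserver
  become: true
  vars:
    server_name: "keyserver.viktorbarzin.me"
    key_filename: "truenas.key"
    htpasswd_user: "truenas"
    htpasswd_password: ""  # replace with vault (play asserts it is non-empty)
    ssl_cert_path: "/etc/ssl/certs/keyserver.crt"
    ssl_key_path: "/etc/ssl/private/keyserver.key"
    local_ssl_cert: "../../../secrets/fullchain.pem"  # LOCAL path
    local_ssl_key: "../../../secrets/privkey.pem"  # LOCAL path

  tasks:
    - name: Refuse to deploy with an empty basic-auth password
      assert:
        that:
          - htpasswd_password | length > 0
        fail_msg: "htpasswd_password is empty; set it via ansible-vault before running this play"

    - name: Install packages
      apt:
        name:
          - nginx
          - apache2-utils
          - python3-passlib
        state: present
        update_cache: true

    # NOTE(review): bcrypt hashes require nginx's crypt() to be backed by
    # libxcrypt (the case on current Debian/Ubuntu); on older glibc-only
    # hosts nginx cannot verify them -- confirm on the target.
    - name: Create basic-auth file
      community.general.htpasswd:
        path: /etc/nginx/.htpasswd
        name: "{{ htpasswd_user }}"
        password: "{{ htpasswd_password }}"
        crypt_scheme: bcrypt
        owner: root
        group: www-data
        mode: '0640'
      no_log: true

    - name: Create key directory
      file:
        path: /srv/keys
        state: directory
        owner: root
        group: root
        mode: '0755'

    # The `command` module does not interpret shell redirection, so `>` would
    # be passed to head as a filename; this needs `shell`. umask 077 keeps the
    # freshly written key from being world-readable before the mode is fixed.
    - name: Create key file if it doesn't exist
      shell: "umask 077 && head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"
      args:
        creates: "/srv/keys/{{ key_filename }}"

    - name: Set key file permissions
      file:
        path: "/srv/keys/{{ key_filename }}"
        owner: www-data
        group: www-data
        mode: '0640'

    - name: Enable info logging in nginx.conf
      lineinfile:
        path: /etc/nginx/nginx.conf
        regexp: '^(\s*)error_log'
        line: '    error_log /var/log/nginx/error.log info;'
        insertafter: 'http {'
      notify: reload nginx

    - name: Ensure rate limit config exists
      copy:
        dest: /etc/nginx/conf.d/ratelimit.conf
        content: |
          limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m;
      notify: reload nginx

    # Certificate and key are installed before the vhost that references them
    # so that `nginx -t` below never sees a dangling ssl_certificate path.
    - name: Copy SSL certificate to server
      copy:
        src: "{{ local_ssl_cert }}"
        dest: "{{ ssl_cert_path }}"
        owner: root
        group: root
        mode: '0644'
      notify: reload nginx

    - name: Copy SSL private key to server
      copy:
        src: "{{ local_ssl_key }}"
        dest: "{{ ssl_key_path }}"
        owner: root
        group: root
        mode: '0600'  # private key: readable by root (nginx master) only
      notify: reload nginx

    - name: Deploy keyserver nginx site
      copy:
        dest: /etc/nginx/sites-available/keyserver.conf
        content: |
          server {
              listen 443 ssl;
              server_name {{ server_name }};
              server_tokens off;

              ssl_certificate {{ ssl_cert_path }};
              ssl_certificate_key {{ ssl_key_path }};
              ssl_protocols TLSv1.2 TLSv1.3;
              ssl_prefer_server_ciphers on;

              # applies to every request on this vhost, not only auth failures
              limit_req zone=authfail burst=2 nodelay;

              location /keys/ {
                  alias /srv/keys/;
                  auth_basic "Restricted";
                  auth_basic_user_file /etc/nginx/.htpasswd;
                  autoindex off;
                  add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
              }

              # nothing else is served from this host; do not fall through to
              # the package default document root
              location / {
                  return 404;
              }
          }
      notify: reload nginx

    - name: Enable keyserver site
      file:
        src: /etc/nginx/sites-available/keyserver.conf
        dest: /etc/nginx/sites-enabled/keyserver.conf
        state: link
      notify: reload nginx

    - name: Remove default site
      file:
        path: /etc/nginx/sites-enabled/default
        state: absent
      notify: reload nginx

    # - name: Create self-signed SSL certificate if missing
    #   command: >
    #     openssl req -x509 -newkey rsa:2048 -nodes
    #     -keyout {{ ssl_key_path }}
    #     -out {{ ssl_cert_path }}
    #     -days 365
    #     -subj "/CN={{ server_name }}"
    #   args:
    #     creates: "{{ ssl_cert_path }}"
    #   notify: reload nginx

    - name: Test nginx config
      command: nginx -t
      register: nginx_test
      changed_when: false
      failed_when: "nginx_test.rc != 0 or 'successful' not in nginx_test.stderr"

    - name: Ensure nginx is running
      service:
        name: nginx
        state: started
        enabled: true

  handlers:
    - name: reload nginx
      service:
        name: nginx
        state: reloaded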