From 84148e368d3804c841d566cd0a8f28263445ef97 Mon Sep 17 00:00:00 2001
From: jaseg
Date: Thu, 28 Mar 2019 01:50:07 +0900
Subject: [PATCH] gerboweb: Add HTTPS via letsencrypt

---
 gerboweb/deploy/nginx.conf | 50 +++++++++++++++---------------------
 gerboweb/deploy/playbook.yml | 17 +++++++++++-
 gerboweb/gerboweb.py | 3 ---
 3 files changed, 36 insertions(+), 34 deletions(-)

diff --git a/gerboweb/deploy/nginx.conf b/gerboweb/deploy/nginx.conf
index 22b3be2..c76a3db 100644
--- a/gerboweb/deploy/nginx.conf
+++ b/gerboweb/deploy/nginx.conf
@@ -39,8 +39,28 @@ http {
 listen 80 default_server;
 listen [::]:80 default_server;
 server_name gerbolyze.jaseg.net;
+ return 301 https://$host$request_uri;
+ }
+
+ server {
+ listen 443 ssl http2 default_server;
+ listen [::]:443 ssl http2 default_server;
+ server_name gerbolyze.jaseg.net;
 root /usr/share/nginx/html;
+ ssl_certificate "/etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem";
+ ssl_certificate_key "/etc/letsencrypt/live/gerbolyze.jaseg.net/privkey.pem";
+ ssl_dhparam "/etc/letsencrypt/ssl-dhparams.pem";
+ include /etc/letsencrypt/options-ssl-nginx.conf;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ resolver 67.207.67.2 67.207.67.3 valid=300s;
+ resolver_timeout 10s;
+
+ add_header Strict-Transport-Security "max-age=86400";
+
 # Load configuration files for the default server block.
 include /etc/nginx/default.d/*.conf;
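Review bot: The HSTS header added near the end of the hunk, `add_header Strict-Transport-Security "max-age=86400";`, commits browsers to HTTPS for only one day and, without the `always` parameter, is only emitted on 2xx/3xx responses, so a single served error page lets the policy lapse; once the HTTPS deployment is confirmed to work, raise it to something like `add_header Strict-Transport-Security "max-age=31536000" always;`. Keep in mind that nginx does not inherit add_header into any location block that sets its own add_header, which matters because this server block also includes /etc/nginx/default.d/*.conf. Separately, nginx refuses to start while the referenced ssl_certificate, ssl_certificate_key and options-ssl-nginx.conf files are missing, and those are presumably created by the playbook's certbot task, so the task ordering on a fresh host is worth confirming. The enclosing http block begins before this hunk.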
@@ -64,35 +84,5 @@ http {
 }
 }
-# Settings for a TLS enabled server.
-#
-# server {
-# listen 443 ssl http2 default_server;
-# listen [::]:443 ssl http2 default_server;
-# server_name _;
-# root /usr/share/nginx/html;
-#
-# ssl_certificate "/etc/pki/nginx/server.crt";
-# ssl_certificate_key "/etc/pki/nginx/private/server.key";
-# ssl_session_cache shared:SSL:1m;
-# ssl_session_timeout 10m;
-# ssl_ciphers PROFILE=SYSTEM;
-# ssl_prefer_server_ciphers on;
-#
-# # Load configuration files for the default server block.
-# include /etc/nginx/default.d/*.conf;
-#
-# location / {
-# }
-#
-# error_page 404 /404.html;
-# location = /40x.html {
-# }
-#
-# error_page 500 502 503 504 /50x.html;
-# location = /50x.html {
-# }
-# }
-
 }
diff --git a/gerboweb/deploy/playbook.yml b/gerboweb/deploy/playbook.yml
index eb4f367..3789c21 100644
--- a/gerboweb/deploy/playbook.yml
+++ b/gerboweb/deploy/playbook.yml
@@ -16,7 +16,7 @@
 - name: Install host requisites
 dnf:
- name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3
+ name: btrfs-progs,arch-install-scripts,nginx,uwsgi,python3-flask,python3-flask-wtf,systemd-container,uwsgi-plugin-python3,certbot,python3-certbot-nginx
 state: latest
 - name: Create container image filesystem
@@ -131,6 +131,21 @@
 src: gerboweb-job-processor.service
 dest: /etc/systemd/system/
+ - name: Set SELinux to permissive mode # FIXME
+ selinux:
+ state: permissive
+ policy: targeted
+
+ - name: Create letsencrypt certificate
+ command: certbot --nginx certonly -d gerbolyze.jaseg.net -n --agree-tos --email gerboweb@jaseg.net
+ args:
+ creates: /etc/letsencrypt/live/gerbolyze.jaseg.net/fullchain.pem
+
+ - name: Enable certbot renewal timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
+
 - name: Enable uwsgi systemd socket
 systemd:
 daemon-reload: yes
diff --git a/gerboweb/gerboweb.py b/gerboweb/gerboweb.py
index 6b579f0..17e03e2 100644
--- a/gerboweb/gerboweb.py
+++ b/gerboweb/gerboweb.py
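Review bot: The `Set SELinux to permissive mode # FIXME` task in the second playbook hunk switches off enforcement for the entire host, persistently (the selinux module writes the boot-time config), which is far broader than the HTTPS feature requires and has no counterpart that ever restores enforcing mode. Instead of shipping it, record the concrete denials with `ausearch -m avc -ts recent` and grant only what nginx and certbot actually need, for example a boolean through the `seboolean` module or a small local policy module, leaving `state: enforcing`. On the `Create letsencrypt certificate` task, `certonly` obtains the certificate but nothing in this hunk reloads nginx after `certbot-renew.timer` renews it, so the running server would keep presenting the expired certificate until restarted; adding `--deploy-hook 'systemctl reload nginx'` to the certbot command stores the hook in the renewal configuration so later renewals are picked up automatically.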
@@ -1,8 +1,5 @@
 #!/usr/bin/env python3
-# TODO create systemd unit file
-# TODO create systemd tmpfiles.d config
-# TODO setup ansible deployment
 # TODO setup webserver user disk quota
 import tempfile