diff --git a/group_vars/vpn.yml b/group_vars/vpn.yml index ea2f63d..eb264d0 100644 --- a/group_vars/vpn.yml +++ b/group_vars/vpn.yml @@ -1,19 +1,2 @@ -headscale_version: '0.22.3' -headscale_arch: 'amd64' -headscale_user_name: 'headscale' -headscale_user_group: '{{ headscale_user_name }}' -headscale_user_uid: '800' -headscale_user_gid: '{{ headscale_user_uid }}' - -headscale_binary_path: '/usr/local/bin/headscale' -headscale_config_dir: '/etc/headscale' -headscale_var_data_dir: '/var/lib/headscale' -headscale_pid_dir: '/var/run/headscale' -headscale_directories: - - '{{ headscale_config_dir }}' - - '{{ headscale_var_data_dir }}' - - '{{ headscale_pid_dir }}' - +--- headscale_users: ['simponic'] -headscale_enable_routes: [] -headscale_exit_nodes: [] diff --git a/group_vars/webservers.yml b/group_vars/webservers.yml new file mode 100644 index 0000000..6ac1436 --- /dev/null +++ b/group_vars/webservers.yml @@ -0,0 +1,2 @@ +--- +letsencrypt_email: 'elizabeth.hunt@simponic.xyz' diff --git a/roles/vpn/tasks/main.yml b/roles/vpn/tasks/main.yml index 4f6bcca..6ad0c57 100644 --- a/roles/vpn/tasks/main.yml +++ b/roles/vpn/tasks/main.yml @@ -31,6 +31,12 @@ group: root mode: 0700 +- name: ensure headscale users + shell: | + docker exec headscale headscale user create "{{ item }}" + with_items: + - "{{ headscale_users }}" + - name: daemon-reload and enable headscale ansible.builtin.systemd_service: state: restarted diff --git a/roles/webservers/files/levi/.gitkeep b/roles/webservers/files/levi/.gitkeep new file mode 100644 index 0000000..e69de29 diff --git a/roles/webservers/files/nginx.conf b/roles/webservers/files/nginx.conf new file mode 100644 index 0000000..6ddd8ab --- /dev/null +++ b/roles/webservers/files/nginx.conf @@ -0,0 +1,26 @@ +user www-data; +worker_processes 4; +pid /run/nginx.pid; + +events { + worker_connections 768; +} + +http { + sendfile on; + tcp_nopush on; + tcp_nodelay on; + keepalive_timeout 65; + types_hash_max_size 2048; + include /etc/nginx/mime.types; + default_type application/octet-stream; + + access_log /var/log/nginx/access.log; + error_log /var/log/nginx/error.log; + + gzip on; + gzip_disable "msie6"; + + include /etc/nginx/conf.d/*.conf; + include /etc/nginx/sites-enabled/*; +} diff --git a/roles/webservers/files/nijika/headscale.simponic.xyz b/roles/webservers/files/nijika/headscale.simponic.xyz deleted file mode 100644 index 442a2ac..0000000 --- a/roles/webservers/files/nijika/headscale.simponic.xyz +++ /dev/null @@ -1,48 +0,0 @@ -server { - server_name headscale.simponic.xyz; - - location /web { - proxy_pass https://127.0.0.1:9443; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $server_name; - proxy_redirect http:// https://; - proxy_buffering off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - } - - location / { - proxy_pass https://127.0.0.1:27896; - proxy_http_version 1.1; - proxy_set_header Upgrade $http_upgrade; - proxy_set_header Connection $connection_upgrade; - proxy_set_header Host $server_name; - proxy_redirect http:// https://; - proxy_buffering off; - proxy_set_header X-Real-IP $remote_addr; - proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; - proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; - add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; - } - - listen 443 ssl; # managed by Certbot - ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; # managed by Certbot - ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem; # managed by Certbot - include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot - ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot - keepalive_timeout 70; -} - -server { - if ($host = headscale.simponic.xyz) { - return 301 https://$host$request_uri; - } # managed by Certbot - - server_name headscale.simponic.xyz; - listen 80; - return 404; # managed by Certbot -} diff --git a/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf new file mode 100644 index 0000000..7bfaf44 --- /dev/null +++ b/roles/webservers/files/nijika/http.headscale.simponic.xyz.conf @@ -0,0 +1,15 @@ +server_tokens off; + +server { + listen 80 default_server; + server_name headscale.simponic.xyz; + + location /.well-known/acme-challenge { + root /var/www/letsencrypt; + try_files $uri $uri/ =404; + } + + location / { + rewrite ^ https://headscale.simponic.xyz$request_uri? permanent; + } +} diff --git a/roles/webservers/files/nijika/https.headscale.simponic.xyz.conf b/roles/webservers/files/nijika/https.headscale.simponic.xyz.conf new file mode 100644 index 0000000..b078672 --- /dev/null +++ b/roles/webservers/files/nijika/https.headscale.simponic.xyz.conf @@ -0,0 +1,46 @@ +server { + listen 443 ssl; + server_name headscale.simponic.xyz; + + ssl_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; + ssl_certificate_key /etc/letsencrypt/live/headscale.simponic.xyz/privkey.pem; + ssl_trusted_certificate /etc/letsencrypt/live/headscale.simponic.xyz/fullchain.pem; + + ssl_session_cache shared:SSL:50m; + ssl_session_timeout 5m; + ssl_stapling on; + ssl_stapling_verify on; + + ssl_protocols TLSv1 TLSv1.1 TLSv1.2; + ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"; + + ssl_dhparam /etc/nginx/dhparams.pem; + ssl_prefer_server_ciphers on; + + location /web { + proxy_pass https://127.0.0.1:9443; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $server_name; + proxy_redirect http:// https://; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } + + location / { + proxy_pass http://127.0.0.1:27896; + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection "upgrade"; + proxy_set_header Host $server_name; + proxy_buffering off; + proxy_set_header X-Real-IP $remote_addr; + proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; + proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; + add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always; + } +} diff --git a/roles/webservers/tasks/main.yml b/roles/webservers/tasks/main.yml index 680b050..03fba22 100644 --- a/roles/webservers/tasks/main.yml +++ b/roles/webservers/tasks/main.yml @@ -15,4 +15,76 @@ service: name=ufw state=restarted enabled=yes - name: install nginx - apt: name=nginx status=latest + apt: name=nginx state=latest + +- name: install letsencrypt + apt: name=letsencrypt state=latest + +- name: create letsencrypt directory + file: name=/var/www/letsencrypt state=directory + +- name: remove default nginx + file: name=/etc/nginx/sites-enabled/default state=absent + +- name: generate dhparams + shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048 + args: + creates: /etc/nginx/dhparams.pem + +- name: add system nginx config + template: + src: ../files/nginx.conf + dest: /etc/nginx/nginx.conf + +- name: copy http nginx configuration for each domain + copy: + src: "{{ item }}" + dest: "/etc/nginx/sites-enabled/" + with_fileglob: + - "files/{{ inventory_hostname }}/http.*.conf" + +- name: restart nginx to get letsencrypt certificate + service: name=nginx state=restarted enabled=yes + +- name: find deployed domains + ansible.builtin.find: + paths: "/etc/nginx/sites-enabled/" + patterns: "http.*.conf" + register: nginx_conf_files + delegate_to: "{{ inventory_hostname }}" + +- name: extract domains from deployed nginx configurations + shell: | + grep -oP 'server_name\s+\K[^;]+' "{{ item.path }}" + loop: "{{ nginx_conf_files.files }}" + register: extracted_domains + +- name: request letsencrypt certificate + shell: > + letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} \ + --agree-tos -d {{ item.stdout }} + args: + creates: "/etc/letsencrypt/live/{{ item.stdout }}" + loop: "{{ extracted_domains.results }}" + when: item.stdout != "" + +- name: copy https nginx configuration for each domain + copy: + src: "{{ item }}" + dest: "/etc/nginx/sites-enabled/" + with_fileglob: + - "files/{{ inventory_hostname }}/https.*.conf" + +- name: reload nginx to activate sites + service: name=nginx state=restarted + +- name: add monthly letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits + cron: + name: "letsencrypt_renewal_{{ item.stdout }}" + day: "{{ '%02d' | format(1 + (item.stdout | hash('md5') | int(0, 16) % 27)) }}" + hour: "{{ (item.stdout | hash('md5') | int(0, 16) % 24 ) }}" + minute: "{{ (item.stdout | hash('md5') | int(0, 16) % 60 ) }}" + job: "letsencrypt renew --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos && service nginx reload" + loop: "{{ extracted_domains.results }}" + when: item.stdout != "" +