add static site

deploy-static.yml

@@ -0,0 +1,4 @@
+- name: static setup
+  hosts: static
+  roles:
+    - static

inventory

@@ -51,3 +51,6 @@ europa  ansible_user=root ansible_connection=ssh
 
 [gitea]
 nijika  ansible_user=root ansible_connection=ssh
+
+[static]
+levi  ansible_user=root ansible_connection=ssh

roles/private/tasks/main.yml

@@ -84,11 +84,8 @@
 - name: reload nginx to activate sites
   service: name=nginx state=restarted
 
-- name: add daily letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
+- name: add daily renewal
   cron:
-    name: "letsencrypt_renewal_{{ item.stdout }}"
-    minute: "0"
-    hour: "5,17"
-    job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
-  loop: "{{ extracted_domains.results }}"
-  when: item.stdout != ""
+    name: "letsencrypt_renewal"
+    special_time: "daily"
+    job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --force-renewal"

roles/static/tasks/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: clone static repo
+  git:
+    repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
+    dest: /var/www/html/static.simponic.xyz
+    clone: yes
+    update: yes

roles/webservers/files/levi/http.static.simponic.xyz.conf

@@ -0,0 +1,13 @@
+server {
+  listen 80;
+  server_name static.simponic.xyz;
+
+  location /.well-known/acme-challenge {
+    root /var/www/letsencrypt;
+    try_files $uri $uri/ =404;
+  }
+
+  location / {
+    rewrite ^ https://static.simponic.xyz$request_uri? permanent;
+  }
+}

roles/webservers/files/levi/https.static.simponic.xyz.conf

@@ -0,0 +1,25 @@
+server {
+  listen 443 ssl;
+  server_name static.simponic.xyz;
+
+  ssl_certificate         /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
+  ssl_certificate_key     /etc/letsencrypt/live/static.simponic.xyz/privkey.pem;
+  ssl_trusted_certificate /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
+
+  ssl_session_cache shared:SSL:50m;
+  ssl_session_timeout 5m;
+  ssl_stapling on;
+  ssl_stapling_verify on;
+
+  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+  ssl_dhparam /etc/nginx/dhparams.pem;
+  ssl_prefer_server_ciphers on;
+
+  root /var/www/html/static.simponic.xyz;
+
+  location / {
+    try_files $uri $uri/ $uri.html =404;
+  }
+}