[ansible][attitude-adjuster] https!

5 years ago · df63295ef9
parent 685d029806
commit df63295ef9
3 changed files with 87 additions and 10 deletions
--- a/ansible/attitude-adjuster/external.conf
+++ b/ansible/attitude-adjuster/external.conf
@ -0,0 +1,22 @@
+$HTTP["host"] == "{{ fqdn }}" {
+  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
+  setenv.add-environment = ("fqdn" => "true")
+
+  # Enable the SSL engine with a LE cert, only for this specific host
+  $SERVER["socket"] == ":443" {
+    ssl.engine = "enable"
+    ssl.pemfile = "/etc/letsencrypt/live/{{ fqdn }}/combined.pem"
+    ssl.ca-file =  "/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem"
+    ssl.honor-cipher-order = "enable"
+    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
+    ssl.use-sslv2 = "disable"
+    ssl.use-sslv3 = "disable"
+  }
+
+  # Redirect HTTP to HTTPS
+  $HTTP["scheme"] == "http" {
+    $HTTP["host"] =~ ".*" {
+      url.redirect = (".*" => "https://%0$0")
+    }
+  }
+}
--- a/ansible/attitude-adjuster/main.yml
+++ b/ansible/attitude-adjuster/main.yml
@ -88,16 +88,7 @@
        name: fail2ban
        state: reloaded

-# Pi-Hole
-
- hosts: attitude-adjuster
-  tasks:
-
-    - name: clone the pi-hole repo
-      git:
-        repo: https://github.com/pi-hole/pi-hole.git
-        dest: ~/src/pi-hole
-        depth: 1
+- import_playbook: pihole.yml

 # ddclient

--- a/ansible/attitude-adjuster/pihole.yml
+++ b/ansible/attitude-adjuster/pihole.yml
@ -0,0 +1,64 @@
+# https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
+
+- hosts: attitude-adjuster
+  vars_files:
+    - vars.yml.private
+  tasks:
+
+    - name: install certbot
+      package:
+        name: certbot
+        state: present
+      become: yes
+
+    - name: clone the pi-hole repo
+      git:
+        repo: https://github.com/pi-hole/pi-hole.git
+        dest: ~/src/pi-hole
+        depth: 1
+
+    - name: obtain ssl certificates
+      command: >-
+        certbot certonly
+        --webroot --webroot-path /var/www/html
+        -d {{ fqdn }}
+        -m alpha+lets.encrypt@kejadlen.dev
+        --agree-tos
+        --non-interactive
+      args:
+        creates: /etc/letsencrypt/live/{{ fqdn }}
+      become: yes
+
+    - name: create combined pemfile
+      shell: >-
+        cat /etc/letsencrypt/live/{{ fqdn }}/privkey.pem
+        /etc/letsencrypt/live/{{ fqdn }}/cert.pem >
+        /etc/letsencrypt/live/{{ fqdn }}/combined.pem
+      args:
+        creates: /etc/letsencrypt/live/{{ fqdn }}/combined.pem
+      become: yes
+
+    - name: let lighttpd read the pemfile
+      file:
+        path: /etc/letsencrypt/live/{{ fqdn }}
+        state: directory
+        recurse: yes
+        owner: www-data
+      become: yes
+
+    - name: update lighttpd configuration
+      template:
+        src: external.conf
+        dest: /etc/lighttpd/external.conf
+      become: yes
+      notify: restart lighttpd
+
+  handlers:
+    - name: restart lighttpd
+      service:
+        name: lighttpd
+        state: restarted
+      become: yes
+
+
+