[ansible][attitude-adjuster] https!

pull/28/head
Alpha Chen 5 years ago
parent 685d029806
commit df63295ef9

@ -0,0 +1,22 @@
$HTTP["host"] == "{{ fqdn }}" {
# Ensure the Pi-hole Block Page knows that this is not a blocked domain
setenv.add-environment = ("fqdn" => "true")
# Enable the SSL engine with a LE cert, only for this specific host
$SERVER["socket"] == ":443" {
ssl.engine = "enable"
ssl.pemfile = "/etc/letsencrypt/live/{{ fqdn }}/combined.pem"
ssl.ca-file = "/etc/letsencrypt/live/{{ fqdn }}/fullchain.pem"
ssl.honor-cipher-order = "enable"
ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
ssl.use-sslv2 = "disable"
ssl.use-sslv3 = "disable"
}
# Redirect HTTP to HTTPS
$HTTP["scheme"] == "http" {
$HTTP["host"] =~ ".*" {
url.redirect = (".*" => "https://%0$0")
}
}
}
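Review bot: The `$SERVER["socket"] == ":443"` block sets no minimum TLS version. `ssl.use-sslv2` and `ssl.use-sslv3 = "disable"` only rule out SSL, so whether TLS 1.0 and 1.1 are still offered depends on the lighttpd and OpenSSL defaults on the host. If the installed lighttpd is 1.4.48 or later, pin the floor explicitly with `ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.2")`. The cipher string also admits CBC suites through `AES256+EECDH:AES256+EDH`, and the `EDH` entries fall back to lighttpd's built-in DH parameters because no `ssl.dh-file` is set; if every client is modern, reducing the list to `EECDH+AESGCM` would be tighter. A one-line comment above `ssl.pemfile` saying that `combined.pem` contains the private key would also help the next reader.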

@ -88,16 +88,7 @@
name: fail2ban name: fail2ban
state: reloaded state: reloaded
# Pi-Hole - import_playbook: pihole.yml
- hosts: attitude-adjuster
tasks:
- name: clone the pi-hole repo
git:
repo: https://github.com/pi-hole/pi-hole.git
dest: ~/src/pi-hole
depth: 1
# ddclient # ddclient

@ -0,0 +1,64 @@
# https://discourse.pi-hole.net/t/enabling-https-for-your-pi-hole-web-interface/5771
- hosts: attitude-adjuster
vars_files:
- vars.yml.private
tasks:
- name: install certbot
package:
name: certbot
state: present
become: yes
- name: clone the pi-hole repo
git:
repo: https://github.com/pi-hole/pi-hole.git
dest: ~/src/pi-hole
depth: 1
- name: obtain ssl certificates
command: >-
certbot certonly
--webroot --webroot-path /var/www/html
-d {{ fqdn }}
-m alpha+lets.encrypt@kejadlen.dev
--agree-tos
--non-interactive
args:
creates: /etc/letsencrypt/live/{{ fqdn }}
become: yes
- name: create combined pemfile
shell: >-
cat /etc/letsencrypt/live/{{ fqdn }}/privkey.pem
/etc/letsencrypt/live/{{ fqdn }}/cert.pem >
/etc/letsencrypt/live/{{ fqdn }}/combined.pem
args:
creates: /etc/letsencrypt/live/{{ fqdn }}/combined.pem
become: yes
- name: let lighttpd read the pemfile
file:
path: /etc/letsencrypt/live/{{ fqdn }}
state: directory
recurse: yes
owner: www-data
become: yes
- name: update lighttpd configuration
template:
src: external.conf
dest: /etc/lighttpd/external.conf
become: yes
notify: restart lighttpd
handlers:
- name: restart lighttpd
service:
name: lighttpd
state: restarted
become: yes
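Review bot: The `create combined pemfile` task is guarded by `creates: /etc/letsencrypt/live/{{ fqdn }}/combined.pem`, so once the file exists it is never rebuilt. After certbot renews, `privkey.pem` and `cert.pem` change but lighttpd keeps serving the original certificate until it expires. Nothing in this hunk rebuilds the file or reloads lighttpd on renewal; a script under `/etc/letsencrypt/renewal-hooks/deploy/` (or certbot's `--deploy-hook`) that regenerates `combined.pem` and reloads the service would close that gap. Separately, the shell redirect creates `combined.pem` under the default umask, and the recursive `owner: www-data` then hands the private key to the web server account. lighttpd normally reads the pemfile at startup before dropping privileges (worth confirming on this host), in which case a `file` task on the pemfile with `owner: root` and `mode: "0600"` would be enough.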