ansible: Improve SSL cert config

Author: Mauve Signweaver

ansible/roles/distributed_press/defaults/main.yml

@@ -14,11 +14,12 @@ distributed_press_host: "localhost"
 distributed_press_ipfs_provider: "builtin"
 
 distributed_press_git_repo: "https://github.com/hyphacoop/api.distributed.press.git"
-distributed_press_git_branch: "v2.1.4"
+distributed_press_git_branch: "v2.1.6"
 distributed_press_source: "{{distributed_press_home}}/api.distributed.press"
 
 distributed_press_domain: "example.com"
 distributed_press_letsencrypt_email: "[email protected]"
+distributed_press_cert_name: "{{distributed_press_domain}}-0001"
 
 # These will be used to be served over nginx along with letsencrypt certs
 distributed_press_served_sites: []

ansible/roles/distributed_press/tasks/main.yml

@@ -183,6 +183,28 @@
 - name: "Enable NGINX firewall"
   shell: "ufw allow 'Nginx Full'"
 
+- name: "Copy over default site config"
+  template:
+    src: nginx-default.j2
+    dest: "/etc/nginx/sites-enabled/default"
+
+- name: "Copy over site config"
+  template:
+    src: nginx-site.j2
+    dest: "/etc/nginx/sites-enabled/{{distributed_press_domain}}"
+
+- name: "Copy over social inbox site config"
+  when: social_inbox_enabled
+  template:
+    src: nginx-social-site.j2
+    dest: "/etc/nginx/sites-enabled/{{social_inbox_domain}}"
+
+- name: "Copy over static site configs"
+  template:
+    src: nginx-static.j2
+    dest: "/etc/nginx/sites-enabled/{{item}}"
+  loop: "{{distributed_press_served_sites}}"
+
 - name: "Reload NGINX"
   systemd:
     daemon_reload: true

ansible/roles/distributed_press/templates/nginx-site.j2

@@ -34,8 +34,8 @@ server {
 
   listen [::]:443 ssl ipv6only=on; # managed by Certbot
   listen 443 ssl; # managed by Certbot
-  ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
-  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 

ansible/roles/distributed_press/templates/nginx-social-site.j2

@@ -37,8 +37,8 @@ server {
 
   listen [::]:443 ssl; # managed by Certbot
   listen 443 ssl; # managed by Certbot
-  ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
-  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 

ansible/roles/distributed_press/templates/nginx-static.j2

@@ -36,8 +36,8 @@ server {
 
   listen [::]:443 ssl; # managed by Certbot
   listen 443 ssl; # managed by Certbot
-  ssl_certificate /etc/letsencrypt/live/{{distributed_press_domain}}/fullchain.pem; # managed by Certbot
-  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_domain}}/privkey.pem; # managed by Certbot
+  ssl_certificate /etc/letsencrypt/live/{{distributed_press_cert_name}}/fullchain.pem; # managed by Certbot
+  ssl_certificate_key /etc/letsencrypt/live/{{distributed_press_cert_name}}/privkey.pem; # managed by Certbot
   include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
   ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
 }