From 0410707a81452d01966a26a0250cbae544339a70 Mon Sep 17 00:00:00 2001 From: Joerg Lehmann Date: Wed, 14 Apr 2021 17:48:16 +0200 Subject: [PATCH] update repos --- README.md | 6 ++++++ ansible/production | 4 ++-- ansible/roles/common/tasks/main.yml | 8 ++++++++ ansible/roles/influxsw/tasks/main.yml | 11 +++++++---- .../telegraf.conf => templates/telegraf.conf.j2} | 2 +- ansible/roles/nginx/handlers/main.yml | 2 +- ansible/roles/nginx/tasks/main.yml | 10 ++++++++-- ansible/roles/nginx/templates/nginx.conf.j2 | 6 +++--- 8 files changed, 36 insertions(+), 13 deletions(-) rename ansible/roles/influxsw/{files/telegraf.conf => templates/telegraf.conf.j2} (87%) diff --git a/README.md b/README.md index 72510ea..a381ebd 100644 --- a/README.md +++ b/README.md @@ -57,18 +57,24 @@ Mailzugang muss auf mail.nbit.ch noch gegeben werden (main.cf)! # curl https://get.acme.sh | sh -s email=info@nbit.ch # systemctl stop nginx # acme.sh --issue -d wo-bisch.ch -d www.wo-bisch.ch -w /home/appuser/wo-bisch-web --standalone +# restorecon -irv /etc/letsencrypt [Sa Feb 27 17:27:34 CET 2021] Your cert is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.cer [Sa Feb 27 17:27:34 CET 2021] Your cert key is in /root/.acme.sh/wo-bisch.ch/wo-bisch.ch.key [Sa Feb 27 17:27:34 CET 2021] The intermediate CA cert is in /root/.acme.sh/wo-bisch.ch/ca.cer [Sa Feb 27 17:27:34 CET 2021] And the full chain certs is there: /root/.acme.sh/wo-bisch.ch/fullchain.cer + +Install Certificate: +# acme.sh --install-cert -d wo-bisch.ch --key-file /etc/letsencrypt/wo-bisch.ch/wo-bisch.ch.key --fullchain-file /etc/letsencrypt/wo-bisch.ch/fullchain.cer --reloadcmd "service nginx force-reload" ` ### Influxdb Users +Retention: 365 Tage + wobisch1: admin: admin7355 diff --git a/ansible/production b/ansible/production index 0953954..cd81c96 100644 --- a/ansible/production +++ b/ansible/production 
@@ -7,5 +7,5 @@ mail_forward_address=joerg.lehmann@nbit.ch document_root=/home/appuser/wo-bisch-web [wo_bisch_servers] -wobisch1.wo-bisch.ch letsEncryptDomain=dev.wo-bisch.ch -wobisch2.wo-bisch.ch letsEncryptDomain=wo-bisch.ch +wobisch1.wo-bisch.ch letsEncryptDomain=dev.wo-bisch.ch influx_token=PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg== +wobisch2.wo-bisch.ch letsEncryptDomain=wo-bisch.ch influx_token=Dl1ogBm4U9IgDgMqsHgFX04g4Rn9VyPqc94teQ9QzLztFUSttMTAwkch3TrdUk4c4vtr3eysZbsTaFrTQa-JqA== diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml index 77349fa..5c7d674 100644 --- a/ansible/roles/common/tasks/main.yml +++ b/ansible/roles/common/tasks/main.yml @@ -58,6 +58,14 @@ group: appuser mode: '0755' +- name: Create /home/appuser/wo-bisch-lorahandler + file: + path: /home/appuser/wo-bisch-lorahandler + state: directory + owner: appuser + group: appuser + mode: '0755' + - name: Allow apache to read files in /home/appuser/wo-bisch-web sefcontext: target: '/home/appuser/wo-bisch-web(/.*)?' diff --git a/ansible/roles/influxsw/tasks/main.yml b/ansible/roles/influxsw/tasks/main.yml index 6e79d77..4f72e2a 100644 --- a/ansible/roles/influxsw/tasks/main.yml +++ b/ansible/roles/influxsw/tasks/main.yml @@ -25,12 +25,15 @@ enabled: yes state: started -- name: copy telegraf config - copy: - src: telegraf.conf +- name: create telegraf config from template + template: + src: telegraf.conf.j2 dest: /etc/telegraf/telegraf.conf mode: '0644' notify: Restart telegraf - +- name: fix permission of /etc/logrotate.d/influxdb + file: + path: /etc/logrotate.d/influxdb + mode: 0644 diff --git a/ansible/roles/influxsw/files/telegraf.conf b/ansible/roles/influxsw/templates/telegraf.conf.j2 similarity index 87% rename from ansible/roles/influxsw/files/telegraf.conf rename to ansible/roles/influxsw/templates/telegraf.conf.j2 index 65ea379..04e105d 100644 --- a/ansible/roles/influxsw/files/telegraf.conf 
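Review bot: The two `influx_token=` values added to the `[wo_bisch_servers]` host lines are live InfluxDB API tokens committed in plaintext to the inventory, so anyone with read access to the repository or its history can read from and write to the metrics database. Keep only ciphertext in the repo: move each token into a vaulted host_vars file (`ansible-vault encrypt host_vars/wobisch1.wo-bisch.ch.yml`) or inline it as a `!vault` value. The wobisch1 token is byte-identical to the one this same commit removes from telegraf.conf, so it has been in git history since the earlier commit and should be regenerated in InfluxDB rather than merely relocated.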
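Review bot: The `create telegraf config from template` task still writes `/etc/telegraf/telegraf.conf` with `mode: '0644'`, and since this commit the rendered file contains the InfluxDB token, so every local account on the host can read the credential. Telegraf only needs the file readable by its own service account (presumably the `telegraf` user the package creates); set `owner: root`, `group: telegraf`, `mode: '0640'`. In the new `fix permission of /etc/logrotate.d/influxdb` task the bare `mode: 0644` should be quoted as `mode: '0644'`, matching the task above and avoiding YAML's octal-integer parsing of the value.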
+++ b/ansible/roles/influxsw/templates/telegraf.conf.j2 @@ -26,6 +26,6 @@ # Configuration for sending metrics to InfluxDB 2.0 [[outputs.influxdb_v2]] urls = ["http://127.0.0.1:8086"] - token = "PWuleFEPB2YSduUkzkcW94V_-KFDK5Fi3MAeaA999Qe51OsGlJJSrcZ41pUAppCwF-z3rUNnyFQQJs8fCSTFzg==" + token = "{{ influx_token }}" organization = "wobischorg" bucket = "wobischbucket" diff --git a/ansible/roles/nginx/handlers/main.yml b/ansible/roles/nginx/handlers/main.yml index ffbdfe5..ed3a4b6 100644 --- a/ansible/roles/nginx/handlers/main.yml +++ b/ansible/roles/nginx/handlers/main.yml @@ -5,5 +5,5 @@ state=restarted - name: Restore selinux context - command: restorecon -irv /root/.acme.sh/wo-bisch.ch + command: restorecon -irv /etc/letsencrypt diff --git a/ansible/roles/nginx/tasks/main.yml b/ansible/roles/nginx/tasks/main.yml index d11ea36..fc14395 100644 --- a/ansible/roles/nginx/tasks/main.yml +++ b/ansible/roles/nginx/tasks/main.yml @@ -28,9 +28,9 @@ - wo-bisch-web.css - wo-bisch-web-custom.css -- name: Allow apache to read files in /root/.acme.sh/{{ letsEncryptDomain }} +- name: Allow apache to read files in /etc/letsencrypt/{{ letsEncryptDomain }} sefcontext: - target: '/root/.acme.sh/{{ letsEncryptDomain }}(/.*)?' + target: '/etc/letsencrypt/{{ letsEncryptDomain }}(/.*)?' setype: httpd_sys_content_t state: present notify: @@ -50,3 +50,9 @@ group: root mode: '0644' notify: Restart nginx + +- name: create certificate directory + file: + path: /etc/letsencrypt/{{ letsEncryptDomain }} + state: directory + diff --git a/ansible/roles/nginx/templates/nginx.conf.j2 b/ansible/roles/nginx/templates/nginx.conf.j2 index 25cf925..bb6bf7a 100644 --- a/ansible/roles/nginx/templates/nginx.conf.j2 +++ b/ansible/roles/nginx/templates/nginx.conf.j2 @@ -39,7 +39,7 @@ http { listen [::]:80 default_server; server_name _; - return 301 https://wo-bisch.ch$request_uri; + return 301 https://{{ letsEncryptDomain }}$request_uri; } 
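Review bot: The renamed task labels `/etc/letsencrypt/{{ letsEncryptDomain }}(/.*)?` as `httpd_sys_content_t`, the type for files nginx is allowed to serve, yet per nginx.conf.j2 in this same commit that directory now holds the TLS private key `{{ letsEncryptDomain }}.key`. The targeted policy's type for keys and certificates is `cert_t`, which httpd_t may read for the handshake without the directory being treated as web content; change it to `setype: cert_t` (verify on the host with `sesearch -A -s httpd_t -t cert_t -c file` before rolling out). The task name `Allow apache to read files in …` should also say nginx, which is the daemon this role manages.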
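Review bot: The new `create certificate directory` task creates `/etc/letsencrypt/{{ letsEncryptDomain }}` with no `owner`, `group` or `mode`, so the directory that receives the private key (the README's `acme.sh --install-cert … --key-file /etc/letsencrypt/…` step) gets whatever root's umask yields, typically 0755. The nginx master process reads the key as root before dropping privileges, so nothing else needs to traverse this directory; add `owner: root`, `group: root`, `mode: '0700'`. The mode of the key file itself is set by acme.sh at install time, not by this role, so it is worth a follow-up `file: mode: '0600'` task or at least a comment here saying that the permissions are expected to be tightened there.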
@@ -67,8 +67,8 @@ http { listen [::]:443 ssl ipv6only=on; listen 443 ssl; - ssl_certificate /root/.acme.sh/{{ letsEncryptDomain }}/fullchain.cer; - ssl_certificate_key /root/.acme.sh/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key; + ssl_certificate /etc/letsencrypt/{{ letsEncryptDomain }}/fullchain.cer; + ssl_certificate_key /etc/letsencrypt/{{ letsEncryptDomain }}/{{ letsEncryptDomain }}.key; } }