Add ssl conf and nft rule for certbot
This commit is contained in:
parent
e6c8aa3cee
commit
d403d0eef6
4 changed files with 28 additions and 9 deletions
|
|
@ -1 +1 @@
|
|||
tcp dport http accept comment "Allow http to all for certbot renewal"
|
||||
tcp dport http accept comment "Allow HTTP from all for certbot renewal"
|
||||
|
|
|
|||
1
roles/certbot/files/https.conf
Normal file
1
roles/certbot/files/https.conf
Normal file
|
|
@ -0,0 +1 @@
|
|||
tcp dport https accept comment "Allow HTTPS from all"
|
||||
6
roles/certbot/files/ssl-options.conf
Normal file
6
roles/certbot/files/ssl-options.conf
Normal file
|
|
@ -0,0 +1,6 @@
|
|||
<IfModule mod_ssl.c>
|
||||
SSLProtocol all -SSLv2 -SSLv3
|
||||
SSLHonorCipherOrder On
|
||||
SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:!DHE-RSA-AES128-GCM-SHA256:!DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:!DHE-RSA-AES128-SHA256:!DHE-RSA-AES128-SHA:!DHE-DSS-AES128-SHA256:!DHE-RSA-AES256-SHA256:!DHE-DSS-AES256-SHA:!DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:!DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA:!DHE-RSA-AES256-GCM-SHA384:!DHE-RSA-CAMELLIA256-SHA:!DHE-RSA-CAMELLIA128-SHA
|
||||
SSLCompression off
|
||||
</IfModule>
|
||||
|
|
@ -13,12 +13,6 @@
|
|||
state: directory
|
||||
mode: 0755
|
||||
|
||||
- name: Copy acme apache conf
|
||||
become: true
|
||||
copy:
|
||||
src: acme.conf
|
||||
dest: /etc/apache2/conf-available/acme.conf
|
||||
|
||||
- name: Enable modules
|
||||
become: true
|
||||
apache2_module:
|
||||
|
|
@ -29,9 +23,20 @@
|
|||
- ssl
|
||||
notify: Reload apache2 service
|
||||
|
||||
- name: Enable acme apache conf
|
||||
- name: Copy apache confs
|
||||
become: true
|
||||
command: a2enconf acme
|
||||
copy: src={{ item.src }} dest={{ item.dest }}
|
||||
with_items:
|
||||
- { src: 'acme.conf', dest: '/etc/apache2/conf-available/acme.conf' }
|
||||
- { src: 'ssl-options.conf', dest: '/etc/apache2/conf-available/ssl-options.conf' }
|
||||
|
||||
|
||||
- name: Enable apache confs
|
||||
become: true
|
||||
command: a2enconf {{ item }}
|
||||
with_items:
|
||||
- acme
|
||||
- ssl-options
|
||||
register: result
|
||||
changed_when: "'already enabled' not in result.stdout"
|
||||
notify: Reload apache2 service
|
||||
|
|
@ -42,3 +47,10 @@
|
|||
src: http-certbot.conf
|
||||
dest: /etc/nftables/input.d/http-certbot.conf
|
||||
notify: Reload nftables service
|
||||
|
||||
- name: Allow incoming HTTPS
|
||||
become: true
|
||||
copy:
|
||||
src: https.conf
|
||||
dest: /etc/nftables/input.d/https.conf
|
||||
notify: Reload nftables service
|
||||
|
|
|
|||
Loading…
Reference in a new issue