diff --git a/ansible/lemmy.yml b/ansible/lemmy.yml
index 144479a..7026200 100644
--- a/ansible/lemmy.yml
+++ b/ansible/lemmy.yml
@@ -16,21 +16,25 @@
 tasks:
 - name: install dependencies
 apt:
- pkg: ['nginx', 'docker-compose', 'docker.io', 'certbot']
+ pkg: ['nginx', 'docker-compose', 'docker.io', 'certbot', 'python-certbot-nginx']
+
+ - name: request initial letsencrypt certificate
+ command: certbot certonly --nginx --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
+ args:
+ creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
 - name: create lemmy folder
 file: path={{item.path}} state=directory
 with_items:
 - { path: '/lemmy/' }
 - { path: '/lemmy/volumes/' }
- - { path: '/var/www/certbot' }
 - name: add all template files
 template: src={{item.src}} dest={{item.dest}}
 with_items:
 - { src: 'templates/env', dest: '/lemmy/.env' }
 - { src: 'templates/docker-compose.yml', dest: '/lemmy/docker-compose.yml' }
- - { src: 'templates/nginx.conf', dest: '/lemmy/nginx.conf' }
+ - { src: 'templates/nginx.conf', dest: '/etc/nginx/sites-enabled/lemmy.conf' }
 vars:
 postgres_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/postgres chars=ascii_letters,digits') }}"
 jwt_password: "{{ lookup('password', 'passwords/{{ inventory_hostname }}/jwt chars=ascii_letters,digits') }}"
@@ -43,11 +47,6 @@
 access_time: preserve
 modification_time: preserve
- - name: request initial letsencrypt certificate
- command: certbot certonly --standalone --agree-tos -d '{{ domain }}' -m '{{ letsencrypt_contact_email }}'
- args:
- creates: '/etc/letsencrypt/live/{{domain}}/privkey.pem'
-
 - name: enable and start docker service
 systemd:
 name: docker
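Review bot: The `add all template files` task whose item list is edited here installs `/lemmy/.env` — which after this commit carries the postgres password and JWT secret in clear text — without `mode` or `owner`, so the file gets the template module's default permissions, which on most hosts are world-readable. Give the env entry a restrictive mode, e.g. `template: src={{item.src}} dest={{item.dest}} mode={{ item.mode | default(omit) }}` together with `- { src: 'templates/env', dest: '/lemmy/.env', mode: '0600' }`. The new `request initial letsencrypt certificate` task also runs `certbot --nginx` before the lemmy site config is templated, so the plugin can only work with the stock nginx server block; that probably succeeds for the initial issuance, but the ordering assumption deserves a comment, e.g. `# runs against the stock nginx site; lemmy.conf is installed further down and needs this cert to exist`. The enclosing `tasks:` list continues past the hunk.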
@@ -56,13 +55,16 @@
 - name: start docker-compose
 docker_compose:
- project_src: /peertube/
+ project_src: /lemmy/
 state: present
 pull: yes
+ - name: reload nginx with new config
+ shell: nginx -s reload
+
 - name: certbot renewal cronjob
 cron:
 special_time=daily
- name=certbot-renew
+ name=certbot-renew-lemmy
 user=root
- job="certbot certonly --webroot --webroot-path=/var/www/certbot -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
+ job="certbot certonly --nginx -d '{{ domain }}' --deploy-hook 'docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload'"
diff --git a/ansible/templates/docker-compose.yml b/ansible/templates/docker-compose.yml
index 6904e6b..af61104 100644
--- a/ansible/templates/docker-compose.yml
+++ b/ansible/templates/docker-compose.yml
@@ -1,4 +1,4 @@
-version: '2.4'
+version: "3.3"
 services:
@@ -6,9 +6,9 @@ services:
 image: postgres:12-alpine
 restart: always
 environment:
- POSTGRES_USER=lemmy
- POSTGRES_PASSWORD=${DATABASE_PASSWORD}
- POSTGRES_DB=lemmy
+ - POSTGRES_USER=lemmy
+ - POSTGRES_PASSWORD=${DATABASE_PASSWORD}
+ - POSTGRES_DB=lemmy
 volumes:
 - ./volumes/db:/var/lib/postgresql/data
 healthcheck:
@@ -23,10 +23,9 @@ services:
 ports:
 - "8536:8536"
 environment:
- LEMMY_FRONT_END_DIR=/app/dist
- DATABASE_URL=postgres://rrr:rrr@db:5432/rrr
- JWT_SECRET=${JWT_SECRET}
- HOSTNAME=${DOMAIN}
+ - LEMMY_FRONT_END_DIR=/app/dist
+ - DATABASE_URL=${DATABASE_URL}
+ - JWT_SECRET=${JWT_SECRET}
+ - HOSTNAME=${DOMAIN}
 depends_on:
- db:
- condition: service_healthy
+ - db
diff --git a/ansible/templates/env b/ansible/templates/env
index e97aeef..12ff850 100644
--- a/ansible/templates/env
+++ b/ansible/templates/env
@@ -1,4 +1,4 @@
 DOMAIN={{ domain }}
 DATABASE_PASSWORD={{ postgres_password }}
-DATABASE_URL=postgres://lemmy:${DATABASE_PASSWORD}@db:5432/lemmy
+DATABASE_URL=postgres://lemmy:{{ postgres_password }}@db:5432/lemmy
 JWT_SECRET={{ jwt_password }}
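Review bot: The renewal cron job's `--deploy-hook` still runs `docker-compose -f /peertube/docker-compose.yml exec nginx nginx -s reload`, yet this same commit moves nginx onto the host (`/etc/nginx/sites-enabled/lemmy.conf`, the host-level `nginx -s reload` task above) and corrects `project_src` to `/lemmy/`, so the hook will fail and a renewed certificate would never be loaded by the host nginx. Change the line to `job="certbot certonly --nginx -d '{{ domain }}' --deploy-hook 'systemctl reload nginx'"`; `certbot renew` would be the more conventional daily command and needs no `-d`. Renaming the entry from `certbot-renew` to `certbot-renew-lemmy` also leaves the old `certbot-renew` job in place on hosts provisioned by the previous playbook, since the cron module matches on `name`; a task with `name=certbot-renew state=absent` would remove it. The new `reload nginx with new config` task would be cleaner as `systemd: name=nginx state=reloaded`, which also stops it from reporting changed on every run.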
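Review bot: Dropping `condition: service_healthy` from `depends_on` means the lemmy container no longer waits for the db healthcheck (still present as context in the hunk at line 6); the 3.x compose file format does not accept the `condition` form, so with `version: "3.3"` the app can start before postgres accepts connections. The lemmy service's `restart` setting is outside this hunk; if it has none, a failed first connection leaves the container down until someone restarts it. Either stay on the 2.x format, which keeps the health gate, or give the service `restart: always` and record the tradeoff, e.g. `# compose 3.x drops depends_on.condition; restart policy retries until db is reachable`.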
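Review bot: `DATABASE_URL` now embeds `{{ postgres_password }}` verbatim inside a URL, which is only safe because the `password` lookup in lemmy.yml restricts the value to `chars=ascii_letters,digits`; if that charset is ever widened to punctuation the value would need `{{ postgres_password | urlencode }}`. A comment pinning that dependency would help, e.g. `# password is alphanumeric (see the lookup in lemmy.yml), so no URL-encoding is needed`; compose's .env parser ignores `#` lines, though any other consumer of this file should be checked. The rendered file now holds the same secret twice, so the template task installing it should set a restrictive mode.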
diff --git a/ansible/templates/nginx.conf b/ansible/templates/nginx.conf
index 4fc8bc3..21560b5 100644
--- a/ansible/templates/nginx.conf
+++ b/ansible/templates/nginx.conf
@@ -13,8 +13,8 @@ server {
 listen 443 ssl http2;
 server_name {{ domain }};
- ssl_certificate /certs/live/{{ domain }}/fullchain.pem;
- ssl_certificate_key /certs/live/{{ domain }}/privkey.pem;
+ ssl_certificate /etc/letsencrypt/live/{{domain}}/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/{{domain}}/privkey.pem;
 # Various TLS hardening settings
 # https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
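Review bot: The new `ssl_certificate` lines write `{{domain}}` while `server_name {{ domain }}` two lines up uses the spaced form; both render identically, but keep the template uniform, `ssl_certificate /etc/letsencrypt/live/{{ domain }}/fullchain.pem;` and `ssl_certificate_key /etc/letsencrypt/live/{{ domain }}/privkey.pem;`. The same unspaced `{{domain}}` appears in the `creates:` path of the new certbot task in lemmy.yml. The `server {` block starts before this hunk.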