From 13f5dd06ba072c477ab4bc79709ad54129614a58 Mon Sep 17 00:00:00 2001
From: Matthew Evans
Date: Thu, 26 Sep 2024 21:57:56 +0200
Subject: [PATCH] Fix SSL settings inside nginx container and update SSL role
---
 Dockerfile | 6 ------
 ansible/playbook.yml | 9 +++++----
 ansible/roles/ssl/tasks/main.yml | 10 +++++-----
 nginx/include/ssl-nginx.conf | 2 +-
 4 files changed, 11 insertions(+), 16 deletions(-)
diff --git a/Dockerfile b/Dockerfile
index 030834e..a22dbe4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,12 +8,6 @@ FROM ghcr.io/datalab-org/datalab-federation:latest AS federation
 FROM python:3.12-alpine AS builder
 ARG COMBINED_FILENAME="/app/combined.yaml"
-RUN apk add --no-cache make openssl
-RUN mkdir -p /app/nginx/ssl && \ openssl req -x509 -nodes -days 365 -newkey rsa:2048 \ -keyout /app/nginx/ssl/nginx.key \ -out /app/nginx/ssl/nginx.crt \ -subj "/C=FI/ST=Uusimaa/L=Helsinki/O=Datalab/CN=purl.datalab-org.io"
 WORKDIR /app
 RUN pip install uv
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 8d7430e..5c8eba6 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -3,10 +3,10 @@
 hosts: all
 gather_facts: false
- # roles:
- # - role: ssl
- # name: Setup certbot for automated renewal
- # tags: [setup]
+ roles: - role: ssl name: Setup certbot for automated renewal tags: [setup]
 vars:
 ghcr_token: !vault |
@@ -57,6 +57,7 @@
 name: datalab-purl
 image: ghcr.io/datalab-org/datalab-purl:latest
 state: started
+ restart_policy: always
 volumes: - certbot-conf:/etc/letsencrypt - certbot-www:/var/www/certbot
diff --git a/ansible/roles/ssl/tasks/main.yml b/ansible/roles/ssl/tasks/main.yml
index c389ba2..f1fb9d3 100644
--- a/ansible/roles/ssl/tasks/main.yml
+++ b/ansible/roles/ssl/tasks/main.yml
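Review bot: Uncommenting the `ssl` role under `roles:` makes it run on every `ansible-playbook` invocation that is not filtered with `--skip-tags setup`, and from the role's own hunks below each such run force-rebuilds the nginx image (`force_source: true`) and launches the certbot container again. If the rendered certbot-docker.sh (not visible here) requests a certificate unconditionally rather than with `certonly --keep-until-expiring` or `renew`, routine deploys will exhaust Let's Encrypt's duplicate-certificate rate limit and issuance will start failing. Either make the script idempotent or state the intended usage above the entry, e.g. `# Run with --tags setup for first issuance; certbot handles renewal afterwards`. The play's remaining keys (`vars:` and below) are outside the hunk.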
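Review bot: The `certbot-conf` volume on the lines following the new `restart_policy: always` is still mounted read-write into the datalab-purl container, although per ssl-nginx.conf the container only needs to read `fullchain.pem` and `privkey.pem`; mount it `- certbot-conf:/etc/letsencrypt:ro` so a compromised application container cannot overwrite the ACME account key or replace the certificate. Note also that nginx reads the certificate at start-up and `restart_policy: always` only restarts the container when it exits, so a renewed certificate written by certbot is not served until something reloads nginx; confirm the renewal path issues `nginx -s reload` inside this container (for example via a certbot `--deploy-hook`) or restarts it. The container definition continues outside the hunk.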
@@ -9,18 +9,18 @@ - name: Synchronize nginx files to remote
 ansible.posix.synchronize:
 src: "{{ role_path }}/files/"
- dest: "/{{ ansible_user }}/nginx"
+ dest: /{{ ansible_user }}/nginx - name: Make directory for rendered configs
 ansible.builtin.file:
 state: directory
- path: "/{{ ansible_user }}/nginx/rendered"
+ path: /{{ ansible_user }}/nginx/rendered
 mode: "0744" - name: Render templated certbot config
 ansible.builtin.template:
 src: certbot-docker.sh.j2
- dest: "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh"
+ dest: /{{ ansible_user }}/nginx/rendered/certbot-docker.sh
 mode: "0744" - name: Build nginx image
@@ -30,7 +30,7 @@ state: present
 force_source: true
 build:
- path: "/{{ ansible_user }}/nginx"
+ path: /{{ ansible_user }}/nginx - name: Launch nginx container without services
 community.docker.docker_container:
@@ -50,7 +50,7 @@ volumes: - certbot-conf:/etc/letsencrypt - certbot-www:/var/www/certbot
- - "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh"
+ - /{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh
 restart_policy: false
 detach: true
 entrypoint:
diff --git a/nginx/include/ssl-nginx.conf b/nginx/include/ssl-nginx.conf
index 500032d..ec5feea 100644
--- a/nginx/include/ssl-nginx.conf
+++ b/nginx/include/ssl-nginx.conf
@@ -1,4 +1,4 @@
-ssl_certificate /etc/letsencrypt/live/purl.datalab-org.io/fullchain.pem
+ssl_certificate /etc/letsencrypt/live/purl.datalab-org.io/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/purl.datalab-org.io/privkey.pem;
 ssl_session_cache shared:le_nginx_SSL:10m;
 ssl_session_timeout 1440m;
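Review bot: Removing the quotes around `/{{ ansible_user }}/nginx` on the `dest:`/`path:` lines parses only because the value does not begin with `{{`; Ansible's guidance is to quote any scalar containing a Jinja expression, so the quoted form on the removed lines was the safer one and this part of the commit is a style regression rather than a fix. The path is also anchored at the filesystem root, so it resolves to `/root/nginx` only when `ansible_user` is root and to e.g. `/ubuntu/nginx` for any other account — presumably `/home/{{ ansible_user }}/nginx` or `"~/nginx"` was intended; verify against the target hosts. `mode: "0744"` on the rendered certbot-docker.sh leaves it world-readable for no reason; `"0750"` still lets the owner execute it and the root-owned Docker daemon bind-mount it.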
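Review bot: The host script is bind-mounted read-write at `/opt/certbot-docker.sh`, yet nothing in the container needs to write it, so mount it `- /{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh:ro` to keep a process inside the container from altering what later runs execute. The neighbouring `restart_policy: false` is a YAML boolean rather than one of the module's string choices; Ansible maps `False` back to the `no` choice, but `restart_policy: "no"` says what is meant without relying on that conversion. The task's remaining keys (`entrypoint:` and following) are outside the hunk.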
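Review bot: The missing semicolon on `ssl_certificate` meant this include never parsed, and nothing in the role would have surfaced that, since the containers are started with `detach: true` and `state: started` and the play moves on; an error in this file only shows up as a container that exits immediately after launch. Add a post-launch check in the role, e.g. a `community.docker.docker_container_info` task followed by an `ansible.builtin.assert` on `State.Running`, or a `healthcheck` on the container, so the next such typo fails the play rather than the site. The remaining TLS directives are context and the file may continue outside the hunk.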