-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
6 changed files
with
134 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -4,3 +4,4 @@ datalab_purl: | |
| purl.datalab-org.io: | ||
| ansible_become_method: sudo | ||
| ansible_user: root | ||
| url: purl.datalab-org.io | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,10 @@ | ||
| FROM nginx:1.25.3 | ||
|
|
||
| WORKDIR /app | ||
|
|
||
| COPY nginx.conf /etc/nginx/nginx.conf | ||
| RUN rm -f /etc/nginx/conf.d/default.conf | ||
|
|
||
|
|
||
| EXPOSE 80 | ||
| EXPOSE 443 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| worker_processes 1; | ||
| user nobody nogroup; | ||
| # 'user nobody nobody;' for systems with 'nobody' as a group instead | ||
|
|
||
| pid /var/run/nginx.pid; | ||
|
|
||
| events { | ||
| worker_connections 1024; # increase if you have lots of clients | ||
| accept_mutex off; # set to 'on' if nginx worker_processes > 1 | ||
| # 'use epoll;' to enable for Linux 2.6+ | ||
| # 'use kqueue;' to enable for FreeBSD, OSX | ||
| } | ||
|
|
||
| http { | ||
| sendfile on; | ||
| include mime.types; | ||
|
|
||
| # Add some security headers | ||
| add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;"; | ||
| add_header X-Frame-Options "DENY"; | ||
| add_header X-XSS-Protection "1; mode=block;"; | ||
| add_header X-Content-Type-Options "nosniff;"; | ||
|
|
||
| server { | ||
| listen 80; | ||
| listen [::]:80; | ||
| server_name _; | ||
|
|
||
| # For certbot challenges | ||
| location ^~ /.well-known/acme-challenge { | ||
| root /var/www/certbot; | ||
| allow all; | ||
| } | ||
|
|
||
| location / { | ||
| return 301 https://$host$request_uri; | ||
| } | ||
| } | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,66 @@ | ||
| --- | ||
| - name: Build/pull certbot image | ||
| community.docker.docker_image: | ||
| name: certbot/certbot:latest | ||
| source: pull | ||
| state: present | ||
| force_source: true | ||
|
|
||
| - name: Synchronize nginx files to remote | ||
| ansible.posix.synchronize: | ||
| src: "{{ role_path }}/files/" | ||
| dest: "/{{ ansible_user }}/nginx" | ||
|
|
||
| - name: Make directory for rendered configs | ||
| ansible.builtin.file: | ||
| state: directory | ||
| path: "/{{ ansible_user }}/nginx/rendered" | ||
| mode: "0744" | ||
|
|
||
| - name: Render templated certbot config | ||
| ansible.builtin.template: | ||
| src: certbot-docker.sh.j2 | ||
| dest: "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh" | ||
| mode: "0744" | ||
|
|
||
| - name: Build nginx image | ||
| community.docker.docker_image: | ||
| name: purl-nginx-ssl | ||
| source: build | ||
| state: present | ||
| force_source: true | ||
| build: | ||
| path: "/{{ ansible_user }}/nginx" | ||
|
|
||
| - name: Launch nginx container without services | ||
| community.docker.docker_container: | ||
| name: datalab-purl | ||
| image: purl-nginx-ssl | ||
| network_mode: host | ||
| volumes: | ||
| - certbot-conf:/etc/letsencrypt | ||
| - certbot-www:/var/www/certbot | ||
| restart_policy: false | ||
|
|
||
| - name: Launch certbot container | ||
| community.docker.docker_container: | ||
| name: datalab-certbot | ||
| image: certbot/certbot:latest | ||
| network_mode: host | ||
| volumes: | ||
| - certbot-conf:/etc/letsencrypt | ||
| - certbot-www:/var/www/certbot | ||
| - "/{{ ansible_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh" | ||
| restart_policy: false | ||
| detach: true | ||
| entrypoint: | ||
| - /opt/certbot-docker.sh | ||
|
|
||
| - name: Scheduled SSL renewal with certbot | ||
| ansible.builtin.cron: | ||
| name: SSL renewal with certbot | ||
| minute: "38" | ||
| hour: "10" | ||
| day: "2" | ||
| month: "*" | ||
| job: docker run -v certbot-www:/var/www/certbot -v certbot-conf:/etc/letsencrypt certbot/certbot:latest renew |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,2 @@ | ||
| #!/bin/sh | ||
| certbot certonly --webroot -w /var/www/certbot --register-unsafely-without-email --no-eff-email --agree-tos -d {{ url }} |