From c49b8ba2f6a81b275dc19eed7c27903f3373ed21 Mon Sep 17 00:00:00 2001
From: patbec <29308797+patbec@users.noreply.github.com>
Date: Sun, 5 Nov 2023 17:19:19 +0100
Subject: [PATCH] Refactoring of nginx and the cert management.
---
 README.md | 34 ++++++-
 playbook.yml => main.yml | 88 ++++++++-----
 templates/{ => etc/nginx}/nginx.conf.j2 | 0
 .../nginx/sites-available/proxmox.conf.j2} | 0
 templates/{ => etc/systemd}/logind.conf.j2 | 0
 .../system/nginx.service.d/override.conf.j2 | 16 ++++
 templates/nginx.service.override.conf.j2 | 5 --
 templates/nginx.watcher.conf.j2 | 5 --
 templates/nginx.watcher.path.j2 | 9 --
 9 files changed, 84 insertions(+), 73 deletions(-)
 rename playbook.yml => main.yml (69%)
 rename templates/{ => etc/nginx}/nginx.conf.j2 (100%)
 rename templates/{nginx.proxmox.conf.j2 => etc/nginx/sites-available/proxmox.conf.j2} (100%)
 rename templates/{ => etc/systemd}/logind.conf.j2 (100%)
 create mode 100644 templates/etc/systemd/system/nginx.service.d/override.conf.j2
 delete mode 100644 templates/nginx.service.override.conf.j2
 delete mode 100644 templates/nginx.watcher.conf.j2
 delete mode 100644 templates/nginx.watcher.path.j2
diff --git a/README.md b/README.md
index bd1e4f0..eb0c83a 100644
--- a/README.md
+++ b/README.md
@@ -14,9 +14,35 @@ For the last point *(Web UI on port 443)* the recommendation from the [official ## Preparation -Configure on the Proxmox an **ACME Challenge** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created. The playbook checks if this file exists, the web server will not start otherwise. +Configure on the Proxmox an **ACME** first, so the certificate `/etc/pve/local/pveproxy-ssl.pem` is created. -> This project is intended for my home proxmox server and should not be used on production servers. +- If the certificate is renewed by Proxmox, the web server is **automatically reloaded**. This is made possible with the systemd option [`ReloadPropagatedFrom`](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#PropagatesReloadTo=). + +- If no ACME has been set up, the service is **ignored when booting**. This is controlled by the [`ConditionPathExists`](https://www.freedesktop.org/software/systemd/man/latest/systemd.unit.html#AssertArchitecture=) option. If the service has been ignored, it remains deactivated until Proxmox is restarted.
There is a check in the Ansible playbook if ACME has been set up, without a valid configuration the execution will be **aborted at the beginning**. + +- If an existing ACME configuration is deleted in the Proxmox interface, the old certificate files remain available. The NGINX web server remains active and will respond with an expired certificate. + +These options are stored in the NGINX extended service file under `/etc/systemd/system/nginx.service.d/override.conf`: +```ini +# {{ ansible_managed }} + +[Unit] +# The path /etc/pve/local is only available after this service. +Requires=pve-cluster.service +After=pve-cluster.service + +# The web server requires an existing certificate. The service is only +# activated if an automatic certificate management environment (ACME) +# has been set up in Promxox. +ConditionPathExists=/etc/pve/local/pveproxy-ssl.pem +ConditionPathExists=/etc/pve/local/pveproxy-ssl.key + +# When systemd reload the unit listed here, the action is +# propagated to this unit. This occurs when the certificate is updated. +ReloadPropagatedFrom=pveproxy.service +``` + +> You can edit this file directly for test purposes using the command `sudo systemctl edit nginx`. ## Versions @@ -24,6 +50,8 @@ The following versions were tested: โœ… Proxmox VE 7.4-xx +> This project is intended for my home proxmox server and should not be used on production servers. + ## Workspace Open the workspace file `proxmox.code-workspace` to access the predefined build tasks with Visual Studio Code. @@ -32,4 +60,4 @@ Predefined build tasks: | Task | Description | Command | | -------- | ------------------------------------------ | -----------------: | | ๐Ÿš€ Deploy | Run the main playbook with all tasks. | `ansible-playbook` | -| ๐Ÿงช Check | Check the code without making any changes. | `ansible-playbook` | +| ๐Ÿงช Check | Check the code without making any changes. | `ansible-playbook` | \ No newline at end of file 
diff --git a/playbook.yml b/main.yml similarity index 69% rename from playbook.yml rename to main.yml index 430b9ec..ce85b37 100644 --- a/playbook.yml +++ b/main.yml @@ -15,12 +15,12 @@ path: /etc/pve/local/pveproxy-ssl.key register: cert_key - - name: Ensure that ACME has been set up - ansible.builtin.assert: - that: - - cert_pem.stat.exists == true - - cert_key.stat.exists == true - fail_msg: "Certificate was not found, make sure ACME has been set up." + # - name: Ensure that ACME has been set up + # ansible.builtin.assert: + # that: + # - cert_pem.stat.exists == true + # - cert_key.stat.exists == true + # fail_msg: "Certificate was not found, make sure ACME has been set up." - name: Configure repositories block: 
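Review bot: The ACME assert is commented out rather than removed, yet the README text added in this same commit still states that the playbook is aborted at the beginning when no valid ACME configuration exists, and the two stat tasks that register cert_pem and cert_key (visible in the context above the hunk) now feed nothing. If the intent is to let the drop-in's ConditionPathExists handle the missing-certificate case, drop the commented block and the two stat tasks and correct the README sentence; otherwise restore the assert, which can be written as `that:` `- cert_pem.stat.exists` `- cert_key.stat.exists` without the `== true` comparisons. A dead, commented copy leaves the actual safety behaviour — whether nginx is ever configured on a host without a certificate — unclear to the next reader.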
@@ -38,35 +38,46 @@ state: present update_cache: true - - name: Template login manager configuration - ansible.builtin.template: - src: logind.conf.j2 - dest: /etc/systemd/logind.conf - owner: root - group: root - mode: "0644" - notify: - - Restart login manager + - name: Configure systemd + block: + - name: Update login manager configuration + ansible.builtin.template: + src: etc/systemd/logind.conf.j2 + dest: /etc/systemd/logind.conf + owner: root + group: root + mode: "0644" + notify: + - Restart login manager - name: Install nginx ansible.builtin.apt: name: - nginx-light - policy_rc_d: 101 # Prevent autostart + policy_rc_d: 101 # Prevent autostart - - name: Configure nginx + - name: Configure nginx application notify: - Stop nginx block: - - name: Template nginx site + - name: Template nginx configuration + ansible.builtin.template: + src: etc/nginx/nginx.conf.j2 + dest: /etc/nginx/nginx.conf + owner: root + group: root + mode: "0644" + validate: nginx -t -c "%s" + + - name: Template proxmox site ansible.builtin.template: - src: nginx.proxmox.conf.j2 + src: etc/nginx/sites-available/proxmox.conf.j2 dest: /etc/nginx/sites-available/proxmox.conf owner: root group: root mode: "0644" - - name: Enable nginx site + - name: Enable proxmox site ansible.builtin.file: src: /etc/nginx/sites-available/proxmox.conf dest: /etc/nginx/sites-enabled/proxmox.conf @@ -74,15 +85,10 @@ group: root state: link - - name: Template nginx configuration - ansible.builtin.template: - src: nginx.conf.j2 - dest: /etc/nginx/nginx.conf - owner: root - group: root - mode: "0644" - validate: nginx -t -c "%s" - + - name: Configure nginx service + notify: + - Stop nginx + block: - name: Ensure nginx override folder exists ansible.builtin.file: path: /etc/systemd/system/nginx.service.d 
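Review bot: Moving the nginx.conf template task, which carries the only `validate: nginx -t -c "%s"` in the play, ahead of the proxmox site template and its sites-enabled link means validation now runs before the site file exists or is linked, so a broken proxmox.conf is no longer caught before the Stop nginx handler fires (in the old order validation ran last and covered the included site). This assumes nginx.conf.j2 includes sites-enabled, which the 100% rename does not show; if it does, either move the nginx.conf task back behind the Enable proxmox site task, or add after the link task `- name: Validate nginx configuration` / `ansible.builtin.command: nginx -t` / `changed_when: false`. The Configure nginx service block opened at the end of this hunk continues outside it.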
@@ -91,28 +97,12 @@ - name: Template nginx override configuration ansible.builtin.template: - src: nginx.service.override.conf.j2 + src: etc/systemd/system/nginx.service.d/override.conf.j2 dest: /etc/systemd/system/nginx.service.d/override.conf owner: root group: root mode: "0644" - - name: Template nginx watcher configuration - ansible.builtin.template: - src: nginx.watcher.conf.j2 - dest: /etc/systemd/system/nginx.watcher.conf - owner: root - group: root - mode: "0644" - - - name: Template nginx watcher path - ansible.builtin.template: - src: nginx.watcher.path.j2 - dest: /etc/systemd/system/nginx.watcher.path - owner: root - group: root - mode: "0644" - - name: Stop nginx if configuration has changed ansible.builtin.meta: flush_handlers @@ -122,16 +112,12 @@ state: started enabled: true - - name: Ensure watcher is enabled - ansible.builtin.service: - name: nginx - enabled: true - handlers: - name: Stop nginx ansible.builtin.service: name: nginx state: stopped + daemon_reload: true - name: Restart login manager ansible.builtin.service: diff --git a/templates/nginx.conf.j2 b/templates/etc/nginx/nginx.conf.j2 similarity index 100% rename from templates/nginx.conf.j2 rename to templates/etc/nginx/nginx.conf.j2 diff --git a/templates/nginx.proxmox.conf.j2 b/templates/etc/nginx/sites-available/proxmox.conf.j2 similarity index 100% rename from templates/nginx.proxmox.conf.j2 rename to templates/etc/nginx/sites-available/proxmox.conf.j2 diff --git a/templates/logind.conf.j2 b/templates/etc/systemd/logind.conf.j2 similarity index 100% rename from templates/logind.conf.j2 rename to templates/etc/systemd/logind.conf.j2 diff --git a/templates/etc/systemd/system/nginx.service.d/override.conf.j2 b/templates/etc/systemd/system/nginx.service.d/override.conf.j2 new file mode 100644 index 0000000..0d123a9 --- /dev/null +++ b/templates/etc/systemd/system/nginx.service.d/override.conf.j2 
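Review bot: With the assert removed and the drop-in's ConditionPathExists in place, the task that sets `state: started` / `enabled: true` in the second hunk cannot distinguish a running nginx from one that systemd skipped because the certificate files were absent — as far as I recall `systemctl start` exits 0 when a Condition* line is unmet, so the play reports success while nothing listens on 443. Consider registering that task's result and failing or warning when the unit is not active; with `ansible.builtin.systemd` the returned `status.ActiveState` can be checked in a `failed_when`, or the play can re-stat the certificate and emit an `ansible.builtin.debug` warning. The start task's name and module are outside the hunk. Adding `daemon_reload: true` to the Stop nginx handler is correct, since it is the only handler notified when the override drop-in changes.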
@@ -0,0 +1,16 @@
+# {{ ansible_managed }}
+
+[Unit]
+# The path /etc/pve/local is only available after this service.
+Requires=pve-cluster.service
+After=pve-cluster.service
+
+# The web server requires an existing certificate. The service is only
+# activated if an automatic certificate management environment (ACME)
+# has been set up in Promxox.
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.pem
+ConditionPathExists=/etc/pve/local/pveproxy-ssl.key
+
+# When systemd reload the unit listed here, the action is
+# propagated to this unit. This occurs when the certificate is updated.
+ReloadPropagatedFrom=pveproxy.service
\ No newline at end of file
diff --git a/templates/nginx.service.override.conf.j2 b/templates/nginx.service.override.conf.j2
deleted file mode 100644
index 3ef39e3..0000000
--- a/templates/nginx.service.override.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-[Unit]
-Requires=pve-cluster.service
-After=pve-cluster.service
\ No newline at end of file
diff --git a/templates/nginx.watcher.conf.j2 b/templates/nginx.watcher.conf.j2
deleted file mode 100644
index f2674de..0000000
--- a/templates/nginx.watcher.conf.j2
+++ /dev/null
@@ -1,5 +0,0 @@
-# {{ ansible_managed }}
-
-[Service]
-Type=oneshot
-ExecStart=/usr/bin/systemctl reload nginx.service
\ No newline at end of file
diff --git a/templates/nginx.watcher.path.j2 b/templates/nginx.watcher.path.j2
deleted file mode 100644
index 901f613..0000000
--- a/templates/nginx.watcher.path.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-# {{ ansible_managed }}
-
-[Path]
-# Activates the unit whenever it changes. It is not activated on every write to the
-# watched file but it is activated if the file which was open for writing gets closed.
-PathChanged=/etc/pve/local/pveproxy-ssl.pem
-
-[Install]
-WantedBy=multi-user.target
\ No newline at end of file
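Review bot: Two comment fixes in the new override.conf.j2 drop-in: `# has been set up in Proxmox.` (typo) and `# When systemd reloads the unit listed here, the action is` (grammar). A caveat worth recording next to ReloadPropagatedFrom: it only forwards a reload of pveproxy.service, so if Proxmox's ACME renewal restarts pveproxy rather than reloading it, nginx keeps serving the old certificate until it is reloaded by other means — I have not verified which action pve uses, so a comment such as `# NOTE: only propagates 'reload', not 'restart' — confirm pve's renewal path reloads pveproxy` would flag it for whoever can. Likewise, a unit skipped at boot by ConditionPathExists stays inactive and a propagated reload does nothing for it, which the README states but the drop-in does not; a one-line comment on the Condition lines saying so would save the next reader a trip to the README.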