Move all ACME in sites-enabled/letsencrypt-http

Federico Ceratto · Federico Ceratto · commit 8137d5bbc6ec · 2020-07-07T13:44:09.000+01:00
diff --git a/ansible/roles/countly/tasks/main.yml b/ansible/roles/countly/tasks/main.yml
@@ -6,9 +6,3 @@
     group: root
     mode: 0644
   notify: restart nginx
-
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: restart nginx
diff --git a/ansible/roles/explorer/tasks/main.yml b/ansible/roles/explorer/tasks/main.yml
@@ -42,9 +42,4 @@
     user: "{{ user_group_id.stdout }}"
     restart_policy: unless-stopped
 
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: reload nginx
 ...
diff --git a/ansible/roles/github-webhooks/tasks/main.yml b/ansible/roles/github-webhooks/tasks/main.yml
@@ -51,9 +51,4 @@
       - "/srv/github-webhooks:/srv/github-webhooks"
     restart_policy: unless-stopped
 
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: reload nginx
 ...
diff --git a/ansible/roles/letsencrypt/templates/letsencrypt-http b/ansible/roles/letsencrypt/templates/letsencrypt-http
@@ -2,16 +2,17 @@
 # Generated by ansible
 # roles/letsencrypt/templates/letsencrypt-http
 
-{% for domain in letsencrypt_domains %}
-
-# Domain: {{ domain }}
 server {
+    # Listen on port 80 for *any* domain
     listen 80;
-    server_name {{ domain }};
+    server_name _;
 
+    # Serve ACME challenge from disk
     location /.well-known/acme-challenge {
         root /var/www/letsencrypt;
         try_files $uri $uri/ =404;
     }
+
+    # Redirect everything else to port 443 regardless of domain
+    return 301 https://$host$request_uri;
 }
-{% endfor %}
diff --git a/ansible/roles/ooni-bouncer/templates/ngx-bouncer b/ansible/roles/ooni-bouncer/templates/ngx-bouncer
@@ -36,10 +36,4 @@ server {
     location / {
         proxy_pass http://127.0.0.1:{{ bouncer_port }};
     }
-
-    location /.well-known/acme-challenge {
-        default_type "text/plain";
-        root /var/www/letsencrypt;
-        try_files $uri $uri/ =404;
-    }
 }
diff --git a/ansible/roles/ooni-collector/templates/ngx-collector b/ansible/roles/ooni-collector/templates/ngx-collector
@@ -37,10 +37,4 @@ server {
     location / {
         proxy_pass http://127.0.0.1:{{ collector_port }};
     }
-
-    location /.well-known/acme-challenge {
-        default_type "text/plain";
-        root /var/www/letsencrypt;
-        try_files $uri $uri/ =404;
-    }
 }
diff --git a/ansible/roles/ooni-measurements/tasks/main.yml b/ansible/roles/ooni-measurements/tasks/main.yml
@@ -59,11 +59,3 @@
     command: "gunicorn --config python:measurements.gunicorn_config --bind 0.0.0.0:{{ oomsm_backend_port }} --workers 20 --timeout 60 measurements.wsgi"
     # user: "oomsmweb:oomsmweb" XXX-UID
     restart_policy: unless-stopped
-
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify:
-  - test API nginx config
-  - reload API nginx
diff --git a/ansible/roles/ooni-orchestrate/templates/orchestra_nginx.conf.j2 b/ansible/roles/ooni-orchestrate/templates/orchestra_nginx.conf.j2
@@ -18,15 +18,3 @@ server {
     proxy_read_timeout 900;
   }
 }
-
-server {
-  server_name _;
-
-  listen 80;
-
-  location /.well-known/acme-challenge {
-    default_type "text/plain";
-    root /var/www/letsencrypt;
-    try_files $uri $uri/ =404;
-  }
-}
diff --git a/ansible/roles/ooni-run/tasks/main.yml b/ansible/roles/ooni-run/tasks/main.yml
@@ -48,9 +48,3 @@
     group: root
     mode: 0644
   notify: restart nginx
-
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: restart nginx
diff --git a/ansible/roles/orchestra-frontend/tasks/main.yml b/ansible/roles/orchestra-frontend/tasks/main.yml
@@ -54,9 +54,3 @@
     group: root
     mode: 0644
   notify: restart nginx
-
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: restart nginx
diff --git a/ansible/roles/probe-services/tasks/main.yml b/ansible/roles/probe-services/tasks/main.yml
@@ -11,12 +11,6 @@
   template: src=probe-services-nginx dest=/etc/nginx/sites-enabled/probe-services
   notify: reload nginx
 
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: reload nginx
-
 - name: mkdir for config and data
   file:
     path: "{{ item }}"
diff --git a/ansible/roles/probe-services/templates/probe-services-nginx b/ansible/roles/probe-services/templates/probe-services-nginx
@@ -3,7 +3,6 @@
 {% import 'common.j2' as c %}
 
 server {
-    listen 80;
     listen 443 ssl;
     {{ c.ssl_letsencrypt(probe_services_domain) }}
 
diff --git a/ansible/roles/slackin/tasks/main.yml b/ansible/roles/slackin/tasks/main.yml
@@ -40,9 +40,3 @@
     group: root
     mode: 0644
   notify: restart nginx
-
-- name: delete letsencrypt nginx config
-  file:
-    state: absent
-    path: "/etc/nginx/sites-enabled/letsencrypt-http"
-  notify: reload nginx

Original file line number	Diff line number	Diff line change
`@@ -36,10 +36,4 @@ server {`
`36`	`36`	`location / {`
`37`	`37`	`proxy_pass http://127.0.0.1:{{ bouncer_port }};`
`38`	`38`	`}`
`39`		`-`
`40`		`- location /.well-known/acme-challenge {`
`41`		`- default_type "text/plain";`
`42`		`- root /var/www/letsencrypt;`
`43`		`- try_files $uri $uri/ =404;`
`44`		`- }`
`45`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -37,10 +37,4 @@ server {`
`37`	`37`	`location / {`
`38`	`38`	`proxy_pass http://127.0.0.1:{{ collector_port }};`
`39`	`39`	`}`
`40`		`-`
`41`		`- location /.well-known/acme-challenge {`
`42`		`- default_type "text/plain";`
`43`		`- root /var/www/letsencrypt;`
`44`		`- try_files $uri $uri/ =404;`
`45`		`- }`
`46`	`40`	`}`