
---
# Support HTTPS setup using Let's Encrypt
# TODO: Transition over to the ACME module once available (this was the `letsencrypt` module planned for Ansible 2.2; it now ships as `acme_certificate` in the `community.crypto` collection) so issuance and renewal become idempotent module calls instead of raw commands - See http://docs.ansible.com/ansible/letsencrypt_module.html
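- name: verify if rust is installed
  # The presence of the cargo binary is used as the "rust is installed" marker
  # for the fetch/install tasks below, so the installer is not re-run on every play.
  stat:
    path: /usr/local/bin/cargo
  register: cargo_binary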
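- name: fetch rust installer via site
  # SECURITY: this script is executed as root by the next task. TLS is verified
  # (validate_certs is the default, made explicit here) but the content is not
  # pinned, so a compromised mirror or CDN edge would yield root on this host.
  # TODO(security): record a known-good digest and add `checksum: sha256:<digest>`
  # so a tampered download is rejected before it is run.
  get_url:
    url: https://static.rust-lang.org/rustup.sh
    dest: /root/rustup.sh
    mode: "0740"
    validate_certs: true
  when: not cargo_binary.stat.exists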
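- name: install rust via installer
  # Runs the freshly downloaded script as root ("curl | sh" pattern): whoever
  # controls the download controls the host. Pin the download (checksum) or
  # vendor the installer in the repository before using this in production.
  shell: /root/rustup.sh
  when: not cargo_binary.stat.exists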
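- name: verify if letsencrypt-rs is installed
  # Presence of the binary under the cargo install root is the guard for the
  # apt/cargo tasks below.
  stat:
    path: /usr/local/bin/letsencrypt-rs
  register: letsencrypt_binary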
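- name: install the dev dependencies for letsencrypt-rs client
  # Build-time dependency for the `cargo install` task below (OpenSSL headers).
  apt:
    name: libssl-dev
    state: present
  when: not letsencrypt_binary.stat.exists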
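- name: install the letsencrypt-rs client
  # Installs whatever crate version is latest at run time and builds it as root:
  # the build is not reproducible, and a malicious crate release (build scripts
  # run during `cargo install`) would execute with root privileges.
  # TODO(security): pin the crate with `--version X.Y.Z` (and ideally build from a
  # vendored/locked source) so the installed client is the one that was reviewed.
  command: cargo install letsencrypt-rs --root /usr/local
  when: not letsencrypt_binary.stat.exists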
# NOTE: certbot variant kept for reference only; certbot takes the challenge
# directory via `--webroot-path`/`-w`, not a second `--webroot`, so this would
# need that fix before being re-enabled.
#- name: retrieve the certificate
# command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
# --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
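- name: setup webapp ssl challenges
  # Directories the ACME client writes its challenge files into (presumably the
  # HTTP-01 webroot that nginx serves under /.well-known/acme-challenge/).
  # The client runs as www-data (see the retrieve task), hence group write
  # in the mode; "others" get read only, no traverse.
  # NOTE(review): owner is taken from the *group* variable; confirm that is the
  # intended owner rather than a dedicated web-server user variable.
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ nsbase_web_server_group }}"
    group: "{{ nsbase_web_server_group }}"
    mode: "0774"
  with_items:
    - "{{ nsbase_letsencrypt_challenges_dir }}"
    - "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
  when: nsbase_letsencrypt_enable_ssl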
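- name: retrieve the certificate
  # Bug fixed: the original used `\` line continuations inside a plain YAML
  # scalar, so the backslashes were passed through to the command module as
  # arguments; a folded scalar (>-) joins the lines with spaces instead.
  # The privilege drop to www-data goes through Ansible's become handling
  # rather than an inline `sudo -u`, so it is logged/controlled like any other
  # become and does not depend on sudo being on PATH.
  # Not idempotent: this contacts the CA on every run, and Let's Encrypt
  # rate-limits duplicate certificates. It is now gated on the same flag as the
  # challenge directories; additionally add `args: creates: <issued cert path>`
  # once the client's output location is known, so re-runs are skipped.
  become: true
  become_user: www-data
  command: >-
    letsencrypt-rs sign
    --email {{ nsbase_letsencrypt_email }}
    --domain {{ nsbase_app_hostname }}
    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
  when: nsbase_letsencrypt_enable_ssl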
#- name: ensure nginx has basic ssl settings
# lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
# with_items:
# - ssl_protocols TLSv1 TLSv1.1 TLSv1.2;  # NOTE: TLSv1 and TLSv1.1 are deprecated (RFC 8996); use `TLSv1.2 TLSv1.3` if this block is re-enabled
# - ssl_prefer_server_ciphers on;
# - ssl_session_cache shared:SSL:50m;
# - ssl_session_timeout 5m;
# notify: restart nginx
# TODO: Add in individual certificate for site setup.
# TODO: Add in supervisor configuration for renewal: run a daily check that only re-signs when the certificate is within ~30 days of expiry. Certificates are valid for 90 days and Let's Encrypt rate-limits duplicate issuance, so unconditionally re-signing every 2 days would exhaust the limit and break renewal.