Work on experimental support for Lets Encrypt.

2016-10-02 15:50:38 -04:00 · 2016-10-02 15:50:38 -04:00 · b151175966
parent 76882a8c1f
commit b151175966
9 changed files with 74 additions and 18 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -11,3 +11,7 @@ nsbase_app_root_path: "{{ nsbase_web_root_path }}/{{ nsbase_app_name }}_webapp"
 # NGINX
 nsbase_app_hostname: localhost
 nsbase_app_static_path: "{{ nsbase_app_root_path }}/{{ nsbase_app_name }}/static/"
+
+# Optional setup of SSL/HTTPS
+nsbase_letsencrypt_enable_ssl: false
+nsbase_letsencrypt_email: user@example.com
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -2,16 +2,12 @@
 # handlers file for ansible-nginx-uwsgi-supervisor
 - name: start supervisord
  service: name=supervisor state=started
-  sudo: yes

 - name: start supervisord
  service: name=supervisor state=started
-  sudo: yes

 - name: restart supervisord
  service: name=supervisor state=restarted
-  sudo: yes

 - name: restart nginx
  service: name=nginx state=restarted
-  sudo: yes
--- a/tasks/lets_encrypt.yaml
+++ b/tasks/lets_encrypt.yaml
@ -0,0 +1,57 @@
+---
+# Support HTTPS setup using Let's Encrypt
+
+# TODO: Transition over to letsencrypt module once released for Ansible 2.2 - See http://docs.ansible.com/ansible/letsencrypt_module.html
+- name: verify if rust is installed
+  stat: path=/usr/local/bin/cargo
+  register: cargo_binary
+
+- name: fetch rust installer via site
+  get_url: url=https://static.rust-lang.org/rustup.sh dest=/root/rustup.sh mode=0740
+  when: cargo_binary.stat.exists == false
+
+- name: install rust via installer
+  shell: /root/rustup.sh
+  when: cargo_binary.stat.exists == false
+
+- name: verify if letsencrypt-rs is installed
+  stat: path=/usr/local/bin/letsencrypt-rs
+  register: letsencrypt_binary
+
+- name: install the dev dependencies for letsencrypt-rs client
+  apt: name=libssl-dev state=present
+  when: letsencrypt_binary.stat.exists == false
+
+- name: install the letsencrypt-rs client
+  command: cargo install letsencrypt-rs --root /usr/local
+  when: letsencrypt_binary.stat.exists == false
+
+#- name: retrieve the certificate
+#  command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
+#    --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
+- name: setup webapp ssl challenges
+  file: path={{ item }} state=directory
+        owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
+  with_items:
+      - "{{ nsbase_letsencrypt_challenges_dir }}"
+      - "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
+  when: nsbase_letsencrypt_enable_ssl
+
+- name: retrieve the certificate
+  command: sudo -u www-data letsencrypt-rs sign \
+    --email {{ nsbase_letsencrypt_email }} \
+    --domain {{ nsbase_app_hostname }} \
+    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
+
+#- name: ensure nginx has basic ssl settings
+#  lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
+#  with_items:
+#    - ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+#    - ssl_prefer_server_ciphers on;
+#    - ssl_session_cache shared:SSL:50m;
+#    - ssl_session_timeout 5m;
+#  notify: restart nginx
+
+# TODO: Add in individual certificate for site setup.
+
+# TODO: Add in supervisor configuration to renew the certificate every 2 days.
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -3,3 +3,4 @@
 - include: nginx.yaml
 - include: supervisor.yaml
 - include: web_data_folders.yaml
+- { include: lets_encrypt.yaml, when: nsbase_letsencrypt_enable_ssl == true }
--- a/tasks/nginx.yaml
+++ b/tasks/nginx.yaml
@ -1,21 +1,17 @@
 ---
 - name: install nginx webserver
  apt: pkg=nginx-full state=present
-  sudo: yes

 - name: configure nginx
  template: src=app_nginx.conf dest=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}
-  sudo: yes

 - name: link to enable nginx configuration
  file: state=link
        src=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}
        path=/etc/nginx/sites-enabled/{{ nsbase_app_nginx_config }}
-  sudo: yes

 - name: disable default configuration
  file: state=absent path=/etc/nginx/sites-enabled/default
-  sudo: yes
  notify: restart nginx

 - name: set nginx directories permissions
@ -26,7 +22,6 @@
      - /etc/nginx
      - /etc/nginx/sites-available
      - /etc/nginx/sites-enabled
-  sudo: yes

 - name: set nginx logs permissions
  file: path=/var/log/nginx/{{ item }} state=file
@ -34,4 +29,3 @@
  with_items:
      - access.log
      - error.log
-  sudo: yes
--- a/tasks/supervisor.yaml
+++ b/tasks/supervisor.yaml
@ -1,7 +1,6 @@
 ---
 - name: install supervisord
  apt: name=supervisor state=present
-  sudo: yes

 - name: set permissions on supervisor config and log directories
  file: path={{ item }} group={{ nsbase_web_server_group }} state=directory mode=0755
@ -9,7 +8,6 @@
     - /etc/supervisor
     - /etc/supervisor/conf.d
     - /var/log/supervisor
-  sudo: yes

 - name: modify supervisor configuration
  ini_file: dest=/etc/supervisor/supervisord.conf section=unix_http_server
@ -17,9 +15,7 @@
  with_dict:
      chmod: "0770"
      chown: root:{{ nsbase_web_server_group }}
-  sudo: yes

 - name: upload supervisor configuration to web server home
  template: src=app_supervisor.conf dest=/etc/supervisor/conf.d/{{ nsbase_app_supervisor_config }}
-  sudo: yes
  notify: start supervisord
--- a/tasks/web_data_folders.yaml
+++ b/tasks/web_data_folders.yaml
@ -2,7 +2,6 @@
 - name: setup webapp deployment folder with the correct permissions
  file: path={{ nsbase_web_root_path }} state=directory
        owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
-  sudo: yes

 - name: setup webapp deployment configuration + log folders with the correct permissions
  file: path={{ nsbase_web_root_path }}/{{ item }} state=directory
@ -12,7 +11,6 @@
      - config/uwsgi
      - logs
      - virtualenvs
-  sudo: yes

 - name: link remote folders with webapp home folder
  file: state=link
@ -24,8 +22,6 @@
      /etc/supervisor: config/supervisor
      /var/log/nginx: logs/nginx
      /var/log/supervisor: logs/supervisor
-  sudo: yes

 - name: add user to webserver group
  user: name={{ nsbase_web_user }} append=yes groups={{ nsbase_web_server_group }}
-  sudo: yes
--- a/templates/app_nginx.conf
+++ b/templates/app_nginx.conf
@ -11,6 +11,14 @@ server {
    location / {
        try_files   $uri @{{ nsbase_app_name }}_app;
    }
+
+{% if nsbase_letsencrypt_enable_ssl %}
+    location /.well-known/acme-challenge/ {
+        # alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }};
+        alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}/.well-known/acme-challenge/;
+    }
+
+{% endif %}
    location @{{ nsbase_app_name }}_app {
        # Include your setup to connect to the webapp setup here.
    }
--- a/vars/main.yml
+++ b/vars/main.yml
@ -14,3 +14,7 @@ nsbase_app_supervisor_config: "{{ nsbase_app_name }}_supervisor.conf"
 nsbase_app_service_name: "{{ nsbase_app_name }}"
 nsbase_app_service_command: "echo {{ nsbase_app_name }}"
 nsbase_app_service_stop_signal: QUIT
+
+# SSL specific settings
+nsbase_letsencrypt_version: "0.7.0"
+nsbase_letsencrypt_challenges_dir: "{{ nsbase_web_root_path }}/ssl"