diff --git a/defaults/main.yml b/defaults/main.yml
index 94c1b01..d6de31d 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -11,3 +11,7 @@ nsbase_app_root_path: "{{ nsbase_web_root_path }}/{{ nsbase_app_name }}_webapp"
 # NGINX
 nsbase_app_hostname: localhost
 nsbase_app_static_path: "{{ nsbase_app_root_path }}/{{ nsbase_app_name }}/static/"
+
+# Optional setup of SSL/HTTPS
+nsbase_letsencrypt_enable_ssl: false
+nsbase_letsencrypt_email: user@example.com
diff --git a/handlers/main.yml b/handlers/main.yml
index 112f236..4445be0 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -2,16 +2,12 @@
 # handlers file for ansible-nginx-uwsgi-supervisor
 - name: start supervisord
   service: name=supervisor state=started
-  sudo: yes
 
 - name: start supervisord
   service: name=supervisor state=started
-  sudo: yes
 
 - name: restart supervisord
   service: name=supervisor state=restarted
-  sudo: yes
 
 - name: restart nginx
   service: name=nginx state=restarted
-  sudo: yes
diff --git a/tasks/lets_encrypt.yaml b/tasks/lets_encrypt.yaml
new file mode 100644
index 0000000..eb1c426
--- /dev/null
+++ b/tasks/lets_encrypt.yaml
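Review bot: `nsbase_letsencrypt_email: user@example.com` is a live default, so a consumer who sets `nsbase_letsencrypt_enable_ssl: true` without overriding it will register an ACME account under a placeholder address, and nothing in the diff checks for that. Prefer making the address a required variable: leave it undefined here and fail fast at the top of `tasks/lets_encrypt.yaml` with `- fail: msg="nsbase_letsencrypt_email must be set when nsbase_letsencrypt_enable_ssl is true"` guarded by `when: nsbase_letsencrypt_email is not defined`, or keep the placeholder and test for it explicitly. Quoting the value (`"user@example.com"`) would also match the neighbouring defaults, which are all quoted strings.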
@@ -0,0 +1,57 @@
+---
+# Support HTTPS setup using Let's Encrypt
+
+# TODO: Transition over to letsencrypt module once released for Ansible 2.2 - See http://docs.ansible.com/ansible/letsencrypt_module.html
+- name: verify if rust is installed
+  stat: path=/usr/local/bin/cargo
+  register: cargo_binary
+
+- name: fetch rust installer via site
+  get_url: url=https://static.rust-lang.org/rustup.sh dest=/root/rustup.sh mode=0740
+  when: cargo_binary.stat.exists == false
+
+- name: install rust via installer
+  shell: /root/rustup.sh
+  when: cargo_binary.stat.exists == false
+
+- name: verify if letsencrypt-rs is installed
+  stat: path=/usr/local/bin/letsencrypt-rs
+  register: letsencrypt_binary
+
+- name: install the dev dependencies for letsencrypt-rs client
+  apt: name=libssl-dev state=present
+  when: letsencrypt_binary.stat.exists == false
+
+- name: install the letsencrypt-rs client
+  command: cargo install letsencrypt-rs --root /usr/local
+  when: letsencrypt_binary.stat.exists == false
+
+#- name: retrieve the certificate
+# command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
+# --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
+- name: setup webapp ssl challenges
+  file: path={{ item }} state=directory
+        owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
+  with_items:
+    - "{{ nsbase_letsencrypt_challenges_dir }}"
+    - "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
+  when: nsbase_letsencrypt_enable_ssl
+
+- name: retrieve the certificate
+  command: sudo -u www-data letsencrypt-rs sign \
+    --email {{ nsbase_letsencrypt_email }} \
+    --domain {{ nsbase_app_hostname }} \
+    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
+
+#- name: ensure nginx has basic ssl settings
+# lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
+# with_items:
+# - 
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+# - ssl_prefer_server_ciphers on;
+# - ssl_session_cache shared:SSL:50m;
+# - ssl_session_timeout 5m;
+# notify: restart nginx
+
+# TODO: Add in individual certificate for site setup.
+
+# TODO: Add in supervisor configuration to renew the certificate every 2 days.
diff --git a/tasks/main.yml b/tasks/main.yml
index 67c67b4..380ae80 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -3,3 +3,4 @@
 - include: nginx.yaml
 - include: supervisor.yaml
 - include: web_data_folders.yaml
+- { include: lets_encrypt.yaml, when: nsbase_letsencrypt_enable_ssl == true }
diff --git a/tasks/nginx.yaml b/tasks/nginx.yaml
index 205d897..5cc2efa 100644
--- a/tasks/nginx.yaml
+++ b/tasks/nginx.yaml
@@ -1,21 +1,17 @@
 ---
 - name: install nginx webserver
   apt: pkg=nginx-full state=present
-  sudo: yes
 
 - name: configure nginx
   template: src=app_nginx.conf dest=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}
-  sudo: yes
 
 - name: link to enable nginx configuration
   file: state=link src=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }} path=/etc/nginx/sites-enabled/{{ nsbase_app_nginx_config }}
-  sudo: yes
 
 - name: disable default configuration
   file: state=absent path=/etc/nginx/sites-enabled/default
-  sudo: yes
   notify: restart nginx
 
 - name: set nginx directories permissions
@@ -26,7 +22,6 @@
   - /etc/nginx
   - /etc/nginx/sites-available
   - /etc/nginx/sites-enabled
-  sudo: yes
 
 - name: set nginx logs permissions
   file: path=/var/log/nginx/{{ item }} state=file
@@ -34,4 +29,3 @@
   with_items:
   - access.log
   - error.log
-  sudo: yes
diff --git a/tasks/supervisor.yaml b/tasks/supervisor.yaml
index 78a60de..2721430 100644
--- a/tasks/supervisor.yaml
+++ b/tasks/supervisor.yaml
@@ -1,7 +1,6 @@
 ---
 - name: install supervisord
   apt: name=supervisor state=present
-  sudo: yes
 
 - name: set permissions on supervisor config and log directories
   file: path={{ item }} group={{ nsbase_web_server_group }} state=directory mode=0755
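Review bot: The trailing backslashes in the `retrieve the certificate` task are not line continuations — YAML folds the plain multi-line scalar into a single line before Ansible sees it, so each `\` reaches the command module's argument splitting, where `\ ` most likely becomes a literal space glued onto the next option (` --email`), and the hard-coded `sudo -u www-data` bypasses both the `nsbase_web_server_group` variable the rest of the role uses and Ansible's own escalation, which this commit now delegates to the calling play by removing every `sudo: yes` (handlers/main.yml, tasks/nginx.yaml, tasks/supervisor.yaml, tasks/web_data_folders.yaml). Rewriting the task as below fixes both (use `nsbase_web_user` instead if that is the account meant to own the challenge files); nothing makes the task idempotent either, so it will re-request a certificate on every run — a `creates=` argument for the issued certificate path, or a `when` on a `stat` of it, avoids hitting the CA's rate limits. `fetch rust installer via site` downloads `rustup.sh` and `install rust via installer` executes it as root with no integrity check; `get_url` accepts a `checksum` argument (`checksum=sha256:<PLACEHOLDER: published digest>`), which pins what actually runs. `cargo install letsencrypt-rs --root /usr/local` installs whatever the registry currently serves even though `vars/main.yml` defines `nsbase_letsencrypt_version: "0.7.0"` in this same commit — pass it as `--vers {{ nsbase_letsencrypt_version }}`. On style, `when: cargo_binary.stat.exists == false` reads better as `when: not cargo_binary.stat.exists`, and the `when: nsbase_letsencrypt_enable_ssl` on `setup webapp ssl challenges` duplicates the condition `tasks/main.yml` already places on the include.
```yaml
- name: retrieve the certificate
  become: true
  become_user: "{{ nsbase_web_server_group }}"
  command: >-
    letsencrypt-rs sign
    --email {{ nsbase_letsencrypt_email }}
    --domain {{ nsbase_app_hostname }}
    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
```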
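Review bot: `when: nsbase_letsencrypt_enable_ssl == true` compares a boolean against `true`; the idiomatic form is `when: nsbase_letsencrypt_enable_ssl`, and this include is the only one written as a flow mapping while its three siblings use block style — `- include: lets_encrypt.yaml` followed by `  when: nsbase_letsencrypt_enable_ssl` keeps the file uniform. Because the `when` on a static include is applied to every task inside `lets_encrypt.yaml`, the same condition repeated on the `setup webapp ssl challenges` task in that file is redundant and can be dropped.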
@@ -9,7 +8,6 @@
   - /etc/supervisor
   - /etc/supervisor/conf.d
   - /var/log/supervisor
-  sudo: yes
 
 - name: modify supervisor configuration
   ini_file: dest=/etc/supervisor/supervisord.conf section=unix_http_server
@@ -17,9 +15,7 @@
   with_dict:
     chmod: "0770"
     chown: root:{{ nsbase_web_server_group }}
-  sudo: yes
 
 - name: upload supervisor configuration to web server home
   template: src=app_supervisor.conf dest=/etc/supervisor/conf.d/{{ nsbase_app_supervisor_config }}
-  sudo: yes
   notify: start supervisord
diff --git a/tasks/web_data_folders.yaml b/tasks/web_data_folders.yaml
index c4f339f..6100067 100644
--- a/tasks/web_data_folders.yaml
+++ b/tasks/web_data_folders.yaml
@@ -2,7 +2,6 @@
 - name: setup webapp deployment folder with the correct permissions
   file: path={{ nsbase_web_root_path }} state=directory
        owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
-  sudo: yes
 
 - name: setup webapp deployment configuration + log folders with the correct permissions
   file: path={{ nsbase_web_root_path }}/{{ item }} state=directory
@@ -12,7 +11,6 @@
   - config/uwsgi
   - logs
   - virtualenvs
-  sudo: yes
 
 - name: link remote folders with webapp home folder
   file: state=link
@@ -24,8 +22,6 @@
     /etc/supervisor: config/supervisor
     /var/log/nginx: logs/nginx
     /var/log/supervisor: logs/supervisor
-  sudo: yes
 
 - name: add user to webserver group
   user: name={{ nsbase_web_user }} append=yes groups={{ nsbase_web_server_group }}
-  sudo: yes
diff --git a/templates/app_nginx.conf b/templates/app_nginx.conf
index 31ba803..a8c9a4f 100644
--- a/templates/app_nginx.conf
+++ b/templates/app_nginx.conf
@@ -11,6 +11,14 @@ server {
     location / {
         try_files $uri @{{ nsbase_app_name }}_app;
     }
+
+{% if nsbase_letsencrypt_enable_ssl %}
+    location /.well-known/acme-challenge/ {
+        # alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }};
+        alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}/.well-known/acme-challenge/;
+    }
+
+{% endif %}
     location @{{ nsbase_app_name }}_app {
         # Include your setup to connect to the webapp setup here.
     }
diff --git a/vars/main.yml b/vars/main.yml
index 5011f92..407fa05 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -14,3 +14,7 @@ nsbase_app_supervisor_config: "{{ nsbase_app_name }}_supervisor.conf"
 nsbase_app_service_name: "{{ nsbase_app_name }}"
 nsbase_app_service_command: "echo {{ nsbase_app_name }}"
 nsbase_app_service_stop_signal: QUIT
+
+# SSL specific settings
+nsbase_letsencrypt_version: "0.7.0"
+nsbase_letsencrypt_challenges_dir: "{{ nsbase_web_root_path }}/ssl"
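Review bot: The commented-out `# alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }};` inside the new location block is an nginx comment, not a Jinja one, so the dead alternative is rendered into `/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}` on every host; delete it or wrap it as `{# ... #}` so it never reaches the live config. The surviving `alias` assumes `letsencrypt-rs` writes challenge tokens under `<public-dir>/.well-known/acme-challenge/`, and the two competing lines suggest that layout was not confirmed — a one-line comment recording the verified path would spare the next maintainer the same guess. The blank lines just inside `{% if %}` and before `{% endif %}` also render into the config; `{%- if nsbase_letsencrypt_enable_ssl %}` / `{%- endif %}` whitespace control keeps the output tidy.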
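Review bot: `nsbase_letsencrypt_challenges_dir` is placed in `vars/main.yml`, where role vars outrank inventory and play vars, so a consumer cannot relocate the challenge directory the way they can override `nsbase_letsencrypt_email` from `defaults/main.yml`; unless the path is meant to be fixed, it belongs in defaults alongside the other `nsbase_letsencrypt_*` knobs. It is also the directory nginx serves for ACME validation, so whoever changes it must keep it in step with the `alias` in `templates/app_nginx.conf` — a short comment here pointing at that coupling, e.g. `# Served by the acme-challenge location in templates/app_nginx.conf`, would help.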