Work on experimental support for Let's Encrypt.

This commit is contained in:
Dorian 2016-10-02 15:50:38 -04:00
parent 76882a8c1f
commit b151175966
9 changed files with 74 additions and 18 deletions


@ -11,3 +11,7 @@ nsbase_app_root_path: "{{ nsbase_web_root_path }}/{{ nsbase_app_name }}_webapp"
# NGINX # NGINX
nsbase_app_hostname: localhost nsbase_app_hostname: localhost
nsbase_app_static_path: "{{ nsbase_app_root_path }}/{{ nsbase_app_name }}/static/" nsbase_app_static_path: "{{ nsbase_app_root_path }}/{{ nsbase_app_name }}/static/"
# Optional setup of SSL/HTTPS
nsbase_letsencrypt_enable_ssl: false
nsbase_letsencrypt_email: user@example.com
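Review bot: `nsbase_letsencrypt_email: user@example.com` is a live default, so a consumer who flips `nsbase_letsencrypt_enable_ssl` on without overriding it registers the ACME account under a placeholder address, and any account or expiry mail from the CA goes nowhere; the `localhost` hostname it would be paired with (context line above) cannot be validated either. Either leave the email out of defaults so the sign task fails on an undefined variable, or add a guard before the include, `- assert: { that: "nsbase_letsencrypt_email != 'user@example.com'" }`. At minimum a comment above the key, `# Must be overridden: used to register the ACME account`, makes the intent explicit.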


@ -2,16 +2,12 @@
# handlers file for ansible-nginx-uwsgi-supervisor # handlers file for ansible-nginx-uwsgi-supervisor
- name: start supervisord - name: start supervisord
service: name=supervisor state=started service: name=supervisor state=started
sudo: yes
- name: start supervisord - name: start supervisord
service: name=supervisor state=started service: name=supervisor state=started
sudo: yes
- name: restart supervisord - name: restart supervisord
service: name=supervisor state=restarted service: name=supervisor state=restarted
sudo: yes
- name: restart nginx - name: restart nginx
service: name=nginx state=restarted service: name=nginx state=restarted
sudo: yes

tasks/lets_encrypt.yaml Normal file

@ -0,0 +1,57 @@
---
# Support HTTPS setup using Let's Encrypt
# TODO: Transition over to letsencrypt module once released for Ansible 2.2 - See http://docs.ansible.com/ansible/letsencrypt_module.html
- name: verify if rust is installed
stat: path=/usr/local/bin/cargo
register: cargo_binary
- name: fetch rust installer via site
get_url: url=https://static.rust-lang.org/rustup.sh dest=/root/rustup.sh mode=0740
when: cargo_binary.stat.exists == false
- name: install rust via installer
shell: /root/rustup.sh
when: cargo_binary.stat.exists == false
- name: verify if letsencrypt-rs is installed
stat: path=/usr/local/bin/letsencrypt-rs
register: letsencrypt_binary
- name: install the dev dependencies for letsencrypt-rs client
apt: name=libssl-dev state=present
when: letsencrypt_binary.stat.exists == false
- name: install the letsencrypt-rs client
command: cargo install letsencrypt-rs --root /usr/local
when: letsencrypt_binary.stat.exists == false
#- name: retrieve the certificate
# command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
# --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
- name: setup webapp ssl challenges
file: path={{ item }} state=directory
owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
with_items:
- "{{ nsbase_letsencrypt_challenges_dir }}"
- "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
when: nsbase_letsencrypt_enable_ssl
- name: retrieve the certificate
command: sudo -u www-data letsencrypt-rs sign \
--email {{ nsbase_letsencrypt_email }} \
--domain {{ nsbase_app_hostname }} \
--public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
#- name: ensure nginx has basic ssl settings
# lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
# with_items:
# - ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# - ssl_prefer_server_ciphers on;
# - ssl_session_cache shared:SSL:50m;
# - ssl_session_timeout 5m;
# notify: restart nginx
# TODO: Add in individual certificate for site setup.
# TODO: Add in supervisor configuration to renew the certificate every 2 days.
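Review bot: The backslash continuations in the `retrieve the certificate` task survive into the command string, because a multi-line plain scalar folds the line breaks into spaces and keeps the `\`; the command module's shlex split then turns each `\ --email` into an argument with a leading space, so the client's option parsing will fail. Use a folded block scalar (`command: >-`) with no backslashes, and replace the in-command `sudo -u www-data` with `become: true` / `become_user: www-data` so Ansible handles the escalation. The other tasks in this file (apt, get_url into /root, `cargo install --root /usr/local`) also run without `become`, and the commit drops `sudo: yes` from nginx.yaml, supervisor.yaml, web_data_folders.yaml and the handlers; unless the play sets `become` (not visible here) those tasks will fail, and `become: true` is the replacement for the deprecated `sudo` keyword. Finally, `rustup.sh` is downloaded and executed with no integrity check; pin it with get_url's `checksum=sha256:<expected-digest>` so a changed installer is refused rather than run as root, and prefer `when: not cargo_binary.stat.exists` over `== false`.
```yaml
- name: retrieve the certificate
  become: true
  become_user: www-data
  command: >-
    letsencrypt-rs sign
    --email {{ nsbase_letsencrypt_email }}
    --domain {{ nsbase_app_hostname }}
    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
```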


@ -3,3 +3,4 @@
- include: nginx.yaml - include: nginx.yaml
- include: supervisor.yaml - include: supervisor.yaml
- include: web_data_folders.yaml - include: web_data_folders.yaml
- { include: lets_encrypt.yaml, when: nsbase_letsencrypt_enable_ssl == true }
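Review bot: The new include is written as a flow mapping with `== true`, unlike the block-style includes above it and the bare `when: nsbase_letsencrypt_enable_ssl` used inside tasks/lets_encrypt.yaml itself. `- include: lets_encrypt.yaml` followed by `  when: nsbase_letsencrypt_enable_ssl` keeps the file consistent and avoids the explicit boolean comparison.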


@ -1,21 +1,17 @@
--- ---
- name: install nginx webserver - name: install nginx webserver
apt: pkg=nginx-full state=present apt: pkg=nginx-full state=present
sudo: yes
- name: configure nginx - name: configure nginx
template: src=app_nginx.conf dest=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }} template: src=app_nginx.conf dest=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}
sudo: yes
- name: link to enable nginx configuration - name: link to enable nginx configuration
file: state=link file: state=link
src=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }} src=/etc/nginx/sites-available/{{ nsbase_app_nginx_config }}
path=/etc/nginx/sites-enabled/{{ nsbase_app_nginx_config }} path=/etc/nginx/sites-enabled/{{ nsbase_app_nginx_config }}
sudo: yes
- name: disable default configuration - name: disable default configuration
file: state=absent path=/etc/nginx/sites-enabled/default file: state=absent path=/etc/nginx/sites-enabled/default
sudo: yes
notify: restart nginx notify: restart nginx
- name: set nginx directories permissions - name: set nginx directories permissions
@ -26,7 +22,6 @@
- /etc/nginx - /etc/nginx
- /etc/nginx/sites-available - /etc/nginx/sites-available
- /etc/nginx/sites-enabled - /etc/nginx/sites-enabled
sudo: yes
- name: set nginx logs permissions - name: set nginx logs permissions
file: path=/var/log/nginx/{{ item }} state=file file: path=/var/log/nginx/{{ item }} state=file
@ -34,4 +29,3 @@
with_items: with_items:
- access.log - access.log
- error.log - error.log
sudo: yes


@ -1,7 +1,6 @@
--- ---
- name: install supervisord - name: install supervisord
apt: name=supervisor state=present apt: name=supervisor state=present
sudo: yes
- name: set permissions on supervisor config and log directories - name: set permissions on supervisor config and log directories
file: path={{ item }} group={{ nsbase_web_server_group }} state=directory mode=0755 file: path={{ item }} group={{ nsbase_web_server_group }} state=directory mode=0755
@ -9,7 +8,6 @@
- /etc/supervisor - /etc/supervisor
- /etc/supervisor/conf.d - /etc/supervisor/conf.d
- /var/log/supervisor - /var/log/supervisor
sudo: yes
- name: modify supervisor configuration - name: modify supervisor configuration
ini_file: dest=/etc/supervisor/supervisord.conf section=unix_http_server ini_file: dest=/etc/supervisor/supervisord.conf section=unix_http_server
@ -17,9 +15,7 @@
with_dict: with_dict:
chmod: "0770" chmod: "0770"
chown: root:{{ nsbase_web_server_group }} chown: root:{{ nsbase_web_server_group }}
sudo: yes
- name: upload supervisor configuration to web server home - name: upload supervisor configuration to web server home
template: src=app_supervisor.conf dest=/etc/supervisor/conf.d/{{ nsbase_app_supervisor_config }} template: src=app_supervisor.conf dest=/etc/supervisor/conf.d/{{ nsbase_app_supervisor_config }}
sudo: yes
notify: start supervisord notify: start supervisord


@ -2,7 +2,6 @@
- name: setup webapp deployment folder with the correct permissions - name: setup webapp deployment folder with the correct permissions
file: path={{ nsbase_web_root_path }} state=directory file: path={{ nsbase_web_root_path }} state=directory
owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774 owner={{ nsbase_web_server_group }} group={{ nsbase_web_server_group }} mode=0774
sudo: yes
- name: setup webapp deployment configuration + log folders with the correct permissions - name: setup webapp deployment configuration + log folders with the correct permissions
file: path={{ nsbase_web_root_path }}/{{ item }} state=directory file: path={{ nsbase_web_root_path }}/{{ item }} state=directory
@ -12,7 +11,6 @@
- config/uwsgi - config/uwsgi
- logs - logs
- virtualenvs - virtualenvs
sudo: yes
- name: link remote folders with webapp home folder - name: link remote folders with webapp home folder
file: state=link file: state=link
@ -24,8 +22,6 @@
/etc/supervisor: config/supervisor /etc/supervisor: config/supervisor
/var/log/nginx: logs/nginx /var/log/nginx: logs/nginx
/var/log/supervisor: logs/supervisor /var/log/supervisor: logs/supervisor
sudo: yes
- name: add user to webserver group - name: add user to webserver group
user: name={{ nsbase_web_user }} append=yes groups={{ nsbase_web_server_group }} user: name={{ nsbase_web_user }} append=yes groups={{ nsbase_web_server_group }}
sudo: yes


@ -11,6 +11,14 @@ server {
location / { location / {
try_files $uri @{{ nsbase_app_name }}_app; try_files $uri @{{ nsbase_app_name }}_app;
} }
{% if nsbase_letsencrypt_enable_ssl %}
location /.well-known/acme-challenge/ {
# alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }};
alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}/.well-known/acme-challenge/;
}
{% endif %}
location @{{ nsbase_app_name }}_app { location @{{ nsbase_app_name }}_app {
# Include your setup to connect to the webapp setup here. # Include your setup to connect to the webapp setup here.
} }
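Review bot: The commented-out `# alias {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }};` line inside the new acme-challenge location is dead text that ends up in every rendered nginx config; drop it. The live `alias` ends in `/.well-known/acme-challenge/`, which only lines up with the `--public-dir` passed by the sign task if letsencrypt-rs writes its tokens under `<public-dir>/.well-known/acme-challenge/`, so that is worth confirming against the client. A comment such as `# ACME HTTP-01 challenge files written by letsencrypt-rs sign; path must match --public-dir` would make the coupling visible to the next reader.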


@ -14,3 +14,7 @@ nsbase_app_supervisor_config: "{{ nsbase_app_name }}_supervisor.conf"
nsbase_app_service_name: "{{ nsbase_app_name }}" nsbase_app_service_name: "{{ nsbase_app_name }}"
nsbase_app_service_command: "echo {{ nsbase_app_name }}" nsbase_app_service_command: "echo {{ nsbase_app_name }}"
nsbase_app_service_stop_signal: QUIT nsbase_app_service_stop_signal: QUIT
# SSL specific settings
nsbase_letsencrypt_version: "0.7.0"
nsbase_letsencrypt_challenges_dir: "{{ nsbase_web_root_path }}/ssl"
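Review bot: `nsbase_letsencrypt_version: "0.7.0"` is introduced but nothing in the commit reads it; the `cargo install letsencrypt-rs --root /usr/local` task in tasks/lets_encrypt.yaml installs whatever the registry currently serves as latest. Either pass it through, `command: cargo install letsencrypt-rs --vers {{ nsbase_letsencrypt_version }} --root /usr/local`, so the installed client is pinned and reproducible, or remove the variable. `nsbase_letsencrypt_challenges_dir` is placed under `nsbase_web_root_path`, which is fine as long as nginx only exposes the acme-challenge subpath, as the template hunk does.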