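---
# Support HTTPS setup using Let's Encrypt
#
# Flow: make sure a Rust toolchain (cargo) is present, build the
# letsencrypt-rs client with it, create the webroot challenge directories,
# then request the certificate. Install steps are skipped when the
# corresponding binary already exists on the host.

# TODO: Transition over to letsencrypt module once released for Ansible 2.2 - See http://docs.ansible.com/ansible/letsencrypt_module.html

- name: verify if rust is installed
  stat:
    path: /usr/local/bin/cargo
  register: cargo_binary

# NOTE(review): the installer fetched here is executed as root below with no
# integrity check beyond the TLS connection. Pin it with
# `checksum: "sha256:<RUSTUP_SHA256_PLACEHOLDER>"` once the expected digest of
# rustup.sh is recorded alongside the other role variables.
- name: fetch rust installer via site
  get_url:
    url: https://static.rust-lang.org/rustup.sh
    dest: /root/rustup.sh
    mode: "0740"
    validate_certs: true
  when: not cargo_binary.stat.exists

# No shell features are used, so `command` is sufficient and avoids a shell.
- name: install rust via installer
  command: /root/rustup.sh
  when: not cargo_binary.stat.exists

- name: verify if letsencrypt-rs is installed
  stat:
    path: /usr/local/bin/letsencrypt-rs
  register: letsencrypt_binary

- name: install the dev dependencies for letsencrypt-rs client
  apt:
    name: libssl-dev
    state: present
  when: not letsencrypt_binary.stat.exists

- name: install the letsencrypt-rs client
  command: cargo install letsencrypt-rs --root /usr/local
  when: not letsencrypt_binary.stat.exists

#- name: retrieve the certificate
#  command: letsencrypt certonly --webroot --email {{ nsbase_letsencrypt_email }} --agree-tos --non-interactive \
#           --domain {{ nsbase_app_hostname }} --webroot {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}

# NOTE(review): owner is taken from nsbase_web_server_group; if the role also
# defines a dedicated web-server user variable, that is presumably the intended
# owner — confirm against the role defaults.
- name: setup webapp ssl challenges
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ nsbase_web_server_group }}"
    group: "{{ nsbase_web_server_group }}"
    mode: "0774"
  with_items:
    - "{{ nsbase_letsencrypt_challenges_dir }}"
    - "{{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}"
  when: nsbase_letsencrypt_enable_ssl

# Drops to www-data through become rather than a hand-rolled `sudo -u` inside
# the command string, so the privilege change is visible to Ansible.
# The previous multi-line value carried literal backslash continuations into
# the argument list; a folded scalar joins the lines with plain spaces.
# Gated on the same flag as the challenge-directory task above, since the
# --public-dir path only exists when that task ran.
# Not idempotent: letsencrypt-rs is invoked on every run when the flag is set.
- name: retrieve the certificate
  command: >-
    letsencrypt-rs sign
    --email {{ nsbase_letsencrypt_email }}
    --domain {{ nsbase_app_hostname }}
    --public-dir {{ nsbase_letsencrypt_challenges_dir }}/{{ nsbase_app_name }}
  become: true
  become_user: www-data
  when: nsbase_letsencrypt_enable_ssl

# NOTE(review): if this block is revived, drop TLSv1 and TLSv1.1 from
# ssl_protocols and add an explicit ssl_ciphers list.
#- name: ensure nginx has basic ssl settings
#  lineinfile: dest=/etc/nginx/conf.d/ssl.conf state=present line={{ item }} insertafter="http {"
#  with_items:
#    - ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
#    - ssl_prefer_server_ciphers on;
#    - ssl_session_cache shared:SSL:50m;
#    - ssl_session_timeout 5m;
#  notify: restart nginx

# TODO: Add in individual certificate for site setup.

# TODO: Add in supervisor configuration to renew the certificate every 2 days.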