roles/nginx: Rework Let's Encrypt stuff

Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt.
2016-06-27 23:52:39 +03:00 · 2016-06-27 23:52:39 +03:00 · 0cd2735c82
commit 0cd2735c82
parent 1254cea195
6 changed files with 54 additions and 13 deletions
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -19,6 +19,9 @@ nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
 # Directory root for Let's Encrypt certs
 letsencrypt_root: /etc/letsencrypt/live

+# Location of Let's Encrypt's certbot script
+letsencrypt_certbot_dest: /opt/certbot-auto
+
 # stable is 1.10.x
 # mainline is 1.11.x
 nginx_version: mainline
--- a/roles/nginx/files/renew-letsencrypt.timer
+++ b/roles/nginx/files/renew-letsencrypt.timer
@ -0,0 +1,12 @@
+[Unit]
+Description=Daily renewal of Let's Encrypt's certificates
+
+[Timer]
+# twice a day, at midnight and noon
+OnCalendar=*-*-* 00,12:00:00
+# Add a random delay of 0–3600 seconds
+RandomizedDelaySec=3600
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/roles/nginx/tasks/letsencrypt.yml
+++ b/roles/nginx/tasks/letsencrypt.yml
@ -0,0 +1,22 @@
+---
+
+- name: Copy systemd service to renew Let's Encrypt certs
+  template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root
+  register: letsencrypt_service
+
+- name: Copy systemd timer to renew Let's Encrypt certs
+  copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root
+  register: letsencrypt_timer
+
+# need to reload to pick up service/timer changes
+- name: Reload systemd daemon
+  command: /bin/systemctl daemon-reload
+  when: letsencrypt_service|changed or letsencrypt_timer|changed
+
+- name: Start and enable systemd timer to renew Let's Encrypt certs
+  service: name=renew-letsencrypt.timer state=started enabled=yes
+
+- name: Download certbot
+  get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
+
+# vim: set ts=2 sw=2:
--- a/roles/nginx/tasks/vhosts.yml
+++ b/roles/nginx/tasks/vhosts.yml
@ -32,4 +32,8 @@
  with_items: "{{ nginx_vhosts }}"
  tags: wordpress

+- include: letsencrypt.yml
+  when: use_letsencrypt == 'yes'
+  tags: letsencrypt
+
 # vim: set ts=2 sw=2:
--- a/roles/nginx/templates/https.j2
+++ b/roles/nginx/templates/https.j2
@ -2,28 +2,22 @@
 {% set domain_name       = item.domain_name %}
 {# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
 {% set enable_hsts       = item.enable_hsts | default("no") %}
-{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
-{% set use_letsencrypt = item.use_letsencrypt | default("no") %}

-    {% if use_letsencrypt == "yes" %}
-
-    # concatenated key + cert
-    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
-    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
-    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
-
-    {% elif item.tls_certificate_path and item.tls_key_path %}
+    {# first, check if the current vhost has a custom cert (perhaps self-signed) #}
+    {% if item.tls_certificate_path and item.tls_key_path %}

    # concatenated key + cert
    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
    ssl_certificate {{ item.tls_certificate_path }};
    ssl_certificate_key {{ item.tls_key_path }};

+    {# otherwise, assume host is using letsencrypt #}
    {% else %}

-    # "snakeoil" certificate (self signed!)
-    ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
-    ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
+    # concatenated key + cert
+    # See: http://nginx.org/en/docs/http/configuring_https_servers.html
+    ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;

    {% endif %}

--- a/roles/nginx/templates/renew-letsencrypt.service.j2
+++ b/roles/nginx/templates/renew-letsencrypt.service.j2
@ -0,0 +1,6 @@
+[Unit]
+Description=Let's Encrypt renewal
+
+[Service]
+Type=oneshot
+ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"