roles/nginx: Rework Let's Encrypt stuff

Take an opinionated stance on HTTPS and assume that hosts are using
HTTPS for all vhosts. This can either be via custom TLS cert/key
pairs defined in the host's variables (could even be self-signed
certificates on dev boxes) or via Let's Encrypt.
This commit is contained in:
Alan Orth 2016-06-27 23:52:39 +03:00
parent 1254cea195
commit 0cd2735c82
Signed by: alanorth
GPG Key ID: 0FB860CC9C45B1B9
6 changed files with 54 additions and 13 deletions

View File

@ -19,6 +19,9 @@ nginx_ssl_protocols: 'TLSv1 TLSv1.1 TLSv1.2'
# Directory root for Let's Encrypt certs
letsencrypt_root: /etc/letsencrypt/live
# Location of Let's Encrypt's certbot script
letsencrypt_certbot_dest: /opt/certbot-auto
# stable is 1.10.x
# mainline is 1.11.x
nginx_version: mainline

View File

@ -0,0 +1,12 @@
[Unit]
Description=Daily renewal of Let's Encrypt's certificates
[Timer]
# twice a day, at midnight and noon
OnCalendar=*-*-* 00,12:00:00
# Add a random delay of 03600 seconds
RandomizedDelaySec=3600
Persistent=true
[Install]
WantedBy=timers.target

View File

@ -0,0 +1,22 @@
---
- name: Copy systemd service to renew Let's Encrypt certs
template: src=renew-letsencrypt.service.j2 dest=/etc/systemd/system/renew-letsencrypt.service mode=0644 owner=root group=root
register: letsencrypt_service
- name: Copy systemd timer to renew Let's Encrypt certs
copy: src=renew-letsencrypt.timer dest=/etc/systemd/system/renew-letsencrypt.timer mode=0644 owner=root group=root
register: letsencrypt_timer
# need to reload to pick up service/timer changes
- name: Reload systemd daemon
command: /bin/systemctl daemon-reload
when: letsencrypt_service|changed or letsencrypt_timer|changed
- name: Start and enable systemd timer to renew Let's Encrypt certs
service: name=renew-letsencrypt.timer state=started enabled=yes
- name: Download certbot
get_url: dest={{ letsencrypt_certbot_dest }} url=https://dl.eff.org/certbot-auto mode=700
# vim: set ts=2 sw=2:

View File

@ -32,4 +32,8 @@
with_items: "{{ nginx_vhosts }}"
tags: wordpress
- include: letsencrypt.yml
when: use_letsencrypt == 'yes'
tags: letsencrypt
# vim: set ts=2 sw=2:

View File

@ -2,28 +2,22 @@
{% set domain_name = item.domain_name %}
{# assume HSTS is off unless a vhost explicitly sets it to "yes" #}
{% set enable_hsts = item.enable_hsts | default("no") %}
{# assume a vhost is not using Let's Encrypt unless it explicitly sets it to "yes" #}
{% set use_letsencrypt = item.use_letsencrypt | default("no") %}
{% if use_letsencrypt == "yes" %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
{% elif item.tls_certificate_path and item.tls_key_path %}
{# first, check if the current vhost has a custom cert (perhaps self-signed) #}
{% if item.tls_certificate_path and item.tls_key_path %}
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ item.tls_certificate_path }};
ssl_certificate_key {{ item.tls_key_path }};
{# otherwise, assume host is using letsencrypt #}
{% else %}
# "snakeoil" certificate (self signed!)
ssl_certificate /etc/ssl/certs/nginx-snakeoil.crt;
ssl_certificate_key /etc/ssl/private/nginx-snakeoil.key;
# concatenated key + cert
# See: http://nginx.org/en/docs/http/configuring_https_servers.html
ssl_certificate {{ letsencrypt_root }}/{{ domain_name }}/fullchain.pem;
ssl_certificate_key {{ letsencrypt_root }}/{{ domain_name }}/privkey.pem;
{% endif %}

View File

@ -0,0 +1,6 @@
[Unit]
Description=Let's Encrypt renewal
[Service]
Type=oneshot
ExecStart={{ letsencrypt_certbot_dest }} renew --standalone --pre-hook "/bin/systemctl stop nginx" --post-hook "/bin/systemctl start nginx"