From 0562d72eaafaedf0f10414e0b42fa92d248c60f3 Mon Sep 17 00:00:00 2001 From: Joshua Hull Date: Sun, 15 Jan 2023 10:49:21 +0100 Subject: sky: certbot: configure certbot esmil: - don't install cron job, just use the packaged timer - install deploy hook to reload nginx when certificates are updated --- roles/sky/tasks/certbot.yml | 71 ++++++++++++++++++++++++++++++++ roles/sky/tasks/main.yml | 3 ++ roles/sky/templates/certbot-nginx.sh.j2 | 9 ++++ roles/sky/templates/letsencrypt.nginx.j2 | 14 +++++++ roles/sky/vars/main.yml | 4 ++ 5 files changed, 101 insertions(+) create mode 100644 roles/sky/tasks/certbot.yml create mode 100755 roles/sky/templates/certbot-nginx.sh.j2 create mode 100644 roles/sky/templates/letsencrypt.nginx.j2 (limited to 'roles/sky') diff --git a/roles/sky/tasks/certbot.yml b/roles/sky/tasks/certbot.yml new file mode 100644 index 0000000..1ff4f03 --- /dev/null +++ b/roles/sky/tasks/certbot.yml 
@@ -0,0 +1,71 @@
+---
+- name: Create letsencrypt www directory
+ file:
+ name: '/var/www/letsencrypt'
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+
+- name: Install nginx site for letsencrypt requests
+ template:
+ dest: '/etc/nginx/sites-enabled/letsencrypt'
+ src: letsencrypt.nginx.j2
+ owner: root
+ group: root
+ mode: 0644
+ register: letsencrypt_site
+ tags:
+ - nginx
+
+# We need to have the letsencrypt site loaded in the
+# running nginx before creating the certificate below
+# so we can't wait for the regular handler to run
+- name: Reload nginx
+ systemd:
+ name: nginx.service
+ state: reloaded
+ when: letsencrypt_site is changed
+
+- name: 'Create {{ domain_name }} certificate'
+ command:
+ argv:
+ - '/usr/bin/certbot'
+ - 'certonly'
+ - '--non-interactive'
+ - '--agree-tos'
+ - '--max-log-backups'
+ - '99'
+ - '--webroot'
+ - '--webroot-path'
+ - '/var/www/letsencrypt'
+ - '--preferred-challenges'
+ - 'http'
+ - '--key-type'
+ - 'rsa'
+ - '-m'
+ - '{{ letsencrypt_email }}'
+ - '-d'
+ - '{{ domain_name }}'
+ - '-d'
+ - 'www.labitat.dk'
+ creates: '/etc/letsencrypt/renewal/{{ domain_name }}.conf'
+ notify:
+ - reload nginx
+
+- name: Enable certbot renewal timer
+ systemd:
+ name: certbot.timer
+ enabled: yes
+ masked: no
+ state: started
+
+- name: Add deploy hook to reload nginx
+ template:
+ dest: '/etc/letsencrypt/renewal-hooks/deploy/nginx.sh'
+ src: certbot-nginx.sh.j2
+ owner: root
+ group: root
+ mode: 0755
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/sky/tasks/main.yml b/roles/sky/tasks/main.yml
index 0e0e54e..6144e82 100644
--- a/roles/sky/tasks/main.yml
+++ b/roles/sky/tasks/main.yml
@@ -9,4 +9,7 @@ tags: - networkd +- import_tasks: certbot.yml + tags: certbot + # vim: set ts=2 sw=2 et:
diff --git a/roles/sky/templates/certbot-nginx.sh.j2 b/roles/sky/templates/certbot-nginx.sh.j2
new file mode 100755
index 0000000..96ffe6d
--- /dev/null
+++ b/roles/sky/templates/certbot-nginx.sh.j2
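Review bot: The `-d` list in the 'Create {{ domain_name }} certificate' task mixes the templated `{{ domain_name }}` with a hard-coded `www.labitat.dk`, so changing `domain_name` in vars would still request a SAN for www.labitat.dk (the nginx template in this commit hard-codes it the same way); a single `letsencrypt_domains` list rendered into both places would keep them in step. Because the task is guarded only by `creates: '/etc/letsencrypt/renewal/{{ domain_name }}.conf'`, any later change to the domain list is silently ignored on hosts that already have a lineage, which deserves a comment such as `# SANs are fixed at first issuance; changing them needs a manual certbot run with --expand or --cert-name`. `--key-type rsa` is presumably deliberate given that newer certbot releases default to ECDSA, and a one-line comment saying why would help the next maintainer. As a style point, write the modes and booleans as `mode: '0755'`, `enabled: true`, `masked: false` so YAML 1.1 loaders and linters do not reinterpret them.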
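Review bot: The `certbot` tag on the `import_tasks` line is inherited by every task in certbot.yml, but in that file the 'Install nginx site for letsencrypt requests' task also carries `nginx` while the 'Reload nginx' task that consumes its `register: letsencrypt_site` result does not, so `ansible-playbook --tags nginx` would write the site file and skip the reload — and since the template task has no `notify`, the regular handler would not fire either. Either add `tags: [nginx]` to the reload task as well or give the template task `notify: reload nginx`. The affected tasks live in the imported file, outside this hunk.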
@@ -0,0 +1,9 @@
+#!/bin/sh
+
+case "$RENEWED_LINEAGE" in
+*'/{{ domain_name }}')
+ exec systemctl reload nginx.service
+ ;;
+esac
+
+# vim: set ts=2 sw=2 et:
diff --git a/roles/sky/templates/letsencrypt.nginx.j2 b/roles/sky/templates/letsencrypt.nginx.j2
new file mode 100644
index 0000000..a04f58c
--- /dev/null
+++ b/roles/sky/templates/letsencrypt.nginx.j2
@@ -0,0 +1,14 @@
+server {
+ listen *:80;
+ listen [::]:80;
+ server_name {{ domain_name }} www.labitat.dk;
+
+ location /.well-known/acme-challenge {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
+}
diff --git a/roles/sky/vars/main.yml b/roles/sky/vars/main.yml
index cd85db3..ecdaefa 100644
--- a/roles/sky/vars/main.yml
+++ b/roles/sky/vars/main.yml
@@ -34,6 +34,7 @@ apt_sources_role: apt_packages_role: 'nginx': present + 'certbot': present journald_conf_role: 'Journal.Storage': 'persistent'
@@ -50,4 +51,7 @@ users: 'ast': sudo 'joshbuddy': sudo +domain_name: 'new.labitat.dk' +letsencrypt_email: 'josh@fireflop.com' + # vim: set ts=2 sw=2 et:
-- cgit v1.2.1
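Review bot: The hook keys on the lineage directory name via `*'/{{ domain_name }}')`, which certbot derives from the first `-d` name at issuance; if the lineage is ever created under another name (`--cert-name`, or the `-0001` suffix certbot appends for a duplicate lineage) nginx silently stops being reloaded while its certificate goes stale. Matching on the renewed domains is more robust: `case " $RENEWED_DOMAINS " in *" {{ domain_name }} "*) exec systemctl reload nginx.service ;; esac`. The template is committed as mode 100755, which has no effect since the installing task sets the rendered file's mode; a short header comment such as `# certbot deploy hook: reload nginx when the {{ domain_name }} certificate is renewed` would also help readers who find the file under /etc/letsencrypt.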
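Review bot: `return 301 https://$host$request_uri;` reflects the client-supplied Host header into the redirect target; if this ends up being the only or default port-80 server block on the host — not visible from this diff — a request with an arbitrary Host header becomes an open redirect to that host over HTTPS. Redirecting to the configured name instead, `return 301 https://{{ domain_name }}$request_uri;`, or adding a separate `listen 80 default_server;` catch-all that returns 444, removes the dependence on Host. In the challenge location, `try_files $uri $uri/ =404;` could drop `$uri/`, since ACME tokens are plain files and a directory lookup is never wanted there.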
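Review bot: `letsencrypt_email` is an individual's personal address, and the ACME account registered with it is where expiry warnings and account-related notices go; tying that to one contributor in a shared role becomes a gap when they move on, so a role or group alias would be safer. `domain_name` only names the primary SAN while `www.labitat.dk` is hard-coded elsewhere in this commit, so on its own the variable is misleading; a comment such as `# primary name of the certificate lineage; www.labitat.dk is added as an extra SAN in tasks/certbot.yml` makes that explicit. These sit in `vars/` rather than `defaults/`, so inventory cannot override them — plausibly intentional for a single-host role, but worth confirming.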