Add HTTPS Let's Encrypt example using geerlingguy.certbot role.

2024-05-19 06:50:03 +00:00 · 2018-09-15 22:38:08 -05:00
parent 58ca936579
commit df05b1219c
11 changed files with 143 additions and 2 deletions
--- a/https-letsencrypt/.gitignore
+++ b/https-letsencrypt/.gitignore
@@ -0,0 +1,2 @@
+inventory
+roles/geerlingguy.*
--- a/https-letsencrypt/README.md
+++ b/https-letsencrypt/README.md
@@ -0,0 +1,34 @@
+# HTTPS Let's Encrypt Demo
+
+This demonstrates generating valid TLS certificates using Let's Encrypt and Certbot on a public web server.
+
+## Quick Start Guide
+
+### 1 - Install dependencies
+
+  1. Install [Ansible](http://docs.ansible.com/intro_installation.html).
+  2. Install role dependencies: `ansible-galaxy install -r requirements.yml`
+
+### 2 - Create a publicly-accessible VM/VPS
+
+  1. Create a publicly-accessible VM running Ubuntu 18.04 (on your favorite cloud provider, like AWS, DigitalOcean, etc.).
+  2. Point a valid domain name at this server's IP address (e.g. using Route53 or your DNS provider).
+  3. Make sure your SSH key is added to the root user account.
+  4. Make sure you can SSH into the server using `ssh root@domain.example.com` (where `domain.example.com` is the domain name you have pointed at the server's IP address).
+
+### 3 - Configure the inventory
+
+Copy the `inventory.example` to `inventory`, and change:
+
+  1. The server name under the `[letsencrypt]` group to the domain name pointed at your new server.
+  2. The value for `letsencrypt_email` to an email address you control.
+
+### 4 - Run the playbook
+
+Run the Ansible playbook to automatically generate a Let's Encrypt certificate and use it in an example Nginx configuration:
+
+    ansible-playbook -i inventory main.yml
+
+## About the Author
+
+This project was created by [Jeff Geerling](https://www.jeffgeerling.com/) as an example for [Ansible for DevOps](https://www.ansiblefordevops.com/).
--- a/https-letsencrypt/ansible.cfg
+++ b/https-letsencrypt/ansible.cfg
@@ -0,0 +1,9 @@
+[defaults]
+host_key_checking = False
+roles_path = ./roles
+nocows = 1
+retry_files_enabled = False
+
+[ssh_connection]
+control_path = %(directory)s/%%h-%%p-%%r
+pipelining = True
--- a/https-letsencrypt/files/index.html
+++ b/https-letsencrypt/files/index.html
@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+  <title>HTTPS Let's Encrypt Test</title>
+  <style>* { font-family: Helvetica, Arial, sans-serif }</style>
+</head>
+<body>
+  <h1>HTTPS Let's Encrypt Test</h1>
+    <p>If you can see this message, it worked!</p>
+</body>
+</html>
--- a/https-letsencrypt/inventory.example
+++ b/https-letsencrypt/inventory.example
@@ -0,0 +1,2 @@
+[letsencrypt]
+domain.example.com ansible_ssh_user=root letsencrypt_email=webmaster@example.com
--- a/https-letsencrypt/main.yml
+++ b/https-letsencrypt/main.yml
@@ -0,0 +1,41 @@
+---
+- hosts: all
+  gather_facts: no
+
+  vars_files:
+    - vars/main.yml
+
+  pre_tasks:
+    - name: Install Python if not already present.
+      raw: test -e /usr/bin/python || (apt -y update && apt install -y python-minimal)
+      changed_when: False
+
+    - name: Gather facts after Python is definitely present.
+      setup:
+
+    - name: Ensure apt cache is updated.
+      apt: update_cache=yes cache_valid_time=600
+
+  roles:
+    - geerlingguy.firewall
+    - geerlingguy.nginx
+    - geerlingguy.certbot
+
+  tasks:
+    - name: Ensure docroot exists.
+      file:
+        path: "{{ nginx_docroot }}"
+        state: directory
+
+    - name: Copy example index.html file in place.
+      copy:
+        src: files/index.html
+        dest: "{{ nginx_docroot }}/index.html"
+        mode: 0755
+
+    - name: Copy Nginx server configuration in place.
+      template:
+        src: templates/https-letsencrypt.conf.j2
+        dest: /etc/nginx/sites-enabled/https-letsencrypt.conf
+        mode: 0644
+      notify: restart nginx
--- a/https-letsencrypt/requirements.yml
+++ b/https-letsencrypt/requirements.yml
@@ -0,0 +1,4 @@
+---
+- src: geerlingguy.firewall
+- src: geerlingguy.certbot
+- src: geerlingguy.nginx
--- a/https-letsencrypt/templates/https-letsencrypt.conf.j2
+++ b/https-letsencrypt/templates/https-letsencrypt.conf.j2
@@ -0,0 +1,19 @@
+# HTTPS server configuration.
+
+# Redirect HTTP traffic to HTTPS.
+server {
+    listen 80 default_server;
+    server_name _;
+    index index.html;
+    return 301 https://$host$request_uri;
+}
+
+# Serve HTTPS traffic using the self-signed certificate created by Ansible.
+server {
+    listen 443 ssl default_server;
+    server_name {{ inventory_hostname }};
+    root {{ nginx_docroot }};
+
+    ssl_certificate /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem;
+}
--- a/https-letsencrypt/vars/main.yml
+++ b/https-letsencrypt/vars/main.yml
@@ -0,0 +1,20 @@
+---
+# Firewall settings.
+firewall_allowed_tcp_ports:
+  - "22"
+  - "80"
+  - "443"
+
+# Nginx settings.
+nginx_vhosts: []
+nginx_remove_default_vhost: True
+nginx_ppa_use: True
+nginx_ppa_version: stable
+nginx_docroot: /var/www/html
+
+# Let's Encrypt certificate settings.
+certbot_create_if_missing: yes
+certbot_admin_email: "{{ letsencrypt_email }}"
+certbot_certs:
+  - domains:
+      - "{{ inventory_hostname }}"