rails-ansible
WIP: Add Let's Encrypt via certbot-nginx plugin
This PR is completely independent of the proposed changes in https://github.com/cupnoodle/rails-ansible/pull/1.
Implementation actually turned out to be fairly simple, mainly following the instructions in https://linuxbuz.com/linuxhowto/install-letsencrypt-ssl-ansible (with a few tweaks to simplify it and combine it with the existing playbook).
- The user can specify one or more domains in vars/vars.yml along with an email address to register with
- Certbot gets installed via apt
- The domains from step 1 get merged into the Nginx config template (templates/nginx_app.conf.j2)
- The domains and email address get used in one task to configure certbot and create the certificate
- Another Ansible task adds a cron task to renew the certificates as required
woah, thanks for this PR! Is it possible to add an if statement to check if the user has domain variables set? So that it won't call letsencrypt if there is no domain set, as I sometimes will spin up a server quickly to test some stuff out without needing a domain.
Great idea! That should be very doable! I’ll take a look at that tonight.
On 13 Dec 2020, at 2:46 pm, Axel Kee [email protected] wrote:
woah, thanks for this PR! Is it possible to add an if statement to check if the user has domain variables set? So that it won't call letsencrypt if there is no domain set, as I sometimes will spin up a server quickly to test some stuff out without needing a domain.
I was trying to figure out a fancy way to detect if the domain list was defined and if so to do different things in the playbook and the template.
While writing out a StackOverflow question it dawned on me there was a much simpler (and clearer) way...
Add a boolean that tells it whether to do those steps or not.
If we set the default to false in the source and people don't change the default, the existing playbook runs identically to before the change (almost, in this version python3-certbot-nginx always gets installed, even if you aren't using it).
We'd just need to document that if you change that value to true, you are responsible for:
- registering DNS entries for the domains
- adding the domains and a valid email to var/vars.yml
- not running afoul of the Let's Encrypt rate limits (which can happen if you run this playbook repeatedly in testing... or if you have too many different servers all registering certificates for the same parent domain)
This also doesn't work if you have an existing wildcard certificate and want to reuse that... perhaps that can be a future enhancement 😉
P.S. I haven't tested the changes I made at all yet... there may be face-palmingly obvious syntax errors... but I think the approach makes sense. What do you think of the general approach?
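A sketch of the boolean-gated approach discussed in this thread, as an added example rather than code from this PR or the rails-ansible project. The variable names (letsencrypt_enabled, letsencrypt_domains, letsencrypt_email) and the certificate path are assumptions; the `creates:` guard keeps repeated test runs from re-requesting certificates and hitting the Let's Encrypt rate limits, and the apt install is gated too so a disabled run stays identical to the original playbook.

```yaml
# vars/vars.yml (assumed variable names; defaults keep the playbook behaviour unchanged)
letsencrypt_enabled: false
letsencrypt_email: "admin@example.com"   # placeholder, replace before enabling
letsencrypt_domains: []                  # e.g. ["example.com", "www.example.com"]

# templates/nginx_app.conf.j2 can then render the server name from the same list:
#   server_name {{ letsencrypt_domains | join(' ') if letsencrypt_enabled else '_' }};

# tasks in the main playbook, every one of them skipped unless the flag is true
- name: Fail early if Let's Encrypt is enabled without the required variables
  ansible.builtin.assert:
    that:
      - letsencrypt_domains | length > 0
      - letsencrypt_email | length > 0
    fail_msg: "letsencrypt_enabled is true but letsencrypt_domains or letsencrypt_email is empty"
  when: letsencrypt_enabled

- name: Install the certbot nginx plugin only when it will actually be used
  ansible.builtin.apt:
    name: python3-certbot-nginx
    state: present
    update_cache: true
  when: letsencrypt_enabled

# 'creates' makes this idempotent: once the first domain's certificate exists the
# task is skipped, so rerunning the playbook does not consume rate-limit quota.
- name: Obtain the certificate for all configured domains
  ansible.builtin.command:
    cmd: >-
      certbot --nginx --non-interactive --agree-tos --redirect
      -m {{ letsencrypt_email }}
      -d {{ letsencrypt_domains | join(' -d ') }}
    creates: "/etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem"
  when: letsencrypt_enabled

# certbot renew only acts on certificates close to expiry, so a twice-daily
# schedule is safe; the nginx plugin reloads nginx after a successful renewal.
- name: Schedule certificate renewal
  ansible.builtin.cron:
    name: "certbot renew"
    minute: "30"
    hour: "3,15"
    job: "certbot renew --quiet"
  when: letsencrypt_enabled
```

The assert task turns a missing domain or email into a clear playbook failure instead of a confusing certbot error mid-run.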