final touches

certbot
eric 2019-01-31 14:29:02 -05:00
parent 8d7c7f0c23
commit 79007dcf4b
5 changed files with 35 additions and 7 deletions


@ -4,6 +4,8 @@ The current provisioning setup uses [Ansible](https://www.ansible.com/resources/
## Pre-requisites
Before attempting to deploy, ensure you have done the following:
1. git checkout https://github.com/EbookFoundation/regluit-provisioning
1. create `certs` and `decrypted` directories in `private`
1. Install `ansible` on your local machine
1. Obtain the `ansible-vault` password and save it to a file
1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
@ -17,7 +19,7 @@ Before attempting to deploy, ensure you have done the following:
## Deploy
Deploying is as simple as running the `setup-prod` ansible playbook.
Navigate to the `provisioning/` directory and run the following:
Navigate to the `regluit-provisioning/` directory and run the following:
```
$ ansible-playbook -i hosts setup-prod.yml
```
@ -27,7 +29,7 @@ If you successfully completed all the pre-requisite steps, the playbook should b
## Additional Configuration
### Variables and Secrets
The necessary variables are pulled from `provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
The variables are split into two files to still allow for searching references in playbook tasks.
To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**. This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.


@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "production"
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}"
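Review bot: `le_endpoint` here points at the Let's Encrypt staging directory while `git_branch` on the line above it is `production`; staging issues certificates from an untrusted test CA, so if this vars file backs a real host the issued certificate will be rejected by clients, which is worth confirming since the file name is not visible on this page. The same staging-endpoint/production-branch pairing appears in the last vars section of this commit. Stylistically the value should be quoted like the neighbouring `git_repo`, `le_endpoint: "https://acme-staging-v02.api.letsencrypt.org/directory"`, and a comment above it such as `# ACME directory; staging avoids Let's Encrypt rate limits but issues untrusted certs` would make the intent explicit.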


@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "master"
le_endpoint: https://acme-v02.api.letsencrypt.org/directory
#le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}"
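Review bot: The commented-out alternative on the line after `le_endpoint` has no space after `#` and leaves an unexplained toggle in what appears to be the production vars; replace it with a comment stating when to flip it, e.g. `# ACME directory for issuance; switch to the staging directory (acme-staging-v02) when testing to stay under Let's Encrypt rate limits`. The live value should also be quoted to match `git_repo` and `git_branch` above it: `le_endpoint: "https://acme-v02.api.letsencrypt.org/directory"`.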


@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "production"
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}"


@ -8,10 +8,22 @@
#
# create a code signing request by hand on ansible host with (for example)
# openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
#
# make sure you have private/decrypted/ and private/certs/
- name: Decrypt files
copy:
src: private/{{ item }}
dest: private/decrypted/{{ item }}
with_items:
- 'letsencrypt_account.key'
- '{{ server_name }}.csr'
delegate_to: 127.0.0.1
- name: Make sure account exists and has given contacts. We agree to TOS.
acme_account:
account_key_src: private/letsencrypt_account.key
account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}"
acme_version: 2
state: present
@ -35,12 +47,12 @@
- name: Create a challenge for server_name using a account key file.
acme_certificate:
account_key_src: private/letsencrypt_account.key
account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}"
acme_version: 2
remaining_days: 45
select_crypto_backend: openssl
csr: "csrs/{{ server_name }}.csr"
csr: "private/decrypted/{{ server_name }}.csr"
dest: private/certs/{{ server_name }}.crt
fullchain_dest: private/certs/{{ server_name }}.ca-bundle
delegate_to: 127.0.0.1
@ -72,12 +84,12 @@
- name: Create a challenge for server_name using a account key file.
acme_certificate:
account_key_src: private/letsencrypt_account.key
account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}"
acme_version: 2
remaining_days: 45
select_crypto_backend: openssl
csr: "csrs/{{ server_name }}.csr"
csr: "private/decrypted/{{ server_name }}.csr"
dest: private/certs/{{ server_name }}.crt
fullchain_dest: private/certs/{{ server_name }}.ca-bundle
data: "{{ acme_challenge }}"
@ -111,3 +123,12 @@
- restart apache
tags:
- certs
- name: delete decrypted files
file:
path: private/decrypted/{{ item }}
state: absent
with_items:
- 'letsencrypt_account.key'
- '{{ server_name }}.csr'
delegate_to: 127.0.0.1
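Review bot: The `Decrypt files` copy task in the first hunk writes the decrypted ACME account key to `private/decrypted/` without a `mode`, so the plaintext key gets whatever permissions the controller's umask produces; add `mode: '0600'` under the `dest:` line. The `delete decrypted files` task in the last hunk runs only if every task between the two succeeds, so a failed challenge or certificate step leaves the plaintext key and CSR on disk; wrapping the issuance tasks in a `block` with the deletion in its `always` section would make the cleanup unconditional. Presumably the `private/` sources are ansible-vault encrypted and `copy` decrypts them in transit; a comment above the task, `# copy decrypts vault-encrypted sources; plaintext exists only in private/decrypted/ until the final cleanup task`, would record that dependency. Since `private/decrypted/` sits inside the repository checkout, it is worth confirming it is git-ignored. The enclosing play begins outside these hunks.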