final touches

certbot
eric 2019-01-31 14:29:02 -05:00
parent 8d7c7f0c23
commit 79007dcf4b
5 changed files with 35 additions and 7 deletions


@ -4,6 +4,8 @@ The current provisioning setup uses [Ansible](https://www.ansible.com/resources/
## Pre-requisites ## Pre-requisites
Before attempting to deploy, ensure you have done the following: Before attempting to deploy, ensure you have done the following:
1. git checkout https://github.com/EbookFoundation/regluit-provisioning
1. create `certs` and `decrypted` directories in `private`
1. Install `ansible` on your local machine 1. Install `ansible` on your local machine
1. Obtain the `ansible-vault` password and save it to a file 1. Obtain the `ansible-vault` password and save it to a file
1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]` 1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
@ -17,7 +19,7 @@ Before attempting to deploy, ensure you have done the following:
## Deploy ## Deploy
Deploying is as simple as running the `setup-prod` ansible playbook. Deploying is as simple as running the `setup-prod` ansible playbook.
Navigate to the `provisioning/` directory and run the following: Navigate to the `regluit-provisioning/` directory and run the following:
``` ```
$ ansible-playbook -i hosts setup-prod.yml $ ansible-playbook -i hosts setup-prod.yml
``` ```
@ -27,7 +29,7 @@ If you successfully completed all the pre-requisite steps, the playbook should b
## Additional Configuration ## Additional Configuration
### Variables and Secrets ### Variables and Secrets
The necessary variables are pulled from `provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`. The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
The variables are split into two files to still allow for searching references in playbook tasks. The variables are split into two files to still allow for searching references in playbook tasks.
To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**. This is done in a similar manner: `$ ansible-vault encrypt vault.yml`. To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**. This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.


@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python" wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git" git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "production" git_branch: "production"
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ### ### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}" mysql_db_name: "{{ vault_mysql_db_name }}"
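Review bot: `le_endpoint` is the only unquoted value in this run of variables (`wsgi_home`, `wsgi_python_path`, `git_repo`, `git_branch` and `mysql_db_name` are all double-quoted); quote it to match, `le_endpoint: "https://acme-staging-v02.api.letsencrypt.org/directory"`. The same applies to the `le_endpoint` lines added in the third file section (the production directory and its commented-out staging alternative) and in the fourth (a second staging value). Since the group_vars files now point at different ACME directories, a one-line comment above the value, such as `# Let's Encrypt staging directory: issues certs chained to an untrusted test root; use the production directory only once the flow is verified`, would save the next reader from guessing whether the staging value is intentional.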


@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python" wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git" git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "master" git_branch: "master"
le_endpoint: https://acme-v02.api.letsencrypt.org/directory
#le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ### ### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}" mysql_db_name: "{{ vault_mysql_db_name }}"


@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
wsgi_python_path: "/opt/regluit/venv/bin/python" wsgi_python_path: "/opt/regluit/venv/bin/python"
git_repo: "https://github.com/Gluejar/regluit.git" git_repo: "https://github.com/Gluejar/regluit.git"
git_branch: "production" git_branch: "production"
le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
### Variables in settings.prod.py ### ### Variables in settings.prod.py ###
mysql_db_name: "{{ vault_mysql_db_name }}" mysql_db_name: "{{ vault_mysql_db_name }}"


@ -8,10 +8,22 @@
# #
# create a code signing request by hand on ansible host with (for example) # create a code signing request by hand on ansible host with (for example)
# openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it # openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
#
# make sure you have private/decrypted/ and private/certs/
- name: Decrypt files
copy:
src: private/{{ item }}
dest: private/decrypted/{{ item }}
with_items:
- 'letsencrypt_account.key'
- '{{ server_name }}.csr'
delegate_to: 127.0.0.1
- name: Make sure account exists and has given contacts. We agree to TOS. - name: Make sure account exists and has given contacts. We agree to TOS.
acme_account: acme_account:
account_key_src: private/letsencrypt_account.key account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}" acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
state: present state: present
@ -35,12 +47,12 @@
- name: Create a challenge for server_name using a account key file. - name: Create a challenge for server_name using a account key file.
acme_certificate: acme_certificate:
account_key_src: private/letsencrypt_account.key account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}" acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
remaining_days: 45 remaining_days: 45
select_crypto_backend: openssl select_crypto_backend: openssl
csr: "csrs/{{ server_name }}.csr" csr: "private/decrypted/{{ server_name }}.csr"
dest: private/certs/{{ server_name }}.crt dest: private/certs/{{ server_name }}.crt
fullchain_dest: private/certs/{{ server_name }}.ca-bundle fullchain_dest: private/certs/{{ server_name }}.ca-bundle
delegate_to: 127.0.0.1 delegate_to: 127.0.0.1
@ -72,12 +84,12 @@
- name: Create a challenge for server_name using a account key file. - name: Create a challenge for server_name using a account key file.
acme_certificate: acme_certificate:
account_key_src: private/letsencrypt_account.key account_key_src: private/decrypted/letsencrypt_account.key
acme_directory: "{{ le_endpoint }}" acme_directory: "{{ le_endpoint }}"
acme_version: 2 acme_version: 2
remaining_days: 45 remaining_days: 45
select_crypto_backend: openssl select_crypto_backend: openssl
csr: "csrs/{{ server_name }}.csr" csr: "private/decrypted/{{ server_name }}.csr"
dest: private/certs/{{ server_name }}.crt dest: private/certs/{{ server_name }}.crt
fullchain_dest: private/certs/{{ server_name }}.ca-bundle fullchain_dest: private/certs/{{ server_name }}.ca-bundle
data: "{{ acme_challenge }}" data: "{{ acme_challenge }}"
@ -111,3 +123,12 @@
- restart apache - restart apache
tags: tags:
- certs - certs
- name: delete decrypted files
file:
path: private/decrypted/{{ item }}
state: absent
with_items:
- 'letsencrypt_account.key'
- '{{ server_name }}.csr'
delegate_to: 127.0.0.1
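Review bot: The `Decrypt files` task in the first hunk writes `letsencrypt_account.key` to `private/decrypted/` on the controller without a `mode`, so the ACME account private key, presumably in plaintext given the task name, sits on disk with whatever the default umask yields (typically group- and world-readable) for the rest of the run; add `mode: '0600'` under `copy:`. The `delete decrypted files` task in the last hunk only runs when every task before it succeeds, so a failed challenge or a `--limit`/connection error leaves the decrypted key and CSR behind; moving the certificate tasks into a `block:` with the deletion under `always:` would make the cleanup unconditional (that restructure touches tasks outside these hunks). The task preceding the deletion carries the `certs` tag but neither the decrypt nor the delete task appears to, so an `ansible-playbook --tags certs` run would likely skip the decrypt step and fail on the missing key path; tagging both new tasks the same way keeps the playbook consistent.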