with letsencrypt support

defaults/main.yml

@@ -7,6 +7,9 @@ osp_worker_timeout: 30
 # should not be edited
 osp_worker_worker: 1
 
+osp_tls_enabled: False
+osp_hostname: "{{ inventory_hostname }}"
+
 osp_http_user: "http"
 osp_http_group: "http"
 osp_http_path: "/var/www"
@@ -24,5 +27,5 @@ osp_secret_key: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_s
 osp_password_salt: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_password_salt length=8 chars=digits') }}"
 osp_allow_registration: yes
 osp_require_email_registration: yes
-osp_ejabberd_domain: "CHANGEME"
+osp_ejabberd_domain: "{{ osp_hostname }}"
 osp_ejabberd_password: "{{ lookup('password', 'credentials/'+inventory_hostname+'/osp_ejabberd_password length=8 chars=digits') }}"

handlers/main.yml

@@ -14,6 +14,9 @@
     name: nginx
     state: reloaded
 
+- name: dehydrated
+  command: /usr/bin/dehydrated -c
+
 - name: restart osp
   systemd:
     name: osp.target

tasks/main.yml

@@ -108,6 +108,10 @@
     - live-adapt
     - stream-thumb
 
+- name: tls
+  import_tasks: tls.yml
+  when: osp_tls_enabled
+
 - name: Nginx
   systemd:
     name: nginx
@@ -134,12 +138,12 @@
     requirements: /opt/osp/setup/requirements.txt
     virtualenv: /opt/osp-venv
 
-- name: Create cache directory
-  file:
-    path: /var/cache/osp
-    owner: "{{ osp_http_user }}"
-    group: "{{ osp_http_group }}"
-    state: directory
+#- name: Create cache directory
+#  file:
+#    path: /var/cache/osp
+#    owner: "{{ osp_http_user }}"
+#    group: "{{ osp_http_group }}"
+#    state: directory
 
 - name: Create logging directory
   file:

tasks/tls.yml

@@ -0,0 +1,43 @@
+- name: Install
+  package:
+    name: dehydrated
+
+- name: create folders
+  file:
+    path: "{{ item }}"
+    state: directory
+  with_items:
+  - /etc/nginx/sites.d
+  - /etc/nginx/local.d
+  - /etc/nginx/snippets
+
+- name: create folders
+  file:
+    path: "/srv/http/.well-known/acme-challenge"
+    state: directory
+
+- name: templates
+  notify: reload nginx
+  template:
+    src: "{{ item.file }}"
+    dest: "/etc/nginx/{{ item.path }}"
+  with_items:
+  - file: letsencrypt.nginx
+    path: snippets/letsencrypt.conf
+
+- name: config dehydrated
+  template:
+    src: dehydrated
+    dest: /etc/dehydrated/config
+
+- name: get let's encrypt account 
+  command: /usr/bin/dehydrated --register --accept-terms
+  args:
+    creates: /etc/dehydrated/accounts
+
+- name: get inventory_hostname cert
+  notify: dehydrated
+  lineinfile:
+    path: /etc/dehydrated/domains.txt
+    line: "{{ osp_hostname }}"
+    create: yes

templates/dehydrated

@@ -0,0 +1,2 @@
+WELLKNOWN=/srv/http/.well-known/acme-challenge
+CONTACT_EMAIL={{ webserver_dehydrated_email  }}

templates/letsencrypt.nginx

@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge {
+	alias /srv/http/.well-known/acme-challenge;
+	allow all;
+}

templates/nginx.conf

@@ -17,7 +17,7 @@ http {
     include       mime.types;
     default_type  application/octet-stream;
 
-    proxy_cache_path    /var/cache/osp levels=1:2 keys_zone=auth_cache:5m max_size=1g inactive=24h;
+    proxy_cache_path    /tmp/osp levels=1:2 keys_zone=auth_cache:5m max_size=1g inactive=24h;
 
     sendfile        on;
     tcp_nopush      on;
@@ -92,11 +92,32 @@ http {
             root /opt/osp/static;
         }
     }
+{% if osp_tls_enabled %}
+    server {
+        listen [::]:80;
+        listen 80;
+        location / {
+            return 301 https://$host$request_uri;
+        }
+
+        include snippets/letsencrypt.conf;
+    }
+{% endif %}
 
     # NGINX to OSP Gunicorn Processes Reverse Proxy
     server {
+{% if osp_tls_enabled %}
+	listen [::]:443 ssl http2;
+	listen 443 ssl http2;
+
+	server_name {{ osp_hostname }};
+
+	ssl_certificate /etc/dehydrated/certs/{{ osp_hostname }}/fullchain.pem;
+	ssl_certificate_key /etc/dehydrated/certs/{{ osp_hostname }}/privkey.pem;
+{% else %}
         listen       80;
         listen       [::]:80;
+{% endif %}
 
         # set client body size to 16M #
         client_max_body_size 16M;
@@ -110,7 +131,9 @@ http {
             proxy_set_header   X-Forwarded-For      $proxy_add_x_forwarded_for;
             proxy_set_header   X-Forwarded-Proto    $scheme;
         }
-
+{% if osp_tls_enabled %}
+	include snippets/letsencrypt.conf;
+{% endif %}
         include osp-socketio.conf;
         include osp-redirects.conf;