Josh Bicking пре 5 година
родитељ
комит
e46919db00

+ 34 - 0
roles/web/tasks/main.yml

@@ -71,3 +71,37 @@
     fstype: nfs
     state: mounted
 
+- name: Install certbot
+  get_url:
+    url: https://dl.eff.org/certbot-auto
+    dest: /usr/local/bin/certbot-auto
+    mode: u=rwx,g=r,o=r
+    owner: root
+    group: root
+
+- name: Install pip
+  apt:
+    name: python-pip
+    state: present
+
+- name: Install certbot's cloudflare plugin
+  pip:
+    name: certbot-dns-cloudflare
+    extra_args: --user
+
+- name: Write example cloudflare secrets file
+  copy:
+    src: templates/web/cloudflare.ini.example
+    dest: /root/cloudflare.ini.example
+    mode: "0700"
+    owner: root
+    group: root
+
+- name: Run certbot
+  shell: certbot renew --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d jibby.org,\*.jibby.org --preferred-challenges dns-01
+
+- name: Schedule certbot renewal cronjobs and copying of static cert files (for sharing with Docker)
+  cron:
+    name: "renew certs and copy"
+    special_time: weekly
+    job: '/usr/local/bin/certbot renew --post-hook "cp -L /etc/letsencrypt/live/jibby.org/cert.pem /static_certs/jibby.org.crt && cp -L /etc/letsencrypt/live/jibby.org/privkey.pem /static_certs/jibby.org.key && cp -L /etc/letsencrypt/live/jibby.org-0001/cert.pem /static_certs/shared.crt && cp -L /etc/letsencrypt/live/jibby.org-0001/privkey.pem /static_certs/shared.key && systemctl restart nginx"'
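Review bot: The binary this play installs is `/usr/local/bin/certbot-auto` (the `get_url` task), but the `Run certbot` task invokes `certbot` and the cron job invokes `/usr/local/bin/certbot`, so neither call resolves to what the play put on the host unless the wrapper has already bootstrapped a packaged certbot elsewhere; the three names should agree. The `Run certbot` step also combines `renew` with `-d`, which certbot rejects (domain selection belongs to `certonly`) and which has nothing to renew on a fresh host — if the intent is the initial issuance, something like `command: /usr/local/bin/certbot-auto certonly --dns-cloudflare --dns-cloudflare-credentials /root/cloudflare.ini -d 'jibby.org,*.jibby.org' --preferred-challenges dns-01` with `args:` / `creates: /etc/letsencrypt/live/jibby.org/fullchain.pem` would also make the task idempotent instead of re-running on every play. That task reads `/root/cloudflare.ini`, while the play only writes `/root/cloudflare.ini.example`, so a fresh host fails inside certbot rather than with a clear precondition check. Because the downloaded script runs as root, `get_url` should pin it with `checksum: "sha256:<expected-digest>"` (placeholder) rather than trusting whatever the URL serves at play time. In the cron job, `cp -L` of `privkey.pem` into `/static_certs` gives the copies whatever mode the source and root's umask yield, and nothing in the hunk creates or restricts `/static_certs` — confirm the copied keys are not group- or world-readable.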

+ 2 - 0
templates/web/cloudflare.ini.example

@@ -0,0 +1,2 @@
+dns_cloudflare_email = [email protected]
+dns_cloudflare_api_key = 0123456789abcdef0123456789abcdef01234567
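Review bot: The example documents only `dns_cloudflare_api_key`, which is the account-wide Global API key and grants far more than editing one zone's DNS records; if the installed certbot-dns-cloudflare version supports it, document `dns_cloudflare_api_token = <zone-dns-edit-scoped-token>` (placeholder) as the preferred form and leave the global-key lines as the fallback. A leading comment would also help the operator, since the play copies this file with `mode: "0700"` and certbot checks the credentials file's permissions: e.g. `# copy to /root/cloudflare.ini, readable by root only (chmod 0600)`.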

+ 13 - 0
templates/web/compose/docker-compose.yaml

@@ -15,7 +15,13 @@ services:
       # Helps with stability of large uploads
       - ./conf.d/proxy_timeout.conf:/etc/nginx/conf.d/proxy_timeout.conf:ro
       - ./conf.d/real_ip.conf:/etc/nginx/conf.d/real_ip.conf:ro
+      # Password-protect some subdomains
       - ./htpasswd:/etc/nginx/htpasswd
+      # Certs for the top level domain & subdomains
+      - ${TOP_DOMAIN_CERT}:/etc/nginx/certs/jibby.org.crt
+      - ${TOP_DOMAIN_KEY}:/etc/nginx/certs/jibby.org.key
+      - ${WC_DOMAIN_CERT}:/etc/nginx/certs/shared.crt
+      - ${WC_DOMAIN_KEY}:/etc/nginx/certs/shared.key
     environment:
       - DEFAULT_HOST=jibby.org
     restart: always
@@ -29,6 +35,7 @@ services:
       - ./conf.d/static.conf:/etc/nginx/conf.d/default.conf
     environment:
       - VIRTUAL_HOST=camera.jibby.org
+      - CERT_NAME=shared
     restart: always
 
   postgres:
@@ -79,6 +86,7 @@ services:
     environment:
       - VIRTUAL_HOST=nextcloud.jibby.org
       - VIRTUAL_PORT=80
+      - CERT_NAME=shared
     restart: always
 
   gogs:
@@ -92,6 +100,7 @@ services:
     environment:
       - VIRTUAL_HOST=gogs.jibby.org
       - VIRTUAL_PORT=3000
+      - CERT_NAME=shared
     restart: always
 
   matrix:
@@ -126,6 +135,7 @@ services:
       - VIRTUAL_HOST=keeweb.jibby.org
       - VIRTUAL_PROTO=https
       - VIRTUAL_PORT=443
+      - CERT_NAME=shared
     restart: always
 
   netdata:
@@ -142,6 +152,7 @@ services:
     environment:
       - VIRTUAL_HOST=netdata.jibby.org
       - VIRTUAL_PORT=19999
+      - CERT_NAME=shared
       - SMTP_TO=${LETSENCRYPT_EMAIL}
       - SMTP_FROM=${SMTP_USER}
       - SMTP_USER=${SMTP_USER}
@@ -159,6 +170,7 @@ services:
     environment:
       - VIRTUAL_HOST=selfoss.jibby.org
       - VIRTUAL_PORT=8888
+      - CERT_NAME=shared
     restart: always
 
   jellyfin:
@@ -171,6 +183,7 @@ services:
     environment:
       - VIRTUAL_HOST=jellyfin.jibby.org
       - VIRTUAL_PORT=8096
+      - CERT_NAME=shared
     restart: always
 
   # Currently unused container configs:
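Review bot: The four new cert/key mounts in the nginx volumes (`${TOP_DOMAIN_CERT}` through `${WC_DOMAIN_KEY}`) are the only entries in that list without `:ro`, so the proxy container can modify the host's private key files; the adjacent `conf.d` mounts already show the intended form, e.g. `- ${TOP_DOMAIN_KEY}:/etc/nginx/certs/jibby.org.key:ro`. Because each source path comes from an environment variable, an unset variable leaves an empty left-hand side, which Compose is likely to turn into an anonymous volume at the container path or an obscure "invalid volume specification" error rather than a clear failure; the `${TOP_DOMAIN_KEY:?TOP_DOMAIN_KEY is not set}` form makes a missing value fail loudly at startup. The same applies to the other three variables in this hunk.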