letsencrypt: Syncs the doc with reality

jupyterhub/tasks/main.yml

 - name: install apt dependencies
-  apt: pkg={{ item }}
+  apt: pkg={{ item }} update_cache=yes cache_valid_time=1800
   with_items:
     - npm
     - nodejs-legacy
+    - virtualenv
+    - python3-dev
 
 - name: create dedicated user
-  user: name=jupyterhub home=/opt/jupyterhub
+  user:
+    name: jupyterhub
+    home: /opt/jupyterhub
 
-- name: install jupyterhub
-  pip: name=jupyterhub virtualenv=/opt/jupyterhub/venv
+- name: ensure jupyterhub-users group exists
+  group:
+    name: jupyterhub-users
+    state: present
+
+- name: install pip dependencies
+  pip:
+    name: "{{ item }}"
+    virtualenv: /opt/jupyterhub/venv
+    virtualenv_python: python3
+  with_items:
+    - jupyterhub
+    - sudospawner
   become: jupyterhub
   notify: restart jupyterhub
 
+- name: Install npm deps
+  npm:
+    name: configurable-http-proxy
+    global: yes
+
+- name: Authorize jupyterhub to spawn notebooks for jupyterhub-users members
+  copy:
+    content: "jupyterhub ALL = (%jupyterhub-users) NOPASSWD: /opt/jupyterhub/venv/bin/sudospawner\n"
+    dest: /etc/sudoers.d/50-jupyterhub
+    mode: 0440
+    validate: visudo -cf %s
+
+# Adding jupyterhub to shadow group would not be the right thing, as it gives
+# too much power.
+- name: authorize jupyterhub to do PAM auth
+  acl:
+    path: /etc/shadow
+    entry: "user:jupyterhub:r"
+    state: present
+
 - name: systemd script is in place
   template:
     src: jupyterhub.service.j2
     dest: /etc/systemd/system/jupyterhub.service
-  notify: restart jupyterhub
+  notify:
+    - restart jupyterhub
+    - reload systemd
+
+- name: jupyterhub is started
+  service: name=jupyterhub state=started
\ No newline at end of file

jupyterhub/templates/jupyterhub.service.j2

@@ -4,7 +4,8 @@ After=network.target
 
 [Service]
 WorkingDirectory=/opt/jupyterhub/
-ExecStart=/opt/jupyter/venv/bin/jupyterhub
+ExecStart=/opt/jupyterhub/venv/bin/jupyterhub --JupyterHub.spawner_class=sudospawner.SudoSpawner
+User=jupyterhub
 
 [Install]
 WantedBy=multi-user.target

letsencrypt/README.md

-# ansible-letsencrypt
+# letsencrypt
+
+An ansible role to obtain and renew SSL certs from letsencrypt, using webroot
+authenticator.
 
 *see also: nginx*
 
-An ansible role to generate TLS certificates and get them signed by Let's Encrypt.
 
-Currently attempts first to use the `webroot` authenticator, then if that fails to create certificates,
-it will use the standalone authenticator. This is handy for generating certs on a fresh machine before
-the web server has been configured or even installed.
+Dependencies
+------------
+
+*nginx* role, with *letsencrypt-check* feature enabled on the domains you want
+to get a letsencrypt cert for.
+
+Process to obtain and setup certs:
+
+1. setup correctly vars for nginx (mind *letsencrypt-check*) and letsencrypt roles.
+2. run nginx role
+3. run letsencrypt role
+4. run nginx role again (so that it detects the new certs, use them, and restart)
 
-I've tested this on a couple of Debian Jessie boxes with nginx, if you test it on other things please let me know
-the results (positive or otherwise) so I can document them here/fix the issue.
+Renewing is automatic. nginx is restarted after renewal.
 
-It restarts **nginx** https after renewal.
 
-# Usage
-First, read Let's Encrypt's TOS and EULA. Only proceed if you agree to them.
+Vars
+----
 
-The following variables are available:
+Example:
 
-`letsencrypt_webroot_path` is the root path that gets served by your web server. Defaults to `/var/www`.
 
-`letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
+     letsencrypt_webroot_path: /var/www/html
+     letsencrypt_email: user@example.net
+     letsencrypt_cert_domains:
+      - www.example.net
+      - example.net
 
-`letsencrypt_rsa_key_size` allows to specify a size for the generated key.
 
-`letsencrypt_cert_domains` is a list of domains you wish to get a certificate for. It defaults to a single item with the value of `{{ ansible_fqdn }}`.
+### Required
 
-`letsencrypt_install_directory` should probably be left alone, but if you set it, it will change where the letsencrypt program is installed.
+None ! If you set nothing, letsencyrpt will make a cert for the server fqdn.
 
-`letsencrypt_server` sets the auth server. Set to `https://acme-staging.api.letsencrypt.org/directory` to use the staging server (far higher rate limits, but certs are not trusted, intended for testing)
+### Optional
 
-The [Let's Encrypt client](https://github.com/letsencrypt/letsencrypt) will put the certificate and accessories in `/etc/letsencrypt/live/<first listed domain>/`. For more info, see the [Let's Encrypt documentation](https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates).
+- `letsencrypt_cert_domains` a list of domains you want a LE cert for (they
+  require to have a nginx vhost configured with *letsencryt-check* enabled on
+  plain HTTP)
+- `letsencrypt_webroot_path` is the root path that gets served by your web
+  server. Defaults to `/var/www`.
+- `letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
+ - `letsencrypt_renewal_frequency` has 3 properties : `day`, `hour` and
+   `minute`, which are cron time selector (defaults to
+   `{day: *, hour: 0, minute: 0}`)
 
-# Example Playbook
-```
----
- - hosts: tls_servers
-   user: root
-   roles:
-     - role: letsencrypt
-       letsencrypt_webroot_path: /var/www/html
-       letsencrypt_email: user@example.net
-       letsencrypt_cert_domains:
-        - www.example.net
-        - example.net
-```
+Renewing
+--------