Commit f31e8630 by Jocelyn Delalande

letsencrypt: Syncs the doc with reality

parent 7464fd9c
- name: install apt dependencies
apt: pkg={{ item }}
apt: pkg={{ item }} update_cache=yes cache_valid_time=1800
with_items:
- npm
- nodejs-legacy
- virtualenv
- python3-dev
- name: create dedicated user
user: name=jupyterhub home=/opt/jupyterhub
user:
name: jupyterhub
home: /opt/jupyterhub
- name: install jupyterhub
pip: name=jupyterhub virtualenv=/opt/jupyterhub/venv
- name: ensure jupyterhub-users group exists
group:
name: jupyterhub-users
state: present
- name: install pip dependencies
pip:
name: "{{ item }}"
virtualenv: /opt/jupyterhub/venv
virtualenv_python: python3
with_items:
- jupyterhub
- sudospawner
become: jupyterhub
notify: restart jupyterhub
- name: Install npm deps
npm:
name: configurable-http-proxy
global: yes
- name: Authorize jupyterhub to spawn notebooks for jupyterhub-users members
copy:
content: "jupyterhub ALL = (%jupyterhub-users) NOPASSWD: /opt/jupyterhub/venv/bin/sudospawner\n"
dest: /etc/sudoers.d/50-jupyterhub
mode: 0440
validate: visudo -cf %s
# Adding jupyterhub to shadow group would not be the right thing, as it gives
# too much power.
- name: authorize jupyterhub to do PAM auth
acl:
path: /etc/shadow
entry: "user:jupyterhub:r"
state: present
- name: systemd script is in place
template:
src: jupyterhub.service.j2
dest: /etc/systemd/system/jupyterhub.service
notify: restart jupyterhub
notify:
- restart jupyterhub
- reload systemd
- name: jupyterhub is started
service: name=jupyterhub state=started
\ No newline at end of file
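Review bot: `become: jupyterhub` on the `install pip dependencies` task is not a valid value: `become` is a boolean, and the account to switch to belongs in `become_user`, so the task will fail to parse rather than install into the venv as the jupyterhub user. The intent is presumably `become: yes` plus `become_user: jupyterhub`. Installing as that user also matters for the sudoers line further down: `/opt/jupyterhub/venv/bin/sudospawner` then sits in a directory the jupyterhub account can write, while `/etc/sudoers.d/50-jupyterhub` lets that same account run the file as any member of jupyterhub-users; a sudo rule should only point at a root-owned, non-writable path, so either keep `/opt/jupyterhub/venv` root-owned (drop the become) or point the rule at a copy the service account cannot modify. The `validate: visudo -cf %s` and `mode: 0440` are the right way to ship the file. On the `/etc/shadow` ACL, the comment says the shadow group would give too much power, but `user:jupyterhub:r` on `/etc/shadow` is the same read access to password hashes that group membership grants for that file; better to word the comment as a deliberate trade-off made for PAM auth than as a safer alternative.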
......@@ -4,7 +4,8 @@ After=network.target
[Service]
WorkingDirectory=/opt/jupyterhub/
ExecStart=/opt/jupyter/venv/bin/jupyterhub
ExecStart=/opt/jupyterhub/venv/bin/jupyterhub --JupyterHub.spawner_class=sudospawner.SudoSpawner
User=jupyterhub
[Install]
WantedBy=multi-user.target
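Review bot: the corrected `ExecStart` fixes the `/opt/jupyter` path typo, but pinning `--JupyterHub.spawner_class=sudospawner.SudoSpawner` on the command line splits the hub's configuration between the unit file and `jupyterhub_config.py`; anyone starting the hub by hand from `/opt/jupyterhub/` for debugging gets a different spawner than the service does. Prefer `c.JupyterHub.spawner_class = 'sudospawner.SudoSpawner'` in the config file (or point the unit at it with `-f`) so the unit only sets `WorkingDirectory` and `User`. While touching `[Service]`, consider `Restart=on-failure`; the unit has no restart policy.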
# ansible-letsencrypt
# letsencrypt
An ansible role to obtain and renew SSL certs from letsencrypt, using webroot
authenticator.
*see also: nginx*
An ansible role to generate TLS certificates and get them signed by Let's Encrypt.
Currently attempts first to use the `webroot` authenticator, then if that fails to create certificates,
it will use the standalone authenticator. This is handy for generating certs on a fresh machine before
the web server has been configured or even installed.
Dependencies
------------
*nginx* role, with *letsencrypt-check* feature enabled on the domains you want
to get a letsencrypt cert for.
Process to obtain and setup certs:
1. setup correctly vars for nginx (mind *letsencrypt-check*) and letsencrypt roles.
2. run nginx role
3. run letsencrypt role
4. run nginx role again (so that it detects the new certs, use them, and restart)
I've tested this on a couple of Debian Jessie boxes with nginx, if you test it on other things please let me know
the results (positive or otherwise) so I can document them here/fix the issue.
Renewing is automatic. nginx is restarted after renewal.
It restarts **nginx** https after renewal.
# Usage
First, read Let's Encrypt's TOS and EULA. Only proceed if you agree to them.
Vars
----
The following variables are available:
Example:
`letsencrypt_webroot_path` is the root path that gets served by your web server. Defaults to `/var/www`.
`letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
letsencrypt_webroot_path: /var/www/html
letsencrypt_email: user@example.net
letsencrypt_cert_domains:
- www.example.net
- example.net
`letsencrypt_rsa_key_size` allows to specify a size for the generated key.
`letsencrypt_cert_domains` is a list of domains you wish to get a certificate for. It defaults to a single item with the value of `{{ ansible_fqdn }}`.
### Required
`letsencrypt_install_directory` should probably be left alone, but if you set it, it will change where the letsencrypt program is installed.
None ! If you set nothing, letsencyrpt will make a cert for the server fqdn.
`letsencrypt_server` sets the auth server. Set to `https://acme-staging.api.letsencrypt.org/directory` to use the staging server (far higher rate limits, but certs are not trusted, intended for testing)
### Optional
The [Let's Encrypt client](https://github.com/letsencrypt/letsencrypt) will put the certificate and accessories in `/etc/letsencrypt/live/<first listed domain>/`. For more info, see the [Let's Encrypt documentation](https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates).
- `letsencrypt_cert_domains` a list of domains you want a LE cert for (they
require to have a nginx vhost configured with *letsencryt-check* enabled on
plain HTTP)
- `letsencrypt_webroot_path` is the root path that gets served by your web
server. Defaults to `/var/www`.
- `letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
- `letsencrypt_renewal_frequency` has 3 properties : `day`, `hour` and
`minute`, which are cron time selector (defaults to
`{day: *, hour: 0, minute: 0}`)
# Example Playbook
```
---
- hosts: tls_servers
user: root
roles:
- role: letsencrypt
letsencrypt_webroot_path: /var/www/html
letsencrypt_email: user@example.net
letsencrypt_cert_domains:
- www.example.net
- example.net
```
Renewing
--------
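Review bot: the new introduction says the role falls back to the `standalone` authenticator when `webroot` fails, but the Dependencies and Process sections still present nginx with *letsencrypt-check* as a hard requirement, and nothing states that standalone mode needs port 80 free, which is exactly the situation where nginx is already serving; state that precondition next to Dependencies so a reader with nginx up knows why the fallback cannot work. The rewritten Vars section also drops `letsencrypt_server`, `letsencrypt_rsa_key_size` and `letsencrypt_install_directory`; if the role still honours them, keep their entries, the staging-server note in particular being what people need to avoid exhausting the production rate limit while testing. For `letsencrypt_renewal_frequency`, the default `{day: *, hour: 0, minute: 0}` has every host contacting the ACME server at midnight; the usual advice is to randomize at least the minute, so either document that or change the default. Lastly, `letsencryt-check` in the `letsencrypt_cert_domains` entry is a typo for `letsencrypt-check`, and `allows to specify` should read `allows you to specify`.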