Commit f31e8630 by Jocelyn Delalande

letsencrypt: Syncs the doc with reality

parent 7464fd9c
- name: install apt dependencies
apt: pkg={{ item }}
apt: pkg={{ item }} update_cache=yes cache_valid_time=1800
with_items:
- npm
- nodejs-legacy
- virtualenv
- python3-dev
- name: create dedicated user
user: name=jupyterhub home=/opt/jupyterhub
user:
name: jupyterhub
home: /opt/jupyterhub
- name: install jupyterhub
pip: name=jupyterhub virtualenv=/opt/jupyterhub/venv
- name: ensure jupyterhub-users group exists
group:
name: jupyterhub-users
state: present
- name: install pip dependencies
pip:
name: "{{ item }}"
virtualenv: /opt/jupyterhub/venv
virtualenv_python: python3
with_items:
- jupyterhub
- sudospawner
become: jupyterhub
notify: restart jupyterhub
- name: Install npm deps
npm:
name: configurable-http-proxy
global: yes
- name: Authorize jupyterhub to spawn notebooks for jupyterhub-users members
copy:
content: "jupyterhub ALL = (%jupyterhub-users) NOPASSWD: /opt/jupyterhub/venv/bin/sudospawner\n"
dest: /etc/sudoers.d/50-jupyterhub
mode: 0440
validate: visudo -cf %s
# Adding jupyterhub to shadow group would not be the right thing, as it gives
# too much power.
- name: authorize jupyterhub to do PAM auth
acl:
path: /etc/shadow
entry: "user:jupyterhub:r"
state: present
- name: systemd script is in place
template:
src: jupyterhub.service.j2
dest: /etc/systemd/system/jupyterhub.service
notify: restart jupyterhub
notify:
- restart jupyterhub
- reload systemd
- name: jupyterhub is started
service: name=jupyterhub state=started
\ No newline at end of file
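Review bot: `become: jupyterhub` on the `install pip dependencies` task is not valid Ansible; `become` takes a boolean, so if the intent is to populate `/opt/jupyterhub/venv` as the service account the task needs `become: yes` together with `become_user: jupyterhub` (otherwise the virtualenv is created by root and the jupyterhub user cannot later update it). Second, the `acl` task hands the jupyterhub account read access to every password hash in `/etc/shadow`; the comment above it says the `shadow` group "gives too much power", but the only thing the group adds on Debian is `/etc/gshadow`, so the reduction in exposure is small and the comment should say plainly that PAM authentication from an unprivileged hub process requires this and that a compromise of the hub therefore exposes the hash file. Finally, the commit message is scoped as `letsencrypt:` while this hunk changes the jupyterhub role; splitting the commit would make the history easier to audit.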
......@@ -4,7 +4,8 @@ After=network.target
[Service]
WorkingDirectory=/opt/jupyterhub/
ExecStart=/opt/jupyter/venv/bin/jupyterhub
ExecStart=/opt/jupyterhub/venv/bin/jupyterhub --JupyterHub.spawner_class=sudospawner.SudoSpawner
User=jupyterhub
[Install]
WantedBy=multi-user.target
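Review bot: the corrected `ExecStart` path now matches the virtualenv the pip task creates (`/opt/jupyterhub/venv`), but passing `--JupyterHub.spawner_class=sudospawner.SudoSpawner` on the command line puts spawner configuration in the unit file rather than in `jupyterhub_config.py` with the rest of the hub settings; keeping it in the config file means the unit does not change when the spawner does. Since the unit runs with `User=jupyterhub` and only works because of the `/etc/sudoers.d/50-jupyterhub` entry from the tasks hunk, a one-line comment in the unit naming that dependency would save the next person a debugging session when spawning fails.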
# ansible-letsencrypt
# letsencrypt
*see also: nginx*
An ansible role to generate TLS certificates and get them signed by Let's Encrypt.
Currently attempts first to use the `webroot` authenticator, then if that fails to create certificates,
it will use the standalone authenticator. This is handy for generating certs on a fresh machine before
the web server has been configured or even installed.
An ansible role to obtain and renew SSL certs from letsencrypt, using webroot
authenticator.
I've tested this on a couple of Debian Jessie boxes with nginx, if you test it on other things please let me know
the results (positive or otherwise) so I can document them here/fix the issue.
*see also: nginx*
It restarts **nginx** https after renewal.
# Usage
First, read Let's Encrypt's TOS and EULA. Only proceed if you agree to them.
Dependencies
------------
The following variables are available:
*nginx* role, with *letsencrypt-check* feature enabled on the domains you want
to get a letsencrypt cert for.
`letsencrypt_webroot_path` is the root path that gets served by your web server. Defaults to `/var/www`.
Process to obtain and setup certs:
`letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
1. setup correctly vars for nginx (mind *letsencrypt-check*) and letsencrypt roles.
2. run nginx role
3. run letsencrypt role
4. run nginx role again (so that it detects the new certs, use them, and restart)
`letsencrypt_rsa_key_size` allows to specify a size for the generated key.
Renewing is automatic. nginx is restarted after renewal.
`letsencrypt_cert_domains` is a list of domains you wish to get a certificate for. It defaults to a single item with the value of `{{ ansible_fqdn }}`.
`letsencrypt_install_directory` should probably be left alone, but if you set it, it will change where the letsencrypt program is installed.
Vars
----
`letsencrypt_server` sets the auth server. Set to `https://acme-staging.api.letsencrypt.org/directory` to use the staging server (far higher rate limits, but certs are not trusted, intended for testing)
Example:
The [Let's Encrypt client](https://github.com/letsencrypt/letsencrypt) will put the certificate and accessories in `/etc/letsencrypt/live/<first listed domain>/`. For more info, see the [Let's Encrypt documentation](https://letsencrypt.readthedocs.org/en/latest/using.html#where-are-my-certificates).
# Example Playbook
```
---
- hosts: tls_servers
user: root
roles:
- role: letsencrypt
letsencrypt_webroot_path: /var/www/html
letsencrypt_email: user@example.net
letsencrypt_cert_domains:
- www.example.net
- example.net
```
### Required
None ! If you set nothing, letsencyrpt will make a cert for the server fqdn.
### Optional
- `letsencrypt_cert_domains` a list of domains you want a LE cert for (they
require to have a nginx vhost configured with *letsencryt-check* enabled on
plain HTTP)
- `letsencrypt_webroot_path` is the root path that gets served by your web
server. Defaults to `/var/www`.
- `letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
- `letsencrypt_renewal_frequency` has 3 properties : `day`, `hour` and
`minute`, which are cron time selector (defaults to
`{day: *, hour: 0, minute: 0}`)
Renewing
--------
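Review bot: the `Renewing` heading closing this hunk has no body, while the sentence `Renewing is automatic. nginx is restarted after renewal.` sits much earlier in the file; the renewal details (that `letsencrypt_renewal_frequency` feeds a cron entry and what gets restarted afterwards) belong under that heading so the README reads top to bottom. Spelling: `letsencyrpt` should be `letsencrypt`, and the feature is written both `letsencrypt-check` and `letsencryt-check`; pick one. The `Required` section says `None !`, but `Dependencies` makes the `nginx` role with `letsencrypt-check` enabled a hard prerequisite and the numbered process says nginx must run before this role, so the example playbook listing only `- role: letsencrypt` will fail on a fresh host; either show both roles in the example or point at the four-step process from there.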