Commit f31e8630 authored by Jocelyn Delalande

letsencrypt: Syncs the doc with reality

parent 7464fd9c
- name: install apt dependencies
apt: pkg={{ item }}
apt: pkg={{ item }} update_cache=yes cache_valid_time=1800
- npm
- nodejs-legacy
- virtualenv
- python3-dev
- name: create dedicated user
user: name=jupyterhub home=/opt/jupyterhub
name: jupyterhub
home: /opt/jupyterhub
- name: install jupyterhub
pip: name=jupyterhub virtualenv=/opt/jupyterhub/venv
- name: ensure jupyterhub-users group exists
name: jupyterhub-users
state: present
- name: install pip dependencies
name: "{{ item }}"
virtualenv: /opt/jupyterhub/venv
virtualenv_python: python3
- jupyterhub
- sudospawner
become: jupyterhub
notify: restart jupyterhub
- name: Install npm deps
name: configurable-http-proxy
global: yes
- name: Authorize jupyterhub to spawn notebooks for jupyterhub-users members
content: "jupyterhub ALL = (%jupyterhub-users) NOPASSWD: /opt/jupyterhub/venv/bin/sudospawner\n"
dest: /etc/sudoers.d/50-jupyterhub
mode: 0440
validate: visudo -cf %s
# Adding jupyterhub to shadow group would not be the right thing, as it gives
# too much power.
- name: authorize jupyterhub to do PAM auth
path: /etc/shadow
entry: "user:jupyterhub:r"
state: present
- name: systemd script is in place
src: jupyterhub.service.j2
dest: /etc/systemd/system/jupyterhub.service
notify: restart jupyterhub
- restart jupyterhub
- reload systemd
- name: jupyterhub is started
service: name=jupyterhub state=started
\ No newline at end of file
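Review bot: `become: jupyterhub` on the "install pip dependencies" task is not a valid value; `become` is a boolean, and the account to switch to belongs in `become_user`, so this should read `become: yes` followed by `become_user: jupyterhub`. Two security notes on the rest of the hunk: the `acl` entry `user:jupyterhub:r` on `/etc/shadow` still hands the service account read access to every local password hash (the comment above it rightly prefers this over shadow group membership, but the trade-off deserves a sentence in the README so operators know what PAM authentication costs), and the sudoers task is in good shape because `validate: visudo -cf %s` plus `mode: 0440` keep a syntax error from breaking sudo for everyone, while the rule is pinned to one binary and one runas group rather than `ALL`.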
......@@ -4,7 +4,8 @@
ExecStart=/opt/jupyterhub/venv/bin/jupyterhub --JupyterHub.spawner_class=sudospawner.SudoSpawner
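Review bot: the sudoers rule in the tasks file only permits `/opt/jupyterhub/venv/bin/sudospawner`, and sudo matches on the resolved command path, so `--JupyterHub.spawner_class=sudospawner.SudoSpawner` only works if the spawner invokes that exact path; either point the spawner's sudospawner executable setting at `/opt/jupyterhub/venv/bin/sudospawner` or put the venv's `bin` directory on the unit's `Environment=PATH=...`, otherwise sudo refuses the spawn. Hard-coding the spawner class in `ExecStart` rather than in `jupyterhub_config.py` also makes it awkward for an operator to override.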
# ansible-letsencrypt
# letsencrypt
*see also: nginx*
An ansible role to generate TLS certificates and get them signed by Let's Encrypt.
Currently attempts first to use the `webroot` authenticator, then if that fails to create certificates,
it will use the standalone authenticator. This is handy for generating certs on a fresh machine before
the web server has been configured or even installed.
An ansible role to obtain and renew SSL certs from letsencrypt, using webroot
I've tested this on a couple of Debian Jessie boxes with nginx, if you test it on other things please let me know
the results (positive or otherwise) so I can document them here/fix the issue.
*see also: nginx*
It restarts **nginx** https after renewal.
# Usage
First, read Let's Encrypt's TOS and EULA. Only proceed if you agree to them.
The following variables are available:
*nginx* role, with *letsencrypt-check* feature enabled on the domains you want
to get a letsencrypt cert for.
`letsencrypt_webroot_path` is the root path that gets served by your web server. Defaults to `/var/www`.
Process to obtain and setup certs:
`letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
1. setup correctly vars for nginx (mind *letsencrypt-check*) and letsencrypt roles.
2. run nginx role
3. run letsencrypt role
4. run nginx role again (so that it detects the new certs, use them, and restart)
`letsencrypt_rsa_key_size` allows to specify a size for the generated key.
Renewing is automatic. nginx is restarted after renewal.
`letsencrypt_cert_domains` is a list of domains you wish to get a certificate for. It defaults to a single item with the value of `{{ ansible_fqdn }}`.
`letsencrypt_install_directory` should probably be left alone, but if you set it, it will change where the letsencrypt program is installed.
`letsencrypt_server` sets the auth server. Set to `` to use the staging server (far higher rate limits, but certs are not trusted, intended for testing)
The [Let's Encrypt client]( will put the certificate and accessories in `/etc/letsencrypt/live/<first listed domain>/`. For more info, see the [Let's Encrypt documentation](
# Example Playbook
- hosts: tls_servers
user: root
- role: letsencrypt
letsencrypt_webroot_path: /var/www/html
### Required
None ! If you set nothing, letsencyrpt will make a cert for the server fqdn.
### Optional
- `letsencrypt_cert_domains` a list of domains you want a LE cert for (they
require to have a nginx vhost configured with *letsencryt-check* enabled on
plain HTTP)
- `letsencrypt_webroot_path` is the root path that gets served by your web
server. Defaults to `/var/www`.
- `letsencrypt_email` needs to be set to your email address. Let's Encrypt wants it. Defaults to `webmaster@{{ ansible_fqdn }}`.
- `letsencrypt_renewal_frequency` has 3 properties : `day`, `hour` and
`minute`, which are cron time selector (defaults to
`{day: *, hour: 0, minute: 0}`)
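Review bot: several problems in the new README text. The `letsencrypt_server` line says "Set to `` to use the staging server" with an empty value, so the staging URL is missing. The cron default `{day: *, hour: 0, minute: 0}` is not parseable YAML, because an unquoted `*` inside a flow mapping is read as an alias; write `{day: '*', hour: 0, minute: 0}` (and quote it the same way in the role's defaults). Two typos: "letsencyrpt" under Required and "letsencryt-check" under Optional, where the feature is spelled *letsencrypt-check* elsewhere on the page. Finally, "It restarts **nginx** https after renewal" reads oddly next to the later "nginx is restarted after renewal"; one of the two sentences should go.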