-
Notifications
You must be signed in to change notification settings - Fork 5
/
playbook-letsencrypt.yml
93 lines (71 loc) · 3.02 KB
/
playbook-letsencrypt.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
# Let's encrypt example that install myapp tutorial git repository on Amazon EC2 server
#
# Requirements:
#
# ansible-galaxy install -r requirements-letsencrypt.yml
#
- hosts: letsencrypt-test
gather_facts: true
vars:
- package_name: my.app
- package_path: my/app
- site_id: myapp
# Do we create Let's Encrypt HTTPS certificate for the site
- letsenrypt: on
# Websocket is only needed to connect to IPython Notebook running on the server
- websocket: off
# Install Postfix for email out
- smtp: on
# Is HTTPS traffic terminated by Nginx
- ssl: on
# Do we install Celery worker and beat to run background tasks
- celery: off
# Is the site proxied by Cloudflare security service
- cloudflare: off
# Do we need to support New Relic monitoring
- new_relic: off
# Do we enable Linux firewall
- firewall: off
# Do we set up Duplicity backup tasks
- backup: off
- git_repository: [email protected]:websauna/myapp.git
- git_branch: master
- site_mode: production
- ini_secrets_file: ../myapp/myapp/conf/production-secrets.ini
# Configured outbound domain for Postfix
- server_email_domain: opensourcehacker.net
# System outgoing email address (cron others)
- server_email: [email protected]
# Receive messages from Cron and system scripts to this address
- notify_email: [email protected]
# Let's encrypt parameters
- server_name: example.com # Your server fully qualified domain name
- letsencrypt_webroot_path: /var/www/html
- letsencrypt_email: [email protected]
- letsencrypt_cert_domains:
- "{{ server_name }}"
# TODO: This command is verbose and sends out cron email even if certificates have not changed
- letsencrypt_renewal_command_args: '--renew-hook "service nginx restart"' # Ubuntu 14.04 nginx restart
- nginx_ssl_certificate_path: "/etc/letsencrypt/live/{{ server_name }}/cert.pem"
- nginx_ssl_certificate_path_key: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"
pre_tasks:
# Point to websauna.ansible/default.yml
- include_vars: default.yml
tags: site, smtp, psql, uwsgi, nginx
# Point to your secrets file
- include_vars: secrets.yml
tags: site, smtp, sql
roles:
- { role: websauna.preflight, tags: ['site'] }
- websauna.users
- { role: websauna.ssh, tags: ['site'] } # Needed to setup SSH auth socket for github/bitbucket
- websauna.shell
- websauna.harden
- websauna.smtp
- { role: ANXS.postgresql, become: yes, become_user: root, tags: ['psql'] }
- { role: Stouts.nginx, become: yes, become_user: root, tags: ['site'] } # websauna.site may override Nginx config
- { role: Stouts.redis, become: yes, become_user: root, tags: redis }
- { role: Stouts.python, become: yes, become_user: root }
- {role: ansible-letsencrypt, tags: 'letsencrypt'}
- { role: websauna.site, tags: ['site'] } # Core site update logic
- { role: websauna.postflight, tags: ['site'] } # Finalize: send out email, update motd