From 4655cbf3a4596af8f79781355f840394be60772e Mon Sep 17 00:00:00 2001
From: Anton Vakhrushev
Date: Sun, 27 Aug 2017 11:31:02 +0300
Subject: [PATCH] Add configuration fot lets encrypt

---
 Makefile | 3 ++
 ansible/configuration.yml | 44 +++++++++++++++++++++++----
 ansible/requirements.yml | 4 +++
 ansible/templates/notes-acme.vhost.j2 | 15 +++++++++
 ansible/templates/notes.vhost.j2 | 18 ++++++++++-
 5 files changed, 77 insertions(+), 7 deletions(-)
 create mode 100644 ansible/templates/notes-acme.vhost.j2

diff --git a/Makefile b/Makefile
index f39a8a1..cdbe9e9 100644
--- a/Makefile
+++ b/Makefile
@@ -1,2 +1,5 @@
 configure:
 ansible-playbook --inventory "ansible/hosts_prod" --user=av --ask-become-pass ansible/configuration.yml
+
+install-roles:
+ ansible-galaxy install -r "ansible/requirements.yml"
diff --git a/ansible/configuration.yml b/ansible/configuration.yml
index 2f20744..457fa0f 100644
--- a/ansible/configuration.yml
+++ b/ansible/configuration.yml
@@ -29,9 +29,6 @@
 # nginx settings
 nginx_remove_default_vhost: true
- nginx_vhosts:
- - server_name: notes.anwinged.ru
- template: "{{ playbook_dir }}/templates/notes.vhost.j2"
 # php settings
@@ -49,7 +46,7 @@
 php_webserver_daemon: nginx
 php_enable_php_fpm: true
 php_date_timezone: "{{ timezone }}"
- php_fpm_listen: /run/php/php{{ php_version }}-fpm.sock
+ php_fpm_listen: /var/run/php{{ php_version }}-fpm.sock
 # mysql settings
@@ -61,6 +58,11 @@
 password: "{{ apps.notes.dbpassword }}"
 priv: "{{ apps.notes.dbname }}.*:ALL"
+ letsencrypt_webroot_path: /var/www/letsencrypt
+ letsencrypt_email: anwinged@ya.ru
+ letsencrypt_cert_domains:
+ - notes.anwinged.ru
+
 pre_tasks:
 - name: Ensure that PHP PPA is added.
 apt_repository: repo=ppa:ondrej/php state=present
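Review bot: `php_fpm_listen` now points PHP-FPM at `/var/run/php{{ php_version }}-fpm.sock`, but nothing in this patch updates the `fastcgi_pass` that the notes vhost must use to reach that socket; the PHP location of `notes.vhost.j2` is outside the hunk shown for that file, so confirm it names the same path, otherwise PHP requests would likely fail once the role re-renders the pool config. Deriving both sides from one value, e.g. `fastcgi_pass unix:{{ php_fpm_listen }};` in the template, would stop the two from drifting again.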
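Review bot: `letsencrypt_webroot_path: /var/www/letsencrypt` is declared here, yet the same path is repeated as a literal in the "Create letsencrypt directory." task and in the `root` of `notes-acme.vhost.j2` (both in the following hunks), so a later change to the variable would silently leave the directory and the ACME location pointing elsewhere and the HTTP-01 challenge would stop working. Reference the variable in both places: `name: "{{ letsencrypt_webroot_path }}"` in the task and `root {{ letsencrypt_webroot_path }};` in the template. A one-line comment above this block naming its consumer, `# consumed by thefinn93.ansible-letsencrypt`, would tell the next reader why these variables sit among the role settings.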
@@ -99,13 +101,43 @@
 static_site_name: s2photo
 static_site_domain: s2photo.ru
- post_tasks:
+ tasks:
 - name: Create system environment variables.
 lineinfile:
- path: /etc/environment
+ dest: /etc/environment
 regexp: '^{{ item.key }}='
 line: '{{ item.key }}="{{ item.value }}"'
 with_dict: "{{ app_envs }}"
+
+ - name: Generate dhparams.
+ shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+ args:
+ creates: /etc/nginx/dhparams.pem
+
+ - name: Create letsencrypt directory.
+ file:
+ name: /var/www/letsencrypt
+ state: directory
+
+ - name: Copy notes acme server config.
+ template:
+ src: notes-acme.vhost.j2
+ dest: "/etc/nginx/sites-enabled/notes-acme.conf"
+ notify: restart nginx
+
+ - name: Restart nginx.
+ service: name=nginx state=restarted
+
+ - name: Configure Lest Encrypt certificate.
+ include_role:
+ name: thefinn93.ansible-letsencrypt
+
+ - name: Copy notes server config.
+ template:
+ src: notes.vhost.j2
+ dest: "/etc/nginx/sites-enabled/notes.conf"
+ notify: restart nginx
+
 - name: 'Create folder for {{ apps.notes.name }}.'
 file:
 path: "{{ apps.notes.www }}"
diff --git a/ansible/requirements.yml b/ansible/requirements.yml
index 26a64d7..88be046 100644
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@@ -13,3 +13,7 @@
 - src: geerlingguy.mysql
 version: 2.8.0
+
+- name: thefinn93.ansible-letsencrypt
+ src: https://github.com/thefinn93/ansible-letsencrypt
+ version: origin/master
diff --git a/ansible/templates/notes-acme.vhost.j2 b/ansible/templates/notes-acme.vhost.j2
new file mode 100644
index 0000000..150dc0b
--- /dev/null
+++ b/ansible/templates/notes-acme.vhost.j2
@@ -0,0 +1,15 @@
+server {
+ listen 80;
+ server_name notes.anwinged.ru;
+
+ # For Lets Encrypt verify
+ # include acme;
+ location /.well-known {
+ root /var/www/letsencrypt;
+ try_files $uri $uri/ =404;
+ }
+
+ location / {
+ rewrite ^ https://$host$request_uri? permanent;
+ }
+}
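Review bot: The "Restart nginx." task (`service: name=nginx state=restarted`) restarts nginx unconditionally on every run, even though the task right before it already notifies the `restart nginx` handler; if the intent is only to have the ACME vhost live before `include_role` requests the certificate, replace the task with `- meta: flush_handlers`, which runs the pending restart only when the config actually changed and avoids needless downtime on every play. "Generate dhparams." uses `shell:` for a command that needs no shell features; `command:` with the same `creates:` guard is sufficient and avoids shell interpretation of the line. In "Create letsencrypt directory." `name:` is only an alias of the file module's `path:`, and using `path:` would match the "Create folder" task below.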
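Review bot: `version: origin/master` pins the third-party role to a moving branch, so each `make install-roles` pulls whatever is currently on that branch of the GitHub repository and the play is neither reproducible nor protected from an upstream change reaching the server unreviewed. Pin to an immutable ref, `version: <PINNED_TAG_OR_COMMIT>` (placeholder, to be taken from the upstream repository), as the file already does for `geerlingguy.mysql` with `version: 2.8.0`.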
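Review bot: The redirect in `location /` builds its target from `$host`, which nginx takes from the client's Host header; since this patch also sets `nginx_remove_default_vhost: true`, this block may end up answering requests for unrelated host names and would then echo a client-supplied host into a permanent redirect. Use the configured name instead: `return 301 https://$server_name$request_uri;` (the `return` form also drops the stray trailing `?`). The commented-out `# include acme;` reads like a leftover experiment and should be removed, or the comment above it should say why the include is intentionally disabled.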
diff --git a/ansible/templates/notes.vhost.j2 b/ansible/templates/notes.vhost.j2
index ce8c14b..4f1ac76 100644
--- a/ansible/templates/notes.vhost.j2
+++ b/ansible/templates/notes.vhost.j2
@@ -1,7 +1,23 @@
 server {
-
+ listen 443 ssl http2 deferred;
 server_name notes.anwinged.ru;
+ ssl on;
+ ssl_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
+ ssl_certificate_key /etc/letsencrypt/live/notes.anwinged.ru/privkey.pem;
+ ssl_trusted_certificate /etc/letsencrypt/live/notes.anwinged.ru/fullchain.pem;
+
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_timeout 5m;
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+ ssl_dhparam /etc/nginx/dhparams.pem;
+ ssl_prefer_server_ciphers on;
+
 root /var/www/notes/current/web;
 location / {
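Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` still enables TLS 1.0 and 1.1, and the cipher string lists the three `DES-CBC3-SHA` 3DES suites plus a `HIGH` catch-all (the trailing `!DES` excludes only single DES, not 3DES), so a downgraded client can negotiate ciphers that current guidance treats as weak; use `ssl_protocols TLSv1.2;` and drop the three 3DES entries. `ssl_stapling on` together with `ssl_stapling_verify on` needs a `resolver` directive so nginx can look up the OCSP responder, e.g. `resolver <DNS_RESOLVER_IP> valid=300s;` (placeholder address), otherwise stapling fails silently. With `listen 443 ssl` the `ssl on;` line is redundant and is deprecated in newer nginx releases. Since port 80 now redirects every request to HTTPS, `add_header Strict-Transport-Security "max-age=31536000" always;` would make that policy stick in browsers. The `server` block continues past the end of the hunk.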