ssl: add initial letsencrypt setup

Signed-off-by: Mattia Rizzolo <mattia@debian.org>

roles/ssl-keys/defaults/main.yml

 ---
 
 letsencrypt_email: false
+local_webserver: false
 ssl_home: /etc/ssl

roles/ssl-keys/tasks/letsencrypt.yml

 ---
+
+- name: Be sure the dehydrated client is installed
+  apt: name=dehydrated state=present
+
+- name: Copy dehydrated config file
+  template: src=letsencrypt/config
+            dest=/etc/dehydrated/conf.d/config.sh
+            owner=root
+            group=root
+            mode=0644
+
+- name: Copy the hooks cript
+  template: src=letsencrypt/hooks.sh
+            dest=/etc/dehydrated/hooks.sh
+            owner=root
+            group=root
+            mode=0755
+
+- name: Install the cronjob
+  cron:
+    cron_file: ssl
+    state: present
+    user: letsencrypt
+    special_time: weekly
+    env: "{{ item.env }}"
+    name: "{{ item.name }}"
+    job: "{{ item.job }}"
+  with_items:
+    - env: true
+      name: MAILTO
+      job: root
+    - env: false
+      name: ssl-keys
+      job: chronic dehydrated -c
+
+- name: Install the apache configuration
+  apt: name=dehydrated-apache2 state=present
+  when:
+    - local_webserver == 'apache'
+
+- name: Install the nginx configuration
+  template:
+    src: letsencrypt/nginx.conf
+    dest: /etc/nginx/snippets/dehydrated.conf
+    owner: root
+    group: root
+    mode: 0444
+  when:
+    - local_webserver == 'nginx'
+
+- name: Create the acme-challenges directory
+  file: path=/var/lib/dehydrated/acme-challenges
+        owner=ssl-keys
+        group=ssl-keys
+        mode=0755
+        state=directory
+
+- name: change owner of /var/lib/dehydrated to ssl-keys:ssl-cert
+  command: dpkg-statoverride --update --force --add ssl-keys ssl-cert 755 /var/lib/{{ item }}
+  changed_when: false
+  with_items:
+    - dehydrated
+    - dehydrated/acme-challenges

roles/ssl-keys/templates/letsencrypt/config

+#
+# {{ ansible_managed }}
+#
+
+PRIVATE_KEY_RENEW="no"
+HOOK="/etc/dehydrated/hook.sh"
+CONTACT_EMAIL=" {{ letsencrypt_email }}"
+
+DOMAINS_TXT = "{{ ssl_home }}/domains"
+CERTDIR = "{{ ssl_home }}/localcerts"

roles/ssl-keys/templates/letsencrypt/hooks.sh

+#!/bin/bash
+#
+# {{ ansible_managed }}
+
+set -eu
+
+OP=$1
+
+_log () {
+    echo " + ($OP) $*"
+}
+
+reload_apache () {
+    _log "Reloading apache..."
+    sudo apache2ctl graceful
+    # the next cert challenge verification would timeout if attempted right after
+    # not sure what's wrong with it (I observe this behaviour only on magog), so
+    # let's just sleep a bit for now
+    sleep 10
+}
+
+reload_nginx () {
+    _log "Reloading nginx..."
+    sudo service nginx reload
+}
+
+reload_postfix () {
+    _log "Reloading postfix..."
+    sudo service postfix reload
+}
+
+
+case "$OP" in
+    deploy_cert)
+        DOMAIN="$1"
+{% if local_webserver == 'nginx' %}
+        reload_ngnix
+{% elif local_webserver == 'apache' %}
+        reload_apache
+{% endif %}
+        if [ "${DOMAIN}" = "$(hostname -f)" ]; then
+            reload_postfix
+        fi
+        ;;
+    *)
+        ;;
+esac
+

roles/ssl-keys/templates/letsencrypt/nginx.conf

+#
+# {{ ansible_managed }}
+#
+
+location /.well-known/acme-challenge/ {
+    alias /var/lib/dehydrated/acme-challenges/;
+    disable_symlinks off;
+    autoindex off;
+}