Initial work for Let's Encrypt by TJ Keemon (Hackathon 2016)

playbooks/example_lets_encrypt.yml

+---
+- hosts: localhost
+  gather_facts: False
+  vars:
+    EDXAPP_LMS_NGINX_PORT: '80'
+    EDXAPP_LMS_NGINX_PORT: '80'
+  roles: 
+    - role: nginx
+      nginx_sites:
+      - lms
+      - cms
+      nginx_default_site:
+      - lms
+    - lets_encrypt
+

playbooks/roles/lets_encrypt/defaults/main.yml

+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://openedx.atlassian.net/wiki/display/OpenOPS
+# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+##
+# Defaults for role lets_encrypt
+# 
+
+
+LETS_ENCRYPT_DOMAINS: []
+LETS_ENCRYPT_EMAIL: !!null
+
+#
+# OS packages
+#
+
+lets_encrypt_debian_pkgs: ['git', 'bc']
+
+lets_encrypt_redhat_pkgs: []

playbooks/roles/lets_encrypt/handlers/main.yml

+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded

playbooks/roles/lets_encrypt/meta/main.yml

+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://openedx.atlassian.net/wiki/display/OpenOPS
+# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+##
+# Role includes for role lets_encrupt
+# 
+# Example:
+#
+# dependencies:
+#   - {
+#   role: my_role 
+#   my_role_var0: "foo"
+#   my_role_var1: "bar"
+# }

playbooks/roles/lets_encrypt/tasks/main.yml

+---
+#
+# edX Configuration
+#
+# github:     https://github.com/edx/configuration
+# wiki:       https://openedx.atlassian.net/wiki/display/OpenOPS
+# code style: https://openedx.atlassian.net/wiki/display/OpenOPS/Ansible+Code+Conventions
+# license:    https://github.com/edx/configuration/blob/master/LICENSE.TXT
+#
+#
+#
+# Tasks for role lets_encrupt
+# 
+# Overview:
+# 
+#
+# Dependencies:
+#
+# 
+# Example play:
+#
+#
+
+- name: check domains
+  fail:
+    msg: "Domain list is empty"
+  when: LETS_ENCRYPT_DOMAINS|length < 1
+
+- name: install deps
+  debug: TODO
+
+- name: "Install let's encrypt"
+  git:
+    repo: https://github.com/letsencrypt/letsencrypt
+    dest: /opt/letsencrypt
+
+- name: create .well-known directory
+  file:
+    path: /usr/share/nginx/www/.well-known
+    state: directory
+    owner: www-data
+    group: www-data
+
+- name: "render let's encrypt script"
+  template:
+    src: run_lets_encrypt.sh.j2
+    dest: /tmp/run_lets_encrypt.sh
+    mode: u+x
+
+- name: "run let's encrypt"
+  command: /tmp/run_lets_encrypt.sh
+
+- name: create auto-renew cron job
+  debug: Ask the intern
+
+- name: reload nginx config
+  service:
+    name: nginx
+    state: reloaded

playbooks/roles/lets_encrypt/templates/run_lets_encrypt.sh.j2

+#!/bin/bash
+/opt/letsencrypt/letsencrypt-auto certonly -a webroot --webroot-path=/usr/share/nginx/www --non-interactive --email {{ LETS_ENCRYPT_EMAIL }} --agree-tos {% for domain in LETS_ENCRYPT_DOMAINS -%} -d {{ domain }} {%- endfor -%}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/cms.j2

@@ -104,6 +104,8 @@ error_page {{ k }} {{ v }};
     proxy_pass http://cms-backend;
   }
 
+{% include "lets_encrypt.j2" %}
+
   location / {
     {% if EDXAPP_CMS_ENABLE_BASIC_AUTH|bool %}
       {% include "basic-auth.j2" %}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lets_encrypt.j2

+location ~ /.well-known {
+      allow all;
+      root /usr/share/nginx/www;
+}

playbooks/roles/nginx/templates/edx/app/nginx/sites-available/lms.j2

@@ -27,6 +27,8 @@ limit_req_zone {{ "$limit_bot_" ~ agent.alias }} zone=agents:10m rate={{ agent.r
 
 {%- endif %}
 
+{% include "lets_encrypt.j2" %}
+
 
 {% if NGINX_EDXAPP_EMBARGO_CIDRS %}
   {%- if NGINX_SET_X_FORWARDED_HEADERS %}