authorRicky Elrod <codeblock@fedoraproject.org>2016-06-29 14:53:50 +0000
committerRicky Elrod <codeblock@fedoraproject.org>2016-06-29 14:53:50 +0000
commit96fd17fb7866ec1e15db688f9b8ef61c9dbf120d (patch)
tree97290f8e008395c01a29ae8721dcf3309cd93012 /roles/certbot
parent6ba2f453141b811904dc9a3929f4c9e690556757 (diff)
first attempt at certbot role
Signed-off-by: Ricky Elrod <codeblock@fedoraproject.org>
Diffstat (limited to 'roles/certbot')
-rw-r--r--roles/certbot/README22
-rw-r--r--roles/certbot/files/acme-challenge.conf3
-rw-r--r--roles/certbot/tasks/main.yml13
3 files changed, 38 insertions, 0 deletions
diff --git a/roles/certbot/README b/roles/certbot/README
new file mode 100644
index 000000000..6e44d28e4
--- /dev/null
+++ b/roles/certbot/README
@@ -0,0 +1,22 @@
+First go at a certbot/letsencrypt role for Fedora Infra
+
+To use it:
+
+1) Include the role in your playbook. This will install certbot and put a
+ tiny bit of Apache config in place, along with a monthly cron to attempt to
+ renew certificates.
+2) Add the following lines to your Apache virthost:
+
+ RewriteEngine on
+ RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
+
+2) ssh to the relevant box
+
+ # TODO: Fix selinux stuff - the cron won't work until it's fixed either.
+ service httpd graceful
+ setenforce 0
+ certbot certonly --manual-public-ip-logging-ok --webroot -w \
+ /srv/web/acme-challenge/ -d YOURINSTANCE.fedorainfracloud.org
+ setenforce 1
+
+
diff --git a/roles/certbot/files/acme-challenge.conf b/roles/certbot/files/acme-challenge.conf
new file mode 100644
index 000000000..e5bbc747c
--- /dev/null
+++ b/roles/certbot/files/acme-challenge.conf
@@ -0,0 +1,3 @@
+<Directory "/srv/web/acme-challenge/">
+ Require all granted
+</Directory>
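Review bot: The `<Directory>` block grants access to everything under `/srv/web/acme-challenge/` but does not restrict what that directory may serve, so whatever the server-level defaults set for `Options` and `AllowOverride` is inherited here; adding `Options -Indexes` and `AllowOverride None` inside the block keeps the directory listing off and prevents a stray `.htaccess` from widening access. Only the `.well-known/acme-challenge` subtree needs to be reachable for validation, and the challenge files are plain tokens, so nothing is lost by tightening this.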
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 000000000..04999260d
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,13 @@
+- name: Install the needed packages
+ yum: pkg={{item}} state=present
+ with_items:
+ - certbot
+
+- name: Create directory for ACME challenge
+ file: dest=/srv/web/acme-challenge state=directory
+
+- name: Allow httpd to see ACME challenge directory
+ copy: src=acme-challenge.conf dest=/etc/httpd/conf.d/acme-challenge.conf
+
+- name: Certbot renewal cron
+ cron: special_time=monthly job="certbot renew"
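Review bot: The directory created by the "Create directory for ACME challenge" task gets no SELinux label, which is exactly what the README's TODO and its `setenforce 0` step work around; the `file` module can set it directly, `file: dest=/srv/web/acme-challenge state=directory setype=httpd_sys_content_t`, so httpd can serve the challenge files with enforcing mode left on. The monthly `certbot renew` cron also never reloads httpd after a renewal, so a renewed certificate is not served until something else restarts the service; if the installed certbot supports it, a `--post-hook "service httpd graceful"` on the job closes that gap. Monthly is also a coarse interval for a 90-day certificate whose renewal window is ~30 days; upstream suggests running `renew` at least daily, since it is a no-op when nothing is due.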