mattiaslundberg · May 14, 2025 21:35 · Nov 13, 2016 · Sep 4, 2016 · Aug 21, 2016 · Aug 21, 2016
diff --git a/playbook.yml b/playbook.yml
@@ -55,5 +55,6 @@
 
     - name: Add letsencrypt cronjob for cert renewal
       cron:
+        name: letsencrypt_renewal
         special_time: weekly
         job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
diff --git a/playbook.yml b/playbook.yml
@@ -56,4 +56,4 @@
     - name: Add letsencrypt cronjob for cert renewal
       cron:
         special_time: weekly
-        job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} && service nginx reload
+        job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }} && service nginx reload
diff --git a/README.mda → Ansible Let's Encrypt Nginx setup b/README.mda → Ansible Let's Encrypt Nginx setup
diff --git a/README.md → README.mda b/README.md → README.mda
diff --git a/README.md b/README.md
@@ -1,12 +1,12 @@
 Ansible playbook to setup HTTPS using Let's encrypt on nginx.
 
 The Ansible playbook installs everything needed to serve static files from a nginx server over HTTPS.
-The server pass `A` rating on [SSL Labs](https://www.ssllabs.com/).
+The server pass A rating on [SSL Labs](https://www.ssllabs.com/).
 
 To use:
  1. Install [Ansible](https://www.ansible.com/)
  2. Setup an Ubuntu 16.04 server accessible over ssh
- 3. Create /etc/ansible/hosts according to template below and change example.com to your domain
+ 3. Create `/etc/ansible/hosts` according to template below and change example.com to your domain
  4. Copy the rest of the files to an empty directory (`playbook.yml` in the root of that folder and the rest in the `templates` subfolder)
  5. Run `ansible-playbook playbook.yml`
  6. Copy your (static HTML) code to `/var/www/example.com` (`example.com` replaced with your domain)

diff --git a/README.md b/README.md
@@ -1,11 +1,13 @@
 Ansible playbook to setup HTTPS using Let's encrypt on nginx.
 
-This provides a server capable of serving static files using HTTPS.
+The Ansible playbook installs everything needed to serve static files from a nginx server over HTTPS.
+The server pass `A` rating on [SSL Labs](https://www.ssllabs.com/).
 
 To use:
  1. Install [Ansible](https://www.ansible.com/)
- 2. Setup a server accessible over ssh
+ 2. Setup an Ubuntu 16.04 server accessible over ssh
  3. Create /etc/ansible/hosts according to template below and change example.com to your domain
  4. Copy the rest of the files to an empty directory (`playbook.yml` in the root of that folder and the rest in the `templates` subfolder)
  5. Run `ansible-playbook playbook.yml`
- 6. Copy your (static HTML) code to `/var/www/example.com` (`example.com` replaced with your domain)
+ 6. Copy your (static HTML) code to `/var/www/example.com` (`example.com` replaced with your domain)
+ 7. Restart nginx (`systemctl restart nginx`)
diff --git a/README.md b/README.md
@@ -1 +1,11 @@
-Ansible playbook to setup HTTPS using Let's encrypt on nginx.
+Ansible playbook to setup HTTPS using Let's encrypt on nginx.
+
+This provides a server capable of serving static files using HTTPS.
+
+To use:
+ 1. Install [Ansible](https://www.ansible.com/)
+ 2. Setup a server accessible over ssh
+ 3. Create /etc/ansible/hosts according to template below and change example.com to your domain
+ 4. Copy the rest of the files to an empty directory (`playbook.yml` in the root of that folder and the rest in the `templates` subfolder)
+ 5. Run `ansible-playbook playbook.yml`
+ 6. Copy your (static HTML) code to `/var/www/example.com` (`example.com` replaced with your domain)
diff --git a/etc ansible hosts b/etc ansible hosts
@@ -1,2 +1,2 @@
-[example.com]
+[letsencrypt]
 example.com ansible_user=root [email protected] domain_name=example.com
diff --git a/playbook.yml b/playbook.yml
@@ -1,5 +1,5 @@
 ---
-- hosts: example.com
+- hosts: letsencrypt
   become: true
   gather_facts: no
 

diff --git a/templates nginx-http.j2 b/templates nginx-http.j2
@@ -1,15 +1,16 @@
 server_tokens off;
 
 server {
-	listen 80 default_server;
-	server_name {{ domain_name }};
+    listen 80 default_server;
+    server_name {{ domain_name }};
 
     location /.well-known/acme-challenge {
         root /var/www/letsencrypt;
-		try_files $uri $uri/ =404;
+        try_files $uri $uri/ =404;
     }
 
     location / {
         rewrite ^ https://{{ domain_name }}$request_uri? permanent;
     }
 }
+
diff --git a/templates nginx-le.j2 b/templates nginx-le.j2
@@ -7,29 +7,29 @@ add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsaf
 # HTTPS server
 #
 server {
-	listen 443 ssl default deferred;
-	server_name {{ domain_name }};
+    listen 443 ssl default deferred;
+    server_name {{ domain_name }};
 
-	ssl on;
+    ssl on;
     ssl_certificate         /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
     ssl_certificate_key     /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
     ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
 
-	ssl_session_cache shared:SSL:50m;
-	ssl_session_timeout 5m;
-	ssl_stapling on;
-	ssl_stapling_verify on;
+    ssl_session_cache shared:SSL:50m;
+    ssl_session_timeout 5m;
+    ssl_stapling on;
+    ssl_stapling_verify on;
 
-	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+    ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
 
-	ssl_dhparam /etc/nginx/dhparams.pem;
-	ssl_prefer_server_ciphers on;
+    ssl_dhparam /etc/nginx/dhparams.pem;
+    ssl_prefer_server_ciphers on;
 
-	root /var/www/{{ domain_name }};
-	index index.html index.htm;
+    root /var/www/{{ domain_name }};
+    index index.html index.htm;
 
-	location / {
-		try_files $uri $uri/ =404;
-	}
+    location / {
+        try_files $uri $uri/ =404;
+    }
 }
diff --git a/templates nginx.conf b/templates nginx.conf
@@ -3,71 +3,25 @@ worker_processes 4;
 pid /run/nginx.pid;
 
 events {
-	worker_connections 768;
-	# multi_accept on;
+    worker_connections 768;
 }
 
 http {
 
-	##
-	# Basic Settings
-	##
+    sendfile on;
+    tcp_nopush on;
+    tcp_nodelay on;
+    keepalive_timeout 65;
+    types_hash_max_size 2048;
+    include /etc/nginx/mime.types;
+    default_type application/octet-stream;
 
-	sendfile on;
-	tcp_nopush on;
-	tcp_nodelay on;
-	keepalive_timeout 65;
-	types_hash_max_size 2048;
-	# server_tokens off;
+    access_log /var/log/nginx/access.log;
+    error_log /var/log/nginx/error.log;
 
-	# server_names_hash_bucket_size 64;
-	# server_name_in_redirect off;
+    gzip on;
+    gzip_disable "msie6";
 
-	include /etc/nginx/mime.types;
-	default_type application/octet-stream;
-
-	##
-	# Logging Settings
-	##
-
-	access_log /var/log/nginx/access.log;
-	error_log /var/log/nginx/error.log;
-
-	##
-	# Gzip Settings
-	##
-
-	gzip on;
-	gzip_disable "msie6";
-
-	# gzip_vary on;
-	# gzip_proxied any;
-	# gzip_comp_level 6;
-	# gzip_buffers 16 8k;
-	# gzip_http_version 1.1;
-	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
-
-	##
-	# nginx-naxsi config
-	##
-	# Uncomment it if you installed nginx-naxsi
-	##
-
-	#include /etc/nginx/naxsi_core.rules;
-
-	##
-	# nginx-passenger config
-	##
-	# Uncomment it if you installed nginx-passenger
-	##
-
-	#passenger_root /usr;
-	#passenger_ruby /usr/bin/ruby;
-
-	##
-	# Virtual Host Configs
-	##
-
-	include /etc/nginx/conf.d/*.conf;
-	include /etc/nginx/sites-enabled/*;
+    include /etc/nginx/conf.d/*.conf;
+    include /etc/nginx/sites-enabled/*;
 }
diff --git a/README.md b/README.md
@@ -0,0 +1 @@
+Ansible playbook to setup HTTPS using Let's encrypt on nginx.
diff --git a/etc ansible hosts b/etc ansible hosts
@@ -0,0 +1,2 @@
+[example.com]
+example.com ansible_user=root [email protected] domain_name=example.com
diff --git a/playbook.yml b/playbook.yml
@@ -0,0 +1,59 @@
+---
+- hosts: example.com
+  become: true
+  gather_facts: no
+
+  pre_tasks:
+    - raw: apt-get install -y python-simplejson
+
+  tasks:
+    - name: Upgrade system
+      apt: upgrade=dist update_cache=yes
+
+    - name: Install nginx
+      apt: name=nginx state=latest
+
+    - name: install letsencrypt
+      apt: name=letsencrypt state=latest
+
+    - name: create letsencrypt directory
+      file: name=/var/www/letsencrypt state=directory
+
+    - name: Remove default nginx config
+      file: name=/etc/nginx/sites-enabled/default state=absent
+
+    - name: Install system nginx config
+      template:
+        src: templates/nginx.conf.j2
+        dest: /etc/nginx/nginx.conf
+
+    - name: Install nginx site for letsencrypt requests
+      template:
+        src: templates/nginx-http.j2
+        dest: /etc/nginx/sites-enabled/http
+
+    - name: Reload nginx to activate letsencrypt site
+      service: name=nginx state=restarted
+
+    - name: Create letsencrypt certificate
+      shell: letsencrypt certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} --agree-tos -d {{ domain_name }}
+      args:
+        creates: /etc/letsencrypt/live/{{ domain_name }}
+
+    - name: Generate dhparams
+      shell: openssl dhparam -out /etc/nginx/dhparams.pem 2048
+      args:
+        creates: /etc/nginx/dhparams.pem
+
+    - name: Install nginx site for specified site
+      template:
+        src: templates/nginx-le.j2
+        dest: /etc/nginx/sites-enabled/le
+
+    - name: Reload nginx to activate specified site
+      service: name=nginx state=restarted
+
+    - name: Add letsencrypt cronjob for cert renewal
+      cron:
+        special_time: weekly
+        job: letsencrypt --renew certonly -n --webroot -w /var/www/letsencrypt -m {{ letsencrypt_email }} && service nginx reload
diff --git a/templates nginx-http.j2 b/templates nginx-http.j2
@@ -0,0 +1,15 @@
+server_tokens off;
+
+server {
+	listen 80 default_server;
+	server_name {{ domain_name }};
+
+    location /.well-known/acme-challenge {
+        root /var/www/letsencrypt;
+		try_files $uri $uri/ =404;
+    }
+
+    location / {
+        rewrite ^ https://{{ domain_name }}$request_uri? permanent;
+    }
+}
diff --git a/templates nginx-le.j2 b/templates nginx-le.j2
@@ -0,0 +1,35 @@
+add_header X-Frame-Options SAMEORIGIN;
+add_header X-Content-Type-Options nosniff;
+add_header X-XSS-Protection "1; mode=block";
+add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.google-analytics.com; img-src 'self' data: https://www.google-analytics.com; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'none'; object-src 'none'";
+
+
+# HTTPS server
+#
+server {
+	listen 443 ssl default deferred;
+	server_name {{ domain_name }};
+
+	ssl on;
+    ssl_certificate         /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+    ssl_certificate_key     /etc/letsencrypt/live/{{ domain_name }}/privkey.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/{{ domain_name }}/fullchain.pem;
+
+	ssl_session_cache shared:SSL:50m;
+	ssl_session_timeout 5m;
+	ssl_stapling on;
+	ssl_stapling_verify on;
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+	ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
+
+	ssl_dhparam /etc/nginx/dhparams.pem;
+	ssl_prefer_server_ciphers on;
+
+	root /var/www/{{ domain_name }};
+	index index.html index.htm;
+
+	location / {
+		try_files $uri $uri/ =404;
+	}
+}
diff --git a/templates nginx.conf b/templates nginx.conf
@@ -0,0 +1,73 @@
+user www-data;
+worker_processes 4;
+pid /run/nginx.pid;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	tcp_nodelay on;
+	keepalive_timeout 65;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+	error_log /var/log/nginx/error.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+	gzip_disable "msie6";
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# nginx-naxsi config
+	##
+	# Uncomment it if you installed nginx-naxsi
+	##
+
+	#include /etc/nginx/naxsi_core.rules;
+
+	##
+	# nginx-passenger config
+	##
+	# Uncomment it if you installed nginx-passenger
+	##
+
+	#passenger_root /usr;
+	#passenger_ruby /usr/bin/ruby;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1 @@
		Ansible playbook to setup HTTPS using Let's encrypt on nginx.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		[example.com]
		example.com ansible_user=root [email protected] domain_name=example.com