Https enabled and letsencrypt working

2026-06-03 18:58:55 +02:00 · 2026-06-03 18:58:55 +02:00 · ade85961e6
parent 9ae1cb6572
commit ade85961e6
6 changed files with 103 additions and 6 deletions
--- a/ansible/inventories/automotive.yaml
+++ b/ansible/inventories/automotive.yaml
@ -4,4 +4,5 @@ automotive:
    web:
      hosts:
        automotive.sse.cloud.isti.cnr.it:
+          ansible_host: 146.48.29.251 
        #automotive2.sse.cloud.isti.cnr.it:
--- a/ansible/inventories/group_vars/automotive/automotive.yaml
+++ b/ansible/inventories/group_vars/automotive/automotive.yaml
@ -1,6 +1,10 @@
 ---
+#Common Docker 
 docker_network_name: wp_net
+docker_base_volume_path: /usr/data/wp

+
+# MYSQL Docker 
 mysql_docker_tag: 9.7.0
 docker_mysql_hostname: web_db

@ -10,13 +14,26 @@ db_password:  "{{ automotive_mysql_user_password }}"
 db_root_password: "{{ automotive_mysql_root_password }}"


+#NGINX Docker 
 nginx_docker_tag: 1.31.1
 nginx_server_name: automotive.sse.cloud.isti.cnr.it
 ssl: true

+#WORDPRESS Docker
 wordpress_docker_tag: 7.0.0-php8.2-apache
-
-docker_base_volume_path: /usr/data/wp
 docker_wordpress_hostname: automotive_test

-certbot_docker_tag: v5.6.0
+#CERTBOT for letsencrypt
+certbot_create_method: webroot
+certbot_create_if_missing: true
+certbot_admin_email: fabio.sinibaldi@isti.cnr.it
+
+certbot_webroot: "{{ docker_base_volume_path }}/wordpress"
+certbot_certs:
+  - name: "automotive"
+    domains: 
+    - "{{ nginx_server_name }}"
+
+#Certbot verbose level
+certbot_create_extra_args: "-v"
+certbot_testmode: false
--- a/ansible/playbooks/templates/nginx.j2
+++ b/ansible/playbooks/templates/nginx.j2
@ -3,9 +3,22 @@ server {
    listen [::]:80;
    server_name {{ nginx_server_name }};

+    location / {
+        return 301 https://$host$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl;
+    server_name {{ nginx_server_name }};
+
    root   /var/www/html;
    index  index.php;

+    ssl_certificate /etc/nginx/ssl/fullchain.pem;
+    ssl_certificate_key /etc/nginx/ssl/privatekey.pem;
+    {# ssl_trusted_certificate /etc/nginx/ssl/intermediatecertificate.pem; #}
+
    location / {
        proxy_pass http://{{ docker_wordpress_hostname }}:80;
        proxy_set_header Host $host;
@ -13,4 +26,4 @@ server {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
-} 
+}
--- a/ansible/playbooks/templates/nginx.j2_http
+++ b/ansible/playbooks/templates/nginx.j2_http
@ -0,0 +1,16 @@
+server {
+    listen 80;
+    listen [::]:80;
+    server_name {{ nginx_server_name }};
+
+    root   /var/www/html;
+    index  index.php;
+
+    location / {
+        proxy_pass http://{{ docker_wordpress_hostname }}:80;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+    }
+} 
--- a/ansible/playbooks/wordpress.yaml
+++ b/ansible/playbooks/wordpress.yaml
@ -10,5 +10,53 @@
    - chrissayon.wordpress_docker.network
    - chrissayon.wordpress_docker.mysql
    - chrissayon.wordpress_docker.wordpress
-    - docker-certbot
-    - chrissayon.wordpress_docker.nginx
+
+
+  tasks:
+    # Need to stop using port 80 for certbot webroot validation
+    - name: Gathering NGINX container state
+      docker_container_info:
+        name: nginx
+      register: nginx_info
+
+    - name: Stop NGINX if present
+      docker_container:
+        name: nginx
+        state: stopped
+      when: 
+        - nginx_info.exists
+
+    # Manage certbot
+
+    - name: Install / configure certbot
+      include_role: 
+        name: geerlingguy.certbot
+
+    # Copy certificates
+    # configured volume for ssl is 
+    # "/usr/data/wp/nginx/ssl:/etc/nginx/ssl/:ro"
+
+    - name: Copy fullchain files to nginx volume
+      ansible.builtin.copy:
+        src: "/etc/letsencrypt/live/{{ item.name }}/fullchain.pem"
+        #TODO nginx configuration is not multi domain
+        dest: "{{ docker_base_volume_path }}/nginx/ssl/fullchain.pem"
+        remote_src: true
+        mode: '0644'
+      loop: "{{ certbot_certs }}"
+
+    - name: Copy privkey files to nginx volume
+      ansible.builtin.copy:
+        src: "/etc/letsencrypt/live/{{ item.name }}/privkey.pem"
+        #TODO nginx configuration is not multi domain
+        dest: "{{ docker_base_volume_path }}/nginx/ssl/privatekey.pem"
+        remote_src: true
+        mode: '0644'
+      loop: "{{ certbot_certs }}"
+
+
+    # Restart NGINX
+
+    - name: (Re)start NGINX
+      include_role:
+        name: chrissayon.wordpress_docker.nginx
--- a/ansible/requirements.yml
+++ b/ansible/requirements.yml
@ -11,6 +11,8 @@ roles:

  # Required by wordpress_docker
  - name: geerlingguy.docker
+  - name: geerlingguy.certbot
+