Issue geerlingguy#83: Add HTTPS examples.

Author: geerlingguy

.gitignore

@@ -4,3 +4,5 @@ vagrant_ansible_inventory_default
 *.cache
 *.retry
 test.sh
+
+*/provisioning/roles/geerlingguy.*

.travis.yml

@@ -25,6 +25,9 @@ env:
  # - playbook: dynamic-inventory.yml
  # distro: ubuntu1604
 
+ - playbook: https-self-signed.yml
+ distro: ubuntu1604
+
  - playbook: includes.yml
  distro: ubuntu1604
 

https-self-signed/README.md

@@ -0,0 +1,36 @@
+# HTTPS Demonstration VM
+
+This project spins up a VM and demonstrates generating self-signed certificates locally, or Let's Encrypt certificates on a public server.
+
+## Quick Start Guide
+
+### 1 - Install dependencies (VirtualBox, Vagrant, Ansible)
+
+ 1. Download and install [VirtualBox](https://www.virtualbox.org/wiki/Downloads).
+ 2. Download and install [Vagrant](http://www.vagrantup.com/downloads.html).
+ 3. [Mac/Linux only] Install [Ansible](http://docs.ansible.com/intro_installation.html).
+
+Note for Windows users: *This guide assumes you're on a Mac or Linux host. Windows hosts are unsupported at this time.*
+
+### 2 - Build the Virtual Machine
+
+ 1. Download this project and put it wherever you want.
+ 2. Open Terminal, cd to this 'provisioning' directory.
+ 3. Run `ansible-galaxy install -r requirements.yml` to install required Ansible roles.
+ 4. cd up one level to this directory (with the README and Vagrantfile).
+ 4. Type in `vagrant up`, and let Vagrant do its magic.
+
+Note: *If there are any errors during the course of running `vagrant up`, and it drops you back to your command prompt, just run `vagrant provision` to continue building the VM from where you left off. If there are still errors after doing this a few times, post an issue to this project's issue queue on GitHub with the error.*
+
+### 3 - Configure your host machine to access the VM.
+
+ 1. [Edit your hosts file](http://www.rackspace.com/knowledge_center/article/how-do-i-modify-my-hosts-file), adding the line `192.168.76.84 https.test` so you can connect to the VM.
+ 2. Open your browser and access [https://https.test](https://https.test).
+
+## Notes
+
+ - To shut down the virtual machine, enter `vagrant halt` in the Terminal in the same folder that has the `Vagrantfile`. To destroy it completely (if you want to save a little disk space, or want to rebuild it from scratch with `vagrant up` again), type in `vagrant destroy`.
+
+## About the Author
+
+This project was created by [Jeff Geerling](https://www.jeffgeerling.com/) as an example for [Ansible for DevOps](https://www.ansiblefordevops.com/).

https-self-signed/Vagrantfile

@@ -0,0 +1,24 @@
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+
+VAGRANTFILE_API_VERSION = "2"
+
+Vagrant.configure(VAGRANTFILE_API_VERSION) do |config|
+ config.vm.box = "geerlingguy/ubuntu1604"
+ config.vm.hostname = "https.test"
+ config.vm.network :private_network, ip: "192.168.76.84"
+ config.ssh.insert_key = false
+
+ config.vm.provider :virtualbox do |v|
+ v.memory = 512
+ end
+
+ # Ansible provisioning.
+ config.vm.provision "ansible" do |ansible|
+ ansible.playbook = "provisioning/main.yml"
+ ansible.become = true
+ ansible.extra_vars = {
+ ansible_python_interpreter: "/usr/bin/python3",
+ }
+ end
+end

https-self-signed/provisioning/ansible.cfg

@@ -0,0 +1,9 @@
+[defaults]
+host_key_checking = False
+roles_path = ./roles
+nocows = 1
+vault_password_file = ~/.ansible/J2-vault-password.txt
+
+[ssh_connection]
+control_path = %(directory)s/%%h-%%p-%%r
+pipelining = True

https-self-signed/provisioning/files/index.html

@@ -0,0 +1,11 @@
+<!DOCTYPE html>
+<html>
+<head>
+ <title>HTTPS Self-Signed Certificate Test</title>
+ <style>* { font-family: Helvetica, Arial, sans-serif }</style>
+</head>
+<body>
+ <h1>HTTPS Self-Signed Certificate Test</h1>
+ <p>If you can see this message, it worked!</p>
+</body>
+</html>

https-self-signed/provisioning/main.yml

@@ -0,0 +1,50 @@
+---
+- hosts: all
+
+ vars:
+ # Firewall settings.
+ firewall_allowed_tcp_ports:
+ - "22"
+ - "80"
+ - "443"
+
+ # Python settings.
+ pip_package: python3-pip
+ pip_install_packages: ['pyopenssl']
+
+ # Nginx settings.
+ nginx_vhosts: []
+ nginx_remove_default_vhost: True
+ nginx_ppa_use: True
+ nginx_ppa_version: stable
+ nginx_docroot: /var/www/html
+
+ # Self-signed certificate settings.
+ certificate_dir: /etc/letsencrypt/live
+ server_hostname: https.test
+
+ roles:
+ - geerlingguy.firewall
+ - geerlingguy.pip
+ - geerlingguy.nginx
+
+ tasks:
+ - import_tasks: tasks/self-signed-cert.yml
+
+ - name: Ensure docroot exists.
+ file:
+ path: "{{ nginx_docroot }}"
+ state: directory
+
+ - name: Copy example index.html file in place.
+ copy:
+ src: files/index.html
+ dest: "{{ nginx_docroot }}/index.html"
+ mode: 0755
+
+ - name: Copy Nginx server configuration in place.
+ template:
+ src: templates/https.test.conf.j2
+ dest: /etc/nginx/sites-enabled/https.test.conf
+ mode: 0644
+ notify: restart nginx

https-self-signed/provisioning/requirements.yml

@@ -0,0 +1,4 @@
+---
+- src: geerlingguy.firewall
+- src: geerlingguy.pip
+- src: geerlingguy.nginx

https-self-signed/provisioning/tasks/self-signed-cert.yml

@@ -0,0 +1,22 @@
+---
+- name: Ensure directory exists for local self-signed TLS certs.
+ file:
+ path: "{{ certificate_dir }}/{{ server_hostname }}"
+ state: directory
+
+- name: Generate an OpenSSL private key.
+ openssl_privatekey:
+ path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+
+- name: Generate an OpenSSL CSR.
+ openssl_csr:
+ path: "/etc/ssl/private/{{ server_hostname }}.csr"
+ privatekey_path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+ common_name: "{{ server_hostname }}"
+
+- name: Generate a Self Signed OpenSSL certificate.
+ openssl_certificate:
+ path: "{{ certificate_dir }}/{{ server_hostname }}/fullchain.pem"
+ privatekey_path: "{{ certificate_dir }}/{{ server_hostname }}/privkey.pem"
+ csr_path: /etc/ssl/private/{{ server_hostname }}.csr
+ provider: selfsigned

https-self-signed/provisioning/templates/https.test.conf.j2

@@ -0,0 +1,33 @@
+# HTTPS Test server configuration.
+server {
+ listen 80 default_server;
+ server_name _;
+ index index.html;
+ return 301 https://$host$request_uri;
+}
+
+server {
+ listen 443 ssl default_server;
+ server_name {{ server_hostname }};
+ index index.html;
+ root {{ nginx_docroot }};
+
+ ssl_certificate {{ certificate_dir }}/{{ server_hostname }}/fullchain.pem;
+ ssl_certificate_key {{ certificate_dir }}/{{ server_hostname }}/privkey.pem;
+ ssl_trusted_certificate {{ certificate_dir }}/{{ server_hostname }}/fullchain.pem;
+ ssl_session_timeout 1d;
+ ssl_session_cache shared:SSL:50m;
+ ssl_session_tickets off;
+
+ ssl_protocols TLSv1.2;
+ ssl_ciphers EECDH+AESGCM:EECDH+AES;
+ ssl_ecdh_curve secp384r1;
+ ssl_prefer_server_ciphers on;
+
+ ssl_stapling on;
+ ssl_stapling_verify on;
+
+ add_header Strict-Transport-Security "max-age=15768000; includeSubdomains; preload";
+ add_header X-Frame-Options DENY;
+ add_header X-Content-Type-Options nosniff;
+}