kevinveenbirkenbach/computer-playbook
1
0
Fork 0
mirror of https://github.com/kevinveenbirkenbach/computer-playbook.git synced 2025-02-22 12:29:39 +01:00
Code Issues Packages Projects Releases Wiki Activity
computer-playbook/roles/nginx-docker-cert-deploy/README.md

158 lines
5.4 KiB
Markdown
Raw Permalink Blame History

This file contains invisible Unicode characters

This file contains invisible Unicode characters that are indistinguishable to humans but may be processed differently by a computer. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

# Nginx Docker Cert Deploy Role
🎉 **Author**: [Kevin Veen-Birkenbach](https://www.veen.world)
This Ansible role simplifies the deployment of **Let's Encrypt certificates** into **Docker Compose** setups with Nginx. It supports both **individual certificates per subdomain** and a **single wildcard certificate** for all subdomains.
---
## 🚀 **Features**
- Automatically deploys **Let's Encrypt certificates** to Docker Compose setups.
- Supports both **single-domain certificates** and **one wildcard certificate** for all subdomains.
- **Copies certificates** to the target directory inside the container.
- Automatically **reloads or restarts Nginx services** when certificates are updated.
- **Configures and manages a `systemd` service** for automated certificate deployment.
- **Includes a `systemd` timer** for scheduled renewals.
- **Handles dependent services** like `systemd-notifier`.
---
## 📋 **Configuration Options**
### 🔹 **One Wildcard Certificate for All Subdomains**
By default, each subdomain gets its own certificate. You can **enable a wildcard certificate** by setting:
```yaml
enable_wildcard_certificate: true
```
📌 **Pros & Cons of a Wildcard Certificate:**
**Improves performance** by reducing TLS handshakes.
**Simplifies certificate management** (one cert for all subdomains).
**Requires manual DNS challenge setup** for Let's Encrypt.
**Needs additional configuration for automation** (see below).
If enabled, update your inventory file and follow the **manual wildcard certificate setup** below.
---
## 🔧 **Tasks Overview**
### **1⃣ Main Tasks**
1. **Add Deployment Script**
- Copies `nginx-docker-cert-deploy.sh` to the administrator scripts directory.
2. **Create Certificate Directory**
- Ensures `cert_mount_directory` exists with proper permissions.
3. **Configure `systemd` Service**
- Deploys a `systemd` service file for the deployment process.
4. **Include `systemd-timer` Role**
- Schedules automatic certificate deployment using a `systemd` timer.
### **2⃣ Handlers**
- **Restart Nginx Service**
- Restarts `nginx-docker-cert-deploy` whenever a certificate update occurs.
---
## **🔐 Wildcard Certificate Setup with Let's Encrypt**
If you enabled `enable_wildcard_certificate`, follow these steps to manually request a **wildcard certificate**.
### **1⃣ Run the Certbot Command 🖥️**
```sh
certbot certonly --manual --preferred-challenges=dns --agree-tos \
--email administrator@primary_domain -d primary_domain -d "*.primary_domain"
```
### **2⃣ Add DNS TXT Record for Validation 📜**
Certbot will prompt you to add a DNS TXT record:
```
Please create a TXT record under the name:
_acme-challenge.primary_domain.
with the following value:
9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA
```
**Go to your DNS provider** and create a new **TXT record**:
- **Host:** `_acme-challenge.primary_domain`
- **Value:** `"9oVizYIYVGlZ3VtWQIKRS5UghyXiqGoUNlCtIE7LiA"`
- **TTL:** Set to **300 seconds (or lowest possible)**
**Verify the DNS record** before continuing:
```sh
dig TXT _acme-challenge.primary_domain @8.8.8.8
```
### **3⃣ Complete the Certificate Request ✅**
Once the DNS changes have propagated, **press Enter** in the Certbot terminal.
If successful, Certbot will save the certificates under:
```
/etc/letsencrypt/live/primary_domain/
```
- **fullchain.pem** → The certificate
- **privkey.pem** → The private key
---
## **📂 File & Directory Structure**
```sh
roles/nginx-docker-cert-deploy/
├── files/
│ ├── nginx-docker-cert-deploy.sh # Deployment script
├── handlers/
│ ├── main.yml # Restart Nginx handler
├── meta/
│ ├── main.yml # Dependencies
├── tasks/
│ ├── main.yml # Main Ansible tasks
├── templates/
│ ├── nginx-docker-cert-deploy.service.j2 # Systemd service template
├── vars/
│ ├── main.yml # Variable definitions
```
---
## **🔧 Deploying Certificates into Docker Containers**
The role **automates copying certificates** into Docker Compose setups.
### **1⃣ Deployment Script (`nginx-docker-cert-deploy.sh`)**
This script:
- **Copies certificates** to the correct container directory.
- **Reloads Nginx** inside all running containers.
- **Restarts containers if needed**.
**Usage:**
```sh
sh nginx-docker-cert-deploy.sh primary_domain /path/to/docker/compose
```
### **2⃣ Systemd Service & Timer**
The role includes a **`systemd` service** that runs the deployment script whenever certificates are updated.
Example `nginx-docker-cert-deploy.service.j2`:
```ini
[Unit]
Description=Let's Encrypt deploy to {{docker_compose.directories.instance}}
OnFailure=systemd-notifier.cymais@%n.service
[Service]
Type=oneshot
ExecStart=/usr/bin/bash {{path_administrator_scripts}}/nginx-docker-cert-deploy.sh {{primary_domain}} {{docker_compose.directories.instance}}
```
---
## 🎯 **Summary**
| Feature | Description |
|---------|------------|
| **Single-domain & wildcard support** | Use individual certs or a wildcard certificate |
| **Automated renewal** | Cronjob or systemd timer ensures auto-renewals |
| **Docker-ready** | Deploys certificates directly into Docker containers |
| **Supports Nginx & Mailu** | Compatible with multiple services |
| **Systemd integration** | Automates deployment via `systemd` |
🚀 **Now your Nginx setup is fully automated and secured with Let's Encrypt!** 🎉
```
Reference in New Issue View Git Blame Copy Permalink