Add https support for copr-be-dev

roles/copr/backend/files/lighttpd/lighttpd_dev.conf

@@ -81,7 +81,8 @@ server.modules = (
   "mod_setenv",
   "mod_redirect",
   "mod_indexfile",
-  "mod_cgi"
+  "mod_cgi",
+  "mod_openssl"
 )
 
 cgi.assign = ( ".pl"  => "/usr/bin/perl",
@@ -448,6 +449,37 @@ server.upload-dirs = ( "/var/tmp" )
 ##
 #ssl.ca-file = ""
 
+
+# Used for letsencrypt validation
+$HTTP["url"] =~ "^/.well-known/" {
+    server.document-root = "/var/certbot/public_html/.well-known/"
+    alias.url = ( "/.well-known/" => "/var/certbot/public_html/.well-known/" )
+    dir-listing.activate = "enable"
+}
+
+
+# Enable HTTPS
+$SERVER["socket"] == ":443" {
+    ssl.engine              = "enable"
+    ssl.ca-file             = "/etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/chain.pem"
+    ssl.pemfile             = "/etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/combined.pem"
+    ssl.honor-cipher-order  = "enable"
+    # The following is OPTIONAL
+    ssl.cipher-list         = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH:ECDHE-RSA-AES128-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA128:DHE-RSA-AES128-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-GCM-SHA128:ECDHE-RSA-AES128-SHA384:ECDHE-RSA-AES128-SHA128:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA128:DHE-RSA-AES128-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA384:AES128-GCM-SHA128:AES128-SHA128:AES128-SHA128:AES128-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
+    ssl.use-compression     = "disable"
+    ssl.use-sslv2           = "disable"
+    ssl.use-sslv3           = "disable"
+}
+
+
+# Force HTTPS
+$SERVER["socket"] == ":80" {
+    url.redirect = (
+        "^/(.*)" => "https://copr-be-dev.cloud.fedoraproject.org/$1"
+    )
+}
+
+
 ##
 #######################################################################
 

roles/copr/backend/tasks/letsencrypt.yml

@@ -0,0 +1,60 @@
+# This playbook is inspired by
+# https://mikeshultz.com/setting-up-lets-encrypt-with-lighttpd-and-certbot.html
+# Particularly it follows "(Option B) The Hard Way"
+
+- name: Install required packages
+  dnf: state=latest name={{ item }}
+  with_items:
+    - certbot
+
+- name: Create The Web Root
+  file:
+    path: /var/certbot/public_html/.well-known/
+    state: directory
+    owner: lighttpd
+    group: lighttpd
+    mode: g+s
+
+- name: Check that cert file exists
+  stat:
+    path: "/etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/cert.pem"
+  register: stat_cert
+
+# This is only for initial setup
+# In such case, lighttpd config expects certificate files in /etc/letsencrypt/live,
+# but it doesn't exist yet and therefore lighttpd refuses to start at all.
+# We will use certbot standalone server to get certificates and then let the playbook to
+# parse them and start the lighttpd again.
+# Once we have at least some existing certificate files, this step will be skipped.
+- name: Should admin run certbot?
+  fail:
+    msg:
+      - "There are no certificates yet"
+      - "Please temporarily stop lighttpd and run:"
+      - "  certbot certonly --standalone --manual-public-ip-logging-ok -d copr-be-dev.cloud.fedoraproject.org"
+      - "Let it stopped and re-run the playbook."
+  when:
+    - stat_cert.stat.exists == False
+
+- name: Reformat Cert Files For Lighttpd
+  command: cat /etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/privkey.pem /etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/cert.pem > /etc/letsencrypt/live/copr-be-dev.cloud.fedoraproject.org/combined.pem
+
+- name: Give Lighty Permissions
+  file:
+    path: "{{ item }}"
+    group: lighttpd
+    mode: g+x
+  with_items:
+    - /etc/letsencrypt
+    - /etc/letsencrypt/live
+
+- name: Service lighttpd should be running
+  service:
+    name: lighttpd
+    state: started
+
+- name: Automate Renewal
+  cron:
+    name: "Get fresh letsencrypt certificates"
+    special_time: daily
+    job: "certbot certonly --force-renew --webroot -w /var/certbot/public_html -d copr-be-dev.cloud.fedoraproject.org"

roles/copr/backend/tasks/main.yml

@@ -93,6 +93,12 @@
   when: not devel
   import_tasks: "install_certs.yml"
 
+- name: letsencrypt cert
+  import_tasks: "letsencrypt.yml"
+  when: devel
+  tags:
+  - config
+
 - name: allow lighttpd set fds limit
   seboolean: name=httpd_setrlimit state=yes persistent=yes