From 7131bc0ea97d422d900a20ea759d87e5affc78ce Mon Sep 17 00:00:00 2001
From: Matchu
Date: Wed, 3 Nov 2021 01:00:28 -0700
Subject: [PATCH] Set up certbot during setup playbook

You can see how, instead of the default experience where certbot edits your config for you, I've referenced the certificates in the config in the first place, and set up certbot to just generate them! Also, I learned about certbot non-interactive mode! At first I wrote this with the Ansible `expect` module lol :p
---
 deploy/playbooks/setup.yml | 33 ++++++++++++++++++++++++++++++++-
 1 file changed, 32 insertions(+), 1 deletion(-)

diff --git a/deploy/playbooks/setup.yml b/deploy/playbooks/setup.yml
index acd51b9..b7cf6b4 100644
--- a/deploy/playbooks/setup.yml
+++ b/deploy/playbooks/setup.yml
@@ -1,6 +1,8 @@
 ---
 - name: Set up the environment for the impress-2020 app
   hosts: webserver
+  vars:
+    email_address: "emi@matchu.dev" # TODO: Extract this to personal config?
   tasks:
     - name: Create web user group
       become: yes
@@ -86,6 +88,21 @@
     - name: Save pm2 startup script
       command: pm2 save
 
+    - name: Install core snap
+      become: yes
+      community.general.snap:
+        name: core
+
+    - name: Install certbot as a snap
+      become: yes
+      community.general.snap:
+        name: certbot
+        classic: yes
+
+    - name: Set up certbot
+      become: yes
+      command: "certbot certonly --nginx -n --agree-tos --email {{ email_address }} --domains impress-2020-box.openneo.net"
+
     - name: Install nginx
       become: yes
       apt:
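Review bot: The `Set up certbot` task runs `certbot certonly --nginx` before the `Install nginx` task that follows it in the context lines, so on a fresh host the nginx authenticator has no nginx to drive and the task will fail (unless nginx is installed earlier in the playbook, which this hunk does not show; the `tasks:` list continues outside the hunk). Either move the task after nginx is installed, or use `--standalone` here while port 80 is still free. Because the TLS server block references `/etc/letsencrypt/live/...` directly instead of letting certbot install it, nothing is guaranteed to reload nginx when the snap's renewal timer replaces the certificate, so add `--deploy-hook "systemctl reload nginx"` to the command, which certbot then saves into the renewal config. The `command` task also reruns certbot and reports "changed" on every play; `args: creates: /etc/letsencrypt/live/impress-2020-box.openneo.net/fullchain.pem` makes it idempotent without changing the first run.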
@@ -97,8 +114,22 @@
       copy:
         content: >
           server {
-            listen 80;
             server_name impress-2020-box.openneo.net;
+            listen 80;
+            if ($host = impress-2020-box.openneo.net) {
+              return 301 https://$host$request_uri;
+            }
+          }
+
+          server {
+            server_name impress-2020-box.openneo.net;
+            listen 443 ssl;
+            ssl_certificate /etc/letsencrypt/live/impress-2020-box.openneo.net/fullchain.pem;
+            ssl_certificate_key /etc/letsencrypt/live/impress-2020-box.openneo.net/privkey.pem;
+            include /etc/letsencrypt/options-ssl-nginx.conf;
+            ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
+            ssl_session_cache shared:SSL:10m; # https://superuser.com/q/1484466/14127
+
             # TODO: Serve static files directly, instead of through the proxy
             location / {
               proxy_pass http://127.0.0.1:3000;
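Review bot: The new `listen 443 ssl` server block sends no `Strict-Transport-Security` header, so after the port-80 redirect a client can still be downgraded on its next visit; add `add_header Strict-Transport-Security "max-age=63072000" always;` next to the `ssl_session_cache` line once the redirect is confirmed to work. In the port-80 block, a request whose Host header is not `impress-2020-box.openneo.net` falls through the `if` with no `location` defined and is presumably served from nginx's default root, so either redirect unconditionally or add `return 404;` after the `if`, as certbot's own generated config does. `options-ssl-nginx.conf` and `ssl-dhparams.pem` are written by certbot's nginx plugin, which this config assumes has already run; if the `Set up certbot` task fails, nginx will refuse to start with this config, so that task should be a hard prerequisite rather than an independent step. The `copy` task (its header is above the hunk) uses a `content: >` folded scalar, which keeps these lines' breaks only because they are more-indented than `server {`; `content: |` would make the trailing `# https://…` comment safe regardless of indentation.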