Add separate SSL first run role and other tweaks

ansible/Makefile

@@ -9,3 +9,6 @@ setup:
 
 maintenance:
 	ansible-playbook -v -i inventory.yml --ask-vault-pass playbook.yml --tags="maintenance"
+
+ssl:
+	ansible-playbook -v -i inventory.yml --ask-vault-pass playbook.yml --tags="ssl"

ansible/playbook.yml

@@ -3,18 +3,26 @@
   hosts: all
   roles:
     - role: setup
+      name: Run OS and disk set up tasks
       tags: [setup]
     - role: docker
+      name: Install and configure Docker
       tags: [setup]
     - role: fail2ban
+      name: Install and configure fail2ban
       tags: [setup]
+    - role: ssl_first_run
+      name: Run stripped down nginx and SSL for the first time
+      tags: [setup, ssl]
     - role: datalab
+      name: Build and launch datalab services
       tags: [deploy]
     - role: nginx
-      tags: [setup, maintenance]
+      name: Launch nginx container with autorenewing certbot
+      tags: [setup, maintenance, ssl]
 
   tasks:
     - name: Keep all packages up-to-date
       ansible.builtin.include_role:
         name: apt_upgrade
-      tags: [setup, maintenance]
+      tags: [maintenance]

ansible/roles/docker/tasks/main.yml

@@ -21,6 +21,7 @@
 - name: Install Docker Module for Python
   ansible.builtin.pip:
     name: docker
+    break_system_packages: true
 
 - name: Add user '{{ ansible_ssh_user }}' to docker group
   become: true

ansible/roles/nginx/tasks/main.yml

@@ -1,23 +1,9 @@
 ---
-- name: Create a Docker volume for certbot-conf (mounted to /etc/letsencrypt)
-  community.docker.docker_volume:
-    name: certbot-conf
-
-- name: Create a Docker volume for certbot-www (mounted to /var/www/certbot)
-  community.docker.docker_volume:
-    name: certbot-www
-
-- name: Build/pull certbot image
-  community.docker.docker_image:
-    name: certbot/certbot:latest
-    source: pull
-    state: present
-    force_source: true
-
 - name: Synchronize nginx files to remote
   ansible.posix.synchronize:
     src: "{{ role_path }}/files/"
     dest: /home/{{ ansible_ssh_user }}/nginx
+    delete: true
 
 - name: Make directory for rendered templates
   ansible.builtin.file:
@@ -37,12 +23,6 @@
     dest: /home/{{ ansible_ssh_user }}/nginx/rendered/nginx_ssl.conf
     mode: "0644"
 
-- name: Render templated certbot config
-  ansible.builtin.template:
-    src: certbot-docker.sh.j2
-    dest: /home/{{ ansible_ssh_user }}/nginx/rendered/certbot-docker.sh
-    mode: "0644"
-
 - name: Build nginx image
   community.docker.docker_image:
     name: datalab-nginx
@@ -61,27 +41,3 @@
       - certbot-conf:/etc/letsencrypt
       - certbot-www:/var/www/certbot
     restart_policy: always
-
-- name: Launch certbot container
-  community.docker.docker_container:
-    name: datalab-certbot
-    image: certbot/certbot:latest
-    network_mode: host
-    volumes:
-      - certbot-conf:/etc/letsencrypt
-      - certbot-www:/var/www/certbot
-    restart_policy: false
-    detach: true
-    entrypoint:
-      - /bin/sh
-      - -c
-      - certbot renew
-
-- name: Scheduled SSL renewal with certbot
-  ansible.builtin.cron:
-    name: SSL renewal with certbot
-    minute: "38"
-    hour: "10"
-    day: "2"
-    month: "*"
-    job: docker run -v certbot-www:/var/www/certbot -v certbot-conf:/etc/letsencrypt certbot/certbot:latest renew

ansible/roles/ssl_first_run/files/Dockerfile

@@ -0,0 +1,12 @@
+FROM nginx:1.25.3
+
+WORKDIR /app
+
+COPY nginx.conf /etc/nginx/nginx.conf
+COPY ./rendered/nginx_ssl.conf /etc/nginx/nginx_ssl.conf
+COPY ./rendered/include /etc/nginx/include
+RUN rm -f /etc/nginx/conf.d/default.conf
+
+
+EXPOSE 80
+EXPOSE 443

ansible/roles/ssl_first_run/files/nginx.conf

@@ -0,0 +1,44 @@
+worker_processes 1;
+user nobody nogroup;
+# 'user nobody nobody;' for systems with 'nobody' as a group instead
+
+pid /var/run/nginx.pid;
+
+events {
+  worker_connections 1024; # increase if you have lots of clients
+  accept_mutex off; # set to 'on' if nginx worker_processes > 1
+  # 'use epoll;' to enable for Linux 2.6+
+  # 'use kqueue;' to enable for FreeBSD, OSX
+}
+
+http {
+  sendfile on;
+  include mime.types;
+
+  # Add some security headers
+  add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload;";
+  add_header X-Frame-Options "DENY";
+  add_header X-XSS-Protection "1; mode=block;";
+  add_header X-Content-Type-Options "nosniff;";
+
+  # Include upstream definitions
+  # When SSL needs to be nuked, comment out this line and regenerate certs
+  # include /etc/nginx/include/*;
+
+  # Proxy all HTTP requests to the HTTPS server
+  server {
+      listen 80;
+      listen [::]:80;
+      server_name _;
+
+      # For certbot challenges
+      location ^~ /.well-known/acme-challenge {
+          root /var/www/certbot;
+          allow all;
+      }
+
+      location / {
+          return 301 https://$host$request_uri;
+      }
+  }
+}

ansible/roles/ssl_first_run/tasks/main.yml

@@ -0,0 +1,68 @@
+---
+- name: Create a Docker volume for certbot-conf (mounted to /etc/letsencrypt)
+  community.docker.docker_volume:
+    name: certbot-conf
+
+- name: Create a Docker volume for certbot-www (mounted to /var/www/certbot)
+  community.docker.docker_volume:
+    name: certbot-www
+
+- name: Build/pull certbot image
+  community.docker.docker_image:
+    name: certbot/certbot:latest
+    source: pull
+    state: present
+    force_source: true
+
+- name: Synchronize nginx files to remote
+  ansible.posix.synchronize:
+    src: "{{ role_path }}/files/"
+    dest: /home/{{ ansible_ssh_user }}/nginx
+
+- name: Render templated certbot config
+  ansible.builtin.template:
+    src: certbot-docker.sh.j2
+    dest: /home/{{ ansible_ssh_user }}/nginx/rendered/certbot-docker.sh
+    mode: "0744"
+
+- name: Build nginx image
+  community.docker.docker_image:
+    name: datalab-nginx
+    source: build
+    state: present
+    force_source: true
+    build:
+      path: /home/{{ ansible_ssh_user }}/nginx
+
+- name: Launch nginx container without services
+  community.docker.docker_container:
+    name: datalab-nginx
+    image: datalab-nginx
+    network_mode: host
+    volumes:
+      - certbot-conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+    restart_policy: false
+
+- name: Launch certbot container
+  community.docker.docker_container:
+    name: datalab-certbot
+    image: certbot/certbot:latest
+    network_mode: host
+    volumes:
+      - certbot-conf:/etc/letsencrypt
+      - certbot-www:/var/www/certbot
+      - /home/{{ ansible_ssh_user }}/nginx/rendered/certbot-docker.sh:/opt/certbot-docker.sh
+    restart_policy: false
+    detach: true
+    entrypoint:
+      - /opt/certbot-docker.sh
+
+- name: Scheduled SSL renewal with certbot
+  ansible.builtin.cron:
+    name: SSL renewal with certbot
+    minute: "38"
+    hour: "10"
+    day: "2"
+    month: "*"
+    job: docker run -v certbot-www:/var/www/certbot -v certbot-conf:/etc/letsencrypt certbot/certbot:latest renew

ansible/roles/ssl_first_run/templates/certbot-docker.sh.j2

@@ -0,0 +1,2 @@
+#!/bin/sh
+certbot certonly --webroot -w /var/www/certbot --register-unsafely-without-email --no-eff-email --agree-tos -d {{ app_url }} -d {{ api_url }}