For certbot

webapps/peertube/defaults/main.yml

@@ -4,6 +4,7 @@ system_dep: "['curl', 'python3-dev', 'python-is-python3', 'python3-psycopg2','ce
 version: 'v5.1.0'
 download_url: "https://github.com/Chocobozzz/PeerTube/releases/download/{{ version }}/peertube-{{ version }}.zip"
 domains: ['example.domain.org']
+certbot_admin_email: 'mgauthier@evolix.ca'
 service_home: '/var/www/peertube'
 db_host: 'localhost'
 db_port: '5432'

webapps/peertube/tasks/main.yml

@@ -9,13 +9,16 @@
 - name: Install main system dependencies
   apt:
     name: "{{ system_dep }}"
+    update_cache: yes
 
 - name: Upgrade redis-server to the latest version from bullseye-backports
   apt:
     name: redis-server
     state: latest
     default_release: bullseye-backports
-    update_cache: yes
+
+- name: Enable yarn (via corepack)
+  shell: "corepack enable; yarn set version classic"
 
 - name: Add UNIX account
   user:
@@ -92,39 +95,39 @@
     enabled: true
     state: started
 
-#~ - name: Check if SSL certificate is present and register result
-  #~ stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+- name: Check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
 
-#~ - name: Generate certificate only if required (first time)
-  #~ block:
-  #~ - name: Template vhost without SSL for successfull LE challengce
-    #~ template: 
-      #~ src: "vhost.conf.j2"
-      #~ dest: "/etc/nginx/sites-available/{{ service }}.conf"
-  #~ - name: Enable temporary nginx vhost for peertube
-    #~ file:
-      #~ src: "/etc/nginx/sites-available/{{ service }}.conf"
-      #~ dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
-      #~ state: link
-  #~ - name: Reload nginx conf
-    #~ service:
-      #~ name: nginx
-      #~ state: reloaded
-  #~ - name: Make sure /var/lib/letsencrypt exists and has correct permissions
-    #~ file: 
-      #~ path: /var/lib/letsencrypt
-      #~ state: directory
-      #~ mode: '0755'
-  #~ - name: Generate certificate with certbot
-    #~ shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
-  #~ when: ssl.stat.exists == true
+- name: Generate certificate only if required (first time)
+  block:
+  - name: Template vhost without SSL for successfull LE challengce
+    template: 
+      src: "vhost.conf.j2"
+      dest: "/etc/nginx/sites-available/{{ service }}.conf"
+  - name: Enable temporary nginx vhost for peertube
+    file:
+      src: "/etc/nginx/sites-available/{{ service }}.conf"
+      dest: "/etc/nginx/sites-enabled/{{ service }}.conf"
+      state: link
+  - name: Reload nginx conf
+    service:
+      name: nginx
+      state: reloaded
+  - name: Make sure /var/lib/letsencrypt exists and has correct permissions
+    file: 
+      path: /var/lib/letsencrypt
+      state: directory
+      mode: '0755'
+  - name: Generate certificate with certbot
+    shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt --non-interactive --agree-tos --email {{ certbot_admin_email }} -d {{ domains |first }}
+  when: ssl.stat.exists != true
 
-#~ - name: (Re)check if SSL certificate is present and register result
-  #~ stat:
-    #~ path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
-  #~ register: ssl
+- name: (Re)check if SSL certificate is present and register result
+  stat:
+    path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
+  register: ssl
 
 - name: (Re)template conf file for nginx vhost with SSL
   template:
@@ -141,3 +144,11 @@
   service:
     name: nginx
     state: reloaded
+
+- name: Adjust permissions of files/folders for nginx
+  file:
+    path: "~/"
+    state: directory
+    mode: 'o=rX'
+    recurse: true
+  become_user: "{{ service }}"

webapps/peertube/templates/production.yaml.j2

@@ -4,7 +4,7 @@ listen:
 
 # Correspond to your reverse proxy server_name/listen configuration (i.e., your public PeerTube instance URL)
 webserver:
-  https: false
+  https: true
   hostname: '{{ domains| first }}'
   port: 80
 

webapps/peertube/templates/vhost.conf.j2

@@ -3,57 +3,62 @@
 # STANDARD HTTP MODULES: Core, Proxy, Rewrite, Access, Gzip, Headers, HTTP/2, Log, Real IP, SSL, Thread Pool, Upstream, AIO Multithreading.
 # THIRD PARTY MODULES:   None.
 
-#server {
-#  listen 80;
-#  listen [::]:80;
-#  server_name {{ domains | first }};
+server {
+  listen 80;
+  listen [::]:80;
+  server_name {{ domains | first }};
 
-#  location /.well-known/acme-challenge/ {
-#    default_type "text/plain";
-#    root /var/www/certbot;
-#  }
-#  location / { return 301 https://$host$request_uri; }
-#}
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
+  {% if ssl.stat.exists %}
+  location / { return 301 https://$host$request_uri; }
+  {% endif %}
+}
 
 upstream backend {
   server {{ pt_host }};
 }
 
+{% if ssl.stat.exists %}
 server {
-  #listen 443 ssl http2;
-  #listen [::]:443 ssl http2;
-  listen 80;
-  listen [::]:80;
+  listen 443 ssl http2;
+  listen [::]:443 ssl http2;
   server_name {{ domains | first }};
 
   access_log /var/log/nginx/{{ service }}.access.log; # reduce I/0 with buffer=10m flush=5m
   error_log  /var/log/nginx/{{ service }}.error.log;
+  
+  # For certbot
+  location ~ /.well-known/acme-challenge {
+    alias /var/lib/letsencrypt/;
+    try_files $uri =404;
+    allow all;
+  }
 
   ##
   # Certificates
   # you need a certificate to run in production. see https://letsencrypt.org/
   ##
-  #ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
-  #ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
-
-  location ^~ '/.well-known/acme-challenge' {
-    default_type "text/plain";
-    root /var/www/certbot;
-  }
+  ssl_certificate     /etc/letsencrypt/live/{{ domains | first }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ domains | first }}/privkey.pem;
 
   ##
   # Security hardening (as of Nov 15, 2020)
   # based on Mozilla Guideline v5.6
   ##
 
-  #ssl_protocols             TLSv1.2 TLSv1.3;
-  #ssl_prefer_server_ciphers on;
-  #ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
-  #ssl_session_timeout       1d; # defaults to 5m
-  #ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
-  #ssl_session_tickets       off;
-  #ssl_stapling              on;
-  #ssl_stapling_verify       on;
+  ssl_protocols             TLSv1.2 TLSv1.3;
+  ssl_prefer_server_ciphers on;
+  ssl_ciphers               ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256; # add ECDHE-RSA-AES256-SHA if you want compatibility with Android 4
+  ssl_session_timeout       1d; # defaults to 5m
+  ssl_session_cache         shared:SSL:10m; # estimated to 40k sessions
+  ssl_session_tickets       off;
+  ssl_stapling              on;
+  ssl_stapling_verify       on;
   # HSTS (https://hstspreload.org), requires to be copied in 'location' sections that have add_header directives
   #add_header Strict-Transport-Security "max-age=63072000; includeSubDomains";
 
@@ -276,3 +281,5 @@ server {
     try_files $uri @api;
   }
 }
+
+{% endif %}