(#39) xmpp2: preliminary certbot setup

Author: ForNeVeR

Folder.DotSettings

@@ -1,4 +1,5 @@
 <wpf:ResourceDictionary xml:space="preserve" xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml" xmlns:s="clr-namespace:System;assembly=mscorlib" xmlns:ss="urn:shemas-jetbrains-com:settings-storage-xaml" xmlns:wpf="http://schemas.microsoft.com/winfx/2006/xaml/presentation">
+	<s:Boolean x:Key="/Default/UserDictionary/Words/=certonly/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=codingteam/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=lineinfile/@EntryIndexedValue">True</s:Boolean>
 	<s:Boolean x:Key="/Default/UserDictionary/Words/=loglist/@EntryIndexedValue">True</s:Boolean>

xmpp2/certbot.yml

@@ -0,0 +1,23 @@
+# SPDX-FileCopyrightText: 2025 Friedrich von Never <friedrich@fornever.me>
+#
+# SPDX-License-Identifier: MIT
+
+---
+- name: Configure Certbot for certificate renewal
+  hosts: xmpp2
+  become: true
+
+  tasks:
+    - name: Install certbot
+      community.general.snap:
+        name: certbot
+        classic: true
+
+    # One-time setup should be performed manually, see the documentation:
+    # https://certbot.eff.org/instructions?ws=nginx&os=snap&tab=standard
+    #
+    # sudo certbot certonly --nginx -d codingteam.org.ru -d loglist.xyz -d www.loglist.xyz
+    #
+    # Verify the changes to the web server configuration files performed by this command.
+    #
+    # Further updates are done by snap.certbot.renew.timer — see `systemctl list-timers` for details.

xmpp2/default.yml

@@ -7,3 +7,4 @@
 - import_playbook: docker.yml
 - import_playbook: codingteam.org.ru.yml
 - import_playbook: loglist.yml
+- import_playbook: certbot.yml

xmpp2/files/nginx/conf.d/codingteam.org.ru.conf

@@ -3,10 +3,9 @@
 # SPDX-License-Identifier: MIT
 
 server {
-    # TODO: enable back after we set up SSL
-    # listen 443 ssl http2;
-    listen 443;
+    listen 443 ssl http2;
     server_name codingteam.org.ru;
+    include /etc/nginx/ssl.conf;
 
     location /old-logs/ {
         alias /opt/codingteam/old-logs/;

xmpp2/files/nginx/conf.d/loglist.conf

@@ -3,10 +3,9 @@
 # SPDX-License-Identifier: MIT
 
 server {
-    # TODO: enable back after we set up SSL
-    # listen 443 ssl http2;
+    listen 443 ssl http2;
     server_name loglist.xyz;
-    # TODO: include /etc/nginx/ssl.conf;
+    include /etc/nginx/ssl.conf;
 
     location / {
         proxy_set_header X-Forwarded-Host $host;
@@ -19,10 +18,9 @@ server {
 }
 
 server {
-    # TODO: enable back after we set up SSL
-    # listen 443 ssl http2;
+    listen 443 ssl http2;
     server_name *.loglist.xyz;
-    # TODO: include /etc/nginx/ssl.conf;
+    include /etc/nginx/ssl.conf;
 
     location / {
         return 301 https://loglist.xyz$request_uri;

xmpp2/files/nginx/ssl.conf

@@ -0,0 +1,9 @@
+# SPDX-FileCopyrightText: 2017-2025 codingteam/devops contributors <https://github.com/codingteam/devops>
+#
+# SPDX-License-Identifier: MIT
+
+ssl_certificate /etc/letsencrypt/live/codingteam.org.ru-0001/fullchain.pem;
+ssl_certificate_key /etc/letsencrypt/live/codingteam.org.ru-0001/privkey.pem;
+ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ssl_ciphers  "HIGH:!aNULL:!MD5:!kEDH";
+add_header Strict-Transport-Security 'max-age=15552000';

xmpp2/nginx.yml

@@ -26,7 +26,7 @@
 
     - name: Remove the *-enabled and *-available directories
       ansible.builtin.file:
-        path: "/etc/nginx/{{ item }}"
+        path: '/etc/nginx/{{ item }}'
         state: absent
       loop:
         - modules-available
@@ -36,7 +36,10 @@
 
     - name: Set up the main nginx configuration file
       ansible.builtin.copy:
-        src: nginx/nginx.conf
-        dest: /etc/nginx/nginx.conf
+        src: 'nginx/{{ item }}'
+        dest: '/etc/nginx/{{ item }}'
         mode: "u=rx,go=rx"
+      loop:
+        - nginx.conf
+        - ssl.conf
       notify: Reload nginx