From 705b909c6cb75916404efe756eee8f7c65794d55 Mon Sep 17 00:00:00 2001
From: Lars Wirzenius
Date: Sat, 23 Jan 2021 10:48:21 +0200
Subject: install: change Ansible playbook for server to support Let's Encrypt

The playbook now optionally gets a TLS certificate from Let's Encrypt, or it can use a pre-generated certificate as before.
---
 ansible/files/server.yaml | 2 +-
 ansible/obnam-server.retry | 1 -
 ansible/obnam-server.yml | 105 ++++++++++++++++++++++++++++++++---------
 ansible/templates/server.yaml.j2 | 4 ++
 4 files changed, 86 insertions(+), 26 deletions(-)
 delete mode 100644 ansible/obnam-server.retry
 create mode 100644 ansible/templates/server.yaml.j2

diff --git a/ansible/files/server.yaml b/ansible/files/server.yaml
index 0277b52..bbba77c 100644
--- a/ansible/files/server.yaml
+++ b/ansible/files/server.yaml
@@ -1,4 +1,4 @@
-address: 0.0.0.0:8888
+address: 0.0.0.0:443
 chunks: /srv/obnam/chunks
 tls_key: /etc/obnam/server.key
 tls_cert: /etc/obnam/server.pem
diff --git a/ansible/obnam-server.retry b/ansible/obnam-server.retry
deleted file mode 100644
index ef785e6..0000000
--- a/ansible/obnam-server.retry
+++ /dev/null
@@ -1 +0,0 @@
-obnam0
diff --git a/ansible/obnam-server.yml b/ansible/obnam-server.yml
index 110dcce..426ca74 100644
--- a/ansible/obnam-server.yml
+++ b/ansible/obnam-server.yml
@@ -1,39 +1,96 @@ -- hosts: obnam-server +- hosts: server remote_user: root tasks: - - file: + - name: add Obnam package repository to APT + apt_repository: + repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main" + + - name: refresh APT package lists and upgrade all installed packages + apt: + update_cache: true + upgrade: true + + - name: install packages for an Obnam server + apt: + name: + - obnam + - psmisc + + - name: "install packages for Let's Encrypt TLS certificates" + apt: + name: + - apache2 + - dehydrated + - dehydrated-apache2 + when: domain is defined + + - name: create Obnam configuration directory + file: path: /etc/obnam state: directory - - file: + + - name: create Obnam directory for chunk storage + file: path: /srv/obnam/chunks state: directory - - filesystem: - dev: "{{ chunkdev }}" - fstype: ext4 - opts: -Lchunks - - mount: - src: LABEL=chunks - path: /srv/obnam/chunks - fstype: auto - state: mounted - - apt_repository: - repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main" - - apt: - name: obnam - - copy: - src: obnam.service - dest: /etc/systemd/system/obnam.service - - copy: + + - name: "install Obnam server configuration for provided TLS certifiactes" + copy: src: "{{ item }}" dest: "/etc/obnam/{{ item }}" with_items: - server.yaml - server.key - server.pem - - systemd: + when: domain is not defined + + - name: "install Obnam server configuration for Let's Encrypt TLS certifiactes" + template: + src: server.yaml.j2 + dest: /etc/obnam/server.yaml + when: domain is defined + + - name: install Obnam service file for systemd + copy: + src: obnam.service + dest: /etc/systemd/system/obnam.service + + - name: configure domains for TLS certificates + copy: + content: | + {{ domain }} + dest: /etc/dehydrated/domains.txt + when: domain is defined + + - name: stop Obnam service for getting TLS certificates + systemd: + daemon_reload: true + name: obnam + state: stopped + when: domain is 
defined + + - name: start Apache server for getting TLS certificates + systemd: + name: apache2 + state: started + when: domain is defined + + - name: get TLS certificates + shell: | + dehydrated --register --accept-terms + dehydrated -c + when: domain is defined + + - name: stop Apache server so Obnam server can be started again + systemd: + name: apache2 + state: stopped + when: domain is defined + + - name: start Obnam server + systemd: name: obnam - enabled: true state: restarted - daemon_reload: true vars: - chunkdev: /dev/vdb + tls_key_path: "/var/lib/dehydrated/certs/{{ domain }}/privkey.pem" + tls_cert_path: "/var/lib/dehydrated/certs/{{ domain }}/cert.pem" diff --git a/ansible/templates/server.yaml.j2 b/ansible/templates/server.yaml.j2 new file mode 100644 index 0000000..dc8b965 --- /dev/null +++ b/ansible/templates/server.yaml.j2 @@ -0,0 +1,4 @@ +address: 0.0.0.0:443 +chunks: /srv/obnam/chunks +tls_key: "{{ tls_key_path }}" +tls_cert: "{{ tls_cert_path }}" -- cgit v1.2.1 From 06d00d7d0028e6b39e768d6e43650c518808ea53 Mon Sep 17 00:00:00 2001 From: Lars Wirzenius Date: Sat, 23 Jan 2021 11:43:52 +0200 Subject: doc: update README.md with server installation instructions --- README.md | 52 +++++++++++++++++++++++++++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index 44610d7..af9d6e1 100644 --- a/README.md +++ b/README.md 
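Review bot: The copy task for provided TLS certificates installs `server.key` with Ansible's default file mode (typically 0644, derived from the umask), so the server's private key ends up world-readable on the host; add `mode: "{{ '0600' if item == 'server.key' else '0644' }}"` to that task, or copy the key in a task of its own with `mode: "0600"`. The final `start Obnam server` task no longer carries `enabled: true`, so on a fresh host the service will not come back after a reboot, and `daemon_reload: true` now runs only on the `domain is defined` path even though `obnam.service` is copied on both; restoring `enabled: true` and `daemon_reload: true` on that last task covers both cases. The play header was changed to `hosts: server`, but the README added in the following commit writes the inventory group as `[obnam-server]`, which that pattern will not match, so one of the two needs to change. Separately, the repository is still added with `[trusted=yes]` over plain `http://`, which turns off APT signature verification on an unauthenticated transport for packages that `upgrade: true` then installs system-wide; that predates this commit, but a signed repository (`signed-by=` with a pinned key) would close it.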
@@ -2,12 +2,58 @@ Obnam2 is a project to develop a backup system. -You probably want to read the [obnam.md](obnam.md) subplot file. This -README is just a placeholder. +You probably want to read the [obnam.md](obnam.md) subplot file. + +## Client installation + +See instructions at for installing the +client. It's not duplicated here to avoid having to keep the +information in sync in two places. + +## Server installation + +To install the Obnam server component, you need a Debian host with +sufficient disk space, and Ansible installed locally. Run the +following commands in the Obnam source tree, replacing +`obnam.example.com` with the domain name of your server: + +```sh +$ cd ansible +$ printf '[obnam-server]\nobnam.example.com\n' > hosts +$ ansible-playbook -i hosts obnam-server.yml -e domain=obnam.example.com +``` + +The above gets a free TLS certificate from [Let's Encrypt][], but only +works if the server is accessible from the public Internet. For a +private host use the following instead: + +```sh +$ cd ansible +$ printf '[obnam-server]\nprivate-vm\n' > hosts +$ ansible-playbook -i hosts obnam-server.yml +``` + +This uses a pre-created self-signed certificate from +`files/server.key` and `files/server.pem` and is probably only good +for trying out Obnam. You may want to generate your own certificates +instead. + +To create a self-signed certificate, something like the following +command might work, using [OpenSSL]: + +```sh +$ openssl req -x509 -newkey rsa:4096 -passout pass:hunter2 \ + -keyout key.pem -out cert.pem -days 365 -subj /CN=localhost +``` + + +[Let's Encrypt]: https://letsencrypt.org/ +[OpenSSL]: https://www.openssl.org/ + ## Legalese -Copyright 2020 Lars Wirzenius +Copyright 2020-2021 Lars Wirzenius This program is free software: you can redistribute it and/or modify it under the terms of the GNU General Public License as published by -- cgit v1.2.1