Add automatic SSL certificate generation

terraform/main.tf

@@ -38,20 +38,21 @@ locals {
 module "app_server" {
   source = "./modules/app_server"
 
-  project_name     = var.project_name
-  environment      = var.environment
-  region           = var.region
-  vpc_uuid         = var.vpc_uuid
-  vpc_ip_range     = var.vpc_ip_range
-  ssh_keys         = local.all_ssh_key_ids
-  droplet_size     = var.app_droplet_size
-  droplet_image    = var.app_droplet_image
-  ssh_port         = var.app_ssh_port
-  domain           = var.app_domain
-  enable_backups   = var.enable_droplet_backups
-  tags             = local.common_tags
-  manage_dns       = var.manage_dns
-  dns_zone         = var.dns_zone
-  dns_record_name  = var.dns_record_name
-  forgejo_registry = var.forgejo_registry
+  project_name      = var.project_name
+  environment       = var.environment
+  region            = var.region
+  vpc_uuid          = var.vpc_uuid
+  vpc_ip_range      = var.vpc_ip_range
+  ssh_keys          = local.all_ssh_key_ids
+  droplet_size      = var.app_droplet_size
+  droplet_image     = var.app_droplet_image
+  ssh_port          = var.app_ssh_port
+  domain            = var.app_domain
+  enable_backups    = var.enable_droplet_backups
+  tags              = local.common_tags
+  manage_dns        = var.manage_dns
+  dns_zone          = var.dns_zone
+  dns_record_name   = var.dns_record_name
+  forgejo_registry  = var.forgejo_registry
+  letsencrypt_email = var.letsencrypt_email
 }

terraform/modules/app_server/cloud-init.yaml.tpl

@@ -229,4 +229,20 @@ runcmd:
   - systemctl enable unattended-upgrades
   - systemctl start unattended-upgrades
 
-final_message: "Realms app server ready after $UPTIME seconds. Deploy via Forgejo CI/CD."
+  # Install certbot for SSL certificates
+  - DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y certbot
+
+  # Create directories for certbot webroot
+  - mkdir -p /opt/realms/certbot_webroot
+
+  # Obtain initial SSL certificate (standalone mode - no webserver running yet)
+  # This runs before Docker services start, so port 80 is free
+  - |
+    certbot certonly --standalone \
+      --non-interactive \
+      --agree-tos \
+      --email ${letsencrypt_email} \
+      -d ${domain} \
+      || echo "Certbot failed - certificate may need to be obtained manually after DNS propagates"
+
+final_message: "Realms app server ready after $UPTIME seconds. SSL cert obtained for ${domain}. Deploy via Forgejo CI/CD."

terraform/modules/app_server/main.tf

@@ -15,10 +15,11 @@ resource "digitalocean_droplet" "app" {
   ipv6       = true
 
   user_data = templatefile("${path.module}/cloud-init.yaml.tpl", {
-    ssh_port         = var.ssh_port
-    vpc_ip_range     = var.vpc_ip_range
-    domain           = var.domain
-    forgejo_registry = var.forgejo_registry
+    ssh_port          = var.ssh_port
+    vpc_ip_range      = var.vpc_ip_range
+    domain            = var.domain
+    forgejo_registry  = var.forgejo_registry
+    letsencrypt_email = var.letsencrypt_email
   })
 
   tags = var.tags

terraform/modules/app_server/variables.tf

@@ -99,3 +99,12 @@ variable "forgejo_registry" {
   type        = string
   default     = "qbit.realms.pub"
 }
+
+# =============================================================================
+# SSL Certificate Configuration
+# =============================================================================
+
+variable "letsencrypt_email" {
+  description = "Email for Let's Encrypt certificate notifications"
+  type        = string
+}

terraform/variables.tf

@@ -139,3 +139,12 @@ variable "forgejo_registry" {
   type        = string
   default     = "qbit.realms.pub"
 }
+
+# =============================================================================
+# SSL Certificate Configuration
+# =============================================================================
+
+variable "letsencrypt_email" {
+  description = "Email for Let's Encrypt certificate notifications"
+  type        = string
+}