Add automatic SSL certificate generation

2026-01-06 03:46:28 -05:00 · 2026-01-06 03:46:28 -05:00 · 38ecb718e7
commit 38ecb718e7
parent 1220c5101d
8 changed files with 92 additions and 31 deletions
--- a/terraform/modules/app_server/cloud-init.yaml.tpl
+++ b/terraform/modules/app_server/cloud-init.yaml.tpl
@ -229,4 +229,20 @@ runcmd:
  - systemctl enable unattended-upgrades
  - systemctl start unattended-upgrades

-final_message: "Realms app server ready after $UPTIME seconds. Deploy via Forgejo CI/CD."
+  # Install certbot for SSL certificates
+  - DEBIAN_FRONTEND=noninteractive apt-get -o DPkg::Lock::Timeout=60 install -y certbot
+
+  # Create directories for certbot webroot
+  - mkdir -p /opt/realms/certbot_webroot
+
+  # Obtain initial SSL certificate (standalone mode - no webserver running yet)
+  # This runs before Docker services start, so port 80 is free
+  - |
+    certbot certonly --standalone \
+      --non-interactive \
+      --agree-tos \
+      --email ${letsencrypt_email} \
+      -d ${domain} \
+      || echo "Certbot failed - certificate may need to be obtained manually after DNS propagates"
+
+final_message: "Realms app server ready after $UPTIME seconds. SSL cert obtained for ${domain}. Deploy via Forgejo CI/CD."
--- a/terraform/modules/app_server/main.tf
+++ b/terraform/modules/app_server/main.tf
@ -15,10 +15,11 @@ resource "digitalocean_droplet" "app" {
  ipv6       = true

  user_data = templatefile("${path.module}/cloud-init.yaml.tpl", {
-    ssh_port         = var.ssh_port
-    vpc_ip_range     = var.vpc_ip_range
-    domain           = var.domain
-    forgejo_registry = var.forgejo_registry
+    ssh_port          = var.ssh_port
+    vpc_ip_range      = var.vpc_ip_range
+    domain            = var.domain
+    forgejo_registry  = var.forgejo_registry
+    letsencrypt_email = var.letsencrypt_email
  })

  tags = var.tags
--- a/terraform/modules/app_server/variables.tf
+++ b/terraform/modules/app_server/variables.tf
@ -99,3 +99,12 @@ variable "forgejo_registry" {
  type        = string
  default     = "qbit.realms.pub"
 }
+
+# =============================================================================
+# SSL Certificate Configuration
+# =============================================================================
+
+variable "letsencrypt_email" {
+  description = "Email for Let's Encrypt certificate notifications"
+  type        = string
+}