Add example of using certbot and Let's Encrypt for Deployment via Ansible

deployment/customization.rst

@@ -120,6 +120,8 @@ If you're conservative, you'll first try starting and stopping the reserved clie
     You don't need to worry that an automated restart might occur after a failed buildout.
 
 
+.. _web-hosting-options:
+
 Web Hosting Options
 -------------------
 
@@ -187,7 +189,13 @@ Alternatively, you could specify use of certificates already on the server:
     Log in and delete it if needed.
     Yes, this is an exception to the "don't login to change configuration rule".
 
-**Extra tricks**
+.. seealso::
+
+    For an example of using free Let's Encrypt certificates with certbot and auto-renewal, see :doc:`letsencrypt-certbot`.
+
+
+Extra tricks
+^^^^^^^^^^^^
 
 There are a couple of extra setting that allow you to do extra customization if you know nginx directives.
 For example:
@@ -202,6 +210,7 @@ This is a *redirect to https*.
 It takes advantage of the fact that if you do not specify a zodb_path,
 the playbook will not automatically create a location stanza with a rewrite and proxy_pass directives.
 
+
 Mail Relay
 ----------
 

deployment/letsencrypt-certbot.rst

@@ -0,0 +1,58 @@
+.. _letsencrypt_certbot:
+
+======================================
+Let's Encrypt Certificates and certbot
+======================================
+
+All websites should use TLS.
+We use an Ansible role that will automatically install `certbot <https://certbot.eff.org/>`_, a free secure certificate from `Let's Encrypt <https://letsencrypt.org>`_, and create a cron job that will automatically renew the certificate.
+
+Installation
+============
+
+You need to install the role.
+
+.. code-block:: bash
+
+    cd ansible-playbook
+    git clone https://github.com/geerlingguy/ansible-role-certbot.git geerlingguy.certbot
+
+
+Configuration
+=============
+
+To use the role, you need to add the following variables to your ``local-configure.yml``, and substitute your values as needed.
+
+.. code-block:: yaml
+
+    # https://github.com/geerlingguy/ansible-role-certbot#role-variables
+    # override roles/geerlingguy.certbot/defaults/main.yml
+    certbot_create_if_missing: true
+    certbot_admin_email: email@example.com
+    certbot_auto_renew_options: '--quiet --no-self-upgrade
+    --pre-hook "service nginx stop" --post-hook "service nginx start"'
+
+    certbot_certs:
+      - domains:
+        - "{{ inventory_hostname }}"
+
+    webserver_virtualhosts:
+      - hostname: "{{ inventory_hostname }}"
+        port: 80
+        protocol: http
+        extra: return 301 https://$server_name$request_uri;
+      - hostname: "{{ inventory_hostname }}"
+        default_server: yes
+        zodb_path: /Plone
+        address: 1.1.1.1
+        port: 443
+        protocol: https
+        certificate:
+          key: /etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
+          crt: /etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+
+The above configuration redirects all traffic from http to https, using the ``extra`` key mentioned in :ref:`web-hosting-options`.
+
+.. seealso::
+
+    `Read documentation of the role geerlingguy.certbot <https://github.com/geerlingguy/ansible-role-certbot>`_.