Commit ce7cfe40 authored by Sven-Hendrik Haase's avatar Sven-Hendrik Haase

Merge branch 'cert-stuff' into 'master'

Move certificate issuing to its own role to ease maintenance

See merge request !265
parents d2c3a7d7 2d152700
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ arch32_mirror_domain }}' creates='/etc/letsencrypt/live/{{ arch32_mirror_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ arch32_mirror_domain }}"]
when: 'arch32_mirror_domain is defined'
- name: install rsync
......
......@@ -10,7 +10,10 @@
when: maintenance is defined
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ archwiki_domain }}' creates='/etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ archwiki_domain }}"]
when: 'archwiki_domain is defined'
- name: install packages
......
certificate_contact_email: "webmaster@archlinux.org"
certificate_rsa_key_size: 4096
- name: create ssl cert
command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} creates='/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
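Review bot: The new role's single task takes `domains` from the caller without checking it, so an undefined or empty list fails only when the `creates=` template evaluates `domains | first`, with an error that does not name the role's contract; every call site in this commit (arch32 mirror, archwiki, dbscripts, matrix, mta-sts, archlinux.org, rebuilderd, redirects, mirror, wkd) now depends on that contract. The call sites also used to wrap each domain in single quotes for the `command` module, whereas the role joins them into the command string plain, so a value with whitespace or shell-looking characters would be split or passed through as extra arguments; domain variables presumably never contain such characters, but a one-time assert makes that explicit. I would add a validation task ahead of the certbot call, and a short comment above `certificate_contact_email` in the defaults stating that `domains` is a required list whose first entry names the lineage under `/etc/letsencrypt/live/`. The role file this hunk shows may be cut short on this page.

```yaml
- name: validate certificate role input
  assert:
    that:
      - domains is defined
      - domains | length > 0
      - domains | reject('match', '^[A-Za-z0-9.-]+$') | list | length == 0
    fail_msg: "certificate role requires a non-empty 'domains' list of plain hostnames"

# … unchanged: create ssl cert task …
```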
......@@ -22,7 +22,10 @@
copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ repos_domain }}' creates='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ repos_domain }}"]
- name: make nginx log dir
file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755
......
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ matrix_domain }}' creates='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ matrix_domain }}"]
when: 'matrix_domain is defined'
- name: install packages
......
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: "{{ ['mta-sts.'] | product(item.domains) | map('join') }}"
loop: "{{ mta_sts }}"
- name: make nginx log dir
......
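Review bot: The `domains` value on the mta-sts call site is a `product | map('join')` pipeline inside a quoted string, which depends on Ansible turning the templated generator back into a list before the role applies `join` and `first` to it; that seems to work, but it is harder to read than the other call sites and hides that the first entry of `item.domains` now picks the lineage directory. A plainer form that is explicitly a list would be `domains: "{{ item.domains | map('regex_replace', '^', 'mta-sts.') | list }}"`. The `loop` is unchanged from the old task, so the per-item `when` semantics are the same as before.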
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ public_domain }}' -d 'www.{{ public_domain }}' creates='/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ public_domain }}", "www.{{ public_domain }}"]
- name: copy webroot files
copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755
......
......@@ -2,7 +2,10 @@
pacman: name=rebuilderd,rebuilderd-website state=present
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ rebuilderd_domain }}' creates='/etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ rebuilderd_domain }}"]
when: 'rebuilderd_domain is defined'
- name: configure rebuilderd.conf
......
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ item.domain }} creates='/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ item.domain }}"]
loop: "{{ redirects }}"
- name: make nginx log dir
......
---
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mirror_domain }}' creates='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ mirror_domain }}"]
when: 'mirror_domain is defined'
- name: install rsync
......
......@@ -19,7 +19,10 @@
template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644
- name: create ssl cert
command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ wkd_domain }}' creates='/etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem'
include_role:
name: certificate
vars:
domains: ["{{ wkd_domain }}"]
- name: create wkd_dir
file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755
......