Merge branch 'cert-stuff' into 'master'

Move certificate issuing to its own role to ease maintenance See merge request !265

Merge branch 'cert-stuff' into 'master'
Move certificate issuing to its own role to ease maintenance See merge request !265
ce7cfe40 · Sven-Hendrik Haase · d2c3a7d7 · 2d152700 · ce7cfe40 · ce7cfe40
Commit ce7cfe40 authored Jan 10, 2021 by Sven-Hendrik Haase
--- a/roles/arch32_mirror/tasks/main.yml
+++ b/roles/arch32_mirror/tasks/main.yml
 ---

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ arch32_mirror_domain }}' creates='/etc/letsencrypt/live/{{ arch32_mirror_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ arch32_mirror_domain }}"]
  when: 'arch32_mirror_domain is defined'

 - name: install rsync

--- a/roles/archwiki/tasks/main.yml
+++ b/roles/archwiki/tasks/main.yml
@@ -10,7 +10,10 @@
  when: maintenance is defined

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ archwiki_domain }}' creates='/etc/letsencrypt/live/{{ archwiki_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ archwiki_domain }}"]
  when: 'archwiki_domain is defined'

 - name: install packages

--- a/roles/certificate/defaults/main.yml
+++ b/roles/certificate/defaults/main.yml
+certificate_contact_email: "webmaster@archlinux.org"
+certificate_rsa_key_size: 4096
--- a/roles/certificate/tasks/main.yml
+++ b/roles/certificate/tasks/main.yml
+- name: create ssl cert
+  command: certbot certonly --email {{ certificate_contact_email }} --agree-tos --rsa-key-size {{ certificate_rsa_key_size }} --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ domains | join(' -d ') }} creates='/etc/letsencrypt/live/{{ domains | first }}/fullchain.pem'
--- a/roles/dbscripts/tasks/main.yml
+++ b/roles/dbscripts/tasks/main.yml
@@ -22,7 +22,10 @@
  copy: src=sudoers.d dest=/etc/sudoers.d/dbscripts owner=root group=root mode=0600

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ repos_domain }}' creates='/etc/letsencrypt/live/{{ repos_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ repos_domain }}"]

 - name: make nginx log dir
  file: path=/var/log/nginx/{{ repos_domain }} state=directory owner=root group=root mode=0755

--- a/roles/matrix/tasks/main.yml
+++ b/roles/matrix/tasks/main.yml
 ---

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ matrix_domain }}' creates='/etc/letsencrypt/live/{{ matrix_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ matrix_domain }}"]
  when: 'matrix_domain is defined'

 - name: install packages

--- a/roles/mta_sts/tasks/main.yml
+++ b/roles/mta_sts/tasks/main.yml
 ---
 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d mta-sts.{{ item.domains | join(' -d mta-sts.') }} creates='/etc/letsencrypt/live/{{ "mta-sts." + item.domains | first }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: "{{ ['mta-sts.'] | product(item.domains) | map('join') }}"
  loop: "{{ mta_sts }}"

 - name: make nginx log dir

--- a/roles/public_html/tasks/main.yml
+++ b/roles/public_html/tasks/main.yml
 ---

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ public_domain }}' -d 'www.{{ public_domain }}' creates='/etc/letsencrypt/live/{{ public_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ public_domain }}", "www.{{ public_domain }}"]

 - name: copy webroot files
  copy: src=public_html dest=/srv owner=root group=root mode=0644 directory_mode=0755

--- a/roles/rebuilderd/tasks/main.yml
+++ b/roles/rebuilderd/tasks/main.yml
@@ -2,7 +2,10 @@
  pacman: name=rebuilderd,rebuilderd-website state=present

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ rebuilderd_domain }}' creates='/etc/letsencrypt/live/{{ rebuilderd_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ rebuilderd_domain }}"]
  when: 'rebuilderd_domain is defined'

 - name: configure rebuilderd.conf

--- a/roles/redirects/tasks/main.yml
+++ b/roles/redirects/tasks/main.yml
 ---
 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d {{ item.domain }} creates='/etc/letsencrypt/live/{{ item.domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ item.domain }}"]
  loop: "{{ redirects }}"

 - name: make nginx log dir

--- a/roles/syncrepo/tasks/main.yml
+++ b/roles/syncrepo/tasks/main.yml
 ---

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ mirror_domain }}' creates='/etc/letsencrypt/live/{{ mirror_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ mirror_domain }}"]
  when: 'mirror_domain is defined'

 - name: install rsync

--- a/roles/wkd/tasks/main.yml
+++ b/roles/wkd/tasks/main.yml
@@ -19,7 +19,10 @@
  template: src=update-wkd-pacman-hook.j2 dest=/etc/pacman.d/hooks/update-wkd.hook owner=root group=root mode=0644

 - name: create ssl cert
-  command: certbot certonly --email webmaster@archlinux.org --agree-tos --rsa-key-size 4096 --renew-by-default --webroot -w {{ letsencrypt_validation_dir }} -d '{{ wkd_domain }}' creates='/etc/letsencrypt/live/{{ wkd_domain }}/fullchain.pem'
+  include_role:
+    name: certificate
+  vars:
+    domains: ["{{ wkd_domain }}"]

 - name: create wkd_dir
  file: state=directory owner={{ wkd_user }} group={{ wkd_user }} path="{{ wkd_dir }}" mode=0755