diff --git a/group_vars/dev/vars.yml b/group_vars/dev/vars.yml
index fd003dd..8cd725f 100644
--- a/group_vars/dev/vars.yml
+++ b/group_vars/dev/vars.yml
@@ -11,7 +11,7 @@ server_name: "m.unglue.it"
 wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/EbookFoundation/regluit.git"
-git_branch: "master"
+git_branch: "lencrypt"
 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
diff --git a/roles/regluit_prod/tasks/apache.yml b/roles/regluit_prod/tasks/apache.yml
index 7216832..37aaa5d 100644
--- a/roles/regluit_prod/tasks/apache.yml
+++ b/roles/regluit_prod/tasks/apache.yml
@@ -2,12 +2,8 @@
 - name: Install apache
   become: yes
   apt:
-    name: "{{ item }}"
+    name: ['apache2', 'libapache2-mod-wsgi', 'cronolog']
     state: present
-  with_items:
-    - 'apache2'
-    - 'libapache2-mod-wsgi'
-    - 'cronolog'
 - name: Ensure apache is running and enabled
   become: yes
diff --git a/roles/regluit_prod/tasks/certs.yml b/roles/regluit_prod/tasks/certs.yml
index 0804ace..e445f2c 100644
--- a/roles/regluit_prod/tasks/certs.yml
+++ b/roles/regluit_prod/tasks/certs.yml
@@ -1,8 +1,38 @@
 ---
+
+- name: Make sure account exists and has given contacts. We agree to TOS.
+  acme_account:
+    account_key_src: certs/account-key.pem
+    state: present
+    terms_agreed: yes
+    contact:
+      - mailto: support@ebookfoundation.org
+
+- name: Create a challenge for server_name using a account key file.
+  acme_certificate:
+    account_key_src: certs/account-key.pem
+    csr: "certs/{{ server_name }}.csr"
+    dest: /etc/ssl/certs/server.crt
+    fullchain_dest: /etc/ssl/certs/server-fullchain.crt
+  register: acme_challenge
+
+- copy:
+    dest: /var/www/static/lencrypt/{{ acme_challenge['challenge_data'][server_name]['http-01']['resource'] }}
+    content: "{{ acme_challenge['challenge_data'][server_name]['http-01']['resource_value'] }}"
+  when: acme_challenge is changed
+
+- name: Create a challenge for server_name using a account key file.
+  acme_certificate:
+    account_key_src: certs/account-key.pem
+    csr: "certs/{{ server_name }}.csr"
+    dest: /etc/ssl/certs/server.crt
+    fullchain_dest: /etc/ssl/certs/server-fullchain.crt"
+    data: "{{ acme_challenge }}"
+
 - name: Copy server key
   become: yes
   copy:
-    src: certs/server.key
+    src: certs/m.unglue.it.key
     dest: /etc/ssl/private/server.key
     owner: "{{ user_name }}"
     group: "{{ user_name }}"
@@ -12,28 +42,3 @@
   tags:
     - certs
-- name: Copy STAR_unglue_it.crt
-  become: yes
-  copy:
-    src: certs/STAR_unglue_it.crt
-    dest: /etc/ssl/certs/server.crt
-    owner: "{{ user_name }}"
-    group: "{{ user_name }}"
-    mode: 0644
-  notify:
-    - restart apache
-  tags:
-    - certs
-
-- name: Copy STAR_unglue_it.ca-bundle
-  become: yes
-  copy:
-    src: certs/STAR_unglue_it.ca-bundle
-    dest: /etc/ssl/certs/STAR_unglue_it.ca-bundle
-    owner: "{{ user_name }}"
-    group: "{{ user_name }}"
-    mode: 0600
-  notify:
-    - restart apache
-  tags:
-    - certs
\ No newline at end of file
diff --git a/roles/regluit_prod/templates/apache.conf.j2 b/roles/regluit_prod/templates/apache.conf.j2
index 874f8db..acaffb8 100644
--- a/roles/regluit_prod/templates/apache.conf.j2
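Review bot: The second acme_certificate task has a stray trailing quote in `fullchain_dest: /etc/ssl/certs/server-fullchain.crt"`, which YAML accepts as part of the plain scalar, so the validated chain is written to a path literally ending in `"` and the file Apache is meant to read is never produced; that task is also named identically to the challenge-creation task above it although it is the validation step. The apache.conf.j2 hunk in this commit points SSLCertificateChainFile at /etc/ssl/certs/server.ca-bundle, but nothing in this hunk writes that file (the old STAR_unglue_it.ca-bundle copy is deleted in the next hunk), so the intermediate chain will be missing unless `chain_dest: /etc/ssl/certs/server.ca-bundle` is added here or the template is pointed at server-fullchain.crt. Neither acme_certificate task nor the copy into /var/www/static/lencrypt/ has `become: yes`, unlike the adjacent "Copy server key" task, so the writes under /etc/ssl/certs are likely to fail for an unprivileged connection user. Neither acme_account nor acme_certificate sets `acme_directory` or `acme_version`; on older Ansible releases the module defaults appear to target the ACME v1 staging directory, so pin both explicitly to the intended CA endpoint or the issued certificate may be untrusted. The rewritten validation task below addresses the quote, the name, privilege escalation and the chain output; `terms_agreed: yes` would also read better as `true`, and it is worth confirming that certs/account-key.pem and certs/m.unglue.it.key are vault-encrypted rather than committed in clear.
```yaml
# … unchanged: acme_account, challenge-creation acme_certificate and copy tasks …
- name: Validate the challenge and retrieve the certificate
  become: yes
  acme_certificate:
    account_key_src: certs/account-key.pem
    csr: "certs/{{ server_name }}.csr"
    dest: /etc/ssl/certs/server.crt
    fullchain_dest: /etc/ssl/certs/server-fullchain.crt
    chain_dest: /etc/ssl/certs/server.ca-bundle
    data: "{{ acme_challenge }}"
  when: acme_challenge is changed
# … unchanged: Copy server key task …
```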
+++ b/roles/regluit_prod/templates/apache.conf.j2
@@ -25,7 +25,7 @@ SSLProtocol All -SSLv2 -SSLv3
 SSLCertificateFile /etc/ssl/certs/server.crt
 SSLCertificateKeyFile /etc/ssl/private/server.key
-SSLCertificateChainFile /etc/ssl/certs/STAR_unglue_it.ca-bundle
+SSLCertificateChainFile /etc/ssl/certs/server.ca-bundle
 #SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt