wip
parent
cfa971eb79
commit
de88fa12b2
|
@ -11,7 +11,7 @@ server_name: "m.unglue.it"
|
||||||
wsgi_home: "/opt/regluit/venv"
|
wsgi_home: "/opt/regluit/venv"
|
||||||
wsgi_python_path: "/opt/regluit/venv/bin/python"
|
wsgi_python_path: "/opt/regluit/venv/bin/python"
|
||||||
git_repo: "https://github.com/EbookFoundation/regluit.git"
|
git_repo: "https://github.com/EbookFoundation/regluit.git"
|
||||||
git_branch: "master"
|
git_branch: "lencrypt"
|
||||||
|
|
||||||
### Variables in settings.prod.py ###
|
### Variables in settings.prod.py ###
|
||||||
mysql_db_name: "{{ vault_mysql_db_name }}"
|
mysql_db_name: "{{ vault_mysql_db_name }}"
|
||||||
|
|
|
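Review bot: `git_branch: "lencrypt"` in the vars file whose context line is `server_name: "m.unglue.it"` pins that host's deploys to a feature branch; given the commit title `wip`, this presumably needs to go back to `"master"` before merge, or live in a separate inventory/group for the host being used to test the Let's Encrypt rollout. A comment on the line, e.g. `# temporary: Let's Encrypt rollout branch, revert to master once merged`, would stop it being carried forward by accident.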
@ -2,12 +2,8 @@
|
||||||
- name: Install apache
|
- name: Install apache
|
||||||
become: yes
|
become: yes
|
||||||
apt:
|
apt:
|
||||||
name: "{{ item }}"
|
name: ['apache2', 'libapache2-mod-wsgi', 'cronolog']
|
||||||
state: present
|
state: present
|
||||||
with_items:
|
|
||||||
- 'apache2'
|
|
||||||
- 'libapache2-mod-wsgi'
|
|
||||||
- 'cronolog'
|
|
||||||
|
|
||||||
- name: Ensure apache is running and enabled
|
- name: Ensure apache is running and enabled
|
||||||
become: yes
|
become: yes
|
||||||
|
|
|
@ -1,8 +1,38 @@
|
||||||
---
|
---
|
||||||
|
|
||||||
|
- name: Make sure account exists and has given contacts. We agree to TOS.
|
||||||
|
acme_account:
|
||||||
|
account_key_src: certs/account-key.pem
|
||||||
|
state: present
|
||||||
|
terms_agreed: yes
|
||||||
|
contact:
|
||||||
|
- mailto: support@ebookfoundation.org
|
||||||
|
|
||||||
|
- name: Create a challenge for server_name using a account key file.
|
||||||
|
acme_certificate:
|
||||||
|
account_key_src: certs/account-key.pem
|
||||||
|
csr: "certs/{{ server_name }}.csr"
|
||||||
|
dest: /etc/ssl/certs/server.crt
|
||||||
|
fullchain_dest: /etc/ssl/certs/server-fullchain.crt
|
||||||
|
register: acme_challenge
|
||||||
|
|
||||||
|
- copy:
|
||||||
|
dest: /var/www/static/lencrypt/{{ acme_challenge['challenge_data'][server_name]['http-01']['resource'] }}
|
||||||
|
content: "{{ acme_challenge['challenge_data'][server_name]['http-01']['resource_value'] }}"
|
||||||
|
when: acme_challenge is changed
|
||||||
|
|
||||||
|
- name: Create a challenge for server_name using a account key file.
|
||||||
|
acme_certificate:
|
||||||
|
account_key_src: certs/account-key.pem
|
||||||
|
csr: "certs/{{ server_name }}.csr"
|
||||||
|
dest: /etc/ssl/certs/server.crt
|
||||||
|
fullchain_dest: /etc/ssl/certs/server-fullchain.crt"
|
||||||
|
data: "{{ acme_challenge }}"
|
||||||
|
|
||||||
- name: Copy server key
|
- name: Copy server key
|
||||||
become: yes
|
become: yes
|
||||||
copy:
|
copy:
|
||||||
src: certs/server.key
|
src: certs/m.unglue.it.key
|
||||||
dest: /etc/ssl/private/server.key
|
dest: /etc/ssl/private/server.key
|
||||||
owner: "{{ user_name }}"
|
owner: "{{ user_name }}"
|
||||||
group: "{{ user_name }}"
|
group: "{{ user_name }}"
|
||||||
|
@ -12,28 +42,3 @@
|
||||||
tags:
|
tags:
|
||||||
- certs
|
- certs
|
||||||
|
|
||||||
- name: Copy STAR_unglue_it.crt
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: certs/STAR_unglue_it.crt
|
|
||||||
dest: /etc/ssl/certs/server.crt
|
|
||||||
owner: "{{ user_name }}"
|
|
||||||
group: "{{ user_name }}"
|
|
||||||
mode: 0644
|
|
||||||
notify:
|
|
||||||
- restart apache
|
|
||||||
tags:
|
|
||||||
- certs
|
|
||||||
|
|
||||||
- name: Copy STAR_unglue_it.ca-bundle
|
|
||||||
become: yes
|
|
||||||
copy:
|
|
||||||
src: certs/STAR_unglue_it.ca-bundle
|
|
||||||
dest: /etc/ssl/certs/STAR_unglue_it.ca-bundle
|
|
||||||
owner: "{{ user_name }}"
|
|
||||||
group: "{{ user_name }}"
|
|
||||||
mode: 0600
|
|
||||||
notify:
|
|
||||||
- restart apache
|
|
||||||
tags:
|
|
||||||
- certs
|
|
|
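Review bot: `fullchain_dest: /etc/ssl/certs/server-fullchain.crt"` in the second acme_certificate task carries a stray trailing quote; as a plain scalar the `"` becomes part of the value, so the finalizing run writes the full chain to a different path than the `/etc/ssl/certs/server-fullchain.crt` the first task uses — drop the quote. Neither acme_certificate task nor acme_account sets `acme_directory`; unless I am misremembering the module's default, it points at the Let's Encrypt staging CA, which would silently install an untrusted certificate, so set it explicitly. The removed Copy STAR_unglue_it.* tasks had `become: yes`, an explicit `mode`, `notify: restart apache` and `tags: certs`; the new tasks writing under /etc/ssl/certs have none of these, so a renewed certificate is not picked up by Apache until something else restarts it, and the write may lack privileges (the neighbouring Copy server key task does use become). The two order tasks share the name `Create a challenge for server_name using a account key file.`; the second one completes the order (`data: "{{ acme_challenge }}"`) and should say so, and `terms_agreed: yes` is better written `true`. A rewritten second task follows; it also emits the intermediate to `/etc/ssl/certs/server.ca-bundle` via `chain_dest`, which the vhost template in this commit references.
```yaml
# … unchanged: acme_account, first acme_certificate and challenge copy tasks …
- name: Complete the ACME order and write the issued certificate
  become: true
  acme_certificate:
    account_key_src: certs/account-key.pem
    acme_directory: "<PRODUCTION_ACME_DIRECTORY_URL>"  # placeholder: set to the CA's production directory
    csr: "certs/{{ server_name }}.csr"
    dest: /etc/ssl/certs/server.crt
    chain_dest: /etc/ssl/certs/server.ca-bundle
    fullchain_dest: /etc/ssl/certs/server-fullchain.crt
    data: "{{ acme_challenge }}"
  notify:
    - restart apache
  tags:
    - certs
```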
@ -25,7 +25,7 @@ SSLProtocol All -SSLv2 -SSLv3
|
||||||
|
|
||||||
SSLCertificateFile /etc/ssl/certs/server.crt
|
SSLCertificateFile /etc/ssl/certs/server.crt
|
||||||
SSLCertificateKeyFile /etc/ssl/private/server.key
|
SSLCertificateKeyFile /etc/ssl/private/server.key
|
||||||
SSLCertificateChainFile /etc/ssl/certs/STAR_unglue_it.ca-bundle
|
SSLCertificateChainFile /etc/ssl/certs/server.ca-bundle
|
||||||
|
|
||||||
#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
|
#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt
|
||||||
|
|
||||||
|
|
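Review bot: `SSLCertificateChainFile /etc/ssl/certs/server.ca-bundle` points at a file no task in this commit produces: the certs playbook writes `dest: /etc/ssl/certs/server.crt` and `fullchain_dest: /etc/ssl/certs/server-fullchain.crt` but nothing named server.ca-bundle, so Apache will fail its config check on a freshly provisioned host. Either have the acme_certificate task emit it (`chain_dest: /etc/ssl/certs/server.ca-bundle`) or, since SSLCertificateChainFile is deprecated from Apache 2.4.8, point `SSLCertificateFile /etc/ssl/certs/server-fullchain.crt` at the full chain and drop the chain line. The stale commented `#SSLCertificateChainFile /etc/ssl/certs/gd_bundle.crt` line could go at the same time.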