pagure: fix ssl cert deployment

The current playbook assumes the old digicert ssl cert thats in private.
However, we got that in 2020 and it's expired. We switched pagure.io
over to letsencrypt a while back. Somehow we didn't change the playbook
however, or the change was lost somewhere. :(

So, this adds 2 calls to the letsencrypt role to get certs for the prod
and staging pagure instances. I think this should do the right thing
with placement of files, but more eyes welcome.

Without this playbooks runs have the chance of messing up pagure.io
certs, so I think we should fix this asap.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

playbooks/groups/pagure.yml

@@ -41,6 +41,33 @@
    - "{{ vars_path }}/{{ ansible_distribution }}.yml"
 
   roles:
+
+  #
+  # use letsencrypt to get ssl certs
+  #
+  - role: letsencrypt
+    site_name: "stg.pagure.io"
+    server_aliases:
+    - stg.pagure.io
+    - docs.stg.pagure.org
+    - releases.stg.pagure.org
+    - stg.pagure.org
+    tags:
+    - pagure.io
+    when: env == "staging"
+
+  - role: letsencrypt
+    site_name: "pagure.io"
+    server_aliases:
+    - docs.pagure.org
+    - lists.pagure.io
+    - pagure.org
+    - releases.pagure.org
+    - www.pagure.io
+    tags:
+    - pagure.io
+    when: env != "staging"
+
   - pagure
 
   handlers:

roles/pagure/tasks/main.yml

@@ -139,22 +139,6 @@
   - pagure
   - mirror
 
-# We need the SSL certs early on
-
-- name: Install the SSL cert so that we can use https
-  copy: >
-      src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
-      owner=root group=root mode=0600
-  notify: restart stunnel
-  with_items:
-  - pagure.io.cert
-  - pagure.io.key
-  - pagure.io.intermediate.cert
-  tags:
-  - config
-  - pagure
-  - httpd/certificate
-
 # Set-up postfix and the milter for postfix
 
 - name: Add the /etc/aliases file