From 1133e45da3f2592476c25c2fab14659af7993111 Mon Sep 17 00:00:00 2001 From: Kevin Fenzi Date: Thu, 28 Apr 2022 17:09:22 -0700 Subject: [PATCH] pagure: fix ssl cert deployment The current playbook assumes the old digicert ssl cert thats in private. However, we got that in 2020 and it's expired. We switched pagure.io over to letsencrypt a while back. Somehow we didn't change the playbook however, or the change was lost somewhere. :( So, this adds 2 calls to the letsencrypt role to get certs for the prod and staging pagure instances. I think this should do the right thing with placement of files, but more eyes welcome. Without this playbooks runs have the chance of messing up pagure.io certs, so I think we should fix this asap. Signed-off-by: Kevin Fenzi --- playbooks/groups/pagure.yml | 27 +++++++++++++++++++++++++++ roles/pagure/tasks/main.yml | 16 ---------------- 2 files changed, 27 insertions(+), 16 deletions(-) diff --git a/playbooks/groups/pagure.yml b/playbooks/groups/pagure.yml index 632a7df1db..7aea38f55e 100644 --- a/playbooks/groups/pagure.yml +++ b/playbooks/groups/pagure.yml @@ -41,6 +41,33 @@ - "{{ vars_path }}/{{ ansible_distribution }}.yml" roles: + + # + # use letsencrypt to get ssl certs + # + - role: letsencrypt + site_name: "stg.pagure.io" + server_aliases: + - stg.pagure.io + - docs.stg.pagure.org + - releases.stg.pagure.org + - stg.pagure.org + tags: + - pagure.io + when: env == "staging" + + - role: letsencrypt + site_name: "pagure.io" + server_aliases: + - docs.pagure.org + - lists.pagure.io + - pagure.org + - releases.pagure.org + - www.pagure.io + tags: + - pagure.io + when: env != "staging" + - pagure handlers: diff --git a/roles/pagure/tasks/main.yml b/roles/pagure/tasks/main.yml index 4a80b39c8f..2f58261968 100644 --- a/roles/pagure/tasks/main.yml +++ b/roles/pagure/tasks/main.yml 
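Review bot: The two added `letsencrypt` role entries in playbooks/groups/pagure.yml do not show where the certificate and key end up or which service is restarted when they change, whereas the task this commit removes from roles/pagure/tasks/main.yml installed `pagure.io.cert`, `pagure.io.key` and `pagure.io.intermediate.cert` under /etc/pki/tls/certs with mode 0600 and `notify: restart stunnel`. Unless the role handles this itself (its tasks are outside this diff), stunnel and httpd may keep pointing at the expired files or keep serving an old certificate after a renewal, and on staging the file names presumably follow `site_name: "stg.pagure.io"` rather than `pagure.io.*`. I would add a comment above the first entry such as `# letsencrypt role writes cert/key to <PATH_USED_BY_ROLE>; stunnel and httpd configs must reference it and be restarted on renewal`, and confirm the private key is still readable by root only. The staging entry also repeats `stg.pagure.io` in `server_aliases` although it is already the `site_name`, which the production entry does not do; dropping `- stg.pagure.io` would make the two consistent. The `roles:` list starts before the hunk and continues past it.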
@@ -139,22 +139,6 @@ - pagure - mirror -# We need the SSL certs early on - -- name: Install the SSL cert so that we can use https - copy: > - src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }} - owner=root group=root mode=0600 - notify: restart stunnel - with_items: - - pagure.io.cert - - pagure.io.key - - pagure.io.intermediate.cert - tags: - - config - - pagure - - httpd/certificate - # Set-up postfix and the milter for postfix - name: Add the /etc/aliases file