copr: credential cleanup: drop log for "static" SSL

We are for quite some time using the roles/copr/certbot also for backend production.
2023-11-10 13:44:14 +01:00 · 2023-11-10 13:44:14 +01:00 · bb04ae62ad
commit bb04ae62ad
parent 8abbdbaea5
2 changed files with 0 additions and 64 deletions
--- a/roles/copr/backend/tasks/install_certs.yml
+++ b/roles/copr/backend/tasks/install_certs.yml
@ -1,59 +0,0 @@
---
-
-# Some files need to be made readable by lighttpd using the ACLs, so we need to
-# set the mode 0640 (the group mode means mask).
-
- name: copy httpd ssl certificates
-  copy: src="{{ private }}/files/httpd/{{ item.file }}"
-        dest="/etc/lighttpd/{{ item.file }}" owner=root group=root
-        mode={{ item.mode | default('0600') }}
-  with_items:
-  - file: copr-be.cloud.fedoraproject.org.key
-  - file: copr-be.cloud.fedoraproject.org.cert
-  - file: copr-be.cloud.fedoraproject.org.pem
-    mode: "0640"
-  - file: copr-be.cloud.fedoraproject.org.intermediate.cert
-    mode: "0640"
-  - file: copr.fedorainfracloud.org.key
-  - file: copr.fedorainfracloud.org.crt
-  - file: copr.fedorainfracloud.org.pem
-  - file: copr.fedorainfracloud.org.intermediate.crt
-  notify:
-  - restart lighttpd
-  tags:
-  - config
-  - config_httpd_certificates
-
-# When we do 'systemctl restart', lighttpd is initially started as "root"
-# process (when the config is loaded) and later it does setuid(lighttpd).
-# So "restart" is just fine.   Though we also do 'killall -HUP lighttpd' in
-# several occasions and then 'lighttpd' user needs to have the access.  See the
-# following issues:
-#   https://pagure.io/copr/copr/issue/2001 Resolves:
-#   https://pagure.io/fedora-infrastructure/issue/10391
-# Note that the items here must match the configuration in lighttpd.conf!
- name: allow lighttpd to read the certificates
-  acl:
-    path: "{{ item.0 }}"
-    etype: "{{ item.1.etype }}"
-    entity: "{{ item.1.entity }}"
-    permissions: "{{ item.1.permissions }}"
-    state: present
-  loop: "{{ files|product(perms)|list }}"
-  vars:
-    files:
-      - "/etc/lighttpd/copr-be.cloud.fedoraproject.org.pem"
-      - "/etc/lighttpd/copr-be.cloud.fedoraproject.org.intermediate.cert"
-    perms:
-      # make sure the default 'root' group has '---' perms
-      - etype: group
-        permissions: "---"
-        entity: null
-      # and grant lighty the read access
-      - etype: user
-        entity: lighttpd
-        permissions: "r--"
-
-  tags:
-  - config
-  - config_httpd_certificates
--- a/roles/copr/backend/tasks/main.yml
+++ b/roles/copr/backend/tasks/main.yml
@ -115,11 +115,6 @@
  tags:
  - config

-# TODO: move production to Let's Encrypt as well as devel
- name: install certificates for production
-  when: not devel
-  import_tasks: "install_certs.yml"
-
 - name: letsencrypt cert
  include_role: name=copr/certbot
  tags: