Infrastructure/ansible
3
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions

removing pagure.io certs, enabling letsencrypt

Browse source
This commit is contained in:
Tim Flink 2017-05-18 16:18:55 +00:00
parent 17a44d5b2f
commit e3ab9901ae
3 changed files with 20 additions and 23 deletions
Download patch file Download diff file Expand all files Collapse all files

1
playbooks/hosts/upstreamfirst.fedorainfracloud.org.yml
View file

@ -30,6 +30,7 @@
- sudo
- collectd/base
- postgresql_server
- certbot
tasks:
- include: "{{ tasks_path }}/yumrepos.yml"

17
roles/pagure/upstreamfirst-frontend/tasks/main.yml
View file

@ -235,23 +235,6 @@
- web
- pagure
- name: Install the SSL cert so that we can use https
copy: >
src={{ private}}/files/httpd/{{ item }} dest=/etc/pki/tls/certs/{{ item }}
owner=root group=root mode=0600
notify: restart stunnel
with_items:
- pagure.io.cert
- pagure.io.key
- pagure.io.intermediate.cert
- docs.pagure.org.crt
- docs.pagure.org.intermediate.crt
- docs.pagure.org.key
tags:
- config
- pagure
- httpd/certificate
- name: Install the configuration file to activate https
template: src={{ item }} dest=/etc/httpd/conf.d/{{ item }}
owner=root group=root mode=0644

25
roles/pagure/upstreamfirst-frontend/templates/0_pagure.conf
View file

@ -9,16 +9,22 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
## Redirects http -> https
<VirtualHost *:80>
RewriteEngine on
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName {{ external_hostname }}
Redirect permanent / https://{{ external_hostname }}/
</VirtualHost>
<VirtualHost *:80>
RewriteEngine on
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName docs.{{ external_hostname }}
Redirect permanent / https://docs.{{ external_hostname }}/
</VirtualHost>
<VirtualHost *:80>
RewriteEngine on
RewriteRule ^/\.well-known/(.*) /srv/web/acme-challenge/.well-known/$1 [L]
ServerName releases.{{ external_hostname }}
Redirect permanent / https://releases.{{ external_hostname }}/
@ -52,9 +58,12 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLProtocol ALL -SSLv2
Alias /static /usr/lib/python2.7/site-packages/pagure/static/
@ -100,9 +109,13 @@ WSGIDaemonProcess paguredocs user=git group=git maximum-requests=1000 display-na
# Use secure TLSv1.1 and TLSv1.2 ciphers
Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
SSLCertificateFile /etc/pki/tls/certs/pagure.io.cert
SSLCertificateChainFile /etc/pki/tls/certs/pagure.io.intermediate.cert
SSLCertificateKeyFile /etc/pki/tls/certs/pagure.io.key
SSLCertificateFile /etc/letsencrypt/live/{{ external_hostname }}/cert.pem
SSLCertificateKeyFile /etc/letsencrypt/live/{{ external_hostname }}/privkey.pem
SSLCertificateChainFile /etc/letsencrypt/live/{{ external_hostname }}/fullchain.pem
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:AES128-SHA:ALL:!ADH:!EXP:!LOW:!MD5:!SSLV2:!NULL
SSLProtocol ALL -SSLv2
Alias /static /usr/lib/python2.7/site-packages/pagure/static/