lets break all the things

2017-02-02 17:16:11 +00:00 · 2017-02-02 17:16:11 +00:00 · e3e3317a3d
commit e3e3317a3d
parent 4d87922f7b
12 changed files with 34 additions and 27 deletions
--- a/inventory/group_vars/all
+++ b/inventory/group_vars/all
@ -124,6 +124,9 @@ max_cpu: "{{ num_cpus * 5 }}"
 # This is the wildcard certname for our proxies.  It has a different name for
 # the staging group and is used in the proxies.yml playbook.
 wildcard_cert_name: wildcard-2017.fedoraproject.org
+wildcard_crt_file: wildcard-2017.fedoraproject.org.cert
+wildcard_key_file: wildcard-2017.fedoraproject.org.key
+wildcard_int_file: wildcard-2017.fedoraproject.org.intermediate.cert

 # Everywhere, always, we should sign messages and validate signatures.
 # However, we allow individual hosts and groups to override this.  Use this very
--- a/inventory/group_vars/staging
+++ b/inventory/group_vars/staging
@ -6,6 +6,10 @@ host_group: staging

 # This is the wildcard certname for our stg proxies.
 wildcard_cert_name: wildcard-2017.stg.fedoraproject.org
+wildcard_cert_file: wildcard-2017.stg.fedoraproject.org.cert
+wildcard_key_file: wildcard-2017.stg.fedoraproject.org.key
+wildcard_int_file: wildcard-2017.stg.fedoraproject.org.intermediate.cert
+

 # This only does anything if the host is not RHEL6
 collectd_graphite: True
--- a/playbooks/groups/batcave.yml
+++ b/playbooks/groups/batcave.yml
@ -26,7 +26,7 @@
  - rsyncd
  - apache
  - httpd/mod_ssl
-  - { role: httpd/certificate, name: wildcard-2014.fedoraproject.org, SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert }
+  - { role: httpd/certificate, name: "{{wildcard_cert_name}}", SSLCertificateChainFile: "{{wildcard_int_file}}}" }
  - openvpn/client
  - batcave

--- a/playbooks/groups/mirrorlist2.yml
+++ b/playbooks/groups/mirrorlist2.yml
@ -59,24 +59,24 @@
  - httpd/mod_ssl

  - role: httpd/certificate
-    name: wildcard-2014.stg.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+    name: wildcard-2017.stg.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/website
    name: mirrorlist-phx2.stg.phx2.fedoraproject.org
-    cert_name: wildcard-2014.stg.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+    cert_name: wildcard-2017.stg.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
-    name: wildcard-2014.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
+    name: wildcard-2017.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert
    when: env != "staging"

  - role: httpd/website
    name: mirrorlist-phx2.fedoraproject.org
-    cert_name: wildcard-2014.fedoraproject.org
+    cert_name: wildcard-2017.fedoraproject.org
    server_aliases:
    - mirrorlist-dedicatedsolutions.fedoraproject.org
    - mirrorlist-host1plus.fedoraproject.org
--- a/playbooks/groups/people.yml
+++ b/playbooks/groups/people.yml
@ -75,8 +75,8 @@
  - role: apache

  - role: httpd/certificate
-    name: wildcard-2014.fedorapeople.org
-    SSLCertificateChainFile: wildcard-2014.fedorapeople.org.intermediate.cert
+    name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{wildcard_int_file}}"

  - people

--- a/playbooks/groups/secondary.yml
+++ b/playbooks/groups/secondary.yml
@ -37,8 +37,8 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    name: wildcard-2014.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
+    name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{wildcard_int_file}}"

  - role: httpd/website
    name: secondary.fedoraproject.org
--- a/playbooks/groups/torrent.yml
+++ b/playbooks/groups/torrent.yml
@ -26,8 +26,8 @@
  - role: httpd/mod_ssl

  - role: httpd/certificate
-    name: wildcard-2014.fedoraproject.org
-    SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
+    name: "{{wildcard_cert_name}}"
+    SSLCertificateChainFile: "{{wildcard_int_name}}"

  - role: httpd/website
    name: torrent.fedoraproject.org
--- a/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
+++ b/roles/batcave/templates/infrastructure.fedoraproject.org.conf.j2
@ -110,9 +110,9 @@ ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
                       /usr/libexec/git-core/git-http-backend/$1

  SSLEngine on
-  SSLCertificateFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedoraproject.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.intermediate.cert
+  SSLCertificateFile /etc/pki/tls/certs/{{ wildcard_crt_file }}
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}

  Header always add Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"

--- a/roles/download/templates/httpd/dl.fedoraproject.org.conf
+++ b/roles/download/templates/httpd/dl.fedoraproject.org.conf
@ -15,9 +15,9 @@


  SSLEngine on
-  SSLCertificateFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.intermediate.cert
+  SSLCertificateFile {{ wildcard_crt_file }}
+  SSLCertificateKeyFile {{ wildcard_key_file }}
+  SSLCertificateChainFile {{ wildcard_int_file }}
  SSLHonorCipherOrder On

  # https://fedorahosted.org/fedora-infrastructure/ticket/4101#comment:14
--- a/roles/fedmsg/gateway/slave/tasks/main.yml
+++ b/roles/fedmsg/gateway/slave/tasks/main.yml
@ -82,8 +82,8 @@

 - name: put our combined cert in place
  copy: >
-    src={{private}}/files/httpd/wildcard-2014.fedoraproject.org.combined.cert
-    dest=/etc/pki/tls/certs/wildcard-2014.fedoraproject.org.combined.cert
+    src={{private}}/files/httpd/wildcard-2017.fedoraproject.org.combined.cert
+    dest=/etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
    owner=root group=root mode=0644
  notify: restart stunnel
  tags:
--- a/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
+++ b/roles/fedmsg/gateway/slave/templates/stunnel-conf.j2
@ -1,5 +1,5 @@
-cert = /etc/pki/tls/certs/wildcard-2014.fedoraproject.org.combined.cert
-key = /etc/pki/tls/private/wildcard-2014.fedoraproject.org.key
+cert = /etc/pki/tls/certs/wildcard-2017.fedoraproject.org.combined.cert
+key = /etc/pki/tls/private/wildcard-2017.fedoraproject.org.key
 pid = /var/run/stunnel.pid

 [{{ stunnel_service }}]
--- a/roles/people/templates/people.conf
+++ b/roles/people/templates/people.conf
@ -27,9 +27,9 @@ NameVirtualHost *:80
  DocumentRoot /srv/people/site

  SSLEngine on
-  SSLCertificateFile    /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.cert
-  SSLCertificateKeyFile /etc/pki/tls/private/wildcard-2014.fedorapeople.org.key
-  SSLCertificateChainFile /etc/pki/tls/certs/wildcard-2014.fedorapeople.org.intermediate.cert
+  SSLCertificateFile    /etc/pki/tls/certs/{{ wildcard_crt_file }}
+  SSLCertificateKeyFile /etc/pki/tls/private/{{ wildcard_key_file }}
+  SSLCertificateChainFile /etc/pki/tls/certs/{{ wildcard_int_file }}
  SSLHonorCipherOrder On
  SSLCipherSuite {{ ssl_ciphers }}
  SSLProtocol {{ ssl_protocols }}