ansible/playbooks/include/proxies-certificates.yml

- name: Set up those proxy certificates.  Good gravy..
  hosts: proxies_stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  roles:

  - role: httpd/mod_ssl

  - role: httpd/certificate
    certname: wildcard-2017.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2017.fedorahosted.org
    SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2017.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2017.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
    certname: wildcard-2017.app.os.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"
    tags:
    - app.os.fedoraproject.org

  - role: httpd/certificate
    certname: wildcard-2017.app.os.fedoraproject.org
    SSLCertificateChainFile: wildcard-2017.app.os.fedoraproject.org.intermediate.cert
    tags:
    - app.os.fedoraproject.org

  - role: httpd/certificate
    certname: fedoramagazine.org
    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert

  - role: httpd/certificate
    certname: getfedora.org
    SSLCertificateChainFile: getfedora.org.intermediate.cert

  - role: httpd/certificate
    certname: flocktofedora.org
    SSLCertificateChainFile: flocktofedora.org.intermediate.cert

  - role: httpd/certificate
    certname: qa.stg.fedoraproject.org
    SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
    certname: qa.fedoraproject.org
    SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: secondary.koji.fedoraproject.org.letsencrypt
    SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt

  - role: httpd/certificate
    certname: fedoracommunity.org
    SSLCertificateChainFile: fedoracommunity.org.intermediate.cert
    tags:
    - fedoracommunity.org
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- name: Set up those proxy certificates. Good gravy..`
ansible: more group fixing. Get playboooks/include and update_ticketkey Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-05-20 18:14:08 +00:00			`hosts: proxies_stg:proxies`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`user: root`
			`gather_facts: True`

			`vars_files:`
			`- /srv/web/infra/ansible/vars/global.yml`
New ansible doesn't like expanding {{ private }} in the same list of vars files it's defined in. 2015-01-09 22:59:18 +00:00			`- "/srv/private/ansible/vars.yml"`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`

			`handlers:`
These need to be imported rather than included Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-10-16 21:58:36 +00:00			`- import_tasks: "{{ handlers_path }}/restart_services.yml"`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
			`roles:`

			`- role: httpd/mod_ssl`
Death to all trailing whitespace. 2016-08-08 19:36:31 +00:00
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.fedoraproject.org`
make a small set of changes before too many 2017-02-01 23:39:23 +00:00			`SSLCertificateChainFile: wildcard-2017.fedoraproject.org.intermediate.cert`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
Install the hosted cert too 2016-05-18 20:17:43 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.fedorahosted.org`
and we have the fedorahosted finally 2017-02-02 21:59:26 +00:00			`SSLCertificateChainFile: wildcard-2017.fedorahosted.org.intermediate.cert`
Install the hosted cert too 2016-05-18 20:17:43 +00:00
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.id.fedoraproject.org`
make a small set of changes before too many 2017-02-01 23:39:23 +00:00			`SSLCertificateChainFile: wildcard-2017.id.fedoraproject.org.intermediate.cert`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.stg.fedoraproject.org`
make a small set of changes before too many 2017-02-01 23:39:23 +00:00			`SSLCertificateChainFile: wildcard-2017.stg.fedoraproject.org.intermediate.cert`
install new cert only in staging 2017-06-12 19:05:55 +00:00			`when: env == "staging"`

			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.app.os.stg.fedoraproject.org`
install new cert only in staging 2017-06-12 19:05:55 +00:00			`SSLCertificateChainFile: wildcard-2017.app.os.stg.fedoraproject.org.intermediate.cert`
			`when: env == "staging"`
Also add tags to cert statements Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-08-23 22:42:11 +00:00			`tags:`
			`- app.os.fedoraproject.org`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
some os prod proxy adjustments for os prod 2017-08-22 19:58:32 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: wildcard-2017.app.os.fedoraproject.org`
some os prod proxy adjustments for os prod 2017-08-22 19:58:32 +00:00			`SSLCertificateChainFile: wildcard-2017.app.os.fedoraproject.org.intermediate.cert`
Also add tags to cert statements Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-08-23 22:42:11 +00:00			`tags:`
			`- app.os.fedoraproject.org`
some os prod proxy adjustments for os prod 2017-08-22 19:58:32 +00:00
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: fedoramagazine.org`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`SSLCertificateChainFile: fedoramagazine.org.intermediate.cert`

Make fpaste.org use certgetter Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-11-25 00:07:42 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: getfedora.org`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`SSLCertificateChainFile: getfedora.org.intermediate.cert`
Also copy ftf cert Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-01-21 21:38:23 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: flocktofedora.org`
Also copy ftf cert Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-01-21 21:38:23 +00:00			`SSLCertificateChainFile: flocktofedora.org.intermediate.cert`
adding qa.stg cert to proxies 2016-02-02 14:04:04 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: qa.stg.fedoraproject.org`
This was inconsistent Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-02-12 07:46:06 +00:00			`SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert`
No need to install stg ssl certs in production. 2016-02-14 16:46:43 +00:00			`when: env == "staging"`
adding the qa.fp.o wildcard to the proxies 2016-04-14 03:08:10 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: qa.fedoraproject.org`
adding the qa.fp.o wildcard to the proxies 2016-04-14 03:08:10 +00:00			`SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert`
Define secondary kojis Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-12-14 23:57:52 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: secondary.koji.fedoraproject.org.letsencrypt`
cert/crt Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-12-15 00:02:13 +00:00			`SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt`
Deploy the crt Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-10-12 22:19:23 +00:00
use fedoracommunity.org cert 2017-11-16 02:00:19 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: fedoracommunity.org`
fix cert name 2017-11-16 04:23:07 +00:00			`SSLCertificateChainFile: fedoracommunity.org.intermediate.cert`
use fedoracommunity.org cert 2017-11-16 02:00:19 +00:00			`tags:`
			`- fedoracommunity.org`