ansible/playbooks/include/proxies-certificates.yml

- name: Set up those proxy certificates.  Good gravy..
  hosts: proxies_stg:proxies
  user: root
  gather_facts: True

  vars_files:
   - /srv/web/infra/ansible/vars/global.yml
   - "/srv/private/ansible/vars.yml"
   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml

  handlers:
  - import_tasks: "{{ handlers_path }}/restart_services.yml"

  roles:

  - role: httpd/mod_ssl

  - role: httpd/certificate
    certname: wildcard-2023.fedoraproject.org
    SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2023.fedoraproject.org
    SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert
 
  - role: httpd/certificate
    certname: wildcard-2024.id.fedoraproject.org
    SSLCertificateChainFile: wildcard-2024.id.fedoraproject.org.intermediate.cert

  - role: httpd/certificate
    certname: wildcard-2024.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2024.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
    certname: wildcard-2024.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2024.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
    certname: wildcard-2023.apps.ocp.stg.fedoraproject.org
    SSLCertificateChainFile: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"
    tags:
    - apps.ocp.stg.fedoraproject.org

  - role: httpd/certificate
    certname: wildcard-2024.apps.ocp.fedoraproject.org
    SSLCertificateChainFile: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert
    tags:
    - apps.ocp.fedoraproject.org

  - role: httpd/certificate
    certname: getfedora.org
    SSLCertificateChainFile: getfedora.org.intermediate.cert
    tags:
    - getfedora.org

  - role: httpd/certificate
    certname: qa.stg.fedoraproject.org
    SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert
    when: env == "staging"

  - role: httpd/certificate
    certname: qa.fedoraproject.org
    SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert

  # - role: httpd/certificate
  #   certname: secondary.koji.fedoraproject.org.letsencrypt
  #   SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- name: Set up those proxy certificates. Good gravy..`
ansible: more group fixing. Get playboooks/include and update_ticketkey Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2019-05-20 18:14:08 +00:00			`hosts: proxies_stg:proxies`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`user: root`
			`gather_facts: True`

			`vars_files:`
			`- /srv/web/infra/ansible/vars/global.yml`
New ansible doesn't like expanding {{ private }} in the same list of vars files it's defined in. 2015-01-09 22:59:18 +00:00			`- "/srv/private/ansible/vars.yml"`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml`

			`handlers:`
These need to be imported rather than included Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-10-16 21:58:36 +00:00			`- import_tasks: "{{ handlers_path }}/restart_services.yml"`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
			`roles:`

			`- role: httpd/mod_ssl`
Death to all trailing whitespace. 2016-08-08 19:36:31 +00:00
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- role: httpd/certificate`
wildcard-2023.fedoraproject.org: new wildcard ssl cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2023-01-11 08:48:15 -08:00			`certname: wildcard-2023.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
Revert "Revert "wildcard-2022.fedoraproject.org cert"" This reverts commit 4430178b29f481dde2b69b115fec9d9452b1f8d0. It's time to put this back before the cert expires and before we go into Beta freeze. Hopefully the odd issue with armv7 qemu guests having a time behind real time is not still happening. 2022-02-21 10:19:17 -08:00			`- role: httpd/certificate`
wildcard-2023.fedoraproject.org: new wildcard ssl cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2023-01-11 08:48:15 -08:00			`certname: wildcard-2023.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2023.fedoraproject.org.intermediate.cert`
more vim spew fixing Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2023-01-11 08:57:04 -08:00
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`- role: httpd/certificate`
new 2024 id.fedoraproject.org wildcard cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2024-01-29 18:42:22 -08:00			`certname: wildcard-2024.id.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2024.id.fedoraproject.org.intermediate.cert`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00
			`- role: httpd/certificate`
staging: update wildcard cert to new 2024 one Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2024-02-02 11:15:25 -08:00			`certname: wildcard-2024.stg.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2024.stg.fedoraproject.org.intermediate.cert`
install new cert only in staging 2017-06-12 19:05:55 +00:00			`when: env == "staging"`

staging: move to new wildcard stg cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-01 14:21:08 -08:00			`- role: httpd/certificate`
staging: update wildcard cert to new 2024 one Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2024-02-02 11:15:25 -08:00			`certname: wildcard-2024.stg.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2024.stg.fedoraproject.org.intermediate.cert`
staging: move to new wildcard stg cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2022-03-01 14:21:08 -08:00			`when: env == "staging"`

add cert to proxies-certificates Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-08-04 19:46:15 -07:00			`- role: httpd/certificate`
apps.ocp.stg new certs for 2023 Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2023-01-08 18:26:33 -08:00			`certname: wildcard-2023.apps.ocp.stg.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2023.apps.ocp.stg.fedoraproject.org.intermediate.cert`
add cert to proxies-certificates Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-08-04 19:46:15 -07:00			`when: env == "staging"`
			`tags:`
more vim spew fixing Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2023-01-11 08:57:04 -08:00			`- apps.ocp.stg.fedoraproject.org`
add cert to proxies-certificates Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-08-04 19:46:15 -07:00
metrics-for-apps: Adding inventory/groupvars/changes for ocp prod Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-08-30 13:12:45 +09:00			`- role: httpd/certificate`
new wildcard cert for prod apps.ocp Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2024-01-15 16:52:04 -08:00			`certname: wildcard-2024.apps.ocp.fedoraproject.org`
			`SSLCertificateChainFile: wildcard-2024.apps.ocp.fedoraproject.org.intermediate.cert`
metrics-for-apps: Adding inventory/groupvars/changes for ocp prod Signed-off-by: David Kirwan <dkirwan@redhat.com> 2021-08-30 13:12:45 +09:00			`tags:`
			`- apps.ocp.fedoraproject.org`

Make fpaste.org use certgetter Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-11-25 00:07:42 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: getfedora.org`
mod_ssl and certificates, first try. 2014-12-08 14:51:28 +00:00			`SSLCertificateChainFile: getfedora.org.intermediate.cert`
proxies / certificates: also tag getfedora.org cert Signed-off-by: Kevin Fenzi <kevin@scrye.com> 2021-12-10 11:43:15 -08:00			`tags:`
			`- getfedora.org`
Also copy ftf cert Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-01-21 21:38:23 +00:00
adding qa.stg cert to proxies 2016-02-02 14:04:04 +00:00			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: qa.stg.fedoraproject.org`
This was inconsistent Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-02-12 07:46:06 +00:00			`SSLCertificateChainFile: qa.stg.fedoraproject.org.intermediate.cert`
No need to install stg ssl certs in production. 2016-02-14 16:46:43 +00:00			`when: env == "staging"`
adding the qa.fp.o wildcard to the proxies 2016-04-14 03:08:10 +00:00
			`- role: httpd/certificate`
try and deal with name scoping some more 2018-04-05 20:48:29 +00:00			`certname: qa.fedoraproject.org`
adding the qa.fp.o wildcard to the proxies 2016-04-14 03:08:10 +00:00			`SSLCertificateChainFile: qa.fedoraproject.org.intermediate.cert`
Define secondary kojis Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2016-12-14 23:57:52 +00:00
comment out 2 certs on proxies which are no longer needed: fedoramagazine.org (moved). secondary.koji (broken) 2020-02-05 15:48:06 +00:00			`# - role: httpd/certificate`
			`# certname: secondary.koji.fedoraproject.org.letsencrypt`
			`# SSLCertificateChainFile: secondary.koji.fedoraproject.org.letsencrypt.intermediate.crt`
Deploy the crt Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com> 2017-10-12 22:19:23 +00:00