mod_ssl and certificates, first try.

playbooks/groups/proxies-certificates.yml

@@ -0,0 +1,36 @@
+- name: Set up those proxy certificates.  Good gravy..
+  hosts: proxies-stg
+  user: root
+  gather_facts: True
+
+  vars_files:
+   - /srv/web/infra/ansible/vars/global.yml
+   - "{{ private }}/vars.yml"
+   - /srv/web/infra/ansible/vars/{{ ansible_distribution }}.yml
+
+  handlers:
+  - include: "{{ handlers }}/restart_services.yml"
+
+  roles:
+
+  - role: httpd/mod_ssl
+    
+  - role: httpd/certificate
+    name: wildcard-2014.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: wildcard-2014.id.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.id.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: wildcard-2014.stg.fedoraproject.org
+    SSLCertificateChainFile: wildcard-2014.stg.fedoraproject.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: fedoramagazine.org
+    SSLCertificateChainFile: fedoramagazine.org.intermediate.cert
+
+  - role: httpd/certificate
+    name: getfedora.org
+    SSLCertificateChainFile: getfedora.org.intermediate.cert

playbooks/groups/proxies.yml

@@ -47,5 +47,6 @@
 # out the proxy-specific configuration into a couple different sub-playbooks.
 # Othewise, this file would be unbearably long.
 
+- include: proxies-certificates.yml
 - include: proxies-websites.yml
 - include: proxies-redirects.yml

roles/httpd/certificate/tasks/main.yml

@@ -0,0 +1,51 @@
+# Expected vars
+# - name...
+# - SSLCertificateChainFile:
+# - cert:
+# - key:
+
+- name: Copy over SSLCertificateChainFile if defined
+  copy: >
+    src={{private}}/httpd/{{SSLCertificateChainFile}}
+    dest=/etc/pki/tls/certs/{{SSLCertificateChainFile}}
+    owner=root
+    group=root
+    mode=0644
+  when: SSLCertificateChainFile is defined
+  notify:
+  - restart httpd
+  tags:
+  - httpd
+  - httpd/certificate
+
+- name: Copy {{name}}.cert
+  copy: >
+    src={{item}}
+    dest=/etc/pki/tls/certs/{{item}}
+    owner=root
+    group=root
+    mode=0644
+  with_first_found:
+  - {{private}}/httpd/{{name}}.cert
+  - {{cert}}
+  notify:
+  - restart httpd
+  tags:
+  - httpd
+  - httpd/certificate
+
+- name: Copy {{name}}.key
+  copy: >
+    src={{item}}
+    dest=/etc/pki/tls/private/{{item}}
+    owner=root
+    group=root
+    mode=0600
+  with_first_found:
+  - {{private}}/httpd/{{name}}.key
+  - {{key}}
+  notify:
+  - restart httpd
+  tags:
+  - httpd
+  - httpd/certificate

roles/httpd/mod_ssl/files/ssl.conf

@@ -0,0 +1 @@
+LoadModule ssl_module modules/mod_ssl.so

roles/httpd/mod_ssl/tasks/main.yml

@@ -0,0 +1,20 @@
+- name: Install mod_ssl
+  yum: name=mod_ssl state=installed
+  notify:
+  - restart httpd
+  tags:
+  - httpd
+  - httpd/mod_ssl
+
+- name: Copy over SSLCertificateChainFile if defined
+  copy: >
+    src=ssl.conf
+    dest=/etc/httpd/ssl.conf
+    owner=root
+    group=root
+    mode=0644
+  notify:
+  - restart httpd
+  tags:
+  - httpd
+  - httpd/certificate