SSL certificates refactor

roots · Jul 27, 2022 · db79cc7 · db79cc7
1 parent 8104b1d
commit db79cc7
Show file tree

Hide file tree

Showing 36 changed files with 266 additions and 468 deletions.
diff --git a/dev.yml b/dev.yml
@@ -16,6 +16,7 @@
     - { role: xdebug, tags: [php, xdebug] }
     - { role: memcached, tags: [memcached] }
     - { role: nginx, tags: [nginx] }
+    - { role: ssl_certificates, tags: [ssl_certificates, ssl], when: sites_using_ssl | count }
     - { role: logrotate, tags: [logrotate] }
     - { role: composer, tags: [composer] }
     - { role: wp-cli, tags: [wp-cli] }

diff --git a/group_vars/all/helpers.yml b/group_vars/all/helpers.yml
@@ -10,7 +10,13 @@ wordpress_env_defaults:
   domain_current_site: "{{ site_hosts_canonical | first }}"
   wp_debug_log: "{{ www_root }}/{{ item.key }}/logs/debug.log"
 
+ssl_defaults:
+  acme:
+    challenge:
+      type: http-01
+
 site_env: "{{ wordpress_env_defaults | combine(vault_wordpress_env_defaults | default({}), item.value.env | default({}), vault_wordpress_sites[item.key].env) }}"
+site_ssl: "{{ ssl_defaults | combine(item.value.ssl | default({}) ) }}"
 site_hosts_canonical: "{{ item.value.site_hosts | map(attribute='canonical') | list }}"
 site_hosts_redirects: "{{ item.value.site_hosts | selectattr('redirects', 'defined') | sum(attribute='redirects', start=[]) | list }}"
 site_hosts: "{{ site_hosts_canonical | union(site_hosts_redirects) }}"

diff --git a/group_vars/development/main.yml b/group_vars/development/main.yml
@@ -1,4 +1,4 @@
-acme_tiny_challenges_directory: "{{ www_root }}/letsencrypt"
 env: development
+acme_ca_server: 'https://127.0.0.1:8443/acme/acme/directory'
 mysql_root_password: "{{ vault_mysql_root_password }}" # Define this variable in group_vars/development/vault.yml
 web_user: vagrant
diff --git a/group_vars/development/wordpress_sites.yml b/group_vars/development/wordpress_sites.yml
@@ -14,6 +14,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: self-signed
     cache:
       enabled: false
diff --git a/group_vars/production/wordpress_sites.yml b/group_vars/production/wordpress_sites.yml
@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false
diff --git a/group_vars/staging/wordpress_sites.yml b/group_vars/staging/wordpress_sites.yml
@@ -16,6 +16,5 @@ wordpress_sites:
       enabled: false
     ssl:
       enabled: false
-      provider: letsencrypt
     cache:
       enabled: false
diff --git a/roles/letsencrypt/README.md b/roles/letsencrypt/README.md
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
diff --git a/roles/letsencrypt/library/test_challenges.py b/roles/letsencrypt/library/test_challenges.py
diff --git a/roles/letsencrypt/tasks/certificates.yml b/roles/letsencrypt/tasks/certificates.yml
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
diff --git a/roles/letsencrypt/tasks/setup.yml b/roles/letsencrypt/tasks/setup.yml
diff --git a/roles/letsencrypt/templates/acme-challenge-location.conf.j2 b/roles/letsencrypt/templates/acme-challenge-location.conf.j2
diff --git a/roles/letsencrypt/templates/renew-certs.py b/roles/letsencrypt/templates/renew-certs.py
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
@@ -24,12 +24,6 @@
     - sites-available
     - sites-enabled
 
-- name: Create SSL directory
-  file:
-    mode: '0700'
-    path: "{{ nginx_path }}/ssl"
-    state: directory
-
 - name: Copy h5bp configs
   copy:
     src: templates/h5bp