authorGuilhem Moulin <guilhem@fripost.org>2016-06-15 18:00:57 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-15 18:00:57 +0200
commit97e78349145156ca6565ee5b2af54983a6fdd3a6 (patch)
treeb5eb26c93c323425d8a8a008ef1f7750f61e1ded
parentbf6d69d38578245302525395f5f53ac40f441f0c (diff)
Rename letsencrypt-tiny to lacme.
-rw-r--r--common.yml4
-rw-r--r--roles/common-web/files/etc/nginx/snippets/ssl.conf4
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf (renamed from roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf)26
-rw-r--r--roles/lacme/handlers/main.yml2
-rw-r--r--roles/lacme/tasks/main.yml37
-rw-r--r--roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 (renamed from roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2)0
-rw-r--r--roles/letsencrypt/handlers/main.yml2
-rw-r--r--roles/letsencrypt/tasks/main.yml37
8 files changed, 57 insertions, 55 deletions
diff --git a/common.yml b/common.yml
index 2a062ee..2136c5d 100644
--- a/common.yml
+++ b/common.yml
@@ -1,41 +1,43 @@
---
# XXX: This organization is unfortunate. As of Ansible 1.4, roles are
# applied playbook by playbook and not globally for the whole inventory;
# therefore if two playbooks are given the role 'common', the tasks
# defined in 'common' would be run twice.
# The quickfix to ensure that plays are role-disjoint is to create a
# separate play for each role. Of course the downside is that we loose
# (most of) the advantage of roles...
- name: Common tasks
hosts: all
roles:
- common
- name: Let's Encrypt
hosts: IMAP:MX:MSA:webmail:lists:wiki:git
gather_facts: False
roles:
- - letsencrypt
+ - lacme
tags:
- letsencrypt
+ - lacme
+ - ACME
- name: Common SQL tasks
hosts: MDA:webmail:lists:bacula-dir
gather_facts: False
tags: mysql,sql
roles:
- common-SQL
- name: Common LDAP tasks
hosts: MDA:MSA:LDAP-provider:MX
gather_facts: True
tags: slapd,ldap
roles:
- common-LDAP
- name: Configure the LDAP provider
hosts: LDAP-provider
gather_facts: False
tags: slapd,ldap
roles:
diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf
index 4af4d53..4e2da6e 100644
--- a/roles/common-web/files/etc/nginx/snippets/ssl.conf
+++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf
@@ -1,30 +1,30 @@
# https://wiki.mozilla.org/Security/Server_Side_TLS
# https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate
# certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
-# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
+# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem
ssl on;
ssl_session_timeout 1d;
ssl_session_cache shared:SSL:50m;
ssl_session_tickets off;
# Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
ssl_dhparam /etc/ssl/dhparams.pem;
# intermediate configuration. tweak to your needs.
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
ssl_prefer_server_ciphers on;
# HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains';
# OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them
# https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf
ssl_stapling on;
ssl_stapling_verify on;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
-ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem;
+ssl_trusted_certificate /usr/share/lacme/lets-encrypt-x3-cross-signed.pem;
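Review bot: The file named on the new `ssl_trusted_certificate` line appears, by its name, to hold only the cross-signed Let's Encrypt intermediate, while the comment just above says OCSP responses are verified using the Root CA and intermediate certs; nginx's `ssl_stapling_verify` expects the issuer chain up to and including the root in that file, so either the root that signed the intermediate should be appended to the bundle or the comment narrowed to what the file actually contains. This predates the commit, which only moves the path from the letsencrypt-tiny package directory to `/usr/share/lacme/`. The hand-built chain described in the `cat … | sudo tee` comment at the top now also depends on that lacme-shipped file, so a note that `srvcert.chained.pem` must be rebuilt whenever the package updates the intermediate would help the next operator.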
diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/lacme/files/etc/lacme/lacme.conf
index fb19d2a..2956f1a 100644
--- a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -1,49 +1,49 @@
# For certificate issuance (new-cert command), specify the certificate
# configuration file to use
#
-#config-certs = config/letsencrypt-certs.conf
+#config-certs = config/lacme-certs.conf
[client]
-# The value of "socket" specifies the letsencrypt-accountd(1)
-# UNIX-domain socket to connect to for signature requests from the ACME
-# client. letsencrypt aborts if the socket is readable or writable by
-# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
-# environment variable is set.
+# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
+# socket to connect to for signature requests from the ACME client.
+# lacme(1) aborts if the socket is readable or writable by other users,
+# or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
+# variable is set.
#
-#socket = /run/user/1000/S.letsencrypt
+#socket = /run/user/1000/S.lacme
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
# Default: "nobody".
#
-user = letsencrypt
+user = lacme
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
#
group = nogroup
# Path to the ACME client executable.
-#command = /usr/lib/letsencrypt-tiny/client
+#command = /usr/lib/lacme/client
# Root URI of the ACME server. NOTE: Use the staging server for testing
# as it has relaxed ratelimit.
#
#server = https://acme-v01.api.letsencrypt.org/
#server = https://acme-staging.api.letsencrypt.org/
# Timeout in seconds after which the client stops polling the ACME
# server and considers the request failed.
#
#timeout = 10
# Whether to verify the server certificate chain.
SSL_verify = yes
# Specify the version of the SSL protocol used to transmit data.
SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
# Specify the cipher list for the connection.
SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
@@ -58,29 +58,29 @@ SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
# If a webserver is already running, specify a non-existent directory
# under which the webserver is configured to serve GET requests for
# challenge files under "/.well-known/acme-challenge/" (for each virtual
# hosts requiring authorization) as static files.
#
challenge-directory = /var/www/acme-challenge
# username to drop privileges to (setting both effective and real uid).
# Preserve root privileges if the value is empty (not recommended).
#
user = www-data
# groupname to drop privileges to (setting both effective and real gid,
# and also setting the list of supplementary gids to that single group).
# Preserve root privileges if the value is empty (not recommended).
#
user = www-data
# Path to the ACME webserver executable.
-#command = /usr/lib/letsencrypt-tiny/webserver
+#command = /usr/lib/lacme/webserver
-# Whether to automatically install iptables(1) rules to open the
+# Whether to automatically install iptables(8) rules to open the
# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once letsencrypt exits.
+# removed once lacme(1) exits.
#
#iptables = Yes
; vim:ft=dosini
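Review bot: The key under the "groupname to drop privileges to" comment is `user = www-data` again, a duplicate of the `user` key a few lines above, where `group = www-data` looks intended; with a last-wins INI parser the group setting is silently absent, and the comments describe an empty value as preserving root privileges, so the webserver's gid drop may not happen at all — worth confirming against how lacme treats a missing `group` key. The commit only renames paths in this hunk and carries the duplicate over from the old file. The section header this block belongs to is outside the hunk.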
diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml
new file mode 100644
index 0000000..d97bf2d
--- /dev/null
+++ b/roles/lacme/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Install lacme
+ apt: deb=/tmp/lacme_0.1-1_all.deb
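Review bot: The handler installs `/tmp/lacme_0.1-1_all.deb`, a predictable path in a world-writable directory, and the matching copy task in roles/lacme/tasks/main.yml stages the file there with `dest=/tmp`; between that copy and the handler run any local user can replace or symlink the path, and `apt: deb=` applies no repository signature check to a local file, so whatever sits there is installed as root. Staging under a root-owned directory that other users cannot write to closes that window, e.g. `dest=<root-owned-staging-dir>/lacme_0.1-1_all.deb` in the copy task and `deb=<root-owned-staging-dir>/lacme_0.1-1_all.deb` here, with the copy task also setting `owner=root group=root mode=0644`. The same point applies to the tasks hunk below and is not repeated there.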
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
new file mode 100644
index 0000000..4b95d4c
--- /dev/null
+++ b/roles/lacme/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Install dependencies for lacme
+ apt: pkg={{ item }}
+ with_items:
+ - libjson-perl
+ - libjson-xs-perl
+ - libconfig-tiny-perl
+ - libwww-perl
+ - liblwp-protocol-https-perl
+ - libnet-ssleay-perl
+
+- name: Copy lacme
+ copy: src=deb/lacme_0.1-1_all.deb
+ dest=/tmp
+ notify: Install lacme
+
+- meta: flush_handlers
+
+- name: Create a user 'lacme'
+ user: name=lacme system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Copy lacme/lacme-certs.conf
+ copy: src=etc/lacme/lacme.conf
+ dest=/etc/lacme/lacme.conf
+ owner=root group=root
+ mode=0644
+
+- name: Copy lacme/lacme-certs.conf
+ template: src=etc/lacme/lacme-certs.conf.j2
+ dest=/etc/lacme/lacme-certs.conf
+ owner=root group=root
+ mode=0644
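Review bot: The last two tasks share the name `Copy lacme/lacme-certs.conf` although the first one copies lacme.conf, not lacme-certs.conf; renaming it to `- name: Copy lacme/lacme.conf` lets logs and `--start-at-task` tell them apart. Both tasks write into `/etc/lacme/` and nothing in this role creates that directory, so the play presumably relies on the package having created it — a `file: path=/etc/lacme state=directory owner=root group=root mode=0755` task before the copies would make the role independent of that assumption. The user task's `password=!` locks the account and `shell=/usr/sbin/nologin` prevents interactive login, which is the right shape for a privilege-drop account.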
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
index ca3415a..ca3415a 100644
--- a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
deleted file mode 100644
index d9eed44..0000000
--- a/roles/letsencrypt/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install LetsEncrypt's ACME client
- apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index c7ef7ef..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: Install dependencies for letsencrypt-tiny
- apt: pkg={{ item }}
- with_items:
- - libjson-perl
- - libjson-xs-perl
- - libconfig-tiny-perl
- - libwww-perl
- - liblwp-protocol-https-perl
- - libnet-ssleay-perl
-
-- name: Copy LetsEncrypt's ACME client
- copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
- dest=/tmp
- notify: Install LetsEncrypt's ACME client
-
-- meta: flush_handlers
-
-- name: Create a user 'letsencrypt'
- user: name=letsencrypt system=yes
- group=nogroup
- createhome=no
- home=/nonexistent
- shell=/usr/sbin/nologin
- password=!
- state=present
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- copy: src=etc/letsencrypt-tiny/letsencrypt.conf
- dest=/etc/letsencrypt-tiny/letsencrypt.conf
- owner=root group=root
- mode=0644
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
- dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
- owner=root group=root
- mode=0644