authorGuilhem Moulin <guilhem@fripost.org>2015-12-28 14:40:05 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-12-28 14:40:28 +0100
commitfd412b529a59e1f3981eb18d54b7472e1cca2a20 (patch)
tree7459181e2d252b384464cbcaa783f468eb5bd6f4
parentf827376dd778e4b96f1c8a9b3db12faa516ebed5 (diff)
Only install letsencrypt-tiny on the relevant hosts.
-rw-r--r--common.yml6
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml26
3 files changed, 5 insertions, 30 deletions
diff --git a/common.yml b/common.yml
index d689e04..cdf4372 100644
--- a/common.yml
+++ b/common.yml
@@ -1,43 +1,47 @@
---
# XXX: This organization is unfortunate. As of Ansible 1.4, roles are
# applied playbook by playbook and not globally for the whole inventory;
# therefore if two playbooks are given the role 'common', the tasks
# defined in 'common' would be run twice.
# The quickfix to ensure that plays are role-disjoint is to create a
# separate play for each role. Of course the downside is that we loose
# (most of) the advantage of roles...
- name: Common tasks
hosts: all
roles:
- common
- name: Base system
hosts: IMAP:MX:MSA:webmail:lists:wiki:git
gather_facts: False
tasks:
+ - name: Install dependencies for letsencrypt-tiny
+ apt: pkg={{ item }}
+ with_items:
+ - liblwp-protocol-https-perl
+ - socat
- name: Copy LetsEncrypt's ACME client
copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
dest=/tmp
notify: Install LetsEncrypt's ACME client
- - genkey
- name: Create a user 'letsencrypt'
user: name=letsencrypt system=yes
group=nogroup
createhome=no
home=/nonexistent
shell=/usr/sbin/nologin
password=!
state=present
handlers:
- name: Install LetsEncrypt's ACME client
apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
tags:
- letsencrypt
- name: Common SQL tasks
hosts: MDA:webmail:lists:bacula-dir
gather_facts: False
tags: mysql,sql
roles:
- common-SQL
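Review bot: The new dependency task feeds a package install that is still staged through a world-writable directory: the task right after it copies letsencrypt-tiny_0.1-1_all.deb to `/tmp`, and the handler `apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb` only runs at the end of the play, so any local user on these hosts has a window to replace the file before root installs it. Stage the package in a root-owned location with explicit ownership and mode, e.g. `copy: src=deb/letsencrypt-tiny_0.1-1_all.deb dest=/root/letsencrypt-tiny_0.1-1_all.deb owner=root group=root mode=0600` with the handler changed to `apt: deb=/root/letsencrypt-tiny_0.1-1_all.deb` (the /root path is only an example), or have the handler check the file's checksum before installing. Separately from the commit title, the hunk in roles/common/tasks/main.yml removes the CAcert root-CA install tasks and the `Update certificate` handler without any task that removes the already-deployed certificates, so hosts provisioned earlier appear to keep trusting those roots; if that is intended it deserves a sentence in the commit message.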
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index a852c4d..47e3db8 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -27,28 +27,25 @@
service: name=networking pattern=init state=reloaded
- name: Restart rsyslog
service: name=rsyslog state=restarted
- name: Restart ntp
service: name=ntp state=restarted
- name: Restart Postfix
service: name=postfix state=restarted
- name: Reload Postfix
service: name=postfix state=reloaded
- name: Restart stunnel
service: name=stunnel4 pattern=/usr/bin/stunnel4 state=restarted
- name: Restart bacula-fd
service: name=bacula-fd state=restarted
-- name: Update certificate
- command: update-ca-certificates
-
- name: Restart munin-node
service: name=munin-node state=restarted
- name: Restart freshclam
service: name=clamav-freshclam state=restarted
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 955493a..3b95c92 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -28,46 +28,20 @@
command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem
tags: genkey
- include: logging.yml tags=logging
- include: ntp.yml tags=ntp
- include: mail.yml tags=mail,postfix
- include: bacula.yml tags=bacula-fd,bacula
- include: munin-node.yml tags=munin-node,munin
- name: Install common packages
apt: pkg={{ item }}
with_items:
- ca-certificates
- etckeeper
- ethtool
- git
- htop
- molly-guard
- rsync
- screen
- telnet-ssl
- # for letencrypt
- - liblwp-protocol-https-perl
- - socat
-
-# XXX: this is a workaround the CAcert root CAs not being present in
-# Jessie. In stretch, we would merely install the 'ca-cacert' package.
-- name: Create directory /usr/local/share/ca-certificates/CAcert
- file: path=/usr/local/share/ca-certificates/CAcert
- state=directory
- owner=root group=root
- mode=0755
- tags:
- - certs
-
-- name: Copy CAcert root CAs
- copy: src=certs/CAcert/{{ item }}
- dest=/usr/local/share/ca-certificates/CAcert/{{ item }}
- owner=root group=root
- mode=0644
- with_items:
- - root.crt
- - class3.crt
- tags:
- - certs
- notify:
- - Update certificate