Use the Let's Encrypt CA for our public certs.

3 files changed, 19 insertions, 32 deletions

diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 3e32158..2519286 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -5,10 +5,14 @@ server {
     server_name     fripost.org;
     server_name www.fripost.org;
 
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log info;
+    include snippets/acme-challenge.conf;
 
-    return 301 https://fripost.org$request_uri;
+    access_log /var/log/nginx/www.access.log;
+    error_log  /var/log/nginx/www.error.log info;
+
+    location / {
+        return 301 https://$host$request_uri;
+    }
 }
 
 
@@ -16,14 +20,15 @@ server {
     listen      443;
     listen [::]:443;
 
-    server_name fripost.org;
+    server_name     fripost.org;
+    server_name www.fripost.org;
 
     include snippets/ssl.conf;
     ssl_certificate     /etc/nginx/ssl/www.fripost.org.chained.pem;
     ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
 
-    access_log /var/log/nginx/access.log;
-    error_log  /var/log/nginx/error.log info;
+    access_log /var/log/nginx/www.access.log;
+    error_log  /var/log/nginx/www.error.log info;
 
     location / {
         try_files $uri $uri/ =404;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 3777b87..2855e07 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -4,18 +4,14 @@ server {
 
     server_name wiki.fripost.org;
 
+    include snippets/acme-challenge.conf;
+
     access_log /var/log/nginx/wiki.access.log;
     error_log  /var/log/nginx/wiki.error.log info;
 
     location / {
         location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
-        try_files $uri $uri/ =404;
-        index index.html;
-        root /var/lib/ikiwiki/public_html/fripost-wiki;
-    }
-
-    location = /ikiwiki.cgi {
-        return 302 https://$host$request_uri;
+        return 301 https://$host$request_uri;
     }
 }
 
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 22a5831..763f99a 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -65,26 +65,12 @@
 
 - meta: flush_handlers
 
-- name: Generate a private key and a X.509 certificate for Nginx
-  command: genkeypair.sh x509
-                         --pubkey=/etc/nginx/ssl/fripost.org.pem
-                         --privkey=/etc/nginx/ssl/fripost.org.key
-                         --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org
-                         -t rsa -b 4096 -h sha512
-  register: r1
-  changed_when: r1.rc == 0
-  failed_when: r1.rc > 1
-  notify:
-    - Restart Nginx
-  tags:
-    - genkey
-
 - name: Copy /etc/nginx/sites-available/{wiki,website}
   copy: src=etc/nginx/sites-available/{{ item }}
         dest=/etc/nginx/sites-available/{{ item }}
         owner=root group=root
         mode=0644
-  register: r2
+  register: r1
   with_items:
     - website
     - wiki
@@ -96,7 +82,7 @@
         dest=/etc/nginx/sites-enabled/{{ item }}
         owner=root group=root
         state=link force=yes
-  register: r3
+  register: r2
   with_items:
     - website
     - wiki
@@ -105,15 +91,15 @@
 
 - name: Start Nginx
   service: name=nginx state=started
-  when: not (r1.changed or r2.changed or r3.changed)
+  when: not (r1.changed or r2.changed)
 
 - meta: flush_handlers
 
 - name: Fetch Nginx's X.509 certificate
   # Ensure we don't fetch private data
   sudo: False
-  fetch: src=/etc/nginx/ssl/fripost.org.pem
-         dest=certs/public/
+  fetch: src=/etc/nginx/ssl/www.fripost.org.pem
+         dest=certs/public/fripost.org.pem
          fail_on_missing=yes
          flat=yes
   tags: