Diffstat (limited to 'roles/letsencrypt')
4 files changed, 0 insertions, 188 deletions
diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
deleted file mode 100644
index fb19d2a..0000000
--- a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-# For certificate issuance (new-cert command), specify the certificate
-# configuration file to use
-#
-#config-certs = config/letsencrypt-certs.conf
-
-[client]
-# The value of "socket" specifies the letsencrypt-accountd(1)
-# UNIX-domain socket to connect to for signature requests from the ACME
-# client. letsencrypt aborts if the socket is readable or writable by
-# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
-# environment variable is set.
-#
-#socket = /run/user/1000/S.letsencrypt
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
-#
-user = letsencrypt
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-group = nogroup
-
-# Path to the ACME client executable.
-#command = /usr/lib/letsencrypt-tiny/client
-
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed ratelimit.
-#
-#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
-
-# Timeout in seconds after which the client stops polling the ACME
-# server and considers the request failed.
-#
-#timeout = 10
-
-# Whether to verify the server certificate chain.
-SSL_verify = yes
-
-# Specify the version of the SSL protocol used to transmit data.
-SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
-
-# Specify the cipher list for the connection.
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-
-[webserver]
-
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
-#
-#listen = 0.0.0.0:80
-#listen = [::]:80
-
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
-#
-challenge-directory = /var/www/acme-challenge
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# Path to the ACME webserver executable.
-#command = /usr/lib/letsencrypt-tiny/webserver
-
-# Whether to automatically install iptables(1) rules to open the
-# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once letsencrypt exits.
-#
-#iptables = Yes
-
-; vim:ft=dosini
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
deleted file mode 100644
index d9eed44..0000000
--- a/roles/letsencrypt/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install LetsEncrypt's ACME client
- apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index c7ef7ef..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: Install dependencies for letsencrypt-tiny
- apt: pkg={{ item }}
- with_items:
- - libjson-perl
- - libjson-xs-perl
- - libconfig-tiny-perl
- - libwww-perl
- - liblwp-protocol-https-perl
- - libnet-ssleay-perl
-
-- name: Copy LetsEncrypt's ACME client
- copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
- dest=/tmp
- notify: Install LetsEncrypt's ACME client
-
-- meta: flush_handlers
-
-- name: Create a user 'letsencrypt'
- user: name=letsencrypt system=yes
- group=nogroup
- createhome=no
- home=/nonexistent
- shell=/usr/sbin/nologin
- password=!
- state=present
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- copy: src=etc/letsencrypt-tiny/letsencrypt.conf
- dest=/etc/letsencrypt-tiny/letsencrypt.conf
- owner=root group=root
- mode=0644
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
- dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
- owner=root group=root
- mode=0644
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
deleted file mode 100644
index ca3415a..0000000
--- a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-hash = sha512
-keyusage = digitalSignature, keyEncipherment
-
-{% if 'IMAP' in group_names %}
-[imap]
-certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
-certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
-subject = /O=Fripost/CN=imap.fripost.org
-subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
-notify = /bin/systemctl restart dovecot
-{% endif %}
-
-{% if 'MSA' in group_names %}
-[smtp]
-certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
-certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
-subject = /O=Fripost/CN=smtp.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'MX' in group_names %}
-[mx]
-certificate-key = /etc/postfix/ssl/mx.fripost.org.key
-certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
-subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'lists' in group_names %}
-[lists]
-certificate-key = /etc/nginx/ssl/lists.fripost.org.key
-certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
-subject = /O=Fripost/CN=lists.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'wiki' in group_names %}
-[www]
-certificate-key = /etc/nginx/ssl/www.fripost.org.key
-certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
-subject = /O=Fripost/CN=fripost.org
-subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'webmail' in group_names %}
-[webmail]
-certificate-key = /etc/nginx/ssl/mail.fripost.org.key
-certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
-subject = /O=Fripost/CN=mail.fripost.org
-subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'git' in group_names %}
-[git]
-certificate-key = /etc/nginx/ssl/git.fripost.org.key
-certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
-subject = /O=Fripost/CN=git.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-; vim:ft=dosini |