Diffstat (limited to 'roles/letsencrypt')
-rw-r--r--roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf86
-rw-r--r--roles/letsencrypt/handlers/main.yml2
-rw-r--r--roles/letsencrypt/tasks/main.yml37
-rw-r--r--roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j263
4 files changed, 0 insertions, 188 deletions
diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
deleted file mode 100644
index fb19d2a..0000000
--- a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf
+++ /dev/null
@@ -1,86 +0,0 @@
-# For certificate issuance (new-cert command), specify the certificate
-# configuration file to use
-#
-#config-certs = config/letsencrypt-certs.conf
-
-[client]
-# The value of "socket" specifies the letsencrypt-accountd(1)
-# UNIX-domain socket to connect to for signature requests from the ACME
-# client. letsencrypt aborts if the socket is readable or writable by
-# other users, or if its parent directory is writable by other users.
-# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR
-# environment variable is set.
-#
-#socket = /run/user/1000/S.letsencrypt
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-# Default: "nobody".
-#
-user = letsencrypt
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-group = nogroup
-
-# Path to the ACME client executable.
-#command = /usr/lib/letsencrypt-tiny/client
-
-# Root URI of the ACME server. NOTE: Use the staging server for testing
-# as it has relaxed ratelimit.
-#
-#server = https://acme-v01.api.letsencrypt.org/
-#server = https://acme-staging.api.letsencrypt.org/
-
-# Timeout in seconds after which the client stops polling the ACME
-# server and considers the request failed.
-#
-#timeout = 10
-
-# Whether to verify the server certificate chain.
-SSL_verify = yes
-
-# Specify the version of the SSL protocol used to transmit data.
-SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
-
-# Specify the cipher list for the connection.
-SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
-
-
-[webserver]
-
-# Specify the local address to listen on, in the form ADDRESS[:PORT].
-#
-#listen = 0.0.0.0:80
-#listen = [::]:80
-
-# If a webserver is already running, specify a non-existent directory
-# under which the webserver is configured to serve GET requests for
-# challenge files under "/.well-known/acme-challenge/" (for each virtual
-# hosts requiring authorization) as static files.
-#
-challenge-directory = /var/www/acme-challenge
-
-# username to drop privileges to (setting both effective and real uid).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# groupname to drop privileges to (setting both effective and real gid,
-# and also setting the list of supplementary gids to that single group).
-# Preserve root privileges if the value is empty (not recommended).
-#
-user = www-data
-
-# Path to the ACME webserver executable.
-#command = /usr/lib/letsencrypt-tiny/webserver
-
-# Whether to automatically install iptables(1) rules to open the
-# ADDRESS[:PORT] specified with listen. Theses rules are automatically
-# removed once letsencrypt exits.
-#
-#iptables = Yes
-
-; vim:ft=dosini
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
deleted file mode 100644
index d9eed44..0000000
--- a/roles/letsencrypt/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install LetsEncrypt's ACME client
- apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index c7ef7ef..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
@@ -1,37 +0,0 @@
-- name: Install dependencies for letsencrypt-tiny
- apt: pkg={{ item }}
- with_items:
- - libjson-perl
- - libjson-xs-perl
- - libconfig-tiny-perl
- - libwww-perl
- - liblwp-protocol-https-perl
- - libnet-ssleay-perl
-
-- name: Copy LetsEncrypt's ACME client
- copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
- dest=/tmp
- notify: Install LetsEncrypt's ACME client
-
-- meta: flush_handlers
-
-- name: Create a user 'letsencrypt'
- user: name=letsencrypt system=yes
- group=nogroup
- createhome=no
- home=/nonexistent
- shell=/usr/sbin/nologin
- password=!
- state=present
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- copy: src=etc/letsencrypt-tiny/letsencrypt.conf
- dest=/etc/letsencrypt-tiny/letsencrypt.conf
- owner=root group=root
- mode=0644
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
- dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
- owner=root group=root
- mode=0644
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
deleted file mode 100644
index ca3415a..0000000
--- a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+++ /dev/null
@@ -1,63 +0,0 @@
-hash = sha512
-keyusage = digitalSignature, keyEncipherment
-
-{% if 'IMAP' in group_names %}
-[imap]
-certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
-certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
-subject = /O=Fripost/CN=imap.fripost.org
-subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
-notify = /bin/systemctl restart dovecot
-{% endif %}
-
-{% if 'MSA' in group_names %}
-[smtp]
-certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
-certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
-subject = /O=Fripost/CN=smtp.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'MX' in group_names %}
-[mx]
-certificate-key = /etc/postfix/ssl/mx.fripost.org.key
-certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
-subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
-notify = /bin/systemctl reload postfix
-{% endif %}
-
-{% if 'lists' in group_names %}
-[lists]
-certificate-key = /etc/nginx/ssl/lists.fripost.org.key
-certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
-subject = /O=Fripost/CN=lists.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'wiki' in group_names %}
-[www]
-certificate-key = /etc/nginx/ssl/www.fripost.org.key
-certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
-subject = /O=Fripost/CN=fripost.org
-subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'webmail' in group_names %}
-[webmail]
-certificate-key = /etc/nginx/ssl/mail.fripost.org.key
-certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
-subject = /O=Fripost/CN=mail.fripost.org
-subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-{% if 'git' in group_names %}
-[git]
-certificate-key = /etc/nginx/ssl/git.fripost.org.key
-certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
-subject = /O=Fripost/CN=git.fripost.org
-notify = /bin/systemctl reload nginx
-{% endif %}
-
-; vim:ft=dosini