Diffstat (limited to 'ansible/http.liw.fi.yml')
-rw-r--r-- | ansible/http.liw.fi.yml | 194 |
1 files changed, 74 insertions, 120 deletions
diff --git a/ansible/http.liw.fi.yml b/ansible/http.liw.fi.yml
index ed409ff..9372c4c 100644
--- a/ansible/http.liw.fi.yml
+++ b/ansible/http.liw.fi.yml
@@ -1,10 +1,11 @@
-- hosts: static +- hosts: http.liw.fi remote_user: root roles: - role: sane_debian_system - role: sshd - role: unix_users - role: apache_server + tags: [httpd] - role: comfortable-debian-system - role: self-updating-system vars:
@@ -22,11 +23,6 @@
- username: root authorized_keys: | {{ liw_personal_ssh_pub }} - - username: ickliwfi - comment: Ick website - authorized_keys: | - {{ liw_personal_ssh_pub }} - {{ ci_worker_ssh_pub }} letsencrypt: yes letsencrypt_email: liw@liw.fi
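Review bot: Removing `ickliwfi` from the `unix_users` list (second hunk) stops managing the account, but whether the account and its `authorized_keys` entries — including `ci_worker_ssh_pub` — are actually deleted on the host depends on the unix_users role, which is outside this file; if the role only creates listed users and never prunes, the CI worker key remains a valid SSH login after this play. Confirm on the host after the run (`getent passwd ickliwfi` should return nothing) or add an explicit removal step if the role does not handle absent users. Since the first hunk also narrows `hosts:` from the `static` group to `http.liw.fi`, any other host that used to match `static` presumably keeps the account untouched — worth checking there too.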
@@ -41,215 +37,179 @@ owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: ideas.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: files.liw.fi owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: code.liw.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: vmdb2.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: vmdb2-images.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: vmdb2-manual.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cer1 + letsencrypt_cert: certa - domain: journal.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa htpasswd: "{{ lookup('pipe', 'pass journal.liw.fi.htpasswd') }}" htpasswd_name: "Private site by Lars. Go away." 
- domain: noir.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: manifesto.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: doc.obnam.org - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: seinfeld.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa - domain: www.subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa redirect: subplot.tech - domain: doc.subplot.tech - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert12 + letsencrypt_cert: certa - domain: subplot.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa redirect: subplot.tech - domain: doc.subplot.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert11 + letsencrypt_cert: certa redirect: doc.subplot.tech - - domain: yuck.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - domain: 256.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: gtdfh.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert1 + letsencrypt_cert: certa - domain: blog.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert1 - - - domain: summain.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert4 + letsencrypt_cert: 
certa - domain: vmadm.liw.fi - owner: ickliwfi - ownermail: liw@liw.fi - letsencrypt: yes - letsencrypt_cert: cert6 - - - domain: clab.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert9 + letsencrypt_cert: certa - domain: doc.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert10 + letsencrypt_cert: certa - domain: sshca.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert11 + letsencrypt_cert: certa - domain: www.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert13 + letsencrypt_cert: certa redirect: liw.fi - domain: riki.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert14 + letsencrypt_cert: certa - domain: v-i.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert15 + letsencrypt_cert: certa - domain: puomi.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert15 + letsencrypt_cert: certa - domain: ewww.liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert16 + letsencrypt_cert: certa - # Sites that need to be changed in DNS (A record) before Let's - # Encrypt certificates can be created. Comment these out until - # DNS has been changed. + - domain: ambient.liw.fi + owner: liw + ownermail: liw@liw.fi + letsencrypt: yes + letsencrypt_cert: certa - - domain: ick.liw.fi - owner: ickliwfi + - domain: openpgpkey.liw.fi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert3 + letsencrypt_cert: certa + + - domain: liw.iki.fi + owner: liw + ownermail: liw@liw.fi + letsencrypt: yes + letsencrypt_cert: certa + + # Sites that need to be changed in DNS (A record) before Let's + # Encrypt certificates can be created. Comment these out until + # DNS has been changed. 
- domain: obnam.org - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert2 + letsencrypt_cert: certa - domain: liw.fi - owner: ickliwfi + owner: liw ownermail: liw@liw.fi letsencrypt: yes - letsencrypt_cert: cert2 + letsencrypt_cert: certa # Sites without HTTPS.
@@ -274,17 +234,11 @@
ownermail: webmaster@docstory.fi letsencrypt: no - - domain: liw.iki.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: no - - - domain: demo-journal.liw.fi - owner: liw - ownermail: liw@liw.fi - letsencrypt: no - + # We must define the sshd variables here. The defaults from the + # "all" group assume sshca knows the host by the + # sane_debian_system_hostname name, which isn't true for this + # host. sshd_version: 1 sshd_host_key: "{{ lookup('pipe', 'sshca host private-key http.liw.fi') }}" - sshd_host_cert: "{{ lookup('pipe', 'sshca host certify liw.fi/ca/host/v4 http.liw.fi') }}" - sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v3') }}" + sshd_host_cert: "{{ lookup('pipe', 'sshca host certify --ca liw.fi/ca/host/v5 http.liw.fi') }}" + sshd_user_ca_pub: "{{ lookup('pipe', 'sshca ca public-key liw.fi/ca/user/v5') }}" |
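Review bot: Every site's `owner` is switched from `ickliwfi` to `liw` throughout the third hunk, including `journal.liw.fi`, whose content is gated by `htpasswd` ("Private site by Lars. Go away."), so the private site and all public sites now share one filesystem owner and a problem in any one site's publishing path can reach the private one, where the separate `ickliwfi` owner previously kept them apart. If that separation was intentional, keep a distinct owner for the htpasswd-protected site; if not, a comment above the list such as `# All sites are owned by liw; journal.liw.fi relies on htpasswd alone, not on a separate unix owner.` records the decision. Collapsing `cert1`/`cert12`/`cert11`/`cer1` and the rest into `certa` also removes the inconsistent names (`cer1` looks like a typo), but one certificate for all of these domains means a single failed renewal takes every site's TLS down at once and one SAN list discloses every hostname together; a short comment beside the first `letsencrypt_cert: certa` noting that trade-off would help the next reader.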
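Review bot: The two new `sshd_host_cert` and `sshd_user_ca_pub` lines move this host from `liw.fi/ca/host/v4` and `liw.fi/ca/user/v3` to the `v5` CAs, but `sshd_version: 1` directly above is left as is; if that value is what the sshd role uses to decide that key material must be redeployed, it should be bumped with the CA change, e.g. `sshd_version: 2` — I cannot see the role from here, so confirm. The new comment explains why the sshd variables are redefined for this host but not which CA generation they bind to; appending `# Bound to the v5 host and user CAs; update when the CA is rotated.` keeps the two facts together. Both values come from `pipe` lookups that run on the controller at every play, so they are only as current as the sshca state there.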