[mailman] Use pepcransification of certbot

Signed-off-by: Yohann D'ANELLO <ynerant@crans.org>
2021-02-03 21:31:00 +01:00 · 2021-02-03 21:31:00 +01:00 · 4b76b1a7bf
parent ad4f625992
commit 4b76b1a7bf
5 changed files with 13 additions and 18 deletions
--- a/host_vars/mailman.adm.crans.org.yml
+++ b/host_vars/mailman.adm.crans.org.yml
@ -2,3 +2,6 @@
 interfaces:
  adm: eth0
  srv: eth1
+
+loc_certbot:
+  domains: "*.crans.org"
--- a/3
+++ b/3
@ -92,6 +92,9 @@ linx.adm.crans.org
 [mailman]
 redisdead.adm.crans.org

+[mailman]
+mailman.adm.crans.org
+
 [monitoring]
 monitoring.adm.crans.org

--- a/plays/mailman.yml
+++ b/plays/mailman.yml
@ -21,8 +21,9 @@
    - nginx

 # Deploy Mailman3
- hosts: mailman.adm.crans.org
+- hosts: mailman
  vars:
+    certbot: '{{ glob_certbot | default({}) | combine(loc_certbot | default({})) }}'
    mailman3:
      site_owner: root@crans.org
      database_user: "mailman3"
@ -36,5 +37,6 @@
      web_database_pass: "{{ vault_mailman3_web_database_pass }}"
      web_domain: "mailman.crans.org"
  roles:
+    - certbot
    - mailman3
    - postfix-mailman3
--- a/roles/mailman3/tasks/main.yml
+++ b/roles/mailman3/tasks/main.yml
@ -11,8 +11,6 @@
      - postgresql
      - python3-pip  # CAS
      - python3-lxml  # CAS
-      - certbot  # cert
-      - python3-certbot-nginx
    install_recommends: false
  register: apt_result
  retries: 3
@ -68,19 +66,8 @@
    state: link
  notify: Restart nginx

- name: Create /etc/letsencrypt/conf.d
-  file:
-    path: /etc/letsencrypt/conf.d
-    state: directory
-
- name: Add Certbot configuration
-  template:
-    src: "letsencrypt/conf.d/mailman.ini.j2"
-    dest: "/etc/letsencrypt/conf.d/mailman.ini"
-    mode: 0644
-
 - name: Indicate role in motd
  template:
    src: update-motd.d/05-service.j2
-    dest: /etc/update-motd.d/05-mailman3
+    dest: /etc/update-motd.d/04-mailman3
    mode: 0755
--- a/roles/mailman3/templates/nginx/sites-available/mailman3.j2
+++ b/roles/mailman3/templates/nginx/sites-available/mailman3.j2
@ -42,8 +42,8 @@ server {
    server_tokens off;

    # SSL common conf
-    ssl_certificate /etc/letsencrypt/live/mailman.crans.org/fullchain.pem;
-    ssl_certificate_key /etc/letsencrypt/live/mailman.crans.org/privkey.pem;
+    ssl_certificate /etc/letsencrypt/live/crans.org/fullchain.pem;
+    ssl_certificate_key /etc/letsencrypt/live/crans.org/privkey.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:MozSSL:10m;
    ssl_session_tickets off;
@ -55,7 +55,7 @@ server {
    # Enable OCSP Stapling, point to certificate chain
    ssl_stapling on;
    ssl_stapling_verify on;
-    ssl_trusted_certificate /etc/letsencrypt/live/mailman.crans.org/chain.pem;
+    ssl_trusted_certificate /etc/letsencrypt/live/crans.org/chain.pem;

    location / {
        uwsgi_pass mailman3;