deploy-static.yml

@@ -1,4 +0,0 @@
-- name: static setup
-  hosts: static
-  roles:
-    - static

inventory

@@ -51,6 +51,3 @@ europa  ansible_user=root ansible_connection=ssh
 
 [gitea]
 nijika  ansible_user=root ansible_connection=ssh
-
-[static]
-levi  ansible_user=root ansible_connection=ssh

roles/private/tasks/main.yml

@@ -84,8 +84,11 @@
 - name: reload nginx to activate sites
   service: name=nginx state=restarted
 
-- name: add daily renewal
+- name: add daily letsencrypt cronjob for cert renewal based on hash of domain name to prevent hitting LE rate limits
   cron:
-    name: "letsencrypt_renewal"
+    name: "letsencrypt_renewal_{{ item.stdout }}"
-    special_time: "daily"
+    minute: "0"
-    job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --force-renewal"
+    hour: "5,17"
+    job: "REQUESTS_CA_BUNDLE=/usr/local/share/ca-certificates/{{ step_bootstrap_ca_url }}.crt letsencrypt renew --server https://{{ step_bootstrap_ca_url }}:{{ step_ca_port }}/acme/ACME/directory --cert-name {{ item.stdout }} -n --webroot -w /var/www/letsencrypt --agree-tos --email {{ step_acme_cert_contact }} && service nginx reload"
+  loop: "{{ extracted_domains.results }}"
+  when: item.stdout != ""

roles/static/tasks/main.yml

@@ -1,8 +0,0 @@
----
-
-- name: clone static repo
-  git:
-    repo: https://git.simponic.xyz/simponic/static.simponic.xyz.git
-    dest: /var/www/html/static.simponic.xyz
-    clone: yes
-    update: yes

roles/webservers/files/levi/http.static.simponic.xyz.conf

@@ -1,13 +0,0 @@
-server {
-  listen 80;
-  server_name static.simponic.xyz;
-
-  location /.well-known/acme-challenge {
-    root /var/www/letsencrypt;
-    try_files $uri $uri/ =404;
-  }
-
-  location / {
-    rewrite ^ https://static.simponic.xyz$request_uri? permanent;
-  }
-}

roles/webservers/files/levi/https.static.simponic.xyz.conf

@@ -1,25 +0,0 @@
-server {
-  listen 443 ssl;
-  server_name static.simponic.xyz;
-
-  ssl_certificate         /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
-  ssl_certificate_key     /etc/letsencrypt/live/static.simponic.xyz/privkey.pem;
-  ssl_trusted_certificate /etc/letsencrypt/live/static.simponic.xyz/fullchain.pem;
-
-  ssl_session_cache shared:SSL:50m;
-  ssl_session_timeout 5m;
-  ssl_stapling on;
-  ssl_stapling_verify on;
-
-  ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
-  ssl_ciphers "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4";
-
-  ssl_dhparam /etc/nginx/dhparams.pem;
-  ssl_prefer_server_ciphers on;
-
-  root /var/www/html/static.simponic.xyz;
-
-  location / {
-    try_files $uri $uri/ $uri.html =404;
-  }
-}