> If you write custom playbooks that use these roles, then sure, that
> could be a solution. In DebOps however, the 'pki' role is part of the
> 'common.yml' playbook executed on all hosts. The role is designed in such
> a way that it's not needed to include it in other playbooks - roles that
> want to use the PKI infrastructure can do so just by getting information
> from the 'ansible_local.pki.*' local facts.

I do use custom playbooks but I'm striving to keep them at a minimum.
Ideally I'd keep none. I see no point in keeping a custom role for
something that can work out of the box.

> The initialization of ACME certificates is a bit of an involved process,

Yes. The PKI role is rather tough. I already went through the docs
several times and I remember reading the role itself a few times but it
still is opaque to me and I always make some mistakes. Perhaps I need to
spend more time on it and go deeper.

> because for the 'pki' role to correctly get Let's Encrypt certs, it
> requires a working webserver. So the usual procedure is:
> - run the common playbook that includes 'pki'
> - run the nginx role
> - run the 'service/pki' playbook that re-runs the 'pki' role, which detects
>   the configured 'nginx' server and requests ACME certs where appropriate.

I'm on it. I'll let you know how it goes.

> The 'pki' role configures the 'pki-realm' script to renew the
> certificates periodically, so you don't need to do that yourself.

I see you have developed clairvoyance: you already answered my next
question :-)

>
> -- Maciej