On Aug 25, Damiano Venturin wrote:
so in fact to make it work I added to owncloud-nginx.yml
  - role: pki
    tags: ["role::pki", "skip::pki"]
    pki_dependent_realms: "{{ owncloud__pki_dependent_realms }}"
    when: (owncloud__pki_dependent_realms|length>0)
and then I added this in the owncloud.yml variables
owncloud__pki_dependent_realms:
  - name: "cloud.example.com"
    enabled: True
    acme: True
    #acme_ca: "le-staging-v2"  # for testing
    acme_ca: "le-live-v2"  # for production
    acme_default_subdomains: []
    acme_subdomains: []
but now that you've explained I see how this is unnecessary.
Perhaps all I should do is add this to the nginx.yml variables file
nginx__pki_dependent_realms:
  - name: "cloud.example.com"
    enabled: True
    acme: True
    #acme_ca: "le-staging-v2"  # for testing
    acme_ca: "le-live-v2"  # for production
    acme_default_subdomains: []
    acme_subdomains: []
and this should do the trick, right?
If you write custom playbooks that use these roles, then sure, that could be
a solution. In DebOps however, the 'pki' role is part of the 'common.yml'
playbook executed on all hosts. The role is designed in such a way that it's
not needed to include it in other playbooks - roles that want to use the PKI
infrastructure can do so just by getting information from the
'ansible_local.pki.*' local facts.
The initialization of ACME certificates is a bit of an involved process, because for
the 'pki' role to correctly get Let's Encrypt certs, it requires a working
webserver. So the usual procedure is:
- run the common playbook that includes 'pki'
- run the nginx role
- run the 'service/pki' playbook that re-runs the 'pki' role, which detects the
  configured 'nginx' server and requests ACME certs where appropriate.
The 'pki' role configures the 'pki-realm' script to renew the certificates
periodically, so you don't need to do that yourself.
-- Maciej