removed certificate deployment due to security considerations.

93142a1c · Gallenkamp, Fabian · 8cd463d9 · 93142a1c · 93142a1c · 93142a1c
Commit 93142a1c authored Jul 30, 2019 by Gallenkamp, Fabian
--- a/.gitignore
+++ b/.gitignore
 hosts
 templates/nginx_unmodified_confs/
 group_vars/otree_servers.yml
-ssl/
 files/
 *.retry
+*.swp
--- a/configure_nginx.yml
+++ b/configure_nginx.yml
@@ -63,20 +63,21 @@
        mode: "0644"
      notify: restart nginx
    # TLS certificates
-    - name: copy over certificate key files
-      copy:
-        src: "{{ item.src }}"
-        dest: "{{ item.dest }}"
-        group: root
-        mode: "{{ item.mode }}"
-      no_log: yes
-      with_items:
-        - src: "ssl/certs/localhost.crt"
-          dest: "/etc/ssl/certs/localhost.crt"
-          mode: "0644"
-        - src: "ssl/private/localhost.key"
-          dest: "/etc/ssl/certs/localhost.key"
-          mode: "0600"
+    # Unfourtunately not scriptable due to security considerations
+    #- name: copy over certificate key files
+    #  copy:
+    #    src: "{{ item.src }}"
+    #    dest: "{{ item.dest }}"
+    #    group: root
+    #    mode: "{{ item.mode }}"
+    #  no_log: yes
+    #  with_items:
+    #    - src: "ssl/certs/localhost.crt"
+    #      dest: "/etc/ssl/certs/localhost.crt"
+    #      mode: "0644"
+    #    - src: "ssl/private/localhost.key"
+    #      dest: "/etc/ssl/private/localhost.key"
+    #      mode: "0600"

  handlers:
    - name: restart nginx

--- a/group_vars/otree_servers.yml.example
+++ b/group_vars/otree_servers.yml.example
@@ -24,7 +24,7 @@ otree_users:
    pre_release: no
    # should the pre release version of otree be installed
    redis: "redis://localhost:6379/1"
-    # redis queue. Note don't use a slot twice, there are 16 slots available 
+    # redis queue. Note don't use a slot twice, there are 16 slots available (0-15)
    database: "sqlite:////home/otree1/db.sqlite3"
    # which database should be used. Examples: "postgres://USER:PASSWORD@HOST:PORT/NAME" or "sqlite:////home/user/db.sqlite3"
    admin_pw: "mysecretpw1"
@@ -32,7 +32,7 @@ otree_users:
    auth_level: "STUDY"
    # auth level, possible values: "STUDY", "DEMO"
    secret_key: "safaho9awefzuwf"
-    # django secret key, use differet in different instances
+    # django secret key, use different one in different instances
    production: "1"
    # LOG-LEVEL, set to None ("production: ") to enable further debug messages.
    port: 8005
@@ -50,3 +50,6 @@ otree_users:
    production:
    port: 8006

+ssl_certificate_path: "/etc/ssl/certs/{{ otree_domain }}.crt"
+ssl_certificate_key_path: "/etc/ssl/private/{{ otree_domain }}.key"
+
--- a/templates/nginx_site.conf.j2
+++ b/templates/nginx_site.conf.j2
@@ -18,8 +18,8 @@ server {

 	server_name {% if item.key == otree_master %}{{ otree_domain }} *.{{otree_domain}}{% else %}{{ item.key }}.{{otree_domain}}{% endif %};

-	ssl_certificate /etc/ssl/certs/localhost.crt;
-	ssl_certificate_key /etc/ssl/private/localhost.key;
+	ssl_certificate {{ ssl_certificate_path }};
+	ssl_certificate_key {{ ssl_certificate_key_path }};

 	location / {
 		access_log off;