From 378604abd66c0338daaf548861cb90ad3a077f01 Mon Sep 17 00:00:00 2001
From: Miroslav Suchý
Date: Apr 24 2020 19:34:27 +0000
Subject: retrace: use letsencrypt for retrace-stg
---
diff --git a/inventory/host_vars/retrace-stg.aws.fedoraproject.org b/inventory/host_vars/retrace-stg.aws.fedoraproject.org
index 974e365..7f6f471 100644
--- a/inventory/host_vars/retrace-stg.aws.fedoraproject.org
+++ b/inventory/host_vars/retrace-stg.aws.fedoraproject.org
@@ -7,6 +7,7 @@ ansible_ifcfg_blacklist: True
 public_ip: 3.228.218.234
 datacenter: aws
+public_hostname: retrace.stg.fedoraproject.org
 faf_server_name: retrace.stg.fedoraproject.org/faf
 rs_use_faf_packages: true
diff --git a/roles/abrt/faf-pre/files/retrace_ssl.conf.j2 b/roles/abrt/faf-pre/files/retrace_ssl.conf.j2
new file mode 100644
index 0000000..502db4f
--- /dev/null
+++ b/roles/abrt/faf-pre/files/retrace_ssl.conf.j2
@@ -0,0 +1,27 @@
+
+ SSLEngine on
+ SSLProtocol {{ ssl_protocols }}
+ # Use secure TLSv1.1 and TLSv1.2 ciphers
+ SSLCipherSuite {{ ssl_ciphers }}
+ SSLHonorCipherOrder on
+ Header always add Strict-Transport-Security "max-age=31536000; preload"
+
+ {% if not devel %}
+ # NA
+ {% else %}
+ SSLCertificateFile /etc/letsencrypt/live/{{ public_hostname }}/cert.pem
+ SSLCertificateKeyFile /etc/letsencrypt/live/{{ public_hostname }}/privkey.pem
+ SSLCertificateChainFile /etc/letsencrypt/live/{{ public_hostname }}/fullchain.pem
+ {% endif %}
+
+ ServerName {{ public_hostname }}
+
+ WSGIPassAuthorization On
+ WSGIPythonOptimize 1
+ WSGISocketPrefix /srv/faf/wsgi
+ WSGIDaemonProcess faf user=faf group=faf processes=3 threads=5
+ WSGIScriptAlias /faf /usr/lib/python3.6/site-packages/webfaf/hub.wsgi process-group=faf application-group=%{GLOBAL}
+
+ WSGIProcessGroup 127.0.0.1
+
+
diff --git a/roles/abrt/faf-pre/tasks/main.yml b/roles/abrt/faf-pre/tasks/main.yml
index 55e7efe..71ff48b 100644
--- a/roles/abrt/faf-pre/tasks/main.yml
+++ b/roles/abrt/faf-pre/tasks/main.yml
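Review bot: The `{% if not devel %}` branch of the new vhost renders `SSLEngine on` with no `SSLCertificateFile`/`SSLCertificateKeyFile` at all, so a non-devel render is a TLS vhost httpd has no certificate for; since the ssl.yml task that renders this template is itself gated on `devel|bool`, that branch is dead code and should either be removed or filled with the production certificate paths instead of `# NA`. `Header always add Strict-Transport-Security "max-age=31536000; preload"` is better written with `set` than `add` so a second HSTS header from another config cannot be emitted alongside it, and `preload` does nothing without `includeSubDomains` and is not something a staging host should advertise — `Header always set Strict-Transport-Security "max-age=31536000"` is enough here. `WSGIProcessGroup 127.0.0.1` names a daemon group that this file never defines (the only `WSGIDaemonProcess` is `faf`); because `WSGIScriptAlias` already pins `process-group=faf` this looks like a stale copy and should read `WSGIProcessGroup faf` or be dropped. `SSLCertificateChainFile` is deprecated in httpd 2.4.8+; with Let's Encrypt the documented form is `SSLCertificateFile /etc/letsencrypt/live/{{ public_hostname }}/fullchain.pem` plus the key file and no chain directive. The first and last added lines are empty, which looks like the enclosing `<VirtualHost>` open/close tags were lost when the page was rendered — assuming they are present in the real file.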
@@ -69,3 +69,5 @@
 regexp: 'MORE_SATYR ='
 line: ' MORE_SATYR = "https://github.com/abrt/satyr/"'
 notify: restart httpd
+
+-import_tasks: ssl.yml
diff --git a/roles/abrt/faf-pre/tasks/ssl.yml b/roles/abrt/faf-pre/tasks/ssl.yml
new file mode 100644
index 0000000..d4eca1d
--- /dev/null
+++ b/roles/abrt/faf-pre/tasks/ssl.yml
@@ -0,0 +1,12 @@
+---
+- name: install letsencrypt ssl certificates for dev
+ include_role: name=copr/certbot
+ when: devel|bool
+ tags:
+ - config
+
+- name: install copr-frontend ssl vhost
+ template: src="httpd/retrace_ssl.conf.j2" dest="/etc/httpd/conf.d/retrace_ssl.conf"
+ when: devel|bool
+ tags:
+ - config
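Review bot: The added line reads `-import_tasks: ssl.yml` with no space after the dash; as shown it is a plain scalar at column 0 rather than a sequence item, which the YAML parser rejects inside the task list, so the role would fail to load and the new ssl.yml would never run — it should be `- import_tasks: ssl.yml`. Every other indented line on this page keeps one space after its marker, so this does not look like a rendering artefact, but confirm against the real file. The `lineinfile` task the context lines belong to starts outside the hunk.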
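Review bot: `template: src="httpd/retrace_ssl.conf.j2"` does not match where this commit puts the template — it is added as `roles/abrt/faf-pre/files/retrace_ssl.conf.j2`, while the `template` module resolves `src` against the role's `templates/` directory and there is no `httpd/` prefix there — so on first run the task fails with a file-not-found (unless a `templates/httpd/retrace_ssl.conf.j2` already exists in the role, which is not visible here); move the file to `roles/abrt/faf-pre/templates/` and use `src: retrace_ssl.conf.j2`. The vhost task has no `notify: restart httpd`, so a changed retrace_ssl.conf is not picked up until something else restarts httpd — the preceding task in main.yml shows the handler name, so add `notify: restart httpd` here too. The task name `install copr-frontend ssl vhost` is copied from the copr role and should say what it installs, e.g. `install retrace ssl vhost`. Both `include_role: name=copr/certbot` and the `template: src=… dest=…` line use the key=value shorthand; the rest of this repository's tasks on this page use block YAML (`template:` with `src:`/`dest:` on their own lines), which is also the Ansible-recommended form.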