Change deployment configurations #37
deploy/app/deploy-nginx.yml
Outdated
- name: Copy ssl certificate to /etc/nginx/ssl | ||
copy: src=ssl-keys/{{item.src}} dest={{item.dest}} owner=root mode=744 | ||
with_items: | ||
- {src: 'app.crt', dest: '{{ssl_cert_path}}'} |
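Review bot: mode=744 on the copy task sets the owner-execute bit on a certificate file, which it does not need; 0644 is enough for app.crt. Only the app.crt item is visible in this hunk, but if the with_items list also copies a private key, that item needs a tighter mode such as 0600, so a per-item mode would be safer than one value shared by the whole loop.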
We copy `app.crt`, but in the nginx config below we use:
- another path (it includes the domain of a specific app)
- another name
Did you test it? I like the idea of autogenerating a Let's Encrypt certificate (we do it on one of our new products, ask @KuhArt for more details). Also, aside from this: Let's Encrypt now supports wildcard certificates, so it is not necessary to generate one certificate per domain, we can generate a wildcard.
For Let's Encrypt we might need to set up a separate repo, which will have:
- a guide on how to create a certificate
- some kind of Ansible automation to regenerate the certificate on the server as it expires
I remember @gavruk wrote an article about this on our internal blog.
@@ -1,2 +1,2 @@ | |||
#!/bin/sh | |||
ansible-playbook ./deploy-app.yml -i ./hosts/staging -u root --extra-vars "env=staging" "$@" | |||
ansible-playbook ./deploy-app.yml -i ./hosts/staging --extra-vars "env=staging" "$@" |
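Review bot: with -u root dropped from the ansible-playbook line, nothing in this script sets the remote user any more, so it falls back to whatever the inventory, ansible.cfg or the caller's local username provides. Other tasks in this PR write root-owned files (owner=root under /etc/nginx/ssl), so please set the user explicitly in ./hosts/staging (ansible_user) and use become: true in the playbook, and mention the expected account in the README so a deploy does not fail or run as an unintended user.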
We might need to use `./deploy-app.sh` here.
@anorsich How do you propose to use `deploy-app.sh`? Do you mean that we can delete the bash file `deploy-staging.sh`?
813e2a6 to 6b51d21
6b51d21 to 8b4303d
@ezhivitsa Let's change letsencrypt email to mine. Also, why do we need custom nginx configuration for ssl_ciphers? We can talk about this on Friday. Other than that — PR looks great, merging now!
deploy/app/vars/main.yml
Outdated
ssl_cert_path: "/etc/letsencrypt/live/paralect.com" | ||
ssl_cert: "privkey.pem" | ||
|
||
letsencrypt_email: "ship@test.com" |
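Review bot: ssl_cert is set to "privkey.pem", which in a Let's Encrypt live directory is the private key, not the certificate. Point ssl_cert at fullchain.pem and give the key its own variable (for example ssl_cert_key: "privkey.pem", a name suggested here, not one from this PR) so the nginx ssl_certificate and ssl_certificate_key directives cannot be swapped by accident. The domain in ssl_cert_path is also hardcoded; deriving it from the app's domain variable would keep the path and the issued certificate in step.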
Let's change it to andrew@paralect.com
@umitskevich, @anorsich Please review.