
New ssl provider: cloudflare-origin-ca #870

Closed
wants to merge 1 commit into from

Conversation

tangrufus
Collaborator

@tangrufus tangrufus commented Aug 17, 2017

Usage:

vault_cloudflare_origin_ca_api_key: 'my_api_key'

wordpress_sites:
  example.com:
    site_hosts:
      - canonical: example.com
        redirects:
          - hi.example.com
          - bye.example.com
    ssl:
      enabled: true
      provider: cloudflare-origin-ca

This will generate and upload (to Cloudflare) a cert for example.com, hi.example.com, bye.example.com.

This is Origin CA, not Universal SSL.

close #868

@partounian
Contributor

Any update @swalkinshaw ?

@swalkinshaw
Member

No, I'm undecided on this one. I don't know if Trellis should have a Cloudflare specific option like this built-in.

@partounian
Contributor

No worries, really appreciate your updates though!

@tangrufus
Collaborator Author

tangrufus commented Aug 25, 2017

Perhaps publishing it to Ansible Galaxy is a better idea.

Question:
What is the best practice for an Ansible Galaxy role to change Trellis's Nginx template (wordpress-site.conf.j2)?

@swalkinshaw
Member

Good question, I think it would use Child templates.

Right now there's an https block. The new template would use that block and call {{ super() }} then just add the new certificate stuff after that.
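A runnable sketch of the child-template approach described above, as an added example that is not Trellis's own template or the role's code: the parent template, the `https` block contents and the /etc/ssl/cloudflare paths are hypothetical stand-ins, and the check at the end verifies that every rendered server block, redirect hosts included, carries the certificate directives.

```python
# Added example: a child Jinja2 template extends the parent's "https" block with
# {{ super() }} and appends Cloudflare Origin CA cert paths. The parent template
# and the cert paths below are hypothetical stand-ins, not Trellis's real files.
import re
from jinja2 import DictLoader, Environment

# Hypothetical stand-in for wordpress-site.conf.j2: one server block per host.
PARENT = """\
{% for host in hosts %}
server {
  listen 443 ssl;
  server_name {{ host }};
  {% block https %}
  ssl_protocols TLSv1.2;
  {% endblock %}
}
{% endfor %}
"""

# Child keeps everything the parent emits (via super()) and adds the cert paths.
CHILD = """\
{% extends "wordpress-site.conf.j2" %}
{% block https %}
{{ super() }}
  ssl_certificate     /etc/ssl/cloudflare/{{ site_name }}.pem;
  ssl_certificate_key /etc/ssl/cloudflare/{{ site_name }}.key;
{% endblock %}
"""

ENV = Environment(loader=DictLoader({
    "wordpress-site.conf.j2": PARENT,
    "wordpress-site.conf.child": CHILD,
}))

def render(site_name, site_hosts):
    """Render the child template for the canonical host plus its redirects."""
    hosts = []
    for entry in site_hosts:
        hosts.append(entry["canonical"])
        hosts.extend(entry.get("redirects", []))
    template = ENV.get_template("wordpress-site.conf.child")
    return template.render(site_name=site_name, hosts=hosts)

def hosts_missing_cert(config):
    """Return the server_names whose block lacks an ssl_certificate directive."""
    missing = []
    for block in re.findall(r"server \{(.*?)\n\}", config, re.S):
        name = re.search(r"server_name (\S+);", block).group(1)
        if "ssl_certificate " not in block:
            missing.append(name)
    return missing
```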

tangrufus added a commit to typisttech/trellis-cloudflare-origin-ca that referenced this pull request Aug 29, 2017
@tangrufus tangrufus closed this Aug 29, 2017
@swalkinshaw
Member

@tangrufus thanks, took a quick look at that and it looks great.

This is one of the first 3rd party roles like this so it was interesting to see how the implementation went. Most of it looks fairly straightforward. Other than the playbook hack 😔 .

Something like #830 might be able to help that.

@tangrufus
Collaborator Author

Other than #830, we need a better way for galaxy roles to override Nginx templates.

Telling users to use templates in vendor doesn't feel right:

nginx_wordpress_site_conf: vendor/roles/TypistTech.trellis-cloudflare-origin-ca/templates/wordpress-site.conf.child

But it's the only way I could think of.

Adding to the includes.d/{{ item.key }}/ directory:
It doesn't get included for redirect domains... :(

@swalkinshaw
Member

Yeah I did notice that and thought it wasn't ideal either but honestly I'm not so sure how much it matters.

In any language with packages, it would be equivalent to include vendor/roles/TypistTech.trellis-cloudflare-origin-ca/templates/wordpress-site.conf.child, which most languages would allow as include TypistTech.trellis-cloudflare-origin-ca/templates/wordpress-site.conf.child. It's still coming from the same place. /shrug

@tangrufus
Collaborator Author

What to do when another galaxy role needs to extend wordpress-site.conf.j2 as well?

@swalkinshaw
Member

Good question. I'm just not sure we can reasonably expect a solution for that.

@tangrufus
Collaborator Author

For the current state of Trellis, would it be better to use regexp replace instead of jinja2 template override?

typisttech/trellis-cloudflare-origin-ca#8

@swalkinshaw
Member

Up to you ultimately. Usually I wouldn't like regexp for things like this, but at least the template output is predictable since it's not a manually created file.

@tangrufus tangrufus deleted the ssl-cloudflare branch September 1, 2017 11:14
Successfully merging this pull request may close these issues.

Feature Request: New SSL provider CloudFlare Origin CA