This will allow us to temporarily affect staging instance only,
and test that the images are actually OK. We should though put
the timestamp to the image name.
We need two-phase configuration for Let's Encrypt:
1. initialize; the letsencrypt automation, this is happening only
once per VM (when it is spawned)
2. periodic; using certbot-renew.timer.
Both those phases are now wrapped into copr/certbot role.
Phase 1. needs to be done before the web-server is started (so
include the role on appropriate place in the playbook), so we can
do 'certbot --standalone' (bounds to port 80).
Phase 2. is accomplished using the running web-server, using
'certbot renew --webroot'.
If (and only if) the certificate is renewed, web server needs to
be restarted (and lighttpd needs to have post-processed
certificate format). So we also need the deploy hook script in
hand (two actually, lighttpd/httpd) so 'certbot renew'
automatically does what we expect it to do.
In ansible 2.8 the - character isn't supposed to be valid in group names.
While we could override this, might has well just bite the bullet and change it.
So, just switch all group names to use _ instead of -
Signed-off-by: Kevin Fenzi <kevin@scrye.com>
