Ansible playbook and roles to deploy the webservers for, its subdomains and other campaign domains
Linus Sehn 993b306290 Trying to properly proxypass to Luca's ebook generator 2023-02-14 17:15:26 +01:00
files provide rrsync 2022-08-25 17:06:54 +02:00
group_vars make ip_proxy vars global per host+ 2021-10-13 16:26:14 +02:00
host_vars Trying to properly proxypass to Luca's ebook generator 2023-02-14 17:15:26 +01:00
inventory@de8e53f300 Bump inventory 2022-12-14 13:06:03 +01:00
roles Trying to properly proxypass to Luca's ebook generator 2023-02-14 17:15:26 +01:00
.drone.yml adding drone CI for docs sync 2023-01-13 15:48:52 +01:00
.gitignore initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00
.gitmodules prepare cert deployment via acme-dns 2021-10-12 12:52:00 +02:00
COPYING initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00 added badge to the README 2023-01-13 15:51:08 +01:00
ansible.cfg Set `remote_user` in ansible.cfg 2023-01-11 09:05:51 +01:00
playbook.yaml provide rrsync 2022-08-25 17:06:54 +02:00
requirements.txt initial apache+letsencrypt setup 2018-07-09 11:22:01 +02:00

FSFE Webserver



Clone this repo:

git clone --recurse-submodules


Update the inventory submodule to reflect the newest changes to the list of our /generate_inventory and the groups that they are in:

git submodule update --remote inventory

Deploy/update all webservers:

ansible-playbook playbook.yaml

Deploy/update only one webserver:

ansible-playbook -l playbook.yaml


There are some ansible tags you can use to only run specific tasks:

  • apache (all typical changes in Apache, but no directory creation or similar)
  • certs (everything regarding TLS certificates, certbot, etc.)
  • php (PHP configuration)

Host Vars

The hosts' variables play an essential role. Some are self-explanatory, some are more complex.

Host-wide config:

  • onion_address defines the Onion/Tor address for that host. Currently only applies to
  • ip_proxy defines whether the whole server, i.e. all primary and alias domains, is behind our ip-proxy. In this case, some extra settings have to be made, and the Apache LogFormat is different. Unfortunately, this cannot be set on a per-vhost basis.

Each entry under domains is its own vhost and certificate. The parent is the primary domain, e.g. or

  • template defines the type of the apache2 vhost config to be used (see under /roles/apache2-site/templates).
  • aliases are domains that are aliases to the primary domain (ServerAlias).
  • mode is a special declaration to differ and, and not used for templates other than "fsfe"
  • target applies to "redirection" vhosts: it is the URL all requests are pointed to.
  • www_dir is for vhosts that are served directly from a directory ("subdirectory" template).
  • acme_challenge defines how TLS certs are gathered. Default is http-01, but dns-01 triggers the use of the acme-dns-client role.
  • rewrites can define paths for "subdirectory" templates which redirect to the primary domain.
  • includes defines special Apache2 config files that should be included.

Important Notes

  • All domains/aliases that are served by more than one host/VM MUST have acme_challenge: "dns-01". Otherwise, gathering a new or renewed cert will fail sooner or later. This then applies to all aliases of the primary domain.
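
The rule above can be checked before a deploy. The following is an added example, not part of this repository: it assumes each host's vars parse (e.g. via a YAML loader) to a `domains` mapping keyed by primary domain, and all host and domain names in the sample are constructed placeholders.

```python
from collections import defaultdict

DEFAULT_CHALLENGE = "http-01"  # default according to the README

# Constructed sample: host_vars as a YAML loader would return them.
# Hosts, domains and paths are placeholders; the layout is an assumption.
SAMPLE_HOST_VARS = {
    "web1.example.org": {"domains": {
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"],
                        "acme_challenge": "dns-01"},
        "campaign.example": {"template": "redirection",
                             "target": "https://example.org/",
                             "aliases": ["www.campaign.example"]},
    }},
    "web2.example.org": {"domains": {
        "example.org": {"template": "fsfe", "aliases": ["www.example.org"],
                        "acme_challenge": "dns-01"},
        "docs.example.org": {"template": "subdirectory", "www_dir": "/srv/docs",
                             "aliases": ["www.campaign.example"]},
    }},
}


def find_violations(host_vars):
    """Return sorted (host, primary, shared_names) for vhosts breaking the rule."""
    served_by = defaultdict(set)  # domain or alias -> hosts that serve it
    for host, hv in host_vars.items():
        for primary, vhost in (hv.get("domains") or {}).items():
            for name in [primary, *((vhost or {}).get("aliases") or [])]:
                served_by[name].add(host)

    violations = []
    for host, hv in host_vars.items():
        for primary, vhost in (hv.get("domains") or {}).items():
            vhost = vhost or {}
            names = [primary, *(vhost.get("aliases") or [])]
            shared = sorted(n for n in names if len(served_by[n]) > 1)
            # One certificate covers the primary domain and all its aliases,
            # so a single shared name makes dns-01 mandatory for the vhost.
            if shared and vhost.get("acme_challenge", DEFAULT_CHALLENGE) != "dns-01":
                violations.append((host, primary, shared))
    return sorted(violations)


if __name__ == "__main__":
    for host, primary, shared in find_violations(SAMPLE_HOST_VARS):
        print(f'{host}: vhost {primary} needs acme_challenge: "dns-01" '
              f"(served elsewhere too: {', '.join(shared)})")
```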