reworked letsencrypt to use docker containers instead of certbot on the host.

dkhost.xai-corp.net.yml

@@ -8,24 +8,28 @@
   become: true
 
   vars:
-    datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
-    datadog_checks:
-      system:
-        init_config: []
-        instances: []
-      disk:
-        init_config:
-        instances:
-            - use_mount: yes
-              excluded_filesystems:
-                - sysfs
-                - cgroup
-                - tracefs
-                - debugfs
-                - proc
-                - securityfs
-                - tmpfs
-              excluded_mountpoint_re: /[media/richard|run/user].*
+#    datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
+#    datadog_config:
+#      log_level: WARNING
+#      apm_enabled: false
+#    datadog_checks:
+#      system:
+#        init_config: []
+#        instances: []
+#      disk:
+#        init_config:
+#        instances:
+#            - use_mount: yes
+#              excluded_filesystems:
+#                - sysfs
+#                - cgroup
+#                - tracefs
+#                - debugfs
+#                - proc
+#                - securityfs
+#                - tmpfs
+#              excluded_mountpoint_re: /[media/richard|run/user].*
+
       docker:
         init_config:
         instances:
@@ -63,6 +67,7 @@
           mount: /data/elasticsearch
 
       certbot:
+        uninstall: true
         domains:
           - xai-corp.net
           - www.xai-corp.net
@@ -76,10 +81,13 @@
           - logs.xai-corp.net
           - tripbuilder.xai-corp.net
           - xaibox.xai-corp.net
+          - office.xai-corp.net
 
   roles:
     - dockerhost
     - geerlingguy.nginx
     - certbot
+#    - { role: Datadog.datadog, when: ansible_architecture != 'armv7l' } #does not support armhf architecture. should switch to fluentd or logstash
+
 
   post_tasks:

dockerfiles/owncloud/docker-compose.yml

@@ -1,29 +0,0 @@
----
-# docker-compose file for owncloud server
-
-# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml owncloud
-
-version: '3'
-services:
-
-  owncloud:
-    image: nextcloud:12
-    ports:
-      - 8083:80
-#      - 9083:9000
-    volumes:
-      - /opt/shared/nextcloud/data:/var/www/html/data
-      - /opt/shared/nextcloud/config:/var/www/html/config
-      - /opt/shared/nextcloud/apps:/var/www/html/custom_apps
-
-    deploy:
-      mode: replicated
-      replicas: 1
-      restart_policy:
-        condition: any
-        delay: "1s"
-        max_attempts: 5
-      resources:
-        limits:
-          cpus: '1'
-          memory: 512M

dockerfiles/services/dkregistry/docker-compose.yml

@@ -3,7 +3,7 @@
 # - see https://www.elastic.co/guide/en/logstash/current/_pulling_the_image.html
 #
 # DOCKER_HOST=dkhost03:2376 docker-compose up -d
-# DOCKER_HOST=dkhost03:2376 docker stack deploy -c docker-compose.yml services
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services
 
 version: '3'
 services:

dockerfiles/services/letsencrypt/docker-compose-staging-install.yml

@@ -0,0 +1,48 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up install
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services_letsencrypt
+
+version: '3'
+services:
+
+  install:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_install
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose-staging-update.yml

@@ -0,0 +1,45 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-staging-update.yml services_letsencrypt
+
+version: '3'
+services:
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose-update.yml

@@ -0,0 +1,47 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-update.yml services_letsencrypt
+
+version: '3'
+services:
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_TESTCERT: "true"
+      LETSENCRYPT_DEBUG: "true"
+      LETSENCRYPT_JOB_TIME: "0 0 1 15 * *"
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/docker-compose.yml

@@ -0,0 +1,84 @@
+---
+# docker-compose file for letsencrypt cert management
+
+# DOCKER_HOST=dkhost01:2376 docker-compose up install
+# DOCKER_HOST=dkhost01:2376 docker-compose up updates
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml services_letsencrypt
+
+version: '3'
+services:
+
+  install:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_install
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M
+
+  updates:
+    image: "blacklabelops/letsencrypt"
+    container_name: letsencrypt_staging_updates
+    ports:
+      - 80:80
+#      - 443:443
+    volumes:
+      - /opt/shared/letsencrypt-2-staging:/etc/letsencrypt
+    environment:
+      LETSENCRYPT_HTTPS_ENABLED: "false"
+      LETSENCRYPT_EMAIL: r_morgan@sympatico.ca
+      LETSENCRYPT_DOMAIN1: xai-corp.net
+      LETSENCRYPT_DOMAIN2: git.xai-corp.net
+      LETSENCRYPT_DOMAIN3: xaibox.xai-corp.net
+      LETSENCRYPT_DOMAIN4: dkui.xai-corp.net
+      LETSENCRYPT_DOMAIN5: dkregistry.xai-corp.net
+      LETSENCRYPT_DOMAIN6: fs.xai-corp.net
+      LETSENCRYPT_DOMAIN7: jenkins.xai-corp.net
+      LETSENCRYPT_DOMAIN8: sql.xai-corp.net
+      LETSENCRYPT_DOMAIN9: office.xai-corp.net
+      LETSENCRYPT_DOMAIN9: www.xai-corp.net
+    command:
+      - install
+      - --staging
+      - --expand
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: none
+      resources:
+        limits:
+          cpus: '0.1'
+          memory: 256M

dockerfiles/services/letsencrypt/readme.md

@@ -0,0 +1,48 @@
+#Letsencrypt container 
+
+run this as a regular container via cron job
+
+note that this container only takes 2 parameters, so we can use --staging and --merge. maybe we should build our own.
+
+todo: set this up as a cron
+
+#install new certs
+```
+DOCKER_HOST=dkhost:2376 docker run -d \
+    -p 80:80 \
+    --name letsencrypt \
+    -e "LETSENCRYPT_HTTPS_ENABLED=false" \
+    -v /opt/shared/letsencrypt-2:/opt/shared/letsencrypt \
+    -e "LETSENCRYPT_EMAIL=r_morgan@sympatico.ca" \
+    -e "LETSENCRYPT_DOMAIN1=xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN2=git.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN3=xaibox.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN4=dkui.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN5=dkregistry.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN6=fs.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \
+    blacklabelops/letsencrypt install
+```
+
+```
+DOCKER_HOST=dkhost:2376 docker run -d \
+    -p 80:80 \
+    --name letsencrypt_updates \
+    -e "LETSENCRYPT_HTTPS_ENABLED=false" \
+    -v /opt/shared/letsencrypt-2:/opt/shared/letsencrypt \
+    -e "LETSENCRYPT_EMAIL=r_morgan@sympatico.ca" \
+    -e "LETSENCRYPT_DOMAIN1=xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN2=git.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN3=xaibox.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN4=dkui.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN5=dkregistry.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN6=fs.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN7=jenkins.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN8=sql.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN9=www.xai-corp.net" \
+    -e "LETSENCRYPT_DOMAIN90=office.xai-corp.net" \
+    blacklabelops/letsencrypt
+```

dockerfiles/services/owncloud/Dockerfile

@@ -0,0 +1,4 @@
+FROM nextcloud:12
+
+RUN apt-get update && apt-get install -y smbclient && rm -rf /var/lib/apt/lists/*
+

dockerfiles/services/owncloud/docker-compose-prod.yml

@@ -0,0 +1,51 @@
+---
+# docker-compose file for owncloud server
+
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose-prod.yml owncloud
+
+version: '3'
+services:
+
+  owncloud:
+    image: dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+    ports:
+      - 8083:80
+#      - 9083:9000
+    volumes:
+      - /opt/shared/nextcloud/data:/var/www/html/data
+      - /opt/shared/nextcloud/config:/var/www/html/config
+      - /opt/shared/nextcloud/apps:/var/www/html/custom_apps
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: "1s"
+        max_attempts: 5
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M
+
+  collabora:
+    image: collabora/code
+    ports:
+      - 9980:9980
+    environment:
+      domain: office\\.xai-corp\\.net
+      username: admin
+      password: ah8031qhnbc
+      server_name: office.xai-corp.net
+
+    deploy:
+      mode: replicated
+      replicas: 1
+      restart_policy:
+        condition: any
+        delay: "1s"
+        max_attempts: 5
+      resources:
+        limits:
+          cpus: '1'
+          memory: 512M

dockerfiles/services/owncloud/docker-compose.yml

@@ -0,0 +1,51 @@
+---
+# docker-compose file for nextcloud server
+
+# docker login dkregistry.xai-corp.net:5000
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest
+# DOCKER_HOST=dkhost:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml owncloud
+
+version: '3'
+services:
+
+  owncloud:
+    image: "dkregistry.xai-corp.net:5000/xaicorp/nextcloud:latest"
+    build:
+      context: .
+      dockerfile: Dockerfile
+    ports:
+      - 8083:80
+#      - 9083:9000
+    volumes:
+      - ./data:/var/www/html
+
+  collabora:
+    image: collabora/code
+    ports:
+      - 9980:9980
+    environment:
+      domain: office\\.xai-corp\\.net
+      username: admin
+      password: ah8031qhnbc
+      server_name: office.xai-corp.net
+
+#  letsencrypt:
+#    image: linuxserver/letsencrypt
+#    volumes:
+#      - ./letsencrypt:/config
+#    environment:
+#      URL: xai-corp.net
+#      SUBDOMAINS: www,sql,xaibox,office
+#      TZ: America/Montreal
+#      EMAIL: r_morgan@sympatico.ca
+
+
+#TODO:
+#  cron:
+
+  http:
+    image: "dkregistry.xai-corp.net:5000/sslproxy:2.0"
+    volumes:
+      - ./letsencrypt:/etc/letsencrypt:ro
+    ports:
+      - "443:443"

dockerfiles/services/services/cron/docker-compose.yml

@@ -10,7 +10,7 @@ services:
   cron:
     image: "dkregistry.xai-corp.net:5000/cron:latest"
     build:
-      context: .
+      context: ""
       dockerfile: Dockerfile
 
     deploy:

dockerfiles/services/services/minio/docker-compose.yml

@@ -0,0 +1,100 @@
+---
+#minio s3 clone
+#https://docs.minio.io/docs/deploy-minio-on-docker-swarm
+# DOCKER_HOST=dkhost:2376 docker-compose up -d
+# DOCKER_HOST=dkhost:2376 docker stack deploy -c docker-compose.yml s3
+
+version: '3.1'
+
+services:
+  minio1:
+    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+    volumes:
+      - minio1-data:/export
+    ports:
+      - "9061:9000"
+    networks:
+      - minio_distributed
+    deploy:
+      restart_policy:
+        delay: 10s
+        max_attempts: 10
+        window: 60s
+    command: server http://s3_minio1/export
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+    secrets:
+      - s3_secret_key
+      - s3_access_key
+
+#  minio2:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio2-data:/export
+#    ports:
+#      - "9062:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+#
+#  minio3:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio3-data:/export
+#    ports:
+#      - "9063:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+#
+#  minio4:
+#    image: minio/minio:RELEASE.2017-08-05T00-00-53Z
+#    volumes:
+#      - minio4-data:/export
+#    ports:
+#      - "9064:9000"
+#    networks:
+#      - minio_distributed
+#    deploy:
+#      restart_policy:
+#        delay: 10s
+#        max_attempts: 10
+#        window: 60s
+#    command: server http://minio1/export http://minio2/export http://minio3/export http://minio4/export
+#    secrets:
+#      - s3_secret_key
+#      - s3_access_key
+
+volumes:
+  minio1-data:
+
+  minio2-data:
+
+  minio3-data:
+
+  minio4-data:
+
+networks:
+  minio_distributed:
+    driver: overlay
+
+secrets:
+  s3_secret_key:
+    external: true
+  s3_access_key:
+    external: true

dockerfiles/services/sslproxy/docker-compose-prod.yml

@@ -1,7 +1,7 @@
 ---
 # DOCKER_HOST=192.168.2.41:2376 docker-compose up -d
 # docker login dkregistry.xai-corp.net:5000
-# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:latest
+# docker-compose build && docker push dkregistry.xai-corp.net:5000/sslproxy:2.0
 # DOCKER_HOST=dkhost01:2376 docker stack deploy --with-registry-auth -c docker-compose-prod.yml sslproxy
 # DOCKER_HOST=dkhost01:2376 docker stack ps sslproxy
 
@@ -14,11 +14,11 @@ services:
     ports:
       - "443:443"
 
-    logging:
-      driver: syslog
-      options:
-        syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
-        tag: "{{.Name}}/{{.ID}}"
+#    logging:
+#      driver: syslog
+#      options:
+#        syslog-address: "tcp+tls://logs6.papertrailapp.com:38577"
+#        tag: "{{.Name}}/{{.ID}}"
 
     deploy:
       mode: replicated

dockerfiles/services/sslproxy/hosts/dkui.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name dkui.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/dkui.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/dkui.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/fs.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name fs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/fs.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/fs.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/git.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name git.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/git.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/git.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/jenkins.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name jenkins.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/jenkins.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/jenkins.xai-corp.net/privkey.pem;
 
     #Strict-Transport-Security: max-age=15768000

dockerfiles/services/sslproxy/hosts/logs.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name logs.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/logs.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/logs.xai-corp.net/privkey.pem;
     #Strict-Transport-Security: max-age=15768000
     add_header Strict-Transport-Security "max-age=600; includeSubDomains" always;

dockerfiles/services/sslproxy/hosts/xaibox.xai-corp.net.conf

@@ -2,7 +2,7 @@
 server {
     listen  443 ssl;
     server_name xaibox.xai-corp.net;
-    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/cert.pem;
+    ssl_certificate     /etc/letsencrypt/live/xaibox.xai-corp.net/fullchain.pem;
     ssl_certificate_key /etc/letsencrypt/live/xaibox.xai-corp.net/privkey.pem;
 
     client_max_body_size 200m;

managed_setup.yml

@@ -50,7 +50,7 @@
                   - debugfs
                   - proc
                   - securityfs
-                  - shm
+                  - tempfs
                 excluded_mountpoint_re: /[media/richard|run/user].*
 
 

managed_updates.yml

@@ -9,29 +9,11 @@
   become: True
 
   vars:
-    datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
-    datadog_checks:
-      system:
-        init_config: []
-        instances: []
-      disk:
-        init_config:
-        instances:
-            - use_mount: yes
-              excluded_filesystems:
-                - sysfs
-                - cgroup
-                - tracefs
-                - debugfs
-                - proc
-                - securityfs
-                - shm
-              excluded_mountpoint_re: /[media/richard|run/user].*
 
   roles:
     - _install_updates
     - user-richard
     - motd
-    - { role: Datadog.datadog, when: ansible_architecture != 'armv7l' } #does not support armhf architecture. should switch to fluentd or logstash
+#    - { role: Datadog.datadog, when: ansible_architecture != 'armv7l' } #does not support armhf architecture. should switch to fluentd or logstash
 
   tasks:

roles/certbot/tasks/install.yml

@@ -0,0 +1,33 @@
+---
+# main task for installing Let's Encrypt's certbot tool
+# https://certbot.eff.org/#ubuntuxenial-other
+
+- name: install certbot on ubuntu 16.04
+  apt:
+    state: latest
+    package: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 3600
+  with_items:
+    - "letsencrypt"
+  when: ansible_os_family == "Debian"
+
+- name: create webroot /var/www/xai-corp.net
+  file:
+    state: directory
+    path: /var/www/xai-corp.net
+
+#- name: create first certificates
+#  command: "letsencrypt certonly --webroot -w /var/www/xai-corp.net -d {{ item }}"
+#  args:
+#    creates: /etc/letsencrypt/live/{{ item }}/cert.pem
+#  with_items: "{{certbot.domains}}"
+
+
+- name: cron job for renewing certs
+  cron:
+    name: renew let's encrypt certificates
+    state: absent
+    user: root
+    day: "*/2"
+    job: "letsencrypt renew "

roles/certbot/tasks/main.yml

@@ -1,33 +1,10 @@
 ---
-# main task for installing Let's Encrypt's certbot tool
-# https://certbot.eff.org/#ubuntuxenial-other
-
-- name: install certbot on ubuntu 16.04
-  apt:
-    state: latest
-    package: "{{ item }}"
-    update_cache: yes
-    cache_valid_time: 3600
-  with_items:
-    - "letsencrypt"
-  when: ansible_os_family == "Debian"
-
-- name: create webroot /var/www/xai-corp.net
-  file:
-    state: directory
-    path: /var/www/xai-corp.net
-
-- name: create first certificates
-  command: "letsencrypt certonly --webroot -w /var/www/xai-corp.net -d {{ item }}"
-  args:
-    creates: /etc/letsencrypt/live/{{ item }}/cert.pem
-  with_items: "{{certbot.domains}}"
+# main install certbot
+# deprecated. Use container instead
 
 
-- name: cron job for renewing certs
-  cron:
-    name: renew let's encrypt certificates
-    state: present
-    user: root
-    day: "*/2"
-    job: "letsencrypt renew "
+- include: install.yml
+  when: certbot.uninstall != true
+
+- include: uninstall.yml
+  when: certbot.uninstall == true

roles/certbot/tasks/uninstall.yml

@@ -0,0 +1,26 @@
+---
+# uninstall certbot
+
+- name: uninstall certbot on ubuntu 16.04
+  apt:
+    state: absent
+    package: "{{ item }}"
+    update_cache: yes
+    cache_valid_time: 3600
+  with_items:
+    - "letsencrypt"
+    - "nginx"
+  when: ansible_os_family == "Debian"
+
+- name: remove webroot /var/www/xai-corp.net
+  file:
+    state: absent
+    path: /var/www/xai-corp.net
+
+- name: remove cron job for renewing certs
+  cron:
+    name: renew let's encrypt certificates
+    state: absent
+    user: root
+    day: "*/2"
+    job: "letsencrypt renew "

roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2

@@ -56,3 +56,4 @@ sql                     IN CNAME    dkhost
 mysql                   IN CNAME    dkhost
 tripbuilder             IN CNAME    dkhost
 xaibox                  IN CNAME    dkhost
+office                  IN CNAME    dkhost

site-django-test.yml

@@ -1,8 +0,0 @@
----
-  # playbook to install django test on home.xai-corp.net
-
-- hosts: home
-  remote_user: ansible
-
-  roles:
-    - django

test-ping.yml

@@ -1,8 +1,11 @@
 ---
   # playbook to install django test on home.xai-corp.net
 
-- hosts: home
+- hosts: managed
   remote_user: root
+  remote_user: ansible
+  gather_facts: yes
+  become: true
 
   tasks:
     - name: test connection

test01.xai-corp.net.yml

@@ -1,37 +0,0 @@
----
-# playbook for home02
-
-
-- hosts: test1
-  remote_user: ansible
-  gather_facts: yes
-  become: true
-
-  vars:
-    datadog_api_key: ca0faf176c4aedd4f547ed7cf85615eb
-    datadog_checks:
-      system:
-        init_config: []
-        instances: []
-      disk:
-        init_config:
-        instances:
-            - use_mount: yes
-              excluded_filesystems:
-                - sysfs
-                - cgroup
-                - tracefs
-                - debugfs
-                - proc
-                - securityfs
-              excluded_mountpoint_re: /[media/richard|run/user].*
-
-
-  roles:
-#    - Datadog.datadog
-#    - bennojoy.ntp
-    - td-agent
-
-  post_tasks:
-#    - name: check service is up
-#      service: name={{ bind.service }} state=started