authoralex <alex@pdp7.net>2026-01-05 11:52:23 +0100
committeralex <alex@pdp7.net>2026-01-05 12:08:13 +0100
commit3d440014438c1b3bb741acaf17de631029227004 (patch)
tree48d6e0315e01fea2aad31301da8ab2a87c68f04c /infrastructure/roles/web
parentacadb5bbf9282f660d9b6e2706613eac4fd6aafe (diff)
Use self-signed cert when web server is not reachable
Also fix some punycode niggles
Diffstat (limited to 'infrastructure/roles/web')
-rw-r--r--infrastructure/roles/web/tasks/main.yaml8
1 files changed, 8 insertions, 0 deletions
diff --git a/infrastructure/roles/web/tasks/main.yaml b/infrastructure/roles/web/tasks/main.yaml
index 92bb88f..f9c722a 100644
--- a/infrastructure/roles/web/tasks/main.yaml
+++ b/infrastructure/roles/web/tasks/main.yaml
@@ -30,12 +30,20 @@
ansible.builtin.copy:
dest: /etc/apache2/sites-enabled/ssl.conf
content: |
+ {% if web_server_reachable %}
MDomain {{ public_hostname_punycode }}
MDCertificateAgreement accepted
+ {% endif %}
<VirtualHost *:443>
ServerName {{ public_hostname_punycode }}
SSLEngine on
+
+ {% if not web_server_reachable %}
+ SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
+ {% endif %}
+
ServerAdmin {{ admin_email }}
<Location /vaultwarden/>