authoralex <alex@pdp7.net>2026-01-05 11:52:23 +0100
committeralex <alex@pdp7.net>2026-01-05 12:08:13 +0100
commit3d440014438c1b3bb741acaf17de631029227004 (patch)
tree48d6e0315e01fea2aad31301da8ab2a87c68f04c /infrastructure/roles
parentacadb5bbf9282f660d9b6e2706613eac4fd6aafe (diff)
Use self-signed cert when web server is not reachable
Also fix some punycode niggles
Diffstat (limited to 'infrastructure/roles')
-rw-r--r--infrastructure/roles/incus_provision/tasks/main.yaml2
-rw-r--r--infrastructure/roles/web/tasks/main.yaml8
2 files changed, 9 insertions, 1 deletions
diff --git a/infrastructure/roles/incus_provision/tasks/main.yaml b/infrastructure/roles/incus_provision/tasks/main.yaml
index 5ef6ad7..178687b 100644
--- a/infrastructure/roles/incus_provision/tasks/main.yaml
+++ b/infrastructure/roles/incus_provision/tasks/main.yaml
@@ -1,5 +1,5 @@
- name: create incus container
- ansible.builtin.shell: incus info incus-test-xn--ix-yja-es || incus launch images:debian/13 incus-test-xn--ix-yja-es --vm
+ ansible.builtin.shell: incus info {{ ansible_incus_host }} || incus launch images:debian/13 {{ ansible_incus_host }} --vm
delegate_to: 127.0.0.1
- name: install python
ansible.builtin.raw: apt install -y python3
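Review bot: The new `ansible.builtin.shell` line interpolates `{{ ansible_incus_host }}` into the command string unquoted, and because the task is delegated to 127.0.0.1 the string is evaluated by a shell on the control machine. A value containing whitespace or shell metacharacters would change the command that runs there. Passing both uses through the quote filter avoids that, e.g. `incus info {{ ansible_incus_host | quote }} || incus launch images:debian/13 {{ ansible_incus_host | quote }} --vm`. The variable presumably comes from inventory, so this is hardening rather than a demonstrated exposure. It matters more now that the name is no longer a fixed literal.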
diff --git a/infrastructure/roles/web/tasks/main.yaml b/infrastructure/roles/web/tasks/main.yaml
index 92bb88f..f9c722a 100644
--- a/infrastructure/roles/web/tasks/main.yaml
+++ b/infrastructure/roles/web/tasks/main.yaml
@@ -30,12 +30,20 @@
ansible.builtin.copy:
dest: /etc/apache2/sites-enabled/ssl.conf
content: |
+ {% if web_server_reachable %}
MDomain {{ public_hostname_punycode }}
MDCertificateAgreement accepted
+ {% endif %}
<VirtualHost *:443>
ServerName {{ public_hostname_punycode }}
SSLEngine on
+
+ {% if not web_server_reachable %}
+ SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
+ {% endif %}
+
ServerAdmin {{ admin_email }}
<Location /vaultwarden/>