From 3d440014438c1b3bb741acaf17de631029227004 Mon Sep 17 00:00:00 2001
From: alex
Date: Mon, 5 Jan 2026 11:52:23 +0100
Subject: Use self-signed cert when web server is not reachable

Also fix some punycode niggles
---
 infrastructure/roles/web/tasks/main.yaml | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'infrastructure/roles/web/tasks/main.yaml')

diff --git a/infrastructure/roles/web/tasks/main.yaml b/infrastructure/roles/web/tasks/main.yaml
index 92bb88f..f9c722a 100644
--- a/infrastructure/roles/web/tasks/main.yaml
+++ b/infrastructure/roles/web/tasks/main.yaml
@@ -30,12 +30,20 @@
 ansible.builtin.copy:
 dest: /etc/apache2/sites-enabled/ssl.conf
 content: |
+ {% if web_server_reachable %}
 MDomain {{ public_hostname_punycode }}
 MDCertificateAgreement accepted
+ {% endif %}
 ServerName {{ public_hostname_punycode }}
 SSLEngine on
+
+ {% if not web_server_reachable %}
+ SSLCertificateFile "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ SSLCertificateKeyFile "/etc/ssl/private/ssl-cert-snakeoil.key"
+ {% endif %}
+ ServerAdmin {{ admin_email }}
-- 
cgit v1.2.3
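Review bot: Both new conditionals test `web_server_reachable` as a bare value, so a non-empty string such as "false" coming from inventory or `-e` would evaluate as true and select the ACME branch; `{% if web_server_reachable | bool %}` and `{% if not web_server_reachable | bool %}` make the intended branch explicit. In the fallback branch the vhost serves the Debian snakeoil pair, which is not issued for `public_hostname_punycode` and, on hosts cloned from a shared image, may carry a private key common to every clone; nothing in this hunk installs `ssl-cert` or regenerates the pair, so that presumably has to be handled elsewhere in the role. Where the variable is set is not visible here, and if it comes from a reachability probe, a transient failure would rewrite ssl.conf without `MDomain` and swap a trusted certificate for the self-signed one on the next run. An Apache comment inside the fallback branch, for example `# Fallback: self-signed snakeoil certificate, used only while the host is not publicly reachable`, would leave that intent visible in the deployed file. The copy task starts and ends outside the hunk.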