ssl-keys: WIP

31af58fd · Pietro Albini · Mattia Rizzolo · 576b268b · 31af58fd · 31af58fd
Commit 31af58fd authored Mar 02, 2018 by Pietro Albini Committed by Mattia Rizzolo Mar 14, 2018
15 changed files
--- a/envs/prod/group_vars/roadhouse.yml
+++ b/envs/prod/group_vars/roadhouse.yml
+---
+
+letsencrypt_email: gruppo-sistemisti@liste.ubuntu-it.org
--- a/playbooks/roadhouse.yml
+++ b/playbooks/roadhouse.yml
@@ -15,6 +15,7 @@
        - pietro


+    - role: ssl-keys

 #    - role: nginx
 #      proxy:

--- a/roles/nginx/tasks/proxy.yml
+++ b/roles/nginx/tasks/proxy.yml
@@ -8,3 +8,15 @@
  with_dict: "{{ proxy }}"
  notify:
    - nginx.reload
+
+
+- name: Request an SSL certificate for the domains
+  lineinfile:
+    path: /usr/local/share/ssl-keys/domains
+    line: "{{ item }}"
+    state: present
+
+  with_items: "{{ proxy.keys() }}"
+
+  notify:
+    - ssl-keys.request
--- a/roles/nginx/tasks/setup.yml
+++ b/roles/nginx/tasks/setup.yml
@@ -40,3 +40,26 @@

  notify:
    - common.reload-firewall
+
+
+- name: Add the www-data user to the ssl-keys-read group
+  user:
+    name: www-data
+    groups: ssl-keys-read
+    append: yes
+
+
+- name: Allow the ssl-keys user to reload nginx
+  template:
+    src: sudoers-ssl-keys
+    dest: /etc/sudoers.d/nginx-ssl-keys
+
+
+- name: Add an hook to reload nginx when there are new ssl keys
+  template:
+    src: reload-nginx.sh
+    dest: /usr/local/share/ssl-keys/hooks/nginx.sh
+
+    mode: 0550
+    owner: root
+    group: ssl-keys
--- a/roles/nginx/templates/reload-nginx.sh
+++ b/roles/nginx/templates/reload-nginx.sh
+#!/bin/bash
+#
+# {{ ansible_managed }}
+#
+
+sudo /bin/systemctl reload nginx.service
--- a/roles/nginx/templates/sudoers-ssl-keys
+++ b/roles/nginx/templates/sudoers-ssl-keys
+#
+# {{ ansible_managed }}
+#
+
+ssl-keys ALL=(root) NOPASSWD: /bin/systemctl reload nginx.service
--- a/roles/ssl-keys/defaults/main.yml
+++ b/roles/ssl-keys/defaults/main.yml
+---
+
+letsencrypt_email: false
--- a/roles/ssl-keys/handlers/main.yml
+++ b/roles/ssl-keys/handlers/main.yml
+---
+
+- name: ssl-keys.request
+  service:
+    name: request-ssl-keys
+    state: started
--- a/roles/ssl-keys/tasks/common.yml
+++ b/roles/ssl-keys/tasks/common.yml
+---
+
+- name: Create the ssl-keys-read group
+  group:
+    name: ssl-keys-read
+    state: present
+
+
+- name: Create the ssl-keys user
+  user:
+    name: ssl-keys
+    state: present
+
+    createhome: no
+    groups: ssl-keys-read
+    system: yes
+
+
+- name: Create the /etc/ssl-keys directory
+  file:
+    path: /etc/ssl-keys
+    state: directory
+
+    mode: 0550
+    owner: root
+    group: ssl-keys-read
+
+
+- name: Create the /etc/ssl-keys/hooks directory
+  file:
+    path: /etc/ssl-keys/hooks
+    state: directory
+
+    mode: 0550
+    owner: root
+    group: ssl-keys
+
+
+- name: Create the /etc/ssl-keys/certs directory
+  file:
+    path: /etc/ssl-keys/certs
+    state: directory
+
+    # This directory has the setgid bit to assign the ssl-read-keys group to
+    # newly-created files
+    mode: 02750
+    owner: ssl-keys
+    group: ssl-keys-read
+
+
+- name: Ensure the /etc/ssl-keys/domains file exists
+  command: touch /etc/ssl-keys/domains
+  args:
+    creates: /etc/ssl-keys/domains
+
+
+- name: Set permissions on the /etc/ssl-keys/domains file
+  file:
+    path: /etc/ssl-keys/domains
+
+    mode: 0440
+    owner: root
+    group: ssl-keys
+
+
+- name: Upload the cron.sh script
+  template:
+    src: cron.sh
+    dest: /etc/ssl-keys/cron.sh
+
+    mode: 0750
+    owner: root
+    group: ssl-keys
+
+
+- name: Upload the systemd timer
+  template:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+
+  with_items:
+    - request-ssl-keys.service
+    - request-ssl-keys.timer
+
+
+- name: Enable the systemd timer
+  service:
+    name: request-ssl-keys
+    enabled: yes
+
+  notify:
+    - common.reload-systemd
--- a/roles/ssl-keys/tasks/letsencrypt.yml
+++ b/roles/ssl-keys/tasks/letsencrypt.yml
+---
--- a/roles/ssl-keys/tasks/main.yml
+++ b/roles/ssl-keys/tasks/main.yml
+---
+
+- include_tasks: common.yml
+
+- include_tasks: self-signed.yml
+  when: not letsencrypt_email
+
+- include_tasks: letsencrypt.yml
+  when: letsencrypt_email
--- a/roles/ssl-keys/tasks/self-signed.yml
+++ b/roles/ssl-keys/tasks/self-signed.yml
+---
+
+- name: TODO
+  file:
+    path: /etc/ssl-keys/request.sh
+    state: touch
+
+    mode: 0755
--- a/roles/ssl-keys/templates/cron.sh
+++ b/roles/ssl-keys/templates/cron.sh
+#!/bin/bash
+#
+# {{ ansible_managed }}
+#
+
+set -euo pipefail
+IFS=$'\n\t'
+
+BASE="/etc/ssl-keys"
+
+
+if [[ "`whoami`" != "ssl-keys" ]]; then
+    echo "This must be run as ssl-keys!"
+    exit 1
+fi
+
+"${BASE}/request.sh"
+
+for hook in `ls -1 "${BASE}/hooks"`; do
+    if [[ -x "${BASE}/hooks/${hook}" ]]; then
+        "${BASE}/hooks/${hook}"
+    fi
+done
--- a/roles/ssl-keys/templates/request-ssl-keys.service
+++ b/roles/ssl-keys/templates/request-ssl-keys.service
+[Unit]
+Description=Request new SSL keys
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl-keys/cron.sh
+
+User=ssl-keys
+Group=ssl-keys
--- a/roles/ssl-keys/templates/request-ssl-keys.timer
+++ b/roles/ssl-keys/templates/request-ssl-keys.timer
+[Unit]
+Description=Automatic weekly renew of the SSL keys
+
+[Timer]
+Interval=weekly
+Persistent=true
+
+[Install]
+WantedBy=timers.target