ssl-keys: WIP

envs/prod/group_vars/roadhouse.yml

+---
+
+letsencrypt_email: gruppo-sistemisti@liste.ubuntu-it.org

playbooks/roadhouse.yml

@@ -15,6 +15,7 @@
         - pietro
 
 
+    - role: ssl-keys
 
 #    - role: nginx
 #      proxy:

roles/nginx/tasks/proxy.yml

@@ -8,3 +8,15 @@
   with_dict: "{{ proxy }}"
   notify:
     - nginx.reload
+
+
+- name: Request an SSL certificate for the domains
+  lineinfile:
+    path: /usr/local/share/ssl-keys/domains
+    line: "{{ item }}"
+    state: present
+
+  with_items: "{{ proxy.keys() }}"
+
+  notify:
+    - ssl-keys.request

roles/nginx/tasks/setup.yml

@@ -40,3 +40,26 @@
 
   notify:
     - common.reload-firewall
+
+
+- name: Add the www-data user to the ssl-keys-read group
+  user:
+    name: www-data
+    groups: ssl-keys-read
+    append: yes
+
+
+- name: Allow the ssl-keys user to reload nginx
+  template:
+    src: sudoers-ssl-keys
+    dest: /etc/sudoers.d/nginx-ssl-keys
+
+
+- name: Add an hook to reload nginx when there are new ssl keys
+  template:
+    src: reload-nginx.sh
+    dest: /usr/local/share/ssl-keys/hooks/nginx.sh
+
+    mode: 0550
+    owner: root
+    group: ssl-keys

roles/nginx/templates/reload-nginx.sh

+#!/bin/bash
+#
+# {{ ansible_managed }}
+#
+
+sudo /bin/systemctl reload nginx.service

roles/nginx/templates/sudoers-ssl-keys

+#
+# {{ ansible_managed }}
+#
+
+ssl-keys ALL=(root) NOPASSWD: /bin/systemctl reload nginx.service

roles/ssl-keys/defaults/main.yml

+---
+
+letsencrypt_email: false

roles/ssl-keys/handlers/main.yml

+---
+
+- name: ssl-keys.request
+  service:
+    name: request-ssl-keys
+    state: started

roles/ssl-keys/tasks/common.yml

+---
+
+- name: Create the ssl-keys-read group
+  group:
+    name: ssl-keys-read
+    state: present
+
+
+- name: Create the ssl-keys user
+  user:
+    name: ssl-keys
+    state: present
+
+    createhome: no
+    groups: ssl-keys-read
+    system: yes
+
+
+- name: Create the /etc/ssl-keys directory
+  file:
+    path: /etc/ssl-keys
+    state: directory
+
+    mode: 0550
+    owner: root
+    group: ssl-keys-read
+
+
+- name: Create the /etc/ssl-keys/hooks directory
+  file:
+    path: /etc/ssl-keys/hooks
+    state: directory
+
+    mode: 0550
+    owner: root
+    group: ssl-keys
+
+
+- name: Create the /etc/ssl-keys/certs directory
+  file:
+    path: /etc/ssl-keys/certs
+    state: directory
+
+    # This directory has the setgid bit to assign the ssl-read-keys group to
+    # newly-created files
+    mode: 02750
+    owner: ssl-keys
+    group: ssl-keys-read
+
+
+- name: Ensure the /etc/ssl-keys/domains file exists
+  command: touch /etc/ssl-keys/domains
+  args:
+    creates: /etc/ssl-keys/domains
+
+
+- name: Set permissions on the /etc/ssl-keys/domains file
+  file:
+    path: /etc/ssl-keys/domains
+
+    mode: 0440
+    owner: root
+    group: ssl-keys
+
+
+- name: Upload the cron.sh script
+  template:
+    src: cron.sh
+    dest: /etc/ssl-keys/cron.sh
+
+    mode: 0750
+    owner: root
+    group: ssl-keys
+
+
+- name: Upload the systemd timer
+  template:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+
+  with_items:
+    - request-ssl-keys.service
+    - request-ssl-keys.timer
+
+
+- name: Enable the systemd timer
+  service:
+    name: request-ssl-keys
+    enabled: yes
+
+  notify:
+    - common.reload-systemd

roles/ssl-keys/tasks/letsencrypt.yml

+---

roles/ssl-keys/tasks/main.yml

+---
+
+- include_tasks: common.yml
+
+- include_tasks: self-signed.yml
+  when: not letsencrypt_email
+
+- include_tasks: letsencrypt.yml
+  when: letsencrypt_email

roles/ssl-keys/tasks/self-signed.yml

+---
+
+- name: TODO
+  file:
+    path: /etc/ssl-keys/request.sh
+    state: touch
+
+    mode: 0755

roles/ssl-keys/templates/cron.sh

+#!/bin/bash
+#
+# {{ ansible_managed }}
+#
+
+set -euo pipefail
+IFS=$'\n\t'
+
+BASE="/etc/ssl-keys"
+
+
+if [[ "`whoami`" != "ssl-keys" ]]; then
+    echo "This must be run as ssl-keys!"
+    exit 1
+fi
+
+"${BASE}/request.sh"
+
+for hook in `ls -1 "${BASE}/hooks"`; do
+    if [[ -x "${BASE}/hooks/${hook}" ]]; then
+        "${BASE}/hooks/${hook}"
+    fi
+done

roles/ssl-keys/templates/request-ssl-keys.service

+[Unit]
+Description=Request new SSL keys
+
+[Service]
+Type=oneshot
+ExecStart=/etc/ssl-keys/cron.sh
+
+User=ssl-keys
+Group=ssl-keys

roles/ssl-keys/templates/request-ssl-keys.timer

+[Unit]
+Description=Automatic weekly renew of the SSL keys
+
+[Timer]
+Interval=weekly
+Persistent=true
+
+[Install]
+WantedBy=timers.target