Gruppo Sistemisti / servers-config / Commits / 31af58fd

Commit 31af58fd, authored Mar 02, 2018 by Pietro Albini; committed by Mattia Rizzolo on Mar 14, 2018.
Commit message: ssl-keys: WIP
Parent: 576b268b
Showing 15 changed files with 210 additions and 0 deletions (+210, -0).
Changed files:
  envs/prod/group_vars/roadhouse.yml (+3, -0)
  playbooks/roadhouse.yml (+1, -0)
  roles/nginx/tasks/proxy.yml (+12, -0)
  roles/nginx/tasks/setup.yml (+23, -0)
  roles/nginx/templates/reload-nginx.sh (+6, -0)
  roles/nginx/templates/sudoers-ssl-keys (+5, -0)
  roles/ssl-keys/defaults/main.yml (+3, -0)
  roles/ssl-keys/handlers/main.yml (+6, -0)
  roles/ssl-keys/tasks/common.yml (+92, -0)
  roles/ssl-keys/tasks/letsencrypt.yml (+1, -0)
  roles/ssl-keys/tasks/main.yml (+9, -0)
  roles/ssl-keys/tasks/self-signed.yml (+8, -0)
  roles/ssl-keys/templates/cron.sh (+23, -0)
  roles/ssl-keys/templates/request-ssl-keys.service (+9, -0)
  roles/ssl-keys/templates/request-ssl-keys.timer (+9, -0)
envs/prod/group_vars/roadhouse.yml
0 → 100644
---
letsencrypt_email
:
gruppo-sistemisti@liste.ubuntu-it.org
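Review bot: setting `letsencrypt_email` for the roadhouse group switches the role onto `roles/ssl-keys/tasks/letsencrypt.yml`, which this commit leaves empty, so on these hosts nothing installs `/etc/ssl-keys/request.sh` and the first timer run of `cron.sh` aborts under `set -e` when it tries to execute it. Until the Let's Encrypt tasks exist, leave this unset in prod (the self-signed path at least produces a runnable, if empty, script) or guard the include.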
playbooks/roadhouse.yml
@@ -15,6 +15,7 @@
-
pietro
-
role
:
ssl-keys
# - role: nginx
# proxy:
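Review bot: the ordering is correct and has to stay this way: `roles/nginx/tasks/setup.yml` in this same commit assigns the `ssl-keys-read` and `ssl-keys` groups and expects `/etc/sudoers.d` and the hooks directory to be usable, all of which exist only after `roles/ssl-keys/tasks/common.yml` has run. Since the `nginx` role is still commented out, a short comment next to `- role: ssl-keys` (or a `dependencies` entry in `roles/nginx/meta/main.yml`) would keep the dependency from being lost when nginx is re-enabled.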
roles/nginx/tasks/proxy.yml
@@ -8,3 +8,15 @@
with_dict
:
"
{{
proxy
}}"
notify
:
-
nginx.reload
-
name
:
Request an SSL certificate for the domains
lineinfile
:
path
:
/usr/local/share/ssl-keys/domains
line
:
"
{{
item
}}"
state
:
present
with_items
:
"
{{
proxy.keys()
}}"
notify
:
-
ssl-keys.request
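Review bot: the `lineinfile` path does not match what the ssl-keys role creates: this task writes to `/usr/local/share/ssl-keys/domains`, while `common.yml` creates and locks down `/etc/ssl-keys/domains` (0440 root:ssl-keys) and `cron.sh` uses `BASE="/etc/ssl-keys"`. As written the domains requested by nginx never reach the renewal script, and the task fails on a fresh host anyway because `lineinfile` does not create a missing file without `create: yes` (and never creates the parent directory). Point `path` at `/etc/ssl-keys/domains`. Smaller point: `with_items: "{{ proxy.keys() }}"` renders a dict view on Python 3 that is not reliably turned back into a list; `loop: "{{ proxy.keys() | list }}"`, or reusing `with_dict: "{{ proxy }}"` with `item.key` as the task above does, is safer.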
roles/nginx/tasks/setup.yml
@@ -40,3 +40,26 @@
notify
:
-
common.reload-firewall
-
name
:
Add the www-data user to the ssl-keys-read group
user
:
name
:
www-data
groups
:
ssl-keys-read
append
:
yes
-
name
:
Allow the ssl-keys user to reload nginx
template
:
src
:
sudoers-ssl-keys
dest
:
/etc/sudoers.d/nginx-ssl-keys
-
name
:
Add an hook to reload nginx when there are new ssl keys
template
:
src
:
reload-nginx.sh
dest
:
/usr/local/share/ssl-keys/hooks/nginx.sh
mode
:
0550
owner
:
root
group
:
ssl-keys
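Review bot: the sudoers drop-in task should validate before install and set a restrictive mode: `template` defaults to 0644 and does no syntax check, and a malformed file in `/etc/sudoers.d` breaks sudo for every account on the host. Add `mode: 0440` and `validate: '/usr/sbin/visudo -cf %s'` to the `sudoers-ssl-keys` task. Separately, the hook is installed to `/usr/local/share/ssl-keys/hooks/nginx.sh`, but `cron.sh` only iterates `/etc/ssl-keys/hooks`, so nginx would never be reloaded; the `dest` should be `/etc/ssl-keys/hooks/nginx.sh`. Adding www-data to `ssl-keys-read` is the right least-privilege way to let nginx read the certificates, but everything else that runs as www-data on the host gains read access to the private keys as well; worth a comment on the task.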
roles/nginx/templates/reload-nginx.sh
0 → 100644
#!/bin/bash
#
# {{ ansible_managed }}
#
sudo
/bin/systemctl reload nginx.service
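Review bot: this hook runs non-interactively from the timer, so use `sudo -n` (and `set -euo pipefail`, as `cron.sh` already does) so that a missing or mistyped sudoers rule fails immediately instead of hanging on a password prompt. The command must stay byte-identical to the one in `sudoers-ssl-keys` (`/bin/systemctl reload nginx.service`) for the NOPASSWD rule to match.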
roles/nginx/templates/sudoers-ssl-keys
0 → 100644
#
# {{ ansible_managed }}
#
ssl-keys ALL=(root) NOPASSWD: /bin/systemctl reload nginx.service
roles/ssl-keys/defaults/main.yml
0 → 100644
---
letsencrypt_email
:
false
roles/ssl-keys/handlers/main.yml
0 → 100644
---
-
name
:
ssl-keys.request
service
:
name
:
request-ssl-keys
state
:
started
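Review bot: this handler starts a unit whose file is templated in the same play, but the `daemon-reload` is left to the separate `common.reload-systemd` handler, and handlers run in the order they were defined, not the order they were notified; unless the common role's handler is defined first, `systemctl start request-ssl-keys` can run before systemd has read the new unit. Using the `systemd` module here with `daemon_reload: yes` removes that dependency. Also note that `state: started` on a `Type=oneshot` unit blocks the play until `cron.sh` and every hook have finished.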
roles/ssl-keys/tasks/common.yml
0 → 100644
---
-
name
:
Create the ssl-keys-read group
group
:
name
:
ssl-keys-read
state
:
present
-
name
:
Create the ssl-keys user
user
:
name
:
ssl-keys
state
:
present
createhome
:
no
groups
:
ssl-keys-read
system
:
yes
-
name
:
Create the /etc/ssl-keys directory
file
:
path
:
/etc/ssl-keys
state
:
directory
mode
:
0550
owner
:
root
group
:
ssl-keys-read
-
name
:
Create the /etc/ssl-keys/hooks directory
file
:
path
:
/etc/ssl-keys/hooks
state
:
directory
mode
:
0550
owner
:
root
group
:
ssl-keys
-
name
:
Create the /etc/ssl-keys/certs directory
file
:
path
:
/etc/ssl-keys/certs
state
:
directory
# This directory has the setgid bit to assign the ssl-read-keys group to
# newly-created files
mode
:
02750
owner
:
ssl-keys
group
:
ssl-keys-read
-
name
:
Ensure the /etc/ssl-keys/domains file exists
command
:
touch /etc/ssl-keys/domains
args
:
creates
:
/etc/ssl-keys/domains
-
name
:
Set permissions on the /etc/ssl-keys/domains file
file
:
path
:
/etc/ssl-keys/domains
mode
:
0440
owner
:
root
group
:
ssl-keys
-
name
:
Upload the cron.sh script
template
:
src
:
cron.sh
dest
:
/etc/ssl-keys/cron.sh
mode
:
0750
owner
:
root
group
:
ssl-keys
-
name
:
Upload the systemd timer
template
:
src
:
"
{{
item
}}"
dest
:
"
/etc/systemd/system/{{
item
}}"
with_items
:
-
request-ssl-keys.service
-
request-ssl-keys.timer
-
name
:
Enable the systemd timer
service
:
name
:
request-ssl-keys
enabled
:
yes
notify
:
-
common.reload-systemd
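Review bot: "Enable the systemd timer" enables the wrong unit: `name: request-ssl-keys` resolves to `request-ssl-keys.service`, which has no `[Install]` section and so cannot be enabled, while `request-ssl-keys.timer` (the unit that carries `WantedBy=timers.target`) stays disabled and the weekly run never happens; use `name: request-ssl-keys.timer`. Two smaller points: the comment above the certs directory says `ssl-read-keys` but the group is `ssl-keys-read`; and the setgid 02750 directory guarantees the group of new files, not their mode, so `request.sh` should set `umask 027` (or chmod explicitly) so private keys it writes are never world-readable even if the directory permissions are ever loosened.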
roles/ssl-keys/tasks/letsencrypt.yml
0 → 100644
---
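Review bot: this file is empty, yet `roles/ssl-keys/tasks/main.yml` includes it whenever `letsencrypt_email` is set and `envs/prod/group_vars/roadhouse.yml` in this commit sets it, so the role installs no `request.sh` on roadhouse and the timer job exits non-zero. Until the Let's Encrypt tasks land, a `fail:` task here (or a `debug:` with a clear message) makes the WIP state visible in the play output rather than in the journal a week later.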
roles/ssl-keys/tasks/main.yml
0 → 100644
---
-
include_tasks
:
common.yml
-
include_tasks
:
self-signed.yml
when
:
not letsencrypt_email
-
include_tasks
:
letsencrypt.yml
when
:
letsencrypt_email
roles/ssl-keys/tasks/self-signed.yml
0 → 100644
---
-
name
:
TODO
file
:
path
:
/etc/ssl-keys/request.sh
state
:
touch
mode
:
0755
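Review bot: the task is named `TODO` and `state: touch` leaves an empty but executable `/etc/ssl-keys/request.sh`, so the self-signed path is a no-op while `cron.sh` still fires every hook (including the nginx reload) although nothing was generated. `state: touch` also bumps the mtime on every run, so the task reports `changed` each time. Once the real script exists, deliver it with `template` and the same ownership `cron.sh` uses (`mode: 0750`, owner root, group ssl-keys) so the ssl-keys user can execute but not modify it.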
roles/ssl-keys/templates/cron.sh
0 → 100644
#!/bin/bash
#
# {{ ansible_managed }}
#
set
-euo
pipefail
IFS
=
$'
\n\t
'
BASE
=
"/etc/ssl-keys"
if
[[
"
`
whoami
`
"
!=
"ssl-keys"
]]
;
then
echo
"This must be run as ssl-keys!"
exit
1
fi
"
${
BASE
}
/request.sh"
for
hook
in
`
ls
-1
"
${
BASE
}
/hooks"
`
;
do
if
[[
-x
"
${
BASE
}
/hooks/
${
hook
}
"
]]
;
then
"
${
BASE
}
/hooks/
${
hook
}
"
fi
done
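Review bot: the hook loop parses `ls` output inside backticks; with `set -u` and the custom `IFS` this works for plain file names, but a glob is simpler and robust: `for hook in "${BASE}"/hooks/*; do`. Likewise prefer `$(id -un)` over backticked `whoami` (and `$USER` cannot be relied on under systemd). Hooks also run unconditionally after `request.sh`; if `request.sh` signalled whether anything changed (exit status or a marker file), nginx would only be reloaded when a new certificate exists. The hooks directory being 0550 root:ssl-keys is the right property to keep: the hooks run as ssl-keys, which can `sudo systemctl reload nginx.service`, so only root must be able to add to that directory.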
roles/ssl-keys/templates/request-ssl-keys.service
0 → 100644
[Unit]
Description=Request new SSL keys
[Service]
Type=oneshot
ExecStart=/etc/ssl-keys/cron.sh
User=ssl-keys
Group=ssl-keys
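Review bot: running as the unprivileged `ssl-keys` user is the right default; since the job needs to write only under `/etc/ssl-keys/certs`, consider `ProtectSystem=strict` with `ReadWritePaths=/etc/ssl-keys/certs`, `ProtectHome=true` and `PrivateTmp=true`. Do not add `NoNewPrivileges=true`: the nginx hook relies on `sudo` and would break. The unit has no `[Install]` section, which is fine for a timer-driven service, but it means `common.yml` must enable the `.timer` rather than this unit.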
roles/ssl-keys/templates/request-ssl-keys.timer
0 → 100644
[Unit]
Description=Automatic weekly renew of the SSL keys
[Timer]
Interval=weekly
Persistent=true
[Install]
WantedBy=timers.target
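Review bot: `Interval=weekly` is not a systemd timer directive; systemd logs an unknown-key warning and ignores it, leaving a timer with no trigger that never fires. Use `OnCalendar=weekly` (with `Persistent=true`, as already set, so a run missed while the host was down is caught up after boot). A `RandomizedDelaySec=` of a few hours is worth adding so that every host running this role does not contact the CA at the same instant.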