Merge branch 'ssl-keys'

Signed-off-by: Mattia Rizzolo <mattia@debian.org>

envs/prod/group_vars/roadhouse.yml

+---
+
+letsencrypt_email: gruppo-sistemisti@liste.ubuntu-it.org

playbooks/roadhouse.yml

@@ -14,6 +14,8 @@
         - mattia
         - pietro
 
+    - role: ssl-keys
+
     - role: nginx
       proxy:
 #        code.ubuntu-it.org: spock.lxd:80

roles/nginx/tasks/proxy.yml

@@ -8,3 +8,15 @@
   with_dict: "{{ proxy }}"
   notify:
     - nginx.reload
+
+
+- name: Request an SSL certificate for the domains
+  lineinfile:
+    path: /usr/local/share/ssl-keys/domains
+    line: "{{ item }}"
+    state: present
+
+  with_items: "{{ proxy.keys() }}"
+
+  notify:
+    - ssl-keys.request

roles/nginx/tasks/setup.yml

@@ -40,3 +40,12 @@
 
   notify:
     - common.reload-firewall
+
+- name: Add an hook to reload nginx when there are new ssl keys
+  template:
+    src: reload-nginx.sh
+    dest: "{{ ssl_home }}/hooks"
+
+    mode: 0755
+    owner: root
+    group: ssl-keys

roles/nginx/templates/reload-nginx.sh

+#!/bin/bash
+#
+# {{ ansible_managed }}
+#
+
+sudo service nginx reload

roles/ssl-keys/defaults/main.yml

+---
+
+letsencrypt_email: false
+local_webserver: false
+ssl_home: /etc/ssl

roles/ssl-keys/tasks/common.yml

+---
+
+- name: Create the ssl-keys user
+  user:
+    name: ssl-keys
+    comment: User handling this server SSL keys
+    createhome: yes
+    home: "{{ ssl_home }}"
+    shell: /bin/false
+    generate_ssh_key: no
+    group: ssl-cert
+    system: yes
+
+- name: Make sure of ssl_home permissions
+  file:
+    path: "{{ ssl_home }}"
+    state: directory
+    mode: 0755
+    owner: root
+    group: ssl-cert
+
+- name: Create the ssl_home/hooks directory
+  file:
+    path: "{{ ssl_home }}/hooks"
+    state: directory
+    mode: 0755
+    owner: root
+    group: ssl-keys
+
+- name: Create the ssl_home/localcerts directory
+  file:
+    path: "{{ ssl_home }}/localcerts"
+    state: directory
+    mode: 0740
+    owner: ssl-keys
+    group: ssl-cert
+
+- name: Ensure the ssl_home/domains file exists
+  file:
+    dest: "{{ ssl_home }}/domains"
+    force: no
+    owner: root
+    group: ssl-cert
+
+- name: configure sudo so cron can renew certs by itself
+  template:
+    src: sudoers
+    dest: /etc/sudoers.d/ssl
+    owner: root
+    group: root
+    mode: 0440
+    validate: visudo -cf %s

roles/ssl-keys/tasks/letsencrypt.yml

+---
+
+- name: Be sure the dehydrated client is installed
+  apt: name=dehydrated state=present
+
+- name: Copy dehydrated config file
+  template: src=letsencrypt/config
+            dest=/etc/dehydrated/conf.d/config.sh
+            owner=root
+            group=root
+            mode=0644
+
+- name: Copy the hooks cript
+  template: src=letsencrypt/hooks.sh
+            dest=/etc/dehydrated/hooks.sh
+            owner=root
+            group=root
+            mode=0755
+
+- name: Install the cronjob
+  cron:
+    cron_file: ssl
+    state: present
+    user: letsencrypt
+    special_time: weekly
+    env: "{{ item.env }}"
+    name: "{{ item.name }}"
+    job: "{{ item.job }}"
+  with_items:
+    - env: true
+      name: MAILTO
+      job: root
+    - env: false
+      name: ssl-keys
+      job: chronic dehydrated -c
+
+- name: Install the apache configuration
+  apt: name=dehydrated-apache2 state=present
+  when:
+    - local_webserver == 'apache'
+
+- name: Install the nginx configuration
+  template:
+    src: letsencrypt/nginx.conf
+    dest: /etc/nginx/snippets/dehydrated.conf
+    owner: root
+    group: root
+    mode: 0444
+  when:
+    - local_webserver == 'nginx'
+
+- name: Create the acme-challenges directory
+  file: path=/var/lib/dehydrated/acme-challenges
+        owner=ssl-keys
+        group=ssl-keys
+        mode=0755
+        state=directory
+
+- name: change owner of /var/lib/dehydrated to ssl-keys:ssl-cert
+  command: dpkg-statoverride --update --force --add ssl-keys ssl-cert 755 /var/lib/{{ item }}
+  changed_when: false
+  with_items:
+    - dehydrated
+    - dehydrated/acme-challenges

roles/ssl-keys/tasks/main.yml

+---
+
+- include_tasks: common.yml
+
+- include_tasks: self-signed.yml
+  when: not letsencrypt_email
+
+- include_tasks: letsencrypt.yml
+  when: letsencrypt_email

roles/ssl-keys/tasks/self-signed.yml

+---
+
+- name: TODO
+  file:
+    path: /etc/ssl-keys/request.sh
+    state: touch
+
+    mode: 0755

roles/ssl-keys/templates/letsencrypt/config

+#
+# {{ ansible_managed }}
+#
+
+PRIVATE_KEY_RENEW="no"
+HOOK="/etc/dehydrated/hook.sh"
+CONTACT_EMAIL=" {{ letsencrypt_email }}"
+
+DOMAINS_TXT = "{{ ssl_home }}/domains"
+CERTDIR = "{{ ssl_home }}/localcerts"

roles/ssl-keys/templates/letsencrypt/hooks.sh

+#!/bin/bash
+#
+# {{ ansible_managed }}
+
+set -eu
+
+OP=$1
+
+_log () {
+    echo " + ($OP) $*"
+}
+
+reload_apache () {
+    _log "Reloading apache..."
+    sudo apache2ctl graceful
+    # the next cert challenge verification would timeout if attempted right after
+    # not sure what's wrong with it (I observe this behaviour only on magog), so
+    # let's just sleep a bit for now
+    sleep 10
+}
+
+reload_nginx () {
+    _log "Reloading nginx..."
+    sudo service nginx reload
+}
+
+reload_postfix () {
+    _log "Reloading postfix..."
+    sudo service postfix reload
+}
+
+
+case "$OP" in
+    deploy_cert)
+        DOMAIN="$1"
+{% if local_webserver == 'nginx' %}
+        reload_ngnix
+{% elif local_webserver == 'apache' %}
+        reload_apache
+{% endif %}
+        if [ "${DOMAIN}" = "$(hostname -f)" ]; then
+            reload_postfix
+        fi
+        ;;
+    *)
+        ;;
+esac
+

roles/ssl-keys/templates/letsencrypt/nginx.conf

+#
+# {{ ansible_managed }}
+#
+
+location /.well-known/acme-challenge/ {
+    alias /var/lib/dehydrated/acme-challenges/;
+    disable_symlinks off;
+    autoindex off;
+}

roles/ssl-keys/templates/sudoers

+# the SSL auto-renew client should be able to reload services on its own
+ssl-keys ALL=(root) NOPASSWD: /usr/sbin/apache2ctl graceful
+ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
+ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service postfix reload