Commit d66b22c0 authored by Mattia Rizzolo's avatar Mattia Rizzolo

Merge branch 'ssl-keys'

Signed-off-by: Mattia Rizzolo's avatarMattia Rizzolo <mattia@debian.org>
parents b4e49f7f 6fe70609
---
letsencrypt_email: gruppo-sistemisti@liste.ubuntu-it.org
...@@ -14,6 +14,8 @@ ...@@ -14,6 +14,8 @@
- mattia - mattia
- pietro - pietro
- role: ssl-keys
- role: nginx - role: nginx
proxy: proxy:
# code.ubuntu-it.org: spock.lxd:80 # code.ubuntu-it.org: spock.lxd:80
......
...@@ -8,3 +8,15 @@ ...@@ -8,3 +8,15 @@
with_dict: "{{ proxy }}" with_dict: "{{ proxy }}"
notify: notify:
- nginx.reload - nginx.reload
- name: Request an SSL certificate for the domains
lineinfile:
path: /usr/local/share/ssl-keys/domains
line: "{{ item }}"
state: present
with_items: "{{ proxy.keys() }}"
notify:
- ssl-keys.request
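Review bot: The domains file written here, `path: /usr/local/share/ssl-keys/domains`, is not the file the rest of this commit reads: the ssl-keys role ensures `{{ ssl_home }}/domains` in common.yml and the dehydrated config sets `DOMAINS_TXT` to that same path, so the hostnames added by this task never reach the certificate request. `path: "{{ ssl_home }}/domains"` keeps the two in agreement, and `ssl_home` is already relied on by this role's next hunk. The task notifies `ssl-keys.request`, but no handler of that name is visible in this commit; if it is meant to live in the ssl-keys role, it is worth confirming that the handler is actually loaded in this play, otherwise the notify fails at runtime.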
...@@ -40,3 +40,12 @@ ...@@ -40,3 +40,12 @@
notify: notify:
- common.reload-firewall - common.reload-firewall
- name: Add an hook to reload nginx when there are new ssl keys
template:
src: reload-nginx.sh
dest: "{{ ssl_home }}/hooks"
mode: 0755
owner: root
group: ssl-keys
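Review bot: `{{ ssl_home }}` on the dest line is a default of the ssl-keys role, so this task only works when ssl-keys has already run in the same play (it does, from the role order in the first hunk); a `dependencies` entry on the nginx role or a role-local default would make that explicit instead of depending on play ordering. Nothing visible in this commit executes the scripts placed in `{{ ssl_home }}/hooks` — the dehydrated hook script calls its reload functions directly rather than iterating that directory — so presumably a later change wires it up; worth confirming. `mode: 0755` is the YAML 1.1 octal form, which Ansible accepts, but `mode: "0755"` is the spelling that survives a tool dropping the leading zero.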
#!/bin/bash
#
# {{ ansible_managed }}
#
sudo service nginx reload
---
letsencrypt_email: false
local_webserver: false
ssl_home: /etc/ssl
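Review bot: `ssl_home: /etc/ssl` points the role at the distribution's own certificate directory; common.yml then re-owns `/etc/ssl` as root:ssl-cert, makes it the home of the ssl-keys user and creates `hooks`, `localcerts` and `domains` inside it, which mixes role state with system files. A dedicated directory such as `/etc/ssl-keys` (which self-signed.yml already hard-codes) would avoid changing the group of `/etc/ssl` and keep the role's files in one place. `letsencrypt_email: false` is used both as a boolean switch in main.yml and as a string in the dehydrated config; a comment above it, `# set to a contact address to enable Let's Encrypt; false selects self-signed`, would document the dual use.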
---
- name: Create the ssl-keys user
user:
name: ssl-keys
comment: User handling this server SSL keys
createhome: yes
home: "{{ ssl_home }}"
shell: /bin/false
generate_ssh_key: no
group: ssl-cert
system: yes
- name: Make sure of ssl_home permissions
file:
path: "{{ ssl_home }}"
state: directory
mode: 0755
owner: root
group: ssl-cert
- name: Create the ssl_home/hooks directory
file:
path: "{{ ssl_home }}/hooks"
state: directory
mode: 0755
owner: root
group: ssl-keys
- name: Create the ssl_home/localcerts directory
file:
path: "{{ ssl_home }}/localcerts"
state: directory
mode: 0740
owner: ssl-keys
group: ssl-cert
- name: Ensure the ssl_home/domains file exists
file:
dest: "{{ ssl_home }}/domains"
force: no
owner: root
group: ssl-cert
- name: configure sudo so cron can renew certs by itself
template:
src: sudoers
dest: /etc/sudoers.d/ssl
owner: root
group: root
mode: 0440
validate: visudo -cf %s
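Review bot: The "Ensure the ssl_home/domains file exists" task cannot create the file: the `file` module's default state is `file`, which only reports on an existing path and fails when it is missing, and `force: no` does not change that — it needs `state: touch`. `mode: 0740` on `localcerts` gives the ssl-cert group read but not execute on a directory, so group members can list names but cannot open any key or certificate inside it; `0750` is what that layout needs. The user task sets `group: ssl-cert` as the primary group, in which case useradd creates no private `ssl-keys` group, yet later tasks (the hooks directory here, the nginx hook template, the acme-challenges directory) use `group: ssl-keys`; unless that group exists from elsewhere, a preceding `group: name=ssl-keys system=yes` task is required. The `yes`/`no` values on the user task are YAML 1.1 booleans; `true`/`false` is the portable spelling.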
---
- name: Be sure the dehydrated client is installed
apt: name=dehydrated state=present
- name: Copy dehydrated config file
template: src=letsencrypt/config
dest=/etc/dehydrated/conf.d/config.sh
owner=root
group=root
mode=0644
- name: Copy the hooks cript
template: src=letsencrypt/hooks.sh
dest=/etc/dehydrated/hooks.sh
owner=root
group=root
mode=0755
- name: Install the cronjob
cron:
cron_file: ssl
state: present
user: letsencrypt
special_time: weekly
env: "{{ item.env }}"
name: "{{ item.name }}"
job: "{{ item.job }}"
with_items:
- env: true
name: MAILTO
job: root
- env: false
name: ssl-keys
job: chronic dehydrated -c
- name: Install the apache configuration
apt: name=dehydrated-apache2 state=present
when:
- local_webserver == 'apache'
- name: Install the nginx configuration
template:
src: letsencrypt/nginx.conf
dest: /etc/nginx/snippets/dehydrated.conf
owner: root
group: root
mode: 0444
when:
- local_webserver == 'nginx'
- name: Create the acme-challenges directory
file: path=/var/lib/dehydrated/acme-challenges
owner=ssl-keys
group=ssl-keys
mode=0755
state=directory
- name: change owner of /var/lib/dehydrated to ssl-keys:ssl-cert
command: dpkg-statoverride --update --force --add ssl-keys ssl-cert 755 /var/lib/{{ item }}
changed_when: false
with_items:
- dehydrated
- dehydrated/acme-challenges
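Review bot: The cron entry runs as `user: letsencrypt`, but this commit creates the `ssl-keys` account in common.yml and grants the reload sudo rules to `ssl-keys` in templates/sudoers; on a host without a `letsencrypt` account the job is never executed, and if one exists the reloads in hooks.sh fail on sudo. It should be `user: ssl-keys`. The hook is installed at `/etc/dehydrated/hooks.sh` while the rendered config sets `HOOK="/etc/dehydrated/hook.sh"`, so one of the two paths must change. Smaller points: "Copy the hooks cript" is a typo, `changed_when: false` on the `dpkg-statoverride` command hides real changes (checking `dpkg-statoverride --list` first would be more honest), and the `key=value` argument strings on the apt/template/file tasks are the old module-args form where the rest of the role uses block YAML.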
---
- include_tasks: common.yml
- include_tasks: self-signed.yml
when: not letsencrypt_email
- include_tasks: letsencrypt.yml
when: letsencrypt_email
---
- name: TODO
file:
path: /etc/ssl-keys/request.sh
state: touch
mode: 0755
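Review bot: This is the whole of the self-signed path and it only touches an empty, executable `/etc/ssl-keys/request.sh` under a task named `TODO`; when `letsencrypt_email` is false (the role default) the play reports success while no certificate is ever produced. Until the self-signed request is implemented it is clearer to `fail:` with an explicit message (or at least `debug:`) than to leave a 0755 empty script behind. The path also bypasses `ssl_home`, which the rest of the role uses for everything else; `path: "{{ ssl_home }}/request.sh"` keeps it consistent.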
#
# {{ ansible_managed }}
#
PRIVATE_KEY_RENEW="no"
HOOK="/etc/dehydrated/hook.sh"
CONTACT_EMAIL=" {{ letsencrypt_email }}"
DOMAINS_TXT = "{{ ssl_home }}/domains"
CERTDIR = "{{ ssl_home }}/localcerts"
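Review bot: `DOMAINS_TXT = "{{ ssl_home }}/domains"` and `CERTDIR = "{{ ssl_home }}/localcerts"` are not assignments: dehydrated sources this file with bash, and a space around `=` turns each line into an attempt to run a command named `DOMAINS_TXT` / `CERTDIR`, so both settings are lost and the run likely aborts under dehydrated's errexit. They should read `DOMAINS_TXT="{{ ssl_home }}/domains"` and `CERTDIR="{{ ssl_home }}/localcerts"`. `HOOK="/etc/dehydrated/hook.sh"` does not match the `hooks.sh` destination in letsencrypt.yml, and `CONTACT_EMAIL=" {{ letsencrypt_email }}"` carries a leading space into the registered contact address. `PRIVATE_KEY_RENEW="no"` reuses the same private key on every renewal; if that is intended (key pinning), a comment saying so would help, since it forgoes the key rotation renewals would otherwise provide.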
#!/bin/bash
#
# {{ ansible_managed }}
set -eu
OP=$1
_log () {
echo " + ($OP) $*"
}
reload_apache () {
_log "Reloading apache..."
sudo apache2ctl graceful
# the next cert challenge verification would timeout if attempted right after
# not sure what's wrong with it (I observe this behaviour only on magog), so
# let's just sleep a bit for now
sleep 10
}
reload_nginx () {
_log "Reloading nginx..."
sudo service nginx reload
}
reload_postfix () {
_log "Reloading postfix..."
sudo service postfix reload
}
case "$OP" in
deploy_cert)
DOMAIN="$1"
{% if local_webserver == 'nginx' %}
reload_ngnix
{% elif local_webserver == 'apache' %}
reload_apache
{% endif %}
if [ "${DOMAIN}" = "$(hostname -f)" ]; then
reload_postfix
fi
;;
*)
;;
esac
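Review bot: In the `deploy_cert` branch `DOMAIN="$1"` reads the operation name again, because `OP=$1` was never shifted and dehydrated passes the domain as the second argument; the `$(hostname -f)` comparison therefore never matches and postfix is never reloaded — it should be `DOMAIN="$2"`. The nginx branch calls `reload_ngnix`, which is not defined (the function is `reload_nginx`), so under `set -eu` every deployment on an nginx host exits non-zero after the certificate is written. The apache sleep workaround is well commented; a one-liner on the `*)` branch, `# other hook stages need nothing here`, would make the intentional no-op equally explicit.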
#
# {{ ansible_managed }}
#
location /.well-known/acme-challenge/ {
alias /var/lib/dehydrated/acme-challenges/;
disable_symlinks off;
autoindex off;
}
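Review bot: `disable_symlinks off` lets nginx follow any symlink under `/var/lib/dehydrated/acme-challenges/`, a directory writable by the ssl-keys account; the challenge tokens dehydrated writes are plain files, so `disable_symlinks if_not_owner;` limits what a compromised ssl-keys account could expose through this location at no cost. This snippet has to be included from a plain-HTTP server block elsewhere (not in this commit); if that server block redirects to HTTPS, this location must be excluded from the redirect or the HTTP-01 validation fails. A comment above the block, `# served over HTTP for ACME HTTP-01; keep reachable without redirect`, would record that constraint for whoever edits the server block.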
# the SSL auto-renew client should be able to reload services on its own
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/apache2ctl graceful
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service postfix reload