Skip to content
Projects
Groups
Snippets
Help
Loading...
Help
Support
Keyboard shortcuts
?
Submit feedback
Contribute to GitLab
Sign in
Toggle navigation
S
servers-config
Project overview
Project overview
Details
Activity
Releases
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Issues
0
Issues
0
List
Boards
Labels
Milestones
Merge Requests
0
Merge Requests
0
Analytics
Analytics
Repository
Value Stream
Wiki
Wiki
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Create a new issue
Commits
Issue Boards
Open sidebar
Gruppo Sistemisti
servers-config
Commits
d66b22c0
Commit
d66b22c0
authored
Mar 15, 2018
by
Mattia Rizzolo
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'ssl-keys'
Signed-off-by:
Mattia Rizzolo
<
mattia@debian.org
>
parents
b4e49f7f
6fe70609
Changes
14
Show whitespace changes
Inline
Side-by-side
Showing
14 changed files
with
241 additions
and
0 deletions
+241
-0
envs/prod/group_vars/roadhouse.yml
envs/prod/group_vars/roadhouse.yml
+3
-0
playbooks/roadhouse.yml
playbooks/roadhouse.yml
+2
-0
roles/nginx/tasks/proxy.yml
roles/nginx/tasks/proxy.yml
+12
-0
roles/nginx/tasks/setup.yml
roles/nginx/tasks/setup.yml
+9
-0
roles/nginx/templates/reload-nginx.sh
roles/nginx/templates/reload-nginx.sh
+6
-0
roles/ssl-keys/defaults/main.yml
roles/ssl-keys/defaults/main.yml
+5
-0
roles/ssl-keys/tasks/common.yml
roles/ssl-keys/tasks/common.yml
+52
-0
roles/ssl-keys/tasks/letsencrypt.yml
roles/ssl-keys/tasks/letsencrypt.yml
+64
-0
roles/ssl-keys/tasks/main.yml
roles/ssl-keys/tasks/main.yml
+9
-0
roles/ssl-keys/tasks/self-signed.yml
roles/ssl-keys/tasks/self-signed.yml
+8
-0
roles/ssl-keys/templates/letsencrypt/config
roles/ssl-keys/templates/letsencrypt/config
+10
-0
roles/ssl-keys/templates/letsencrypt/hooks.sh
roles/ssl-keys/templates/letsencrypt/hooks.sh
+48
-0
roles/ssl-keys/templates/letsencrypt/nginx.conf
roles/ssl-keys/templates/letsencrypt/nginx.conf
+9
-0
roles/ssl-keys/templates/sudoers
roles/ssl-keys/templates/sudoers
+4
-0
No files found.
envs/prod/group_vars/roadhouse.yml
0 → 100644
View file @
d66b22c0
---
letsencrypt_email
:
gruppo-sistemisti@liste.ubuntu-it.org
playbooks/roadhouse.yml
View file @
d66b22c0
...
@@ -14,6 +14,8 @@
...
@@ -14,6 +14,8 @@
-
mattia
-
mattia
-
pietro
-
pietro
-
role
:
ssl-keys
-
role
:
nginx
-
role
:
nginx
proxy
:
proxy
:
# code.ubuntu-it.org: spock.lxd:80
# code.ubuntu-it.org: spock.lxd:80
...
...
roles/nginx/tasks/proxy.yml
View file @
d66b22c0
...
@@ -8,3 +8,15 @@
...
@@ -8,3 +8,15 @@
with_dict
:
"
{{
proxy
}}"
with_dict
:
"
{{
proxy
}}"
notify
:
notify
:
-
nginx.reload
-
nginx.reload
-
name
:
Request an SSL certificate for the domains
lineinfile
:
path
:
/usr/local/share/ssl-keys/domains
line
:
"
{{
item
}}"
state
:
present
with_items
:
"
{{
proxy.keys()
}}"
notify
:
-
ssl-keys.request
roles/nginx/tasks/setup.yml
View file @
d66b22c0
...
@@ -40,3 +40,12 @@
...
@@ -40,3 +40,12 @@
notify
:
notify
:
-
common.reload-firewall
-
common.reload-firewall
-
name
:
Add an hook to reload nginx when there are new ssl keys
template
:
src
:
reload-nginx.sh
dest
:
"
{{
ssl_home
}}/hooks"
mode
:
0755
owner
:
root
group
:
ssl-keys
roles/nginx/templates/reload-nginx.sh
0 → 100644
View file @
d66b22c0
#!/bin/bash
#
# {{ ansible_managed }}
#
sudo
service nginx reload
roles/ssl-keys/defaults/main.yml
0 → 100644
View file @
d66b22c0
---
letsencrypt_email
:
false
local_webserver
:
false
ssl_home
:
/etc/ssl
roles/ssl-keys/tasks/common.yml
0 → 100644
View file @
d66b22c0
---
-
name
:
Create the ssl-keys user
user
:
name
:
ssl-keys
comment
:
User handling this server SSL keys
createhome
:
yes
home
:
"
{{
ssl_home
}}"
shell
:
/bin/false
generate_ssh_key
:
no
group
:
ssl-cert
system
:
yes
-
name
:
Make sure of ssl_home permissions
file
:
path
:
"
{{
ssl_home
}}"
state
:
directory
mode
:
0755
owner
:
root
group
:
ssl-cert
-
name
:
Create the ssl_home/hooks directory
file
:
path
:
"
{{
ssl_home
}}/hooks"
state
:
directory
mode
:
0755
owner
:
root
group
:
ssl-keys
-
name
:
Create the ssl_home/localcerts directory
file
:
path
:
"
{{
ssl_home
}}/localcerts"
state
:
directory
mode
:
0740
owner
:
ssl-keys
group
:
ssl-cert
-
name
:
Ensure the ssl_home/domains file exists
file
:
dest
:
"
{{
ssl_home
}}/domains"
force
:
no
owner
:
root
group
:
ssl-cert
-
name
:
configure sudo so cron can renew certs by itself
template
:
src
:
sudoers
dest
:
/etc/sudoers.d/ssl
owner
:
root
group
:
root
mode
:
0440
validate
:
visudo -cf %s
roles/ssl-keys/tasks/letsencrypt.yml
0 → 100644
View file @
d66b22c0
---
-
name
:
Be sure the dehydrated client is installed
apt
:
name=dehydrated state=present
-
name
:
Copy dehydrated config file
template
:
src=letsencrypt/config
dest=/etc/dehydrated/conf.d/config.sh
owner=root
group=root
mode=0644
-
name
:
Copy the hooks cript
template
:
src=letsencrypt/hooks.sh
dest=/etc/dehydrated/hooks.sh
owner=root
group=root
mode=0755
-
name
:
Install the cronjob
cron
:
cron_file
:
ssl
state
:
present
user
:
letsencrypt
special_time
:
weekly
env
:
"
{{
item.env
}}"
name
:
"
{{
item.name
}}"
job
:
"
{{
item.job
}}"
with_items
:
-
env
:
true
name
:
MAILTO
job
:
root
-
env
:
false
name
:
ssl-keys
job
:
chronic dehydrated -c
-
name
:
Install the apache configuration
apt
:
name=dehydrated-apache2 state=present
when
:
-
local_webserver == 'apache'
-
name
:
Install the nginx configuration
template
:
src
:
letsencrypt/nginx.conf
dest
:
/etc/nginx/snippets/dehydrated.conf
owner
:
root
group
:
root
mode
:
0444
when
:
-
local_webserver == 'nginx'
-
name
:
Create the acme-challenges directory
file
:
path=/var/lib/dehydrated/acme-challenges
owner=ssl-keys
group=ssl-keys
mode=0755
state=directory
-
name
:
change owner of /var/lib/dehydrated to ssl-keys:ssl-cert
command
:
dpkg-statoverride --update --force --add ssl-keys ssl-cert 755 /var/lib/{{ item }}
changed_when
:
false
with_items
:
-
dehydrated
-
dehydrated/acme-challenges
roles/ssl-keys/tasks/main.yml
0 → 100644
View file @
d66b22c0
---
-
include_tasks
:
common.yml
-
include_tasks
:
self-signed.yml
when
:
not letsencrypt_email
-
include_tasks
:
letsencrypt.yml
when
:
letsencrypt_email
roles/ssl-keys/tasks/self-signed.yml
0 → 100644
View file @
d66b22c0
---
-
name
:
TODO
file
:
path
:
/etc/ssl-keys/request.sh
state
:
touch
mode
:
0755
roles/ssl-keys/templates/letsencrypt/config
0 → 100644
View file @
d66b22c0
#
# {{ ansible_managed }}
#
PRIVATE_KEY_RENEW="no"
HOOK="/etc/dehydrated/hook.sh"
CONTACT_EMAIL=" {{ letsencrypt_email }}"
DOMAINS_TXT = "{{ ssl_home }}/domains"
CERTDIR = "{{ ssl_home }}/localcerts"
roles/ssl-keys/templates/letsencrypt/hooks.sh
0 → 100644
View file @
d66b22c0
#!/bin/bash
#
# {{ ansible_managed }}
set
-eu
OP
=
$1
_log
()
{
echo
" + (
$OP
)
$*
"
}
reload_apache
()
{
_log
"Reloading apache..."
sudo
apache2ctl graceful
# the next cert challenge verification would timeout if attempted right after
# not sure what's wrong with it (I observe this behaviour only on magog), so
# let's just sleep a bit for now
sleep
10
}
reload_nginx
()
{
_log
"Reloading nginx..."
sudo
service nginx reload
}
reload_postfix
()
{
_log
"Reloading postfix..."
sudo
service postfix reload
}
case
"
$OP
"
in
deploy_cert
)
DOMAIN
=
"
$1
"
{
%
if
local_webserver
==
'nginx'
%
}
reload_ngnix
{
%
elif
local_webserver
==
'apache'
%
}
reload_apache
{
% endif %
}
if
[
"
${
DOMAIN
}
"
=
"
$(
hostname
-f
)
"
]
;
then
reload_postfix
fi
;;
*
)
;;
esac
roles/ssl-keys/templates/letsencrypt/nginx.conf
0 → 100644
View file @
d66b22c0
#
# {{ ansible_managed }}
#
location
/.well-known/acme-challenge/
{
alias
/var/lib/dehydrated/acme-challenges/
;
disable_symlinks
off
;
autoindex
off
;
}
roles/ssl-keys/templates/sudoers
0 → 100644
View file @
d66b22c0
# the SSL auto-renew client should be able to reload services on its own
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/apache2ctl graceful
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service nginx reload
ssl-keys ALL=(root) NOPASSWD: /usr/sbin/service postfix reload
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment