Generalize https setup into its own role
This commit is contained in:
parent
427804d68b
commit
3e52a522f3
2
roles/https/meta/main.yml
Normal file
2
roles/https/meta/main.yml
Normal file
@ -0,0 +1,2 @@
|
||||
---
|
||||
allow_duplicates: yes
|
74
roles/https/tasks/main.yml
Normal file
74
roles/https/tasks/main.yml
Normal file
@ -0,0 +1,74 @@
|
||||
#!/usr/bin/ansible-playbook
|
||||
# vim:ft=ansible:
|
||||
---
|
||||
- name: "Register certificate for {{ website_url }}"
|
||||
block:
|
||||
- name: Set up PKI filesystem hierarchy
|
||||
file:
|
||||
path: "{{ item.dir }}"
|
||||
mode: "{{ item.mode }}"
|
||||
recurse: yes
|
||||
owner: root
|
||||
group: www-data
|
||||
state: directory
|
||||
loop:
|
||||
- { dir: "/etc/pki", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/crt", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/csr", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/private", mode: "0750" }
|
||||
- name: Create ACME account key
|
||||
openssl_privatekey:
|
||||
path: "/etc/pki/cert/private/account.key"
|
||||
- name: Create certificate key
|
||||
openssl_privatekey:
|
||||
path: "/etc/pki/cert/private/{{ website_url }}.key"
|
||||
- name: Create CSR
|
||||
openssl_csr:
|
||||
path: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||||
common_name: "{{ website_url }}"
|
||||
privatekey_path: /etc/pki/cert/private/{{ website_url }}.key
|
||||
email_address: "rehashedsalt@cock.li"
|
||||
- name: Create challenge for CSR
|
||||
acme_certificate:
|
||||
acme_directory: "{{ acme_directory }}"
|
||||
acme_version: 2
|
||||
terms_agreed: yes
|
||||
account_email: "rehashedsalt@cock.li"
|
||||
account_key: "/etc/pki/cert/private/account.key"
|
||||
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||||
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
|
||||
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
|
||||
register: com_challenge
|
||||
- name: Fulfill challenge
|
||||
block:
|
||||
- name: Reload Apache
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
||||
- name: Create well-known directory
|
||||
file:
|
||||
path: "{{ website_webroot }}/.well-known/acme-challenge"
|
||||
mode: "0755"
|
||||
recurse: yes
|
||||
state: directory
|
||||
- name: Copy challenge files
|
||||
copy:
|
||||
dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
|
||||
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
|
||||
- name: Create certificate
|
||||
acme_certificate:
|
||||
acme_directory: "{{ acme_directory }}"
|
||||
acme_version: 2
|
||||
account_key: /etc/pki/cert/private/account.key
|
||||
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||||
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
|
||||
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
|
||||
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
|
||||
data: "{{ com_challenge }}"
|
||||
- name: Clean up
|
||||
file:
|
||||
path: "{{ website_webroot }}/.well-known"
|
||||
state: absent
|
||||
when: com_challenge is changed
|
||||
become: yes
|
@ -112,78 +112,20 @@
|
||||
- "a2enmod ssl"
|
||||
- name: Register certificates
|
||||
block:
|
||||
- name: Set up PKI filesystem hierarchy
|
||||
file:
|
||||
path: "{{ item.dir }}"
|
||||
mode: "{{ item.mode }}"
|
||||
recurse: yes
|
||||
owner: root
|
||||
group: www-data
|
||||
state: directory
|
||||
loop:
|
||||
- { dir: "/etc/pki", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/crt", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/csr", mode: "0750" }
|
||||
- { dir: "/etc/pki/cert/private", mode: "0750" }
|
||||
- name: Create ACME account key
|
||||
openssl_privatekey:
|
||||
path: "/etc/pki/cert/private/account.key"
|
||||
- name: Create certificate key
|
||||
openssl_privatekey:
|
||||
path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
|
||||
- name: Create CSR
|
||||
openssl_csr:
|
||||
path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
|
||||
common_name: "{{ nextcloud_url }}"
|
||||
privatekey_path: /etc/pki/cert/private/{{ nextcloud_url }}.key
|
||||
email_address: "rehashedsalt@cock.li"
|
||||
- name: Create challenge for CSR
|
||||
acme_certificate:
|
||||
acme_directory: "{{ acme_directory }}"
|
||||
acme_version: 2
|
||||
terms_agreed: yes
|
||||
account_email: "rehashedsalt@cock.li"
|
||||
account_key: "/etc/pki/cert/private/account.key"
|
||||
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
|
||||
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
|
||||
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
|
||||
register: com_challenge
|
||||
- name: Fulfill challenge
|
||||
block:
|
||||
- name: Configure insecure virtual host configs
|
||||
template:
|
||||
src: apache2-vhost.conf
|
||||
dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
|
||||
- name: Reload Apache
|
||||
service:
|
||||
name: apache2
|
||||
state: reloaded
|
||||
- name: Create well-known directory
|
||||
file:
|
||||
path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
|
||||
mode: "0755"
|
||||
recurse: yes
|
||||
state: directory
|
||||
- name: Copy challenge files
|
||||
copy:
|
||||
dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
|
||||
content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
|
||||
- name: Create certificate
|
||||
acme_certificate:
|
||||
acme_directory: "{{ acme_directory }}"
|
||||
acme_version: 2
|
||||
account_key: /etc/pki/cert/private/account.key
|
||||
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
|
||||
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
|
||||
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
|
||||
chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
|
||||
data: "{{ com_challenge }}"
|
||||
- name: Clean up
|
||||
file:
|
||||
path: "{{ nextcloud_webroot }}/.well-known"
|
||||
state: absent
|
||||
when: com_challenge is changed
|
||||
# Note: We copy over some insecure configs now
|
||||
# Reason being there's no way for the https role to handle every site's
|
||||
# configuration on its own. If it doesn't have to update the key, it
|
||||
# won't reload Apache and our site will never actually see https downtime
|
||||
- name: Configure insecure virtual host configs
|
||||
template:
|
||||
src: apache2-vhost.conf
|
||||
dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
|
||||
- name: Generate certificate
|
||||
include_role:
|
||||
name: https
|
||||
vars:
|
||||
website_url: "{{ nextcloud_url }}"
|
||||
website_webroot: "{{ nextcloud_webroot }}"
|
||||
- name: Secure Apache
|
||||
block:
|
||||
- name: Copy over virtual host configs
|
||||
|
Loading…
Reference in New Issue
Block a user