diff --git a/roles/https/meta/main.yml b/roles/https/meta/main.yml
new file mode 100644
index 0000000..a3b0acf
--- /dev/null
+++ b/roles/https/meta/main.yml
@@ -0,0 +1,2 @@
+---
+allow_duplicates: yes
diff --git a/roles/https/tasks/main.yml b/roles/https/tasks/main.yml
new file mode 100644
index 0000000..792ab0f
--- /dev/null
+++ b/roles/https/tasks/main.yml
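Review bot: `allow_duplicates: yes` uses a YAML 1.1 truthy spelling that yamllint's truthy rule rejects and that generic 1.2 parsers read as the string "yes"; Ansible accepts it, but the canonical form is `allow_duplicates: true`. The rest of the new meta file is fine.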
@@ -0,0 +1,74 @@
+#!/usr/bin/ansible-playbook
+# vim:ft=ansible:
+---
+- name: "Register certificate for {{ website_url }}"
+ block:
+ - name: Set up PKI filesystem hierarchy
+ file:
+ path: "{{ item.dir }}"
+ mode: "{{ item.mode }}"
+ recurse: yes
+ owner: root
+ group: www-data
+ state: directory
+ loop:
+ - { dir: "/etc/pki", mode: "0750" }
+ - { dir: "/etc/pki/cert", mode: "0750" }
+ - { dir: "/etc/pki/cert/crt", mode: "0750" }
+ - { dir: "/etc/pki/cert/csr", mode: "0750" }
+ - { dir: "/etc/pki/cert/private", mode: "0750" }
+ - name: Create ACME account key
+ openssl_privatekey:
+ path: "/etc/pki/cert/private/account.key"
+ - name: Create certificate key
+ openssl_privatekey:
+ path: "/etc/pki/cert/private/{{ website_url }}.key"
+ - name: Create CSR
+ openssl_csr:
+ path: "/etc/pki/cert/csr/{{ website_url }}.csr"
+ common_name: "{{ website_url }}"
+ privatekey_path: /etc/pki/cert/private/{{ website_url }}.key
+ email_address: "rehashedsalt@cock.li"
+ - name: Create challenge for CSR
+ acme_certificate:
+ acme_directory: "{{ acme_directory }}"
+ acme_version: 2
+ terms_agreed: yes
+ account_email: "rehashedsalt@cock.li"
+ account_key: "/etc/pki/cert/private/account.key"
+ csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+ dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+ fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+ register: com_challenge
+ - name: Fulfill challenge
+ block:
+ - name: Reload Apache
+ service:
+ name: apache2
+ state: reloaded
+ - name: Create well-known directory
+ file:
+ path: "{{ website_webroot }}/.well-known/acme-challenge"
+ mode: "0755"
+ recurse: yes
+ state: directory
+ - name: Copy challenge files
+ copy:
+ dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
+ content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
+ - name: Create certificate
+ acme_certificate:
+ acme_directory: "{{ acme_directory }}"
+ acme_version: 2
+ account_key: /etc/pki/cert/private/account.key
+ csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
+ dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
+ fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
+ chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
+ data: "{{ com_challenge }}"
+ - name: Clean up
+ file:
+ path: "{{ website_webroot }}/.well-known"
+ state: absent
+ when: com_challenge is changed
+ become: yes
diff --git a/roles/nextcloud/tasks/main.yml b/roles/nextcloud/tasks/main.yml
index 8761308..ebd3a9a 100644
--- a/roles/nextcloud/tasks/main.yml
+++ b/roles/nextcloud/tasks/main.yml
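Review bot: The `Set up PKI filesystem hierarchy` task combines `recurse: yes` with `mode: "{{ item.mode }}"` and `group: www-data`, and the `file` module's `recurse` applies those attributes to the existing contents of each directory, so on any run after the first (and this role is now included once per site) `account.key` and `{{ website_url }}.key` under `/etc/pki/cert/private` are rewritten to `0750` root:www-data, which makes the private keys group-readable by the web server account. Drop `recurse: yes` from that task, since the loop already names every directory it needs, and pin the key files explicitly on both `openssl_privatekey` tasks with `mode: "0600"`. `email_address` and `account_email` are hard-coded to a single address in what is now a shared role; a role default such as `acme_email` would keep the role reusable. `terms_agreed: yes`, `recurse: yes` and `become: yes` would also read better as `true`, and `privatekey_path` and the second `account_key` are the only templated paths left unquoted.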
@@ -112,78 +112,20 @@ - "a2enmod ssl" - name: Register certificates block: - - name: Set up PKI filesystem hierarchy - file: - path: "{{ item.dir }}" - mode: "{{ item.mode }}" - recurse: yes - owner: root - group: www-data - state: directory - loop: - - { dir: "/etc/pki", mode: "0750" } - - { dir: "/etc/pki/cert", mode: "0750" } - - { dir: "/etc/pki/cert/crt", mode: "0750" } - - { dir: "/etc/pki/cert/csr", mode: "0750" } - - { dir: "/etc/pki/cert/private", mode: "0750" } - - name: Create ACME account key - openssl_privatekey: - path: "/etc/pki/cert/private/account.key" - - name: Create certificate key - openssl_privatekey: - path: "/etc/pki/cert/private/{{ nextcloud_url }}.key" - - name: Create CSR - openssl_csr: - path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr" - common_name: "{{ nextcloud_url }}" - privatekey_path: /etc/pki/cert/private/{{ nextcloud_url }}.key - email_address: "rehashedsalt@cock.li" - - name: Create challenge for CSR - acme_certificate: - acme_directory: "{{ acme_directory }}" - acme_version: 2 - terms_agreed: yes - account_email: "rehashedsalt@cock.li" - account_key: "/etc/pki/cert/private/account.key" - csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr" - dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt" - fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt" - register: com_challenge - - name: Fulfill challenge - block: - - name: Configure insecure virtual host configs - template: - src: apache2-vhost.conf - dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf" - - name: Reload Apache - service: - name: apache2 - state: reloaded - - name: Create well-known directory - file: - path: "{{ nextcloud_webroot }}/.well-known/acme-challenge" - mode: "0755" - recurse: yes - state: directory - - name: Copy challenge files - copy: - dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}" - content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}" 
- - name: Create certificate - acme_certificate: - acme_directory: "{{ acme_directory }}" - acme_version: 2 - account_key: /etc/pki/cert/private/account.key - csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr" - dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt" - fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt" - chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt" - data: "{{ com_challenge }}" - - name: Clean up - file: - path: "{{ nextcloud_webroot }}/.well-known" - state: absent - when: com_challenge is changed + # Note: We copy over some insecure configs now + # Reason being there's no way for the https role to handle every site's + # configuration on its own. If it doesn't have to update the key, it + # won't reload Apache and our site will never actually see https downtime + - name: Configure insecure virtual host configs + template: + src: apache2-vhost.conf + dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf" + - name: Generate certificate + include_role: + name: https + vars: + website_url: "{{ nextcloud_url }}" + website_webroot: "{{ nextcloud_webroot }}" - name: Secure Apache block: - name: Copy over virtual host configs
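Review bot: The new comment says the https role will not reload Apache if it does not have to update the key, but the included role gates its reload and the whole `Fulfill challenge` block on `com_challenge is changed`, i.e. on whether the ACME challenge task reported a change, not on the key; suggest rewording to `# The https role only reloads Apache when its ACME challenge task reports a change`. The `include_role` passes only `website_url` and `website_webroot` in `vars:`, while the included role also reads `acme_directory`; that appears to come from play or inventory scope, and naming it in the comment (or passing it explicitly) would make the dependency visible to the caller. The surrounding task list continues outside the hunk on both sides.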