Generalize https setup into its own role

Salt 2020-02-10 00:50:56 -06:00
parent 427804d68b
commit 3e52a522f3
3 changed files with 90 additions and 72 deletions


@ -0,0 +1,2 @@
---
allow_duplicates: yes
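Review bot: `allow_duplicates: yes` uses the YAML 1.1 boolean spelling, which ansible-lint's truthy rule flags; `allow_duplicates: true` means the same thing to Ansible and parses as a boolean under every YAML version. A one-line comment stating why duplicates are needed — presumably because the role is included once per site with a different `website_url` — would save the next reader from checking the callers.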


@ -0,0 +1,74 @@
#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: "Register certificate for {{ website_url }}"
block:
- name: Set up PKI filesystem hierarchy
file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
recurse: yes
owner: root
group: www-data
state: directory
loop:
- { dir: "/etc/pki", mode: "0750" }
- { dir: "/etc/pki/cert", mode: "0750" }
- { dir: "/etc/pki/cert/crt", mode: "0750" }
- { dir: "/etc/pki/cert/csr", mode: "0750" }
- { dir: "/etc/pki/cert/private", mode: "0750" }
- name: Create ACME account key
openssl_privatekey:
path: "/etc/pki/cert/private/account.key"
- name: Create certificate key
openssl_privatekey:
path: "/etc/pki/cert/private/{{ website_url }}.key"
- name: Create CSR
openssl_csr:
path: "/etc/pki/cert/csr/{{ website_url }}.csr"
common_name: "{{ website_url }}"
privatekey_path: /etc/pki/cert/private/{{ website_url }}.key
email_address: "rehashedsalt@cock.li"
- name: Create challenge for CSR
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: yes
account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
register: com_challenge
- name: Fulfill challenge
block:
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ website_webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
- name: Create certificate
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: 2
account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Clean up
file:
path: "{{ website_webroot }}/.well-known"
state: absent
when: com_challenge is changed
become: yes
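Review bot: The `Set up PKI filesystem hierarchy` task combines `recurse: yes` with `mode: "0750"` and `group: www-data`, so on every run after the first it re-applies those attributes to everything under `/etc/pki`, including `account.key` and `{{ website_url }}.key`, which are created later in the block; the ACME account key and the TLS private key then become group-readable by www-data, which is presumably also the account the served application runs as. Dropping `recurse: yes` and giving the key directory a root-only mode, `- { dir: "/etc/pki/cert/private", mode: "0700" }`, keeps key material readable by root alone and no longer undoes whatever mode `openssl_privatekey` applied (Apache normally reads key files as root before dropping privileges — confirm against the vhost setup). The account email `rehashedsalt@cock.li` is still hard-coded in both `email_address` and `account_email` even though the commit generalizes this into a role; a role default such as `acme_account_email` would complete the generalization. The role also documents none of its inputs: a header comment listing the required variables `website_url`, `website_webroot` and `acme_directory`, and noting that the caller must already serve `website_webroot` over plain HTTP before the http-01 challenge runs, would help. Quoting is inconsistent between `privatekey_path` (unquoted) and the other paths; `account_key` likewise differs between the two `acme_certificate` tasks.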


@ -112,78 +112,20 @@
- "a2enmod ssl"
- name: Register certificates
block:
- name: Set up PKI filesystem hierarchy
file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
recurse: yes
owner: root
group: www-data
state: directory
loop:
- { dir: "/etc/pki", mode: "0750" }
- { dir: "/etc/pki/cert", mode: "0750" }
- { dir: "/etc/pki/cert/crt", mode: "0750" }
- { dir: "/etc/pki/cert/csr", mode: "0750" }
- { dir: "/etc/pki/cert/private", mode: "0750" }
- name: Create ACME account key
openssl_privatekey:
path: "/etc/pki/cert/private/account.key"
- name: Create certificate key
openssl_privatekey:
path: "/etc/pki/cert/private/{{ nextcloud_url }}.key"
- name: Create CSR
openssl_csr:
path: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
common_name: "{{ nextcloud_url }}"
privatekey_path: /etc/pki/cert/private/{{ nextcloud_url }}.key
email_address: "rehashedsalt@cock.li"
- name: Create challenge for CSR
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: 2
terms_agreed: yes
account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
register: com_challenge
- name: Fulfill challenge
block:
# Note: We copy over some insecure configs now
# Reason being there's no way for the https role to handle every site's
# configuration on its own. If it doesn't have to update the key, it
# won't reload Apache and our site will never actually see https downtime
- name: Configure insecure virtual host configs
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ nextcloud_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ nextcloud_webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ nextcloud_webroot }}/{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][nextcloud_url]['http-01']['resource_value'] }}"
- name: Create certificate
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: 2
account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ nextcloud_url }}.csr"
dest: "/etc/pki/cert/crt/{{ nextcloud_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ nextcloud_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Clean up
file:
path: "{{ nextcloud_webroot }}/.well-known"
state: absent
when: com_challenge is changed
- name: Generate certificate
include_role:
name: https
vars:
website_url: "{{ nextcloud_url }}"
website_webroot: "{{ nextcloud_webroot }}"
- name: Secure Apache
block:
- name: Copy over virtual host configs