d4science-infrastructure/group_vars/ldap_liferay/all.yml: Enable ssl with the use of letsencrypt certificates.

library/roles/haproxy/files: Fix to the acme scripts, the certificate path has become /etc/pki/haproxy/haproxy.pem. library/roles/openldap-server/tasks/openldap_initializazion.yml: Fix the certificates initialization. library/roles/ubuntu-deb-general/tasks/pki-basics.yml: Create a self signed certificate while waiting the letsencrypt one.
2016-04-20 15:21:19 +02:00 · 2016-04-20 15:21:19 +02:00 · b382db3b25
parent 7581a03035
commit b382db3b25
13 changed files with 148 additions and 25 deletions
--- a/haproxy/defaults/main.yml
+++ b/haproxy/defaults/main.yml
@ -1,9 +1,9 @@
 ---
 haproxy_latest_release: True
 haproxy_version: 1.6
-haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
-# For Ubuntu:
-# haproxy_latest_repo: "ppa:vbernat/haproxy-1.5"
+haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
+haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
+haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
 haproxy_pkg_state: latest
 haproxy_enabled: True

--- a/haproxy/files/haproxy-letsencrypt-acme.sh
+++ b/haproxy/files/haproxy-letsencrypt-acme.sh
@ -3,7 +3,7 @@
 LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
 LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
 LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/certs
+HAPROXY_CERTDIR=/etc/pki/haproxy
 HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
 DATE=$( date )

--- a/haproxy/files/haproxy-letsencrypt.sh
+++ b/haproxy/files/haproxy-letsencrypt.sh
@ -3,7 +3,7 @@
 LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
 LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
 LE_LOG_DIR=/var/log/letsencrypt
-HAPROXY_CERTDIR=/etc/pki/certs
+HAPROXY_CERTDIR=/etc/pki/haproxy
 HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
 DATE=$( date )
 echo "$DATE" >> $LE_LOG_DIR/haproxy.log
@ -14,6 +14,8 @@ else
    echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
 fi

+[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR
+
 echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
 cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
 chmod 440 ${HAPROXY_CERTFILE}
--- a/haproxy/tasks/haproxy-service.yml
+++ b/haproxy/tasks/haproxy-service.yml
@ -1,19 +1,27 @@
 ---
 - name: Get the haproxy repo key
-  apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
+  apt_key: url={{ haproxy_repo_key }} state=present
  when: haproxy_latest_release
-  register: haproxy_repo
  tags: haproxy

 - name: Define the haproxy repository
-  apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
-  when: haproxy_latest_release
-  register: haproxy_repo
+  apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes
+  when:
+    - haproxy_latest_release
+    - is_ubuntu
+  tags: haproxy
+
+- name: Define the haproxy repository
+  apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes
+  when:
+    - haproxy_latest_release
+    - is_debian
  tags: haproxy

 - name: Install the haproxy package
  apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
  when: not haproxy_latest_release
+  register: install_haproxy
  tags: haproxy

 - name: Install the haproxy package
@ -21,6 +29,7 @@
  when:
    - haproxy_latest_release
    - is_debian
+  register: install_haproxy
  tags: haproxy

 - name: Install the haproxy package
@ -28,17 +37,20 @@
  when:
    - haproxy_latest_release
    - is_ubuntu
+  register: install_haproxy
  tags: haproxy

 - name: Ensure that haproxy is enabled and started
-  service: name=haproxy state=restarted enabled=yes
+  service: name=haproxy state=started enabled=yes
  when: haproxy_enabled
  ignore_errors: True
  tags: haproxy

 - name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
  service: name=rsyslog state=restarted
-  when: haproxy_enabled
+  when:
+    - haproxy_enabled
+    - ( install_haproxy | changed )
  tags: haproxy

 - name: Ensure that haproxy is stopped and disabled if needed
--- a/letsencrypt-acmetool-client/tasks/main.yml
+++ b/letsencrypt-acmetool-client/tasks/main.yml
@ -23,7 +23,12 @@
  tags: letsencrypt

 - name: Create the letsencrytp acme user
-  user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=yes shell=/bin/bash
+  user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
+  when: letsencrypt_acme_install
+  tags: letsencrypt
+
+- name: Create the letsencrytp acme home, if it does not exist already. In a separate step because it could be already there.
+  file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
  when: letsencrypt_acme_install
  tags: letsencrypt

--- a/letsencrypt-acmetool-client/templates/cert-requirements.j2
+++ b/letsencrypt-acmetool-client/templates/cert-requirements.j2
@ -11,7 +11,10 @@ request:

 key:
  type: {{ letsencrypt_acme_key_type }}
+{% if letsencrypt_acme_key_type == 'rsa' %}
  rsa-size: {{ letsencrypt_acme_rsa_key_size }}
+{% else %}
  ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
+{% endif %}


--- a/openldap-server/defaults/main.yml
+++ b/openldap-server/defaults/main.yml
@ -8,6 +8,7 @@ openldap_pkg_list:
  - ldapscripts
  - db-util

+openldap_slapd_services: 'ldap:/// ldapi:///'
 openldap_slapd_tcp_port: 389
 openldap_slapd_ssl_port: 636
 openldap_slapd_ssl_only: False
--- a/openldap-server/tasks/openldap-letsencrypt.yml
+++ b/openldap-server/tasks/openldap-letsencrypt.yml
@ -1,6 +1,6 @@
 ---
 - name: Install a script that fix the letsencrypt certificates for openldap and then reload the service
-  copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
+  copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openldap owner=root group=root mode=4555
  when:
    - openldap_letsencrypt_managed
    - letsencrypt_acme_install
@ -18,5 +18,8 @@
  args:
    creates: /etc/ldap/.olcSSL.ldif.installed
  notify: Restart openldap 
+  when:
+    - openldap_letsencrypt_managed
+    - letsencrypt_acme_install
  tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]

--- a/openldap-server/tasks/openldap_initializazion.yml
+++ b/openldap-server/tasks/openldap_initializazion.yml
@ -35,4 +35,7 @@
  with_items: '{{ openldap_additional_schemas | default([]) }}'
  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

+- name: Install the default environment for slapd
+  template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644
+  tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
  
--- a/openldap-server/templates/slapd-default.j2
+++ b/openldap-server/templates/slapd-default.j2
@ -0,0 +1,49 @@
+# Default location of the slapd.conf file or slapd.d cn=config directory. If
+# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
+# /etc/ldap/slapd.conf).
+SLAPD_CONF=
+
+# System account to run the slapd server under. If empty the server
+# will run as root.
+SLAPD_USER="openldap"
+
+# System group to run the slapd server under. If empty the server will
+# run in the primary group of its user.
+SLAPD_GROUP="openldap"
+
+# Path to the pid file of the slapd server. If not set the init.d script
+# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
+# default)
+SLAPD_PIDFILE=
+
+# slapd normally serves ldap only on all TCP-ports 389. slapd can also
+# service requests on TCP-port 636 (ldaps) and requests via unix
+# sockets.
+# Example usage:
+# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
+{% if openldap_letsencrypt_managed %}
+SLAPD_SERVICES="ldaps:/// {{ openldap_slapd_services }}"
+{% else %}
+SLAPD_SERVICES="{{ openldap_slapd_services }}"
+{% endif %}
+
+# If SLAPD_NO_START is set, the init script will not start or restart
+# slapd (but stop will still work).  Uncomment this if you are
+# starting slapd via some other means or if you don't want slapd normally
+# started at boot.
+#SLAPD_NO_START=1
+
+# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
+# the init script will not start or restart slapd (but stop will still
+# work).  Use this for temporarily disabling startup of slapd (when doing
+# maintenance, for example, or through a configuration management system)
+# when you don't want to edit a configuration file.
+SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
+
+# For Kerberos authentication (via SASL), slapd by default uses the system
+# keytab file (/etc/krb5.keytab).  To use a different keytab file,
+# uncomment this line and change the path.
+#export KRB5_KTNAME=/etc/krb5.keytab
+
+# Additional options to pass to slapd
+SLAPD_OPTIONS=""
--- a/ubuntu-deb-general/tasks/main.yml
+++ b/ubuntu-deb-general/tasks/main.yml
@ -22,7 +22,7 @@
 - include: unattended-upgrades.yml
 - include: install_external_ca_cert.yml
 - include: manage_su_limits.yml
- include: pki-dir.yml
+- include: pki-basics.yml
 - include: disable-unneeded-services.yml


--- a/ubuntu-deb-general/tasks/pki-basics.yml
+++ b/ubuntu-deb-general/tasks/pki-basics.yml
@ -0,0 +1,55 @@
+---
+- name: Ensure that the PKI directory exists
+  file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
+- name: Ensure that the PKI subdirectories exist
+  file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
+  with_items: '{{ pki_subdirs }}'
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the physical paths
+  file: path={{ item }} mode=0755 state=directory
+  with_items:
+    - '{{ letsencrypt_acme_user_home }}/live'
+    - '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert' 
+    - '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert' 
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key
+  command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate'
+  args:
+    creates: '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert'
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key
+  file: src={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/privkey state=link
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file
+  file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/chain state=link
+  when: letsencrypt_acme_install is defined and letsencrypt_acme_install
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Check if a certificate already exists
+  stat: path={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}
+  register: true_cert
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
+  file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link
+  when: true_cert.stat.islnk is defined and true_cert.stat.islnk == False
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+  
+- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
+  command: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
+  args:
+    creates: '{{ pki_dir }}/haproxy/haproxy.pem'
+  when:
+    - letsencrypt_acme_install is defined and letsencrypt_acme_install
+    - haproxy_enabled is defined and haproxy_enabled
+  tags: [ 'pki', 'ssl', 'letsencrypt' ]
+
--- a/ubuntu-deb-general/tasks/pki-dir.yml
+++ b/ubuntu-deb-general/tasks/pki-dir.yml
@ -1,10 +0,0 @@
---
- name: Ensure that the PKI directory exists
-  file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
-  tags: [ 'pki', 'ssl' ]
-
- name: Ensure that the PKI subdirectories exist
-  file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
-  with_items: '{{ pki_subdirs }}'
-  tags: [ 'pki', 'ssl' ]
-