forked from ISTI-ansible-roles/ansible-roles
d4science-infrastructure/group_vars/ldap_liferay/all.yml: Enable ssl with the use of letsencrypt certificates.
library/roles/haproxy/files: Fix to the acme scripts, the certificate path has become /etc/pki/haproxy/haproxy.pem. library/roles/openldap-server/tasks/openldap_initializazion.yml: Fix the certificates initialization. library/roles/ubuntu-deb-general/tasks/pki-basics.yml: Create a self signed certificate while waiting the letsencrypt one.
This commit is contained in:
parent
7581a03035
commit
b382db3b25
|
@ -1,9 +1,9 @@
|
|||
---
|
||||
haproxy_latest_release: True
|
||||
haproxy_version: 1.6
|
||||
haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
|
||||
# For Ubuntu:
|
||||
# haproxy_latest_repo: "ppa:vbernat/haproxy-1.5"
|
||||
haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
|
||||
haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
|
||||
haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
|
||||
haproxy_pkg_state: latest
|
||||
haproxy_enabled: True
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
|
||||
LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
HAPROXY_CERTDIR=/etc/pki/certs
|
||||
HAPROXY_CERTDIR=/etc/pki/haproxy
|
||||
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
|
||||
DATE=$( date )
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
|
||||
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
|
||||
LE_LOG_DIR=/var/log/letsencrypt
|
||||
HAPROXY_CERTDIR=/etc/pki/certs
|
||||
HAPROXY_CERTDIR=/etc/pki/haproxy
|
||||
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
|
||||
DATE=$( date )
|
||||
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
|
||||
|
@ -14,6 +14,8 @@ else
|
|||
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
|
||||
fi
|
||||
|
||||
[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR
|
||||
|
||||
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
|
||||
cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
|
||||
chmod 440 ${HAPROXY_CERTFILE}
|
||||
|
|
|
@ -1,19 +1,27 @@
|
|||
---
|
||||
- name: Get the haproxy repo key
|
||||
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
|
||||
apt_key: url={{ haproxy_repo_key }} state=present
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
tags: haproxy
|
||||
|
||||
- name: Define the haproxy repository
|
||||
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
|
||||
when: haproxy_latest_release
|
||||
register: haproxy_repo
|
||||
apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_ubuntu
|
||||
tags: haproxy
|
||||
|
||||
- name: Define the haproxy repository
|
||||
apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes
|
||||
when:
|
||||
- haproxy_latest_release
|
||||
- is_debian
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
|
||||
when: not haproxy_latest_release
|
||||
register: install_haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
|
@ -21,6 +29,7 @@
|
|||
when:
|
||||
- haproxy_latest_release
|
||||
- is_debian
|
||||
register: install_haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Install the haproxy package
|
||||
|
@ -28,17 +37,20 @@
|
|||
when:
|
||||
- haproxy_latest_release
|
||||
- is_ubuntu
|
||||
register: install_haproxy
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is enabled and started
|
||||
service: name=haproxy state=restarted enabled=yes
|
||||
service: name=haproxy state=started enabled=yes
|
||||
when: haproxy_enabled
|
||||
ignore_errors: True
|
||||
tags: haproxy
|
||||
|
||||
- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
|
||||
service: name=rsyslog state=restarted
|
||||
when: haproxy_enabled
|
||||
when:
|
||||
- haproxy_enabled
|
||||
- ( install_haproxy | changed )
|
||||
tags: haproxy
|
||||
|
||||
- name: Ensure that haproxy is stopped and disabled if needed
|
||||
|
|
|
@ -23,7 +23,12 @@
|
|||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrytp acme user
|
||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=yes shell=/bin/bash
|
||||
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
- name: Create the letsencrytp acme home, if it does not exist already. In a separate step because it could be already there.
|
||||
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
|
||||
when: letsencrypt_acme_install
|
||||
tags: letsencrypt
|
||||
|
||||
|
|
|
@ -11,7 +11,10 @@ request:
|
|||
|
||||
key:
|
||||
type: {{ letsencrypt_acme_key_type }}
|
||||
{% if letsencrypt_acme_key_type == 'rsa' %}
|
||||
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
|
||||
{% else %}
|
||||
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
|
||||
{% endif %}
|
||||
|
||||
|
||||
|
|
|
@ -8,6 +8,7 @@ openldap_pkg_list:
|
|||
- ldapscripts
|
||||
- db-util
|
||||
|
||||
openldap_slapd_services: 'ldap:/// ldapi:///'
|
||||
openldap_slapd_tcp_port: 389
|
||||
openldap_slapd_ssl_port: 636
|
||||
openldap_slapd_ssl_only: False
|
||||
|
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
- name: Install a script that fix the letsencrypt certificates for openldap and then reload the service
|
||||
copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
|
||||
copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openldap owner=root group=root mode=4555
|
||||
when:
|
||||
- openldap_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
|
@ -18,5 +18,8 @@
|
|||
args:
|
||||
creates: /etc/ldap/.olcSSL.ldif.installed
|
||||
notify: Restart openldap
|
||||
when:
|
||||
- openldap_letsencrypt_managed
|
||||
- letsencrypt_acme_install
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]
|
||||
|
||||
|
|
|
@ -35,4 +35,7 @@
|
|||
with_items: '{{ openldap_additional_schemas | default([]) }}'
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
- name: Install the default environment for slapd
|
||||
template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644
|
||||
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
|
||||
|
||||
|
|
|
@ -0,0 +1,49 @@
|
|||
# Default location of the slapd.conf file or slapd.d cn=config directory. If
|
||||
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
|
||||
# /etc/ldap/slapd.conf).
|
||||
SLAPD_CONF=
|
||||
|
||||
# System account to run the slapd server under. If empty the server
|
||||
# will run as root.
|
||||
SLAPD_USER="openldap"
|
||||
|
||||
# System group to run the slapd server under. If empty the server will
|
||||
# run in the primary group of its user.
|
||||
SLAPD_GROUP="openldap"
|
||||
|
||||
# Path to the pid file of the slapd server. If not set the init.d script
|
||||
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
|
||||
# default)
|
||||
SLAPD_PIDFILE=
|
||||
|
||||
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
|
||||
# service requests on TCP-port 636 (ldaps) and requests via unix
|
||||
# sockets.
|
||||
# Example usage:
|
||||
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
|
||||
{% if openldap_letsencrypt_managed %}
|
||||
SLAPD_SERVICES="ldaps:/// {{ openldap_slapd_services }}"
|
||||
{% else %}
|
||||
SLAPD_SERVICES="{{ openldap_slapd_services }}"
|
||||
{% endif %}
|
||||
|
||||
# If SLAPD_NO_START is set, the init script will not start or restart
|
||||
# slapd (but stop will still work). Uncomment this if you are
|
||||
# starting slapd via some other means or if you don't want slapd normally
|
||||
# started at boot.
|
||||
#SLAPD_NO_START=1
|
||||
|
||||
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
|
||||
# the init script will not start or restart slapd (but stop will still
|
||||
# work). Use this for temporarily disabling startup of slapd (when doing
|
||||
# maintenance, for example, or through a configuration management system)
|
||||
# when you don't want to edit a configuration file.
|
||||
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
|
||||
|
||||
# For Kerberos authentication (via SASL), slapd by default uses the system
|
||||
# keytab file (/etc/krb5.keytab). To use a different keytab file,
|
||||
# uncomment this line and change the path.
|
||||
#export KRB5_KTNAME=/etc/krb5.keytab
|
||||
|
||||
# Additional options to pass to slapd
|
||||
SLAPD_OPTIONS=""
|
|
@ -22,7 +22,7 @@
|
|||
- include: unattended-upgrades.yml
|
||||
- include: install_external_ca_cert.yml
|
||||
- include: manage_su_limits.yml
|
||||
- include: pki-dir.yml
|
||||
- include: pki-basics.yml
|
||||
- include: disable-unneeded-services.yml
|
||||
|
||||
|
||||
|
|
|
@ -0,0 +1,55 @@
|
|||
---
|
||||
- name: Ensure that the PKI directory exists
|
||||
file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: Ensure that the PKI subdirectories exist
|
||||
file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
|
||||
with_items: '{{ pki_subdirs }}'
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the physical paths
|
||||
file: path={{ item }} mode=0755 state=directory
|
||||
with_items:
|
||||
- '{{ letsencrypt_acme_user_home }}/live'
|
||||
- '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert'
|
||||
- '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert'
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key
|
||||
command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate'
|
||||
args:
|
||||
creates: '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert'
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key
|
||||
file: src={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/privkey state=link
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file
|
||||
file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/chain state=link
|
||||
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Check if a certificate already exists
|
||||
stat: path={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}
|
||||
register: true_cert
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
|
||||
file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link
|
||||
when: true_cert.stat.islnk is defined and true_cert.stat.islnk == False
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
||||
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
|
||||
command: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
|
||||
args:
|
||||
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
|
||||
when:
|
||||
- letsencrypt_acme_install is defined and letsencrypt_acme_install
|
||||
- haproxy_enabled is defined and haproxy_enabled
|
||||
tags: [ 'pki', 'ssl', 'letsencrypt' ]
|
||||
|
|
@ -1,10 +0,0 @@
|
|||
---
|
||||
- name: Ensure that the PKI directory exists
|
||||
file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
|
||||
tags: [ 'pki', 'ssl' ]
|
||||
|
||||
- name: Ensure that the PKI subdirectories exist
|
||||
file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
|
||||
with_items: '{{ pki_subdirs }}'
|
||||
tags: [ 'pki', 'ssl' ]
|
||||
|
Loading…
Reference in New Issue