d4science-infrastructure/group_vars/ldap_liferay/all.yml: Enable ssl with the use of letsencrypt certificates.

library/roles/haproxy/files: Fix to the acme scripts, the certificate path has become /etc/pki/haproxy/haproxy.pem.
library/roles/openldap-server/tasks/openldap_initializazion.yml: Fix the certificates initialization.
library/roles/ubuntu-deb-general/tasks/pki-basics.yml: Create a self signed certificate while waiting the letsencrypt one.
This commit is contained in:
Andrea Dell'Amico 2016-04-20 15:21:19 +02:00
parent 7581a03035
commit b382db3b25
13 changed files with 148 additions and 25 deletions

View File

@ -1,9 +1,9 @@
---
haproxy_latest_release: True
haproxy_version: 1.6
haproxy_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
# For Ubuntu:
# haproxy_latest_repo: "ppa:vbernat/haproxy-1.5"
haproxy_repo_key: 'http://haproxy.debian.net/bernat.debian.org.gpg'
haproxy_debian_latest_repo: "deb http://haproxy.debian.net {{ ansible_lsb.codename }}-backports-{{ haproxy_version }} main"
haproxy_ubuntu_latest_repo: "ppa:vbernat/haproxy-{{ haproxy_version }}"
haproxy_pkg_state: latest
haproxy_enabled: True

View File

@ -3,7 +3,7 @@
LE_SERVICES_SCRIPT_DIR=/usr/lib/acme/hooks
LE_CERTS_DIR=/var/lib/acme/live/$HOSTNAME
LE_LOG_DIR=/var/log/letsencrypt
HAPROXY_CERTDIR=/etc/pki/certs
HAPROXY_CERTDIR=/etc/pki/haproxy
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
DATE=$( date )

View File

@ -3,7 +3,7 @@
LE_SERVICES_SCRIPT_DIR=/usr/local/lib/letsencrypt
LE_CERTS_DIR=/etc/letsencrypt/live/$HOSTNAME
LE_LOG_DIR=/var/log/letsencrypt
HAPROXY_CERTDIR=/etc/pki/certs
HAPROXY_CERTDIR=/etc/pki/haproxy
HAPROXY_CERTFILE=$HAPROXY_CERTDIR/haproxy.pem
DATE=$( date )
echo "$DATE" >> $LE_LOG_DIR/haproxy.log
@ -14,6 +14,8 @@ else
echo "No letsencrypt default file" >> $LE_LOG_DIR/haproxy.log
fi
[ ! -d $HAPROXY_CERTDIR ] && mkdir $HAPROXY_CERTDIR
echo "Building the new certificate file" >> $LE_LOG_DIR/haproxy.log
cat ${LE_CERTS_DIR}/{fullchain.pem,privkey.pem} > ${HAPROXY_CERTFILE}
chmod 440 ${HAPROXY_CERTFILE}

View File

@ -1,19 +1,27 @@
---
- name: Get the haproxy repo key
apt_key: url=http://haproxy.debian.net/bernat.debian.org.gpg state=present
apt_key: url={{ haproxy_repo_key }} state=present
when: haproxy_latest_release
register: haproxy_repo
tags: haproxy
- name: Define the haproxy repository
apt_repository: repo='{{ haproxy_latest_repo }}' state=present update_cache=yes
when: haproxy_latest_release
register: haproxy_repo
apt_repository: repo='{{ haproxy_ubuntu_latest_repo }}' state=present update_cache=yes
when:
- haproxy_latest_release
- is_ubuntu
tags: haproxy
- name: Define the haproxy repository
apt_repository: repo='{{ haproxy_debian_latest_repo }}' state=present update_cache=yes
when:
- haproxy_latest_release
- is_debian
tags: haproxy
- name: Install the haproxy package
apt: name=haproxy state=present default_release={{ ansible_lsb.codename }}-backports
when: not haproxy_latest_release
register: install_haproxy
tags: haproxy
- name: Install the haproxy package
@ -21,6 +29,7 @@
when:
- haproxy_latest_release
- is_debian
register: install_haproxy
tags: haproxy
- name: Install the haproxy package
@ -28,17 +37,20 @@
when:
- haproxy_latest_release
- is_ubuntu
register: install_haproxy
tags: haproxy
- name: Ensure that haproxy is enabled and started
service: name=haproxy state=restarted enabled=yes
service: name=haproxy state=started enabled=yes
when: haproxy_enabled
ignore_errors: True
tags: haproxy
- name: Haproxy puts a new rsyslog directive. Restart rsyslog to activate it. Reload is not sufficient
service: name=rsyslog state=restarted
when: haproxy_enabled
when:
- haproxy_enabled
- ( install_haproxy | changed )
tags: haproxy
- name: Ensure that haproxy is stopped and disabled if needed

View File

@ -23,7 +23,12 @@
tags: letsencrypt
- name: Create the letsencrytp acme user
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=yes shell=/bin/bash
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/bin/bash
when: letsencrypt_acme_install
tags: letsencrypt
- name: Create the letsencrytp acme home, if it does not exist already. In a separate step because it could be already there.
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
when: letsencrypt_acme_install
tags: letsencrypt

View File

@ -11,7 +11,10 @@ request:
key:
type: {{ letsencrypt_acme_key_type }}
{% if letsencrypt_acme_key_type == 'rsa' %}
rsa-size: {{ letsencrypt_acme_rsa_key_size }}
{% else %}
ecdsa-curve: {{ letsencrypt_acme_ecdsa_curve }}
{% endif %}

View File

@ -8,6 +8,7 @@ openldap_pkg_list:
- ldapscripts
- db-util
openldap_slapd_services: 'ldap:/// ldapi:///'
openldap_slapd_tcp_port: 389
openldap_slapd_ssl_port: 636
openldap_slapd_ssl_only: False

View File

@ -1,6 +1,6 @@
---
- name: Install a script that fix the letsencrypt certificates for openldap and then reload the service
copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/haproxy owner=root group=root mode=4550
copy: src=openldap-letsencrypt-acme.sh dest={{ letsencrypt_acme_services_scripts_dir }}/openldap owner=root group=root mode=4555
when:
- openldap_letsencrypt_managed
- letsencrypt_acme_install
@ -18,5 +18,8 @@
args:
creates: /etc/ldap/.olcSSL.ldif.installed
notify: Restart openldap
when:
- openldap_letsencrypt_managed
- letsencrypt_acme_install
tags: [ 'ldap_server', 'ldap', 'ldap_conf', 'letsencrypt' ]

View File

@ -35,4 +35,7 @@
with_items: '{{ openldap_additional_schemas | default([]) }}'
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]
- name: Install the default environment for slapd
template: src=slapd-default.j2 dest=/etc/default/slapd owner=root group=root mode=0644
tags: [ 'ldap_server', 'ldap', 'ldap_conf' ]

View File

@ -0,0 +1,49 @@
# Default location of the slapd.conf file or slapd.d cn=config directory. If
# empty, use the compiled-in default (/etc/ldap/slapd.d with a fallback to
# /etc/ldap/slapd.conf).
SLAPD_CONF=
# System account to run the slapd server under. If empty the server
# will run as root.
SLAPD_USER="openldap"
# System group to run the slapd server under. If empty the server will
# run in the primary group of its user.
SLAPD_GROUP="openldap"
# Path to the pid file of the slapd server. If not set the init.d script
# will try to figure it out from $SLAPD_CONF (/etc/ldap/slapd.d by
# default)
SLAPD_PIDFILE=
# slapd normally serves ldap only on all TCP-ports 389. slapd can also
# service requests on TCP-port 636 (ldaps) and requests via unix
# sockets.
# Example usage:
# SLAPD_SERVICES="ldap://127.0.0.1:389/ ldaps:/// ldapi:///"
{% if openldap_letsencrypt_managed %}
SLAPD_SERVICES="ldaps:/// {{ openldap_slapd_services }}"
{% else %}
SLAPD_SERVICES="{{ openldap_slapd_services }}"
{% endif %}
# If SLAPD_NO_START is set, the init script will not start or restart
# slapd (but stop will still work). Uncomment this if you are
# starting slapd via some other means or if you don't want slapd normally
# started at boot.
#SLAPD_NO_START=1
# If SLAPD_SENTINEL_FILE is set to path to a file and that file exists,
# the init script will not start or restart slapd (but stop will still
# work). Use this for temporarily disabling startup of slapd (when doing
# maintenance, for example, or through a configuration management system)
# when you don't want to edit a configuration file.
SLAPD_SENTINEL_FILE=/etc/ldap/noslapd
# For Kerberos authentication (via SASL), slapd by default uses the system
# keytab file (/etc/krb5.keytab). To use a different keytab file,
# uncomment this line and change the path.
#export KRB5_KTNAME=/etc/krb5.keytab
# Additional options to pass to slapd
SLAPD_OPTIONS=""

View File

@ -22,7 +22,7 @@
- include: unattended-upgrades.yml
- include: install_external_ca_cert.yml
- include: manage_su_limits.yml
- include: pki-dir.yml
- include: pki-basics.yml
- include: disable-unneeded-services.yml

View File

@ -0,0 +1,55 @@
---
- name: Ensure that the PKI directory exists
file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: Ensure that the PKI subdirectories exist
file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
with_items: '{{ pki_subdirs }}'
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the physical paths
file: path={{ item }} mode=0755 state=directory
with_items:
- '{{ letsencrypt_acme_user_home }}/live'
- '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert'
- '{{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert'
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the certificate and private key
command: openssl req -x509 -newkey rsa:2048 -keyout {{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey -out {{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert -days 10 -nodes -subj '/CN=self signed certificate'
args:
creates: '{{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert'
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the private key
file: src={{ letsencrypt_acme_user_home }}/keys/fakeselfsignedcert/privkey dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/privkey state=link
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the chain file
file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/cert dest={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert/chain state=link
when: letsencrypt_acme_install is defined and letsencrypt_acme_install
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Check if a certificate already exists
stat: path={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}
register: true_cert
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now the symbolic links for the certificate if there is not one
file: src={{ letsencrypt_acme_user_home }}/certs/fakeselfsignedcert dest={{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }} state=link
when: true_cert.stat.islnk is defined and true_cert.stat.islnk == False
tags: [ 'pki', 'ssl', 'letsencrypt' ]
- name: When we are going to install letsencrypt certificates, create a preliminary path and a self signed cert. Now handle the haproxy special case
command: mkdir {{ pki_dir }}/haproxy ; cat {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/privkey {{ letsencrypt_acme_user_home }}/live/{{ ansible_fqdn }}/cert > {{ pki_dir }}/haproxy/haproxy.pem
args:
creates: '{{ pki_dir }}/haproxy/haproxy.pem'
when:
- letsencrypt_acme_install is defined and letsencrypt_acme_install
- haproxy_enabled is defined and haproxy_enabled
tags: [ 'pki', 'ssl', 'letsencrypt' ]

View File

@ -1,10 +0,0 @@
---
- name: Ensure that the PKI directory exists
file: path={{ pki_dir }} state=directory owner=root group=root mode=0755
tags: [ 'pki', 'ssl' ]
- name: Ensure that the PKI subdirectories exist
file: path={{ pki_dir }}/{{ item }} state=directory owner=root group=root mode=0755
with_items: '{{ pki_subdirs }}'
tags: [ 'pki', 'ssl' ]