some initial tests with uacme

author: Christian Pointner <equinox@spreadspace.org> 2022-12-23 03:35:46 +0100
committer: Christian Pointner <equinox@spreadspace.org> 2022-12-23 03:35:46 +0100
commit: 6132ae855f999b70092552a9ceed4fec451cc8f7 (patch)
tree: 16a897cff15fa41bcc94d02dfd01c95e672b47d5
parent: acmetool: minor refactroing (diff)
23 files changed, 105 insertions, 31 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
new file mode 100644
index 00000000..e349a3c3
--- /dev/null
+++ b/dan/sk-testvm.yml
@@ -0,0 +1,11 @@
+---
+- name: Basic Setup
+  hosts: sk-testvm
+  roles:
+  - role: apt-repo/base
+  - role: core/base
+  - role: core/sshd/base
+  - role: core/zsh
+  - role: core/ntp
+  - role: x509/uacme/base
+  - role: nginx/base
diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace
index 3d24b76e..787048d9 100644
--- a/files/chaos-at-home/bind-zones/db.spreadspace
+++ b/files/chaos-at-home/bind-zones/db.spreadspace
@@ -1,7 +1,7 @@
 $TTL 1h
 
 @                     SOA     ns0.chaos-at-home.org. hostmaster (
-                                2022111400
+                                2022122200
                                 1h
                                 5m
                                 30d
@@ -28,6 +28,7 @@ stream          1200  CNAME   mimas.chaos-at-home.org.
 
 git             1200  A       116.203.212.131
 
+test                  A       178.63.180.143
 
 ; GLT
 
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 415af613..f72f71ef 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -116,3 +116,16 @@ apt_repo_providers:
     kali:
       host: http.kali.org
       path: /kali
+
+
+acme_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
+acme_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
+
+acme_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
+acme_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+acme_directory_server: "{{ acme_directory_server_le_staging_v2 }}"
+
+## at least acmetool can't be used to change this after the account has been created (aka after the first run)
+## and it's not recommended to keep this empty so we don't define it here to force the user to define it
+# acme_account_email:
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 8e1f3db1..ad80c3b2 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -4,7 +4,7 @@ zsh_banner: chaos-at-home
 admin_users_group:
   - equinox
 
-acmetool_account_email: admin@chaos-at-home.org
+acme_account_email: admin@chaos-at-home.org
 
 apt_repo_provider: anexia
 
diff --git a/inventory/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/vars.yml
index e108d8f2..075618e6 100644
--- a/inventory/group_vars/elevate/vars.yml
+++ b/inventory/group_vars/elevate/vars.yml
@@ -1,7 +1,7 @@
 ---
 zsh_banner: elevate
 
-acmetool_account_email: equinox@elevate.at
+acme_account_email: equinox@elevate.at
 
 apt_repo_blackmagic_auth:
   username: "elevate"
diff --git a/inventory/group_vars/glt-live/vars.yml b/inventory/group_vars/glt-live/vars.yml
index da8ea042..65287b3a 100644
--- a/inventory/group_vars/glt-live/vars.yml
+++ b/inventory/group_vars/glt-live/vars.yml
@@ -5,8 +5,8 @@ ssh_users_root:
   - equinox
   - spel
 
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 apt_repo_blackmagic_auth:
   username: "glt"
diff --git a/inventory/group_vars/schlagergarten-gloria/vars.yml b/inventory/group_vars/schlagergarten-gloria/vars.yml
index 6b60af4b..595b3f7a 100644
--- a/inventory/group_vars/schlagergarten-gloria/vars.yml
+++ b/inventory/group_vars/schlagergarten-gloria/vars.yml
@@ -1,5 +1,5 @@
 ---
 zsh_banner: lendwirbel
 
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/vars.yml
index 83765f7b..8314a19d 100644
--- a/inventory/group_vars/skillz/vars.yml
+++ b/inventory/group_vars/skillz/vars.yml
@@ -9,4 +9,4 @@ admin_users_group:
   - equinox
   - dan
 
-acmetool_account_email: equinox@spreadspace.org
+acme_account_email: equinox@spreadspace.org
diff --git a/inventory/group_vars/spreadspace/vars.yml b/inventory/group_vars/spreadspace/vars.yml
index a9f37087..5cf4b321 100644
--- a/inventory/group_vars/spreadspace/vars.yml
+++ b/inventory/group_vars/spreadspace/vars.yml
@@ -1,7 +1,7 @@
 ---
 zsh_banner: spreadspace
 
-acmetool_account_email: equinox@spreadspace.org
+acme_account_email: equinox@spreadspace.org
 
 apt_repo_blackmagic_auth:
   username: "spreadspace"
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 1d3bc561..070fbfd6 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -33,4 +33,4 @@ network:
   - *_network_primary_
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-imap-proxy.yml b/inventory/host_vars/ch-imap-proxy.yml
index 1d3bc561..070fbfd6 100644
--- a/inventory/host_vars/ch-imap-proxy.yml
+++ b/inventory/host_vars/ch-imap-proxy.yml
@@ -33,4 +33,4 @@ network:
   - *_network_primary_
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 32db8f65..ac7f1748 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -28,7 +28,7 @@ ntp_variant: systemd-timesyncd
 
 
 nginx_server_names_hash_bucket_size: 64
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 
 zfs_arc_size:
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 5beabb31..c6459315 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -65,7 +65,7 @@ wireguard_p2p_peers:
 
 
 nginx_server_names_hash_bucket_size: 64
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 
 dyndns:
diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml
index 4288bc15..c51b5e54 100644
--- a/inventory/host_vars/ele-coturn.yml
+++ b/inventory/host_vars/ele-coturn.yml
@@ -23,7 +23,7 @@ kubelet_storage:
 spreadspace_apt_repo_components:
   - container
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 
 kubernetes_version: 1.22.5
diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml
index 157f8449..b6aa0db4 100644
--- a/inventory/host_vars/ele-jitsi.yml
+++ b/inventory/host_vars/ele-jitsi.yml
@@ -27,7 +27,7 @@ ssh_users_root:
   - equinox
   - datacop
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 
 kubernetes_version: 1.24.2
diff --git a/inventory/host_vars/ele-lt.yml b/inventory/host_vars/ele-lt.yml
index adbaa1d8..a53141e0 100644
--- a/inventory/host_vars/ele-lt.yml
+++ b/inventory/host_vars/ele-lt.yml
@@ -28,7 +28,7 @@ liquidtruth_mongodb_app_username: lt
 liquidtruth_mongodb_app_password: "{{ vault_liquidtruth_mongodb_app_password }}"
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 liquidtruth_hostnames:
 #  - liquidtruth.at
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index cdd60e6c..c11b9c42 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -84,7 +84,7 @@ wireguard_gateway_tunnels:
       - 0.0.0.0/0
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 
 
 elevate_media_share_storage:
diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml
index 1ba308a6..1e1cc0c5 100644
--- a/inventory/host_vars/sk-cloudio/vars.yml
+++ b/inventory/host_vars/sk-cloudio/vars.yml
@@ -85,4 +85,4 @@ postfix_base_inet_protocols:
   - "ipv4"
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 79ee582f..feac026c 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -98,7 +98,7 @@ postfix_base_mynetworks:
   - "{{ kubernetes_standalone_pod_cidr }}"
 
 
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
 nginx_server_names_hash_bucket_size: 64
 
 
diff --git a/roles/x509/acmetool/base/defaults/main.yml b/roles/x509/acmetool/base/defaults/main.yml
index df82d26c..f824d9f7 100644
--- a/roles/x509/acmetool/base/defaults/main.yml
+++ b/roles/x509/acmetool/base/defaults/main.yml
@@ -1,14 +1,6 @@
 ---
-acmetool_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
-
-acmetool_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-## this can't be changed after the account as been created (aka after the first run)
-## and it's not recommended to keep this empty so we don't define it here which will lead to an error
-# acmetool_account_email:
-acmetool_directory_server: "{{ acmetool_directory_server_le_staging_v2 }}"
+acmetool_account_email: "{{ acme_account_email }}"
+acmetool_directory_server: "{{ acme_directory_server }}"
 
 #### optionally set http(s)_proxy
 # acmetool_http_proxy:
diff --git a/roles/x509/acmetool/base/tasks/main.yml b/roles/x509/acmetool/base/tasks/main.yml
index 5ad03257..7a53906b 100644
--- a/roles/x509/acmetool/base/tasks/main.yml
+++ b/roles/x509/acmetool/base/tasks/main.yml
@@ -22,10 +22,10 @@
     dest: /var/lib/acme/conf/responses
 
 - name: create non-standard acmetool webroot path
+  when: acmetool_challenge_webroot_path is defined
   file:
     name: "{{ acmetool_challenge_webroot_path }}"
     state: directory
-  when: acmetool_challenge_webroot_path is defined
 
 - name: run quickstart to create account and default target configuration
   command: acmetool --batch quickstart
@@ -39,13 +39,13 @@
   include_tasks: selfsigned.yml
 
 - name: install service reload configuration
+  when: acmetool_reload_services is defined
   template:
     src: acme-reload.j2
     dest: /etc/default/acme-reload
     owner: root
     group: root
     mode: 0644
-  when: acmetool_reload_services is defined
 
 - name: create system unit snippet directory
   file:
diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml
new file mode 100644
index 00000000..50ac8019
--- /dev/null
+++ b/roles/x509/uacme/base/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+uacme_account_email: "{{ acme_account_email }}"
+uacme_directory_server: "{{ acme_directory_server }}"
+
+### this defaults to '/var/run/acme/acme-challenge'
+# uacme_challenge_webroot_path: "/path/to/acme-challenge"
diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
new file mode 100644
index 00000000..b40c52b5
--- /dev/null
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: install needed packages
+  apt:
+    name:
+    - uacme
+    - "{{ python_basename }}-openssl"
+    state: present
+
+- name: create acme account key
+  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'"
+  args:
+    creates: /var/lib/uacme.d/private/key.pem
+
+- name: create standard uacme webroot path
+  when: uacme_challenge_webroot_path is not defined
+  block:
+  - name: install systemd tmpfiles config
+    copy:
+      dest: /usr/lib/tmpfiles.d/uacme.conf
+      content: |
+        d /var/run/acme/acme-challenge 0755 root root - -
+    register: uacme_systemd_tmpfiles_config
+
+  - name: trigger systemd-tmpfiles
+    when: uacme_systemd_tmpfiles_config is changed
+    command: systemd-tmpfiles --create
+
+- name: create non-standard uacme webroot path
+  when: uacme_challenge_webroot_path is defined
+  file:
+    name: "{{ uacme_challenge_webroot_path }}"
+    state: directory
+
+- name: make sure nginx snipped directory exists
+  file:
+    path: /etc/nginx/snippets
+    state: directory
+
+- name: generate nginx snippet for webroot challenges
+  copy:
+    dest: /etc/nginx/snippets/uacme.conf
+    content: |
+      location /.well-known/acme-challenge/ {
+        alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }};
+      }
+
+## TODO: implement this
+# - name: generate selfsigned interim certificate
+#   include_tasks: selfsigned.yml
+
+## TODO: add global automatic refresher?
author	Christian Pointner <equinox@spreadspace.org>	2022-12-23 03:35:46 +0100
committer	Christian Pointner <equinox@spreadspace.org>	2022-12-23 03:35:46 +0100
commit	6132ae855f999b70092552a9ceed4fec451cc8f7 (patch)
tree	16a897cff15fa41bcc94d02dfd01c95e672b47d5
parent	acmetool: minor refactroing (diff)