authorChristian Pointner <equinox@spreadspace.org>2022-12-23 03:35:46 +0100
committerChristian Pointner <equinox@spreadspace.org>2022-12-23 03:35:46 +0100
commit6132ae855f999b70092552a9ceed4fec451cc8f7 (patch)
tree16a897cff15fa41bcc94d02dfd01c95e672b47d5
parentacmetool: minor refactroing (diff)
some initial tests with uacme
-rw-r--r--dan/sk-testvm.yml11
-rw-r--r--files/chaos-at-home/bind-zones/db.spreadspace3
-rw-r--r--inventory/group_vars/all/vars.yml13
-rw-r--r--inventory/group_vars/chaos-at-home/vars.yml2
-rw-r--r--inventory/group_vars/elevate/vars.yml2
-rw-r--r--inventory/group_vars/glt-live/vars.yml4
-rw-r--r--inventory/group_vars/schlagergarten-gloria/vars.yml4
-rw-r--r--inventory/group_vars/skillz/vars.yml2
-rw-r--r--inventory/group_vars/spreadspace/vars.yml2
-rw-r--r--inventory/host_vars/ch-http-proxy.yml2
-rw-r--r--inventory/host_vars/ch-imap-proxy.yml2
-rw-r--r--inventory/host_vars/ch-mimas.yml2
-rw-r--r--inventory/host_vars/ch-pan.yml2
-rw-r--r--inventory/host_vars/ele-coturn.yml2
-rw-r--r--inventory/host_vars/ele-jitsi.yml2
-rw-r--r--inventory/host_vars/ele-lt.yml2
-rw-r--r--inventory/host_vars/ele-media.yml2
-rw-r--r--inventory/host_vars/sk-cloudio/vars.yml2
-rw-r--r--inventory/host_vars/sk-tomnext-nc.yml2
-rw-r--r--roles/x509/acmetool/base/defaults/main.yml12
-rw-r--r--roles/x509/acmetool/base/tasks/main.yml4
-rw-r--r--roles/x509/uacme/base/defaults/main.yml6
-rw-r--r--roles/x509/uacme/base/tasks/main.yml51
23 files changed, 105 insertions, 31 deletions
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
new file mode 100644
index 00000000..e349a3c3
--- /dev/null
+++ b/dan/sk-testvm.yml
@@ -0,0 +1,11 @@
+---
+- name: Basic Setup
+ hosts: sk-testvm
+ roles:
+ - role: apt-repo/base
+ - role: core/base
+ - role: core/sshd/base
+ - role: core/zsh
+ - role: core/ntp
+ - role: x509/uacme/base
+ - role: nginx/base
diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace
index 3d24b76e..787048d9 100644
--- a/files/chaos-at-home/bind-zones/db.spreadspace
+++ b/files/chaos-at-home/bind-zones/db.spreadspace
@@ -1,7 +1,7 @@
$TTL 1h
@ SOA ns0.chaos-at-home.org. hostmaster (
- 2022111400
+ 2022122200
1h
5m
30d
@@ -28,6 +28,7 @@ stream 1200 CNAME mimas.chaos-at-home.org.
git 1200 A 116.203.212.131
+test A 178.63.180.143
; GLT
diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml
index 415af613..f72f71ef 100644
--- a/inventory/group_vars/all/vars.yml
+++ b/inventory/group_vars/all/vars.yml
@@ -116,3 +116,16 @@ apt_repo_providers:
kali:
host: http.kali.org
path: /kali
+
+
+acme_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
+acme_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
+
+acme_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
+acme_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+acme_directory_server: "{{ acme_directory_server_le_staging_v2 }}"
+
+## at least acmetool can't be used to change this after the account has been created (aka after the first run)
+## and it's not recommended to keep this empty so we don't define it here to force the user to define it
+# acme_account_email:
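Review bot: The ACMEv1 endpoints `acme-v01.api.letsencrypt.org` and `acme-staging.api.letsencrypt.org` are carried over into the global vars although, to my knowledge, Let's Encrypt has retired the v1 API, and nothing else in this commit references the `_v1` variables; keeping them as selectable values invites a dead-endpoint misconfiguration. I would drop them, or at least annotate them with `## ACMEv1 endpoints are retired upstream, kept for reference only`. Defaulting `acme_directory_server` to staging is the safe choice, but a one-line comment that staging certificates chain to an untrusted CA and that the value must be overridden per group or host for production would spare the next person a confusing browser warning.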
diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml
index 8e1f3db1..ad80c3b2 100644
--- a/inventory/group_vars/chaos-at-home/vars.yml
+++ b/inventory/group_vars/chaos-at-home/vars.yml
@@ -4,7 +4,7 @@ zsh_banner: chaos-at-home
admin_users_group:
- equinox
-acmetool_account_email: admin@chaos-at-home.org
+acme_account_email: admin@chaos-at-home.org
apt_repo_provider: anexia
diff --git a/inventory/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/vars.yml
index e108d8f2..075618e6 100644
--- a/inventory/group_vars/elevate/vars.yml
+++ b/inventory/group_vars/elevate/vars.yml
@@ -1,7 +1,7 @@
---
zsh_banner: elevate
-acmetool_account_email: equinox@elevate.at
+acme_account_email: equinox@elevate.at
apt_repo_blackmagic_auth:
username: "elevate"
diff --git a/inventory/group_vars/glt-live/vars.yml b/inventory/group_vars/glt-live/vars.yml
index da8ea042..65287b3a 100644
--- a/inventory/group_vars/glt-live/vars.yml
+++ b/inventory/group_vars/glt-live/vars.yml
@@ -5,8 +5,8 @@ ssh_users_root:
- equinox
- spel
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
apt_repo_blackmagic_auth:
username: "glt"
diff --git a/inventory/group_vars/schlagergarten-gloria/vars.yml b/inventory/group_vars/schlagergarten-gloria/vars.yml
index 6b60af4b..595b3f7a 100644
--- a/inventory/group_vars/schlagergarten-gloria/vars.yml
+++ b/inventory/group_vars/schlagergarten-gloria/vars.yml
@@ -1,5 +1,5 @@
---
zsh_banner: lendwirbel
-acmetool_account_email: equinox@spreadspace.org
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_account_email: equinox@spreadspace.org
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/vars.yml
index 83765f7b..8314a19d 100644
--- a/inventory/group_vars/skillz/vars.yml
+++ b/inventory/group_vars/skillz/vars.yml
@@ -9,4 +9,4 @@ admin_users_group:
- equinox
- dan
-acmetool_account_email: equinox@spreadspace.org
+acme_account_email: equinox@spreadspace.org
diff --git a/inventory/group_vars/spreadspace/vars.yml b/inventory/group_vars/spreadspace/vars.yml
index a9f37087..5cf4b321 100644
--- a/inventory/group_vars/spreadspace/vars.yml
+++ b/inventory/group_vars/spreadspace/vars.yml
@@ -1,7 +1,7 @@
---
zsh_banner: spreadspace
-acmetool_account_email: equinox@spreadspace.org
+acme_account_email: equinox@spreadspace.org
apt_repo_blackmagic_auth:
username: "spreadspace"
diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml
index 1d3bc561..070fbfd6 100644
--- a/inventory/host_vars/ch-http-proxy.yml
+++ b/inventory/host_vars/ch-http-proxy.yml
@@ -33,4 +33,4 @@ network:
- *_network_primary_
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-imap-proxy.yml b/inventory/host_vars/ch-imap-proxy.yml
index 1d3bc561..070fbfd6 100644
--- a/inventory/host_vars/ch-imap-proxy.yml
+++ b/inventory/host_vars/ch-imap-proxy.yml
@@ -33,4 +33,4 @@ network:
- *_network_primary_
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml
index 32db8f65..ac7f1748 100644
--- a/inventory/host_vars/ch-mimas.yml
+++ b/inventory/host_vars/ch-mimas.yml
@@ -28,7 +28,7 @@ ntp_variant: systemd-timesyncd
nginx_server_names_hash_bucket_size: 64
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
zfs_arc_size:
diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml
index 5beabb31..c6459315 100644
--- a/inventory/host_vars/ch-pan.yml
+++ b/inventory/host_vars/ch-pan.yml
@@ -65,7 +65,7 @@ wireguard_p2p_peers:
nginx_server_names_hash_bucket_size: 64
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
dyndns:
diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml
index 4288bc15..c51b5e54 100644
--- a/inventory/host_vars/ele-coturn.yml
+++ b/inventory/host_vars/ele-coturn.yml
@@ -23,7 +23,7 @@ kubelet_storage:
spreadspace_apt_repo_components:
- container
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
kubernetes_version: 1.22.5
diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml
index 157f8449..b6aa0db4 100644
--- a/inventory/host_vars/ele-jitsi.yml
+++ b/inventory/host_vars/ele-jitsi.yml
@@ -27,7 +27,7 @@ ssh_users_root:
- equinox
- datacop
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
kubernetes_version: 1.24.2
diff --git a/inventory/host_vars/ele-lt.yml b/inventory/host_vars/ele-lt.yml
index adbaa1d8..a53141e0 100644
--- a/inventory/host_vars/ele-lt.yml
+++ b/inventory/host_vars/ele-lt.yml
@@ -28,7 +28,7 @@ liquidtruth_mongodb_app_username: lt
liquidtruth_mongodb_app_password: "{{ vault_liquidtruth_mongodb_app_password }}"
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
liquidtruth_hostnames:
# - liquidtruth.at
diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml
index cdd60e6c..c11b9c42 100644
--- a/inventory/host_vars/ele-media.yml
+++ b/inventory/host_vars/ele-media.yml
@@ -84,7 +84,7 @@ wireguard_gateway_tunnels:
- 0.0.0.0/0
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
elevate_media_share_storage:
diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml
index 1ba308a6..1e1cc0c5 100644
--- a/inventory/host_vars/sk-cloudio/vars.yml
+++ b/inventory/host_vars/sk-cloudio/vars.yml
@@ -85,4 +85,4 @@ postfix_base_inet_protocols:
- "ipv4"
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml
index 79ee582f..feac026c 100644
--- a/inventory/host_vars/sk-tomnext-nc.yml
+++ b/inventory/host_vars/sk-tomnext-nc.yml
@@ -98,7 +98,7 @@ postfix_base_mynetworks:
- "{{ kubernetes_standalone_pod_cidr }}"
-acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}"
+acme_directory_server: "{{ acme_directory_server_le_live_v2 }}"
nginx_server_names_hash_bucket_size: 64
diff --git a/roles/x509/acmetool/base/defaults/main.yml b/roles/x509/acmetool/base/defaults/main.yml
index df82d26c..f824d9f7 100644
--- a/roles/x509/acmetool/base/defaults/main.yml
+++ b/roles/x509/acmetool/base/defaults/main.yml
@@ -1,14 +1,6 @@
---
-acmetool_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
-
-acmetool_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-## this can't be changed after the account as been created (aka after the first run)
-## and it's not recommended to keep this empty so we don't define it here which will lead to an error
-# acmetool_account_email:
-acmetool_directory_server: "{{ acmetool_directory_server_le_staging_v2 }}"
+acmetool_account_email: "{{ acme_account_email }}"
+acmetool_directory_server: "{{ acme_directory_server }}"
#### optionally set http(s)_proxy
# acmetool_http_proxy:
diff --git a/roles/x509/acmetool/base/tasks/main.yml b/roles/x509/acmetool/base/tasks/main.yml
index 5ad03257..7a53906b 100644
--- a/roles/x509/acmetool/base/tasks/main.yml
+++ b/roles/x509/acmetool/base/tasks/main.yml
@@ -22,10 +22,10 @@
dest: /var/lib/acme/conf/responses
- name: create non-standard acmetool webroot path
+ when: acmetool_challenge_webroot_path is defined
file:
name: "{{ acmetool_challenge_webroot_path }}"
state: directory
- when: acmetool_challenge_webroot_path is defined
- name: run quickstart to create account and default target configuration
command: acmetool --batch quickstart
@@ -39,13 +39,13 @@
include_tasks: selfsigned.yml
- name: install service reload configuration
+ when: acmetool_reload_services is defined
template:
src: acme-reload.j2
dest: /etc/default/acme-reload
owner: root
group: root
mode: 0644
- when: acmetool_reload_services is defined
- name: create system unit snippet directory
file:
diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml
new file mode 100644
index 00000000..50ac8019
--- /dev/null
+++ b/roles/x509/uacme/base/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+uacme_account_email: "{{ acme_account_email }}"
+uacme_directory_server: "{{ acme_directory_server }}"
+
+### this defaults to '/var/run/acme/acme-challenge'
+# uacme_challenge_webroot_path: "/path/to/acme-challenge"
diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
new file mode 100644
index 00000000..b40c52b5
--- /dev/null
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: install needed packages
+ apt:
+ name:
+ - uacme
+ - "{{ python_basename }}-openssl"
+ state: present
+
+- name: create acme account key
+ command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'"
+ args:
+ creates: /var/lib/uacme.d/private/key.pem
+
+- name: create standard uacme webroot path
+ when: uacme_challenge_webroot_path is not defined
+ block:
+ - name: install systemd tmpfiles config
+ copy:
+ dest: /usr/lib/tmpfiles.d/uacme.conf
+ content: |
+ d /var/run/acme/acme-challenge 0755 root root - -
+ register: uacme_systemd_tmpfiles_config
+
+ - name: trigger systemd-tmpfiles
+ when: uacme_systemd_tmpfiles_config is changed
+ command: systemd-tmpfiles --create
+
+- name: create non-standard uacme webroot path
+ when: uacme_challenge_webroot_path is defined
+ file:
+ name: "{{ uacme_challenge_webroot_path }}"
+ state: directory
+
+- name: make sure nginx snipped directory exists
+ file:
+ path: /etc/nginx/snippets
+ state: directory
+
+- name: generate nginx snippet for webroot challenges
+ copy:
+ dest: /etc/nginx/snippets/uacme.conf
+ content: |
+ location /.well-known/acme-challenge/ {
+ alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }};
+ }
+
+## TODO: implement this
+# - name: generate selfsigned interim certificate
+# include_tasks: selfsigned.yml
+
+## TODO: add global automatic refresher?
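Review bot: The `alias` in the generated nginx snippet only works when the target ends in `/`: nginx strips the matched `/.well-known/acme-challenge/` prefix and appends the remainder verbatim, so a user-supplied `uacme_challenge_webroot_path` without a trailing slash (exactly the form shown in the defaults example `/path/to/acme-challenge`) resolves `TOKEN` to `/path/to/acme-challengeTOKEN` and every http-01 challenge would 404. Normalize it instead of relying on the caller, e.g. `alias {{ (uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge')) | regex_replace('/+$', '') }}/;`. Separately, the account-creation command is guarded by `creates: /var/lib/uacme.d/private/key.pem`, so changing `acme_directory_server` from the staging default to live after the first run would presumably keep a key that is only registered with staging; a comment mirroring the acmetool caveat, `## the directory server is fixed once the account key exists; remove /var/lib/uacme.d to re-register`, would save a confusing first live run. Since `-y` accepts the CA's terms of service unattended, I would also state that in the task name so it is visible in play output.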