authorChristian Pointner <equinox@spreadspace.org>2024-01-20 01:59:58 +0100
committerChristian Pointner <equinox@spreadspace.org>2024-01-20 01:59:58 +0100
commit6d42ecdced5c2ac02c5094b4dfbd9ea5c4dd069e (patch)
tree6ba37e081bf0d2bd6c755ec024aaf0f8c2744cd9 /roles/apps/whawty/auth/instance/tasks
parentadd initial version for greenbone (diff)
apps/whawty/auth: almost done
Diffstat (limited to 'roles/apps/whawty/auth/instance/tasks')
-rw-r--r--roles/apps/whawty/auth/instance/tasks/main.yml127
1 files changed, 81 insertions, 46 deletions
diff --git a/roles/apps/whawty/auth/instance/tasks/main.yml b/roles/apps/whawty/auth/instance/tasks/main.yml
index a5872839..1e2f6c0d 100644
--- a/roles/apps/whawty/auth/instance/tasks/main.yml
+++ b/roles/apps/whawty/auth/instance/tasks/main.yml
@@ -1,10 +1,12 @@
---
-## TODO: add storage handling!
-- set_fact:
- whawty_auth_instance_basepath: "/srv/whawty/{{ whawty_auth_instance }}"
-##
+- name: prepare storage volume
+ vars:
+ storage_volume: "{{ whawty_auth_instances[whawty_auth_instance].storage }}"
+ include_role:
+ name: "storage/{{ whawty_auth_instances[whawty_auth_instance].storage.type }}/volume"
-## TODO: custom user
+- set_fact:
+ whawty_auth_instance_basepath: "{{ storage_volume_mountpoint }}"
- name: create instance config directory
file:
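Review bot: The new `set_fact` at `whawty_auth_instance_basepath: "{{ storage_volume_mountpoint }}"` trusts that the included `storage/<type>/volume` role exported a non-empty `storage_volume_mountpoint` (presumably its output variable; the role is not visible here) — an undefined value fails the play, but an empty string silently turns every later path into `/config`, `/tls`, ... under the filesystem root, where the `owner: app` / `mode: 0400` steps then run. Pin the contract between the include and the set_fact with `- assert:` / `that:` / `- storage_volume_mountpoint | length > 0`. The `set_fact` task is also the only unnamed task in the file; `- name: set instance base path` keeps playbook output readable. The "create instance config directory" task at the end of the hunk continues outside it.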
@@ -25,47 +27,47 @@
mode: 0400
owner: app
-- name: set up tls config
- when: "'tls' in whawty_auth_instances[whawty_auth_instance]"
- block:
- - name: create tls directory
- file:
- path: "{{ whawty_auth_instance_basepath }}/config/tls"
- state: directory
- mode: 0500
- owner: app
+- name: create instance tls directory
+ file:
+ path: "{{ whawty_auth_instance_basepath }}/tls"
+ state: directory
+ owner: app
+ mode: 0500
- - name: generate/install/fetch TLS certificate
- vars:
- x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}"
- x509_certificate_hostnames: "{{ whawty_auth_instances[whawty_auth_instance].hostnames }}"
- x509_certificate_renewal:
- install:
- - dest: "{{ whawty_auth_instance_basepath }}/config/tls/cert.pem"
- src:
- - fullchain
- mode: "0400"
- owner: app
- - dest: "{{ whawty_auth_instance_basepath }}/config/tls/key.pem"
- src:
- - key
- mode: "0400"
- owner: app
- reload: |
- pod_id=$(crictl pods -q --state ready --name "^whawty-auth-{{ whawty_auth_instance }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 0
- container_id=$(crictl ps -q --name '^app$' -p "$pod_id")
- [ -n "$container_id" ] || exit 0
- crictl stop "$container_id"
- include_role:
- name: "x509/{{ whawty_auth_instances[whawty_auth_instance].tls.certificate_provider }}/cert"
+- name: generate/install TLS certificates for publishment
+ vars:
+ x509_certificate_name: "whawty-auth-{{ whawty_auth_instance }}_publish"
+ x509_certificate_hostnames: []
+ x509_certificate_config:
+ ca: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_ca_config }}"
+ cert:
+ common_name: "whawty-auth-{{ whawty_auth_instance }}"
+ extended_key_usage:
+ - serverAuth
+ extended_key_usage_critical: yes
+ create_subject_key_identifier: yes
+ not_after: +100w
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-crt.pem"
+ src:
+ - fullchain
+ owner: app
+ mode: "0444"
+ - dest: "{{ whawty_auth_instance_basepath }}/tls/publish-key.pem"
+ src:
+ - key
+ owner: app
+ mode: "0400"
+ include_role:
+ name: "x509/{{ whawty_auth_instances[whawty_auth_instance].publish.zone.certificate_provider }}/cert"
- - name: generate app web config
- template:
- src: web.yml.j2
- dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
- mode: 0400
- owner: app
+- name: generate app web config
+ template:
+ src: web.yml.j2
+ dest: "{{ whawty_auth_instance_basepath }}/config/web.yml"
+ mode: 0400
+ owner: app
- name: set up sync config
when: "'sync' in whawty_auth_instances[whawty_auth_instance]"
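Review bot: The `x509_certificate_renewal` for the publish certificate has no `reload:` hook, so when the cert is renewed the new `publish-crt.pem`/`publish-key.pem` land on disk but the running `app` container keeps serving the old key pair until something else restarts it; the block this replaces stopped the pod's `app` container via `crictl` for exactly that reason, and the certificate files are not part of the pod's config hash either. Restore the removed `reload:` script (the `crictl pods` / `crictl ps` / `crictl stop` sequence) under `x509_certificate_renewal`, or add `publish-crt.pem` to the config-hash items so the pod is recreated on renewal. Secondary: the certificate is issued with `x509_certificate_hostnames: []` and only a `common_name`, while nginx later verifies it against `proxy_ssl_name`; OpenSSL still falls back to the CN when no dNSName SAN is present, but that fallback is deprecated, so putting the same name into the SAN is the robust form — assuming `x509_certificate_hostnames` maps to SANs in this role, which is not visible here. Also `extended_key_usage_critical: yes` should be `true` (yamllint truthy), and `mode: 0400` on the `owner: app` context line above is an unquoted octal that other entries in this hunk already write as `"0400"`.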
@@ -104,9 +106,7 @@
vars:
whawty_auth_instance_config_hash_items__yaml: |
- path: "{{ whawty_auth_instance_basepath }}/config/store.yml"
- {% if 'tls' in whawty_auth_instances[whawty_auth_instance] %}
- path: "{{ whawty_auth_instance_basepath }}/config/web.yml"
- {% endif %}
{% if 'sync' in whawty_auth_instances[whawty_auth_instance] %}
- path: "{{ whawty_auth_instance_basepath }}/sync/authorized_keys"
- path: "{{ whawty_auth_instance_basepath }}/sync/group"
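Review bot: The hash-item list now restarts the pod when `store.yml`, `web.yml` or the sync files change, but not when the TLS material under `tls/` is replaced, so a renewed `publish-crt.pem` is not picked up by the running container unless the x509 role restarts it on its own. Adding `- path: "{{ whawty_auth_instance_basepath }}/tls/publish-crt.pem"` next to the `web.yml` entry ties pod recreation to certificate renewal (the key is replaced together with it). Whether the certificate role already restarts the container is not visible in this hunk; the `vars:` mapping and the task it belongs to begin before the hunk.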
@@ -121,3 +121,38 @@
config_hash_items: "{{ whawty_auth_instance_config_hash_items__yaml | from_yaml }}"
include_role:
name: kubernetes/standalone/pod
+
+- name: configure nginx vhost for publishment
+ vars:
+ nginx_vhost__yaml: |
+ {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
+ name: "whawty-auth-{{ whawty_auth_instance }}"
+ {% else %}
+ name: "whawty-auth-{{ whawty_auth_instance }}-{{ inventory_hostname }}"
+ {% endif %}
+ template: generic
+ {% if 'tls' in whawty_auth_instances[whawty_auth_instance].publish %}
+ tls:
+ {{ whawty_auth_instances[whawty_auth_instance].publish.tls | to_nice_yaml(indent=2) | indent(2) }}
+ {% endif %}
+ hostnames:
+ {% for hostname in whawty_auth_instances[whawty_auth_instance].publish.hostnames %}
+ - {{ hostname }}
+ {% endfor %}
+ locations:
+ '/':
+ {% if whawty_auth_instances[whawty_auth_instance].publish.zone.publisher == inventory_hostname %}
+ proxy_pass: "https://127.0.0.1:{{ whawty_auth_instances[whawty_auth_instance].port }}"
+ {% else %}
+ proxy_pass: "https://{{ ansible_default_ipv4.address }}:{{ whawty_auth_instances[whawty_auth_instance].port }}"
+ {% endif %}
+ proxy_ssl:
+ trusted_certificate: "/etc/ssl/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}/apps-publish-{{ whawty_auth_instances[whawty_auth_instance].publish.zone.name }}-ca-crt.pem"
+ verify: "on"
+ name: "whawty-auth-{{ whawty_auth_instance }}"
+ protocols: "TLSv1.3"
+ nginx_vhost: "{{ nginx_vhost__yaml | from_yaml }}"
+ include_role:
+ name: nginx/vhost
+ apply:
+ delegate_to: "{{ whawty_auth_instances[whawty_auth_instance].publish.zone.publisher }}"
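Review bot: Every node of an instance registers a vhost on the publisher with the same `hostnames` list (the `{% for hostname in ... %}` loop) but a different `name` (`whawty-auth-X` on the publisher itself, `whawty-auth-X-<node>` elsewhere) and a different `proxy_pass`; unless `nginx/vhost` merges same-`server_name` vhosts into one upstream, nginx logs "conflicting server name" and only the first loaded server block answers, leaving the other nodes unreachable through the publisher. If failover is the intent, the per-node backends belong in one `upstream` behind a single vhost; if only the publisher should serve, drop the non-publisher branch instead of emitting a shadowed vhost. The non-publisher `proxy_pass` also targets `ansible_default_ipv4.address`, which requires the app port to listen on that interface and be reachable from the publisher — nothing here restricts that exposure, so confirm the pod binds there and that the port is firewalled to the publisher. The upstream verification itself (`verify: "on"`, `trusted_certificate` pinned to the zone CA, explicit `name`, `protocols: "TLSv1.3"`) is the right shape; as a style point, quote the templated list items, `- "{{ hostname }}"`, so an odd hostname cannot be re-typed by the YAML parser.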