authorChristian Pointner <equinox@spreadspace.org>2023-08-09 14:38:23 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-20 22:12:03 +0200
commitbc98352d3e331003db625be96139b3c1f95f63b2 (patch)
tree6f05ce12309fb46aaa9c9eee692573b49b692e4d /roles
parentprepare test setups for new acme/cert roles (diff)
nginx/vhost: major change in certifcate/tls handling (WIP)
Diffstat (limited to 'roles')
-rw-r--r--roles/apps/bluespice/tasks/main.yml3
-rw-r--r--roles/apps/collabora/code/tasks/main.yml3
-rw-r--r--roles/apps/collabora/code/templates/nginx-vhost.conf.j24
-rw-r--r--roles/apps/coturn/tasks/main.yml9
-rw-r--r--roles/apps/etherpad-lite/tasks/main.yml3
-rw-r--r--roles/apps/etherpad-lite/templates/nginx-vhost.conf.j24
-rw-r--r--roles/apps/jitsi/meet/tasks/main.yml3
-rw-r--r--roles/apps/keycloak/tasks/main.yml3
-rw-r--r--roles/apps/mumble/tasks/main.yml6
-rw-r--r--roles/apps/nextcloud/tasks/main.yml3
-rw-r--r--roles/apps/onlyoffice/tasks/main.yml3
-rw-r--r--roles/apps/pigallery2/tasks/main.yml3
-rw-r--r--roles/apps/wikijs/tasks/main.yml3
-rw-r--r--roles/elevate/liquidtruth/tasks/main.yml3
-rw-r--r--roles/elevate/media/tasks/nextcloud-app.yml3
-rw-r--r--roles/gitolite/http/tasks/main.yml3
-rw-r--r--roles/gitolite/http/templates/nginx-vhost.conf.j24
-rw-r--r--roles/monitoring/landingpage/defaults/main.yml3
-rw-r--r--roles/monitoring/landingpage/tasks/main.yml3
-rw-r--r--roles/monitoring/prometheus/exporter/base/tasks/main.yml10
-rw-r--r--roles/nginx/vhost/defaults/main.yml8
-rw-r--r--roles/nginx/vhost/tasks/main.yml21
-rw-r--r--roles/nginx/vhost/templates/generic.conf.j210
-rw-r--r--roles/x509/acmetool/cert/finalize/defaults/main.yml3
-rw-r--r--roles/x509/acmetool/cert/finalize/tasks/main.yml2
-rw-r--r--roles/x509/acmetool/cert/prepare/defaults/main.yml2
26 files changed, 86 insertions, 39 deletions
diff --git a/roles/apps/bluespice/tasks/main.yml b/roles/apps/bluespice/tasks/main.yml
index 899d1e1d..49ef2418 100644
--- a/roles/apps/bluespice/tasks/main.yml
+++ b/roles/apps/bluespice/tasks/main.yml
@@ -49,7 +49,8 @@
nginx_vhost:
name: "bluespice-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml
index db28bb65..8f4acc76 100644
--- a/roles/apps/collabora/code/tasks/main.yml
+++ b/roles/apps/collabora/code/tasks/main.yml
@@ -53,7 +53,8 @@
nginx_vhost:
name: "collabora-code-{{ item.key }}"
content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
include_role:
diff --git a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
index 04358976..8dd67fb7 100644
--- a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
+++ b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
@@ -3,7 +3,7 @@ server {
listen [::]:80;
server_name {{ item.value.hostname }};
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
location / {
return 301 https://$host$request_uri;
@@ -15,7 +15,7 @@ server {
listen [::]:443 ssl http2;
server_name {{ item.value.hostname }};
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
include snippets/tls.conf;
ssl_certificate {{ x509_certificate_path_fullchain }};
ssl_certificate_key {{ x509_certificate_path_key }};
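Review bot: `include snippets/{{ acme_client }}.conf;` in both server blocks picks the challenge snippet from the global `acme_client` variable, while the role this vhost is handed to (roles/nginx/vhost in this same commit) selects the cert roles from `nginx_vhost.tls.certificate_provider`, and generic.conf.j2 includes the acmetool snippet only when that per-vhost value is `'acmetool'`; the two sources can disagree for a vhost that sets the provider explicitly, as coturn does with `certificate_provider: acmetool`. The etherpad-lite and gitolite/http templates in this commit follow the same pattern. Assuming the `content` lookup is evaluated where `nginx_vhost` is in scope (it is defined in the same `vars:` block in the calling task, but please confirm), `include snippets/{{ nginx_vhost.tls.certificate_provider }}.conf;` would keep a single source of truth, and a provider with no nginx snippet would then fail at config test instead of silently serving the wrong challenge location.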
diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml
index 42ccd2b3..bab53d99 100644
--- a/roles/apps/coturn/tasks/main.yml
+++ b/roles/apps/coturn/tasks/main.yml
@@ -1,4 +1,10 @@
---
+- name: check if acme_client is set to acmetool
+ assert:
+ msg: "this role currently only works with acmetool"
+ that:
+ - acme_client == "acmetool"
+
- name: add group for coturn
group:
name: coturn
@@ -64,7 +70,8 @@
nginx_vhost:
name: "coturn-{{ coturn_realm }}"
content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
+ tls:
+ certificate_provider: acmetool
hostnames: "{{ coturn_hostnames }}"
include_role:
name: nginx/vhost
diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml
index 072a6c09..495a0387 100644
--- a/roles/apps/etherpad-lite/tasks/main.yml
+++ b/roles/apps/etherpad-lite/tasks/main.yml
@@ -114,7 +114,8 @@
nginx_vhost:
name: "etherpad-lite-{{ item.key }}"
content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ item.value.hostnames }}"
include_role:
name: nginx/vhost
diff --git a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
index 0ac9d0f0..c572a7eb 100644
--- a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
+++ b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
@@ -3,7 +3,7 @@ server {
listen [::]:80;
server_name {{ item.value.hostnames | join(' ') }};
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
location / {
return 301 https://$host$request_uri;
@@ -15,7 +15,7 @@ server {
listen [::]:443 ssl http2;
server_name {{ item.value.hostnames | join(' ') }};
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
include snippets/tls.conf;
ssl_certificate {{ x509_certificate_path_fullchain }};
ssl_certificate_key {{ x509_certificate_path_key }};
diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml
index eff8232b..1d55fc78 100644
--- a/roles/apps/jitsi/meet/tasks/main.yml
+++ b/roles/apps/jitsi/meet/tasks/main.yml
@@ -151,7 +151,8 @@
nginx_vhost:
name: "jitsi-meet-{{ jitsi_meet_inst_name }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ jitsi_meet_hostname }}"
locations: "{{ nginx_vhost_locations_base | combine(nginx_vhost_locations_streamui) }}"
diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml
index 68806458..c3e93666 100644
--- a/roles/apps/keycloak/tasks/main.yml
+++ b/roles/apps/keycloak/tasks/main.yml
@@ -96,7 +96,8 @@
nginx_vhost:
name: "keycloak-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
index 33331dca..92659b66 100644
--- a/roles/apps/mumble/tasks/main.yml
+++ b/roles/apps/mumble/tasks/main.yml
@@ -1,4 +1,10 @@
---
+- name: check if acme_client is set to acmetool
+ assert:
+ msg: "this role currently only works with acmetool"
+ that:
+ - acme_client == "acmetool"
+
- name: add group for mumble
group:
name: mumble
diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml
index 29ab9c39..c9a9061c 100644
--- a/roles/apps/nextcloud/tasks/main.yml
+++ b/roles/apps/nextcloud/tasks/main.yml
@@ -160,7 +160,8 @@
nginx_vhost:
name: "nextcloud-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ item.value.hostnames }}"
locations:
'/':
diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml
index 957d8afe..960e811b 100644
--- a/roles/apps/onlyoffice/tasks/main.yml
+++ b/roles/apps/onlyoffice/tasks/main.yml
@@ -140,7 +140,8 @@
nginx_vhost:
name: "onlyoffice-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/pigallery2/tasks/main.yml b/roles/apps/pigallery2/tasks/main.yml
index b8b0166d..2a758da1 100644
--- a/roles/apps/pigallery2/tasks/main.yml
+++ b/roles/apps/pigallery2/tasks/main.yml
@@ -67,7 +67,8 @@
nginx_vhost:
name: "pigallery2-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/apps/wikijs/tasks/main.yml b/roles/apps/wikijs/tasks/main.yml
index e2b03d24..10b0aa54 100644
--- a/roles/apps/wikijs/tasks/main.yml
+++ b/roles/apps/wikijs/tasks/main.yml
@@ -73,7 +73,8 @@
nginx_vhost:
name: "wikijs-{{ item.key }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames:
- "{{ item.value.hostname }}"
locations:
diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml
index 837d2fd0..aa73adb5 100644
--- a/roles/elevate/liquidtruth/tasks/main.yml
+++ b/roles/elevate/liquidtruth/tasks/main.yml
@@ -18,7 +18,8 @@
nginx_vhost:
name: liquidtruth
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ liquidtruth_hostnames }}"
locations:
'/':
diff --git a/roles/elevate/media/tasks/nextcloud-app.yml b/roles/elevate/media/tasks/nextcloud-app.yml
index 2e533ec6..42a351e4 100644
--- a/roles/elevate/media/tasks/nextcloud-app.yml
+++ b/roles/elevate/media/tasks/nextcloud-app.yml
@@ -102,7 +102,8 @@
nginx_vhost:
name: "nextcloud-{{ elevate_media_nextcloud_instance_name }}"
template: generic
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ elevate_media_nextcloud_instance.hostnames }}"
locations:
'/':
diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml
index a3055902..1006283a 100644
--- a/roles/gitolite/http/tasks/main.yml
+++ b/roles/gitolite/http/tasks/main.yml
@@ -54,7 +54,8 @@
vars:
nginx_vhost:
name: "gitolite-{{ gitolite_instance }}"
- acme: true
+ tls:
+ certificate_provider: "{{ acme_client }}"
hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}"
content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}"
include_role:
diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2
index 3386d956..f656d48f 100644
--- a/roles/gitolite/http/templates/nginx-vhost.conf.j2
+++ b/roles/gitolite/http/templates/nginx-vhost.conf.j2
@@ -6,7 +6,7 @@
access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log;
error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log;
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
location / {
return 301 https://$host$request_uri;
@@ -21,7 +21,7 @@ server {
access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log;
error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log;
- include snippets/acmetool.conf;
+ include snippets/{{ acme_client }}.conf;
include snippets/tls.conf;
ssl_certificate {{ x509_certificate_path_fullchain }};
ssl_certificate_key {{ x509_certificate_path_key }};
diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml
index ad2a3895..88e1b133 100644
--- a/roles/monitoring/landingpage/defaults/main.yml
+++ b/roles/monitoring/landingpage/defaults/main.yml
@@ -2,6 +2,7 @@
# monitoring_landingpage_hostnames:
# - "mon.example.com"
-monitoring_landingpage_acme: no
+# monitoring_landingpage_tls:
+# certificate_provider: "{{ acme_client }}"
#monitoring_landingpage_title: "Example Monitoring Host"
diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml
index 3158770b..225cab10 100644
--- a/roles/monitoring/landingpage/tasks/main.yml
+++ b/roles/monitoring/landingpage/tasks/main.yml
@@ -15,7 +15,8 @@
name: landingpage
template: generic
hostnames: "{{ monitoring_landingpage_hostnames }}"
- acme: "{{ monitoring_landingpage_acme }}"
+ ### make tls settings optional?
+ #tls: "{{ monitoring_landingpage_tls }}"
locations:
'/':
root: /var/www/landingpage
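Review bot: With `acme:` removed and `#tls: "{{ monitoring_landingpage_tls }}"` left commented out, the landing page vhost is now rendered without any `tls` key, so a host that previously set `monitoring_landingpage_acme: yes` silently drops to plain HTTP after this commit; the `### make tls settings optional?` marker shows this is known, but it is a regression until it is resolved. One approach that avoids building the dict conditionally is to keep the line active, default `monitoring_landingpage_tls: {}` in defaults/main.yml, and have roles/nginx/vhost treat an empty mapping as "no TLS" by testing `nginx_vhost.tls` for truthiness rather than only key presence. The enclosing task starts before this hunk.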
diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
index c69c6e05..3cedc042 100644
--- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml
+++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml
@@ -21,10 +21,14 @@
- name: create TLS certificate and key
import_tasks: tls.yml
+- name: render nginx-vhost config template
+ set_fact:
+ prometheus_exporter_nginx_vhost_content: "{{ lookup('template', 'nginx-vhost.j2') }}"
+
- name: configure nginx vhost
- import_role:
- name: nginx/vhost
vars:
nginx_vhost:
name: prometheus-exporter
- content: "{{ lookup('template', 'nginx-vhost.j2') }}"
+ content: "{{ prometheus_exporter_nginx_vhost_content }}"
+ import_role:
+ name: nginx/vhost
diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml
index b80a5442..5984e623 100644
--- a/roles/nginx/vhost/defaults/main.yml
+++ b/roles/nginx/vhost/defaults/main.yml
@@ -3,7 +3,8 @@
# default: yes
# name: example
# template: generic
-# acme: yes
+# tls:
+# certificate_provider: acmetool
# hostnames:
# - example.com
# - www.example.com
@@ -26,7 +27,10 @@
# nginx_vhost:
# name: mixed-static-and-proxy
# template: generic
-# acme: yes
+# tls:
+# variant: legacy
+# hsts: false
+# certificate_provider: acmetool
# hostnames:
# - static.example.com
# extra_directives: |-
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 424c86a0..c5e68732 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,11 +1,12 @@
---
- name: ensure certificate exists (fake it, until you make it)
- when: "'acme' in nginx_vhost and nginx_vhost.acme"
- import_role:
- name: x509/acmetool/cert/prepare
+ when: "'tls' in nginx_vhost"
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"
+ public: true
vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_name: "{{ nginx_vhost.name }}"
+ x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
- name: install nginx configs from template
when: "'template' in nginx_vhost"
@@ -31,14 +32,14 @@
notify: reload nginx
- name: generate acme certificate
- when: "'acme' in nginx_vhost and nginx_vhost.acme"
+ when: "'tls' in nginx_vhost"
block:
- name: make sure nginx config has been (re)loaded
meta: flush_handlers
- name: actually request the certificate
- import_role:
- name: x509/acmetool/cert/finalize
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize"
vars:
- acmetool_cert_name: "{{ nginx_vhost.name }}"
- acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_certificate_name: "{{ nginx_vhost.name }}"
+ x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
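Review bot: The include_role name in the first hunk is built from `nginx_vhost.tls.certificate_provider`, but the guard `when: "'tls' in nginx_vhost"` only checks that the key exists, so a vhost passing `tls: {}`, `tls: null`, or a mapping with only `variant`/`hsts` reaches the include with an undefined attribute and fails mid-run instead of at validation; the second hunk and generic.conf.j2 (`{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}` in both server blocks) perform the same unguarded access. The replaced `'acme' in nginx_vhost and nginx_vhost.acme` also tested the value, which the new condition no longer does. Since this value chooses which role directory is loaded and which cert paths end up in the nginx config, I would add an assert ahead of the first include that pins it to the supported providers, and extend both `when:` clauses to `when: "'tls' in nginx_vhost and nginx_vhost.tls"` so an empty mapping can mean "no TLS".
```yaml
- name: validate nginx_vhost tls settings
  when: "'tls' in nginx_vhost and nginx_vhost.tls"
  assert:
    msg: "nginx_vhost.tls.certificate_provider must be set to a supported provider"
    that:
      - "'certificate_provider' in nginx_vhost.tls"
      - nginx_vhost.tls.certificate_provider in ['acmetool']  # extend as further x509/*/cert roles are added

# … unchanged: ensure certificate exists (fake it, until you make it) …
```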
diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2
index 5c7576e7..434fa679 100644
--- a/roles/nginx/vhost/templates/generic.conf.j2
+++ b/roles/nginx/vhost/templates/generic.conf.j2
@@ -3,9 +3,11 @@ server {
listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
server_name {{ nginx_vhost.hostnames | join(' ') }};
-{% if 'acme' in nginx_vhost and nginx_vhost.acme %}
+{% if 'tls' in nginx_vhost %}
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}
include snippets/acmetool.conf;
+{% endif %}
location / {
return 301 https://$host$request_uri;
}
@@ -16,11 +18,15 @@ server {
listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %};
server_name {{ nginx_vhost.hostnames | join(' ') }};
+{% if nginx_vhost.tls.certificate_provider == 'acmetool' %}
include snippets/acmetool.conf;
- include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf;
+{% endif %}
+ include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf;
ssl_certificate {{ x509_certificate_path_fullchain }};
ssl_certificate_key {{ x509_certificate_path_key }};
+{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %}
include snippets/hsts.conf;
+{% endif %}
{% endif %}
{% if 'extra_directives' in nginx_vhost %}
diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml
index ab0afaa3..b9a80136 100644
--- a/roles/x509/acmetool/cert/finalize/defaults/main.yml
+++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml
@@ -1,2 +1,5 @@
---
+acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}"
+acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"
+
acmetool_reconcile_disabled: false
diff --git a/roles/x509/acmetool/cert/finalize/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml
index 91bf5157..abb2d4cb 100644
--- a/roles/x509/acmetool/cert/finalize/tasks/main.yml
+++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml
@@ -6,5 +6,5 @@
names: "{{ acmetool_cert_hostnames }}"
copy:
content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}"
- dest: "/var/lib/acme/desired/{{ acmetool_cert_name | default(acmetool_cert_hostnames[0]) }}"
+ dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
notify: reconcile acmetool
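Review bot: `dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"` now takes its value from the new default `x509_certificate_name | default(acmetool_cert_hostnames[0])`, which under roles/nginx/vhost is the free-form `nginx_vhost.name`, and it lands in a filesystem path with no check; a name containing `/` would write outside the desired directory, and an empty hostnames list makes the `[0]` fallback fail with an unhelpful indexing error. The inputs are playbook data rather than untrusted, so the risk is low, but a cheap assert before the copy gives a clear failure: `- "'/' not in acmetool_cert_name"` and `- acmetool_cert_hostnames | length > 0`. The copy task starts before this hunk.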
diff --git a/roles/x509/acmetool/cert/prepare/defaults/main.yml b/roles/x509/acmetool/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..d4eb7c86
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}"
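Review bot: The new defaults file maps only `acmetool_cert_hostnames` from `x509_certificate_hostnames`, whereas the finalize role's defaults in this same commit also derive `acmetool_cert_name`; roles/nginx/vhost passes `x509_certificate_name` to prepare too, so if prepare's tasks (not in this diff) reference `acmetool_cert_name`, that value is now silently unset there rather than taken from the vhost name, which is worth confirming. If it is used, mirror the finalize line: `acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"`.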