16 files changed, 61 insertions, 29 deletions
diff --git a/chaos-at-home/ch-http-proxy.yml b/chaos-at-home/ch-http-proxy.yml
index 0376fcd5..67e3521a 100644
--- a/chaos-at-home/ch-http-proxy.yml
+++ b/chaos-at-home/ch-http-proxy.yml
@@ -6,6 +6,10 @@
     - role: core/base
     - role: core/sshd/base
     - role: core/zsh
+
+- name: Payload Setup
+  hosts: ch-http-proxy
+  roles:
     - role: apt-repo/spreadspace
     - role: x509/acmetool/base
     - role: nginx/base
diff --git a/chaos-at-home/ch-imap-proxy.yml b/chaos-at-home/ch-imap-proxy.yml
index 936140bc..1c05f28b 100644
--- a/chaos-at-home/ch-imap-proxy.yml
+++ b/chaos-at-home/ch-imap-proxy.yml
@@ -6,10 +6,15 @@
     - role: core/base
     - role: core/sshd/base
     - role: core/zsh
+
+- name: Payload Setup
+  hosts: ch-imap-proxy
+  roles:
     - role: apt-repo/spreadspace
     - role: x509/acmetool/base
     - role: x509/acmetool/cert
-      acmetool_cert_name: "imap.chaos-at-home.org"
+      acmetool_cert_hostnames:
+        - "imap.chaos-at-home.org"
       acmetool_cert_config:
         request:
           challenge:
@@ -25,8 +30,8 @@
         dest: /etc/stunnel/imap.conf
         content: |
           pid = /var/run/stunnel-imap.pid
-          cert = /var/lib/acme/live/imap.chaos-at-home.org/fullchain
-          key = /var/lib/acme/live/imap.chaos-at-home.org/privkey
+          cert = {{ x509_certificate_path_fullchain }}
+          key = {{ x509_certificate_path_key }}
 
           [imap]
           client = yes
diff --git a/dan/k8s-emc.yml b/dan/k8s-emc.yml
index 86fea6c5..b8358fee 100644
--- a/dan/k8s-emc.yml
+++ b/dan/k8s-emc.yml
@@ -16,7 +16,8 @@
   roles:
     - role: x509/acmetool/base
     - role: x509/acmetool/cert
-      acmetool_cert_name: "{{ host_name }}.{{ host_domain }}"
+      acmetool_cert_hostnames:
+        - "{{ host_name }}.{{ host_domain }}"
     - role: storage/lvm/volume
       lvm_volume:
         vg: storage
diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml
index e349a3c3..93e20776 100644
--- a/dan/sk-testvm.yml
+++ b/dan/sk-testvm.yml
@@ -7,5 +7,10 @@
     - role: core/sshd/base
     - role: core/zsh
     - role: core/ntp
-    - role: x509/uacme/base
+
+- name: Payload Setup
+  hosts: sk-testvm
+  roles:
+#    - role: x509/acmetool/base
+#    - role: x509/uacme/base
     - role: nginx/base
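Review bot: The stunnel config in the second ch-imap-proxy.yml hunk now takes `cert`/`key` from `x509_certificate_path_fullchain` and `x509_certificate_path_key`, which are host-level facts written by `set_fact` in the `export paths to certificate files` task of roles/x509/acmetool/cert/prepare/tasks/main.yml and overwritten by every later run of that role on the same host. In this play the `x509/acmetool/cert` role is listed shortly before the stunnel config, so the values are the right ones, but any further `x509/acmetool/cert` entry or nginx vhost inserted between the two would silently point stunnel at another certificate's key file; the four nginx-vhost.conf.j2 templates and generic.conf.j2 in this commit carry the same ordering dependency. The role that renders the stunnel config starts outside the hunk, so I cannot see how far apart the two are; a comment next to it would make the contract explicit, e.g. `# cert/key paths come from the x509_certificate_path_* facts set by x509/acmetool/cert above; keep that role directly before this one`.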
diff --git a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
index d56d77a0..04358976 100644
--- a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
+++ b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2
@@ -17,8 +17,8 @@ server {
   include snippets/acmetool.conf;
   include snippets/tls.conf;
-  ssl_certificate /var/lib/acme/live/{{ item.value.hostname }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ item.value.hostname }}/privkey;
+  ssl_certificate {{ x509_certificate_path_fullchain }};
+  ssl_certificate_key {{ x509_certificate_path_key }};
 
   include snippets/hsts.conf;
 
 
diff --git a/roles/apps/coturn/templates/nginx-vhost.conf.j2 b/roles/apps/coturn/templates/nginx-vhost.conf.j2
index 0639fbe1..577c33b4 100644
--- a/roles/apps/coturn/templates/nginx-vhost.conf.j2
+++ b/roles/apps/coturn/templates/nginx-vhost.conf.j2
@@ -17,8 +17,8 @@ server {
   include snippets/acmetool.conf;
   include snippets/tls.conf;
-  ssl_certificate /var/lib/acme/live/{{ coturn_hostnames[0] }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ coturn_hostnames[0] }}/privkey;
+  ssl_certificate {{ x509_certificate_path_fullchain }};
+  ssl_certificate_key {{ x509_certificate_path_key }};
 
   include snippets/hsts.conf;
 
   location / {
diff --git a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
index b59701fc..0ac9d0f0 100644
--- a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
+++ b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2
@@ -17,8 +17,8 @@ server {
   include snippets/acmetool.conf;
   include snippets/tls.conf;
-  ssl_certificate /var/lib/acme/live/{{ item.value.hostnames[0] }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ item.value.hostnames[0] }}/privkey;
+  ssl_certificate {{ x509_certificate_path_fullchain }};
+  ssl_certificate_key {{ x509_certificate_path_key }};
 
   include snippets/hsts.conf;
 
   location / {
diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2
index add7a719..3386d956 100644
--- a/roles/gitolite/http/templates/nginx-vhost.conf.j2
+++ b/roles/gitolite/http/templates/nginx-vhost.conf.j2
@@ -23,8 +23,8 @@ server {
   include snippets/acmetool.conf;
   include snippets/tls.conf;
-  ssl_certificate /var/lib/acme/live/{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ gitolite_instances[gitolite_instance].http.hostnames[0] }}/privkey;
+  ssl_certificate {{ x509_certificate_path_fullchain }};
+  ssl_certificate_key {{ x509_certificate_path_key }};
 
   include snippets/hsts.conf;
 
   location = / {
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 1b5e3392..424c86a0 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,4 +1,12 @@
 ---
+- name: ensure certificate exists (fake it, until you make it)
+  when: "'acme' in nginx_vhost and nginx_vhost.acme"
+  import_role:
+    name: x509/acmetool/cert/prepare
+  vars:
+    acmetool_cert_name: "{{ nginx_vhost.name }}"
+    acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+
 - name: install nginx configs from template
   when: "'template' in nginx_vhost"
   template:
@@ -24,4 +32,13 @@
 
 - name: generate acme certificate
   when: "'acme' in nginx_vhost and nginx_vhost.acme"
-  include_tasks: acme.yml
+  block:
+    - name: make sure nginx config has been (re)loaded
+      meta: flush_handlers
+
+    - name: actually request the certificate
+      import_role:
+        name: x509/acmetool/cert/finalize
+      vars:
+        acmetool_cert_name: "{{ nginx_vhost.name }}"
+        acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2
index 08bf7a60..5c7576e7 100644
--- a/roles/nginx/vhost/templates/generic.conf.j2
+++ b/roles/nginx/vhost/templates/generic.conf.j2
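Review bot: In the first hunk of roles/nginx/vhost/tasks/main.yml the new first task exists only to populate the `x509_certificate_path_*` facts that the `install nginx configs from template` task right below reads, but nothing in the file says so, and because the task is guarded by `when:` a vhost without `acme` renders with whatever an earlier vhost on the same host left in those facts rather than with an undefined variable. For generic.conf.j2 that is harmless since its `ssl_certificate` lines sit inside the `{% if %}` block shown in the next hunk; for the app-specific nginx-vhost.conf.j2 templates in this commit I cannot tell from the hunks whether a non-acme vhost is possible. A comment above the task would pin the ordering, e.g. `# must stay the first task: sets x509_certificate_path_* for the template task below`. The same condition string is repeated in both hunks of this file; keeping it in one place would avoid the two drifting apart.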
@@ -18,8 +18,8 @@ server {
   include snippets/acmetool.conf;
   include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf;
-  ssl_certificate /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ nginx_vhost.hostnames[0] }}/privkey;
+  ssl_certificate {{ x509_certificate_path_fullchain }};
+  ssl_certificate_key {{ x509_certificate_path_key }};
 
   include snippets/hsts.conf;
 {% endif %}
 
diff --git a/roles/x509/acmetool/cert/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml
index ab0afaa3..ab0afaa3 100644
--- a/roles/x509/acmetool/cert/defaults/main.yml
+++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml
diff --git a/roles/x509/acmetool/cert/handlers/main.yml b/roles/x509/acmetool/cert/finalize/handlers/main.yml
index a7fc43ed..a7fc43ed 100644
--- a/roles/x509/acmetool/cert/handlers/main.yml
+++ b/roles/x509/acmetool/cert/finalize/handlers/main.yml
diff --git a/roles/x509/acmetool/cert/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml
index 09980dad..91bf5157 100644
--- a/roles/x509/acmetool/cert/tasks/main.yml
+++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml
@@ -3,8 +3,8 @@
   vars:
     acmetool_cert_satisfy:
       satisfy:
-        names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}"
+        names: "{{ acmetool_cert_hostnames }}"
   copy:
     content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}"
-    dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
+    dest: "/var/lib/acme/desired/{{ acmetool_cert_name | default(acmetool_cert_hostnames[0]) }}"
   notify: reconcile acmetool
diff --git a/roles/x509/acmetool/cert/meta/main.yml b/roles/x509/acmetool/cert/meta/main.yml
new file mode 100644
index 00000000..8e6ac88d
--- /dev/null
+++ b/roles/x509/acmetool/cert/meta/main.yml
@@ -0,0 +1,3 @@
+dependencies:
+  - role: x509/acmetool/cert/prepare
+  - role: x509/acmetool/cert/finalize
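Review bot: Wiring prepare and finalize in as `dependencies` of `x509/acmetool/cert` in the new meta/main.yml exposes them to Ansible's role de-duplication: as far as I recall from the role documentation, a dependency runs once per play per (role name, parameters), and the parent role's parameters are not part of that key, so a play that lists `x509/acmetool/cert` twice with different `acmetool_cert_hostnames` would run prepare and finalize only for the first entry and silently skip the second unless both sub-roles set `allow_duplicates: true` in their own meta/main.yml. This commit adds no meta file for either sub-role, so please either add one to each with `allow_duplicates: true`, or give `x509/acmetool/cert` a tasks/main.yml that reaches them through `import_role` as roles/nginx/vhost/tasks/main.yml already does, which is not de-duplicated by default. The new file also lacks the `---` document start that the other YAML files in this commit use.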
diff --git a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
index 179f71e9..179f71e9 100644
--- a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py
+++ b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
diff --git a/roles/nginx/vhost/tasks/acme.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
index 8a6cddb7..1f7dc724 100644
--- a/roles/nginx/vhost/tasks/acme.yml
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -1,6 +1,6 @@
 ---
 - name: check if acme certs already exist
-  loop: "{{ nginx_vhost.hostnames }}"
+  loop: "{{ acmetool_cert_hostnames }}"
   loop_control:
     loop_var: acme_hostname
   stat:
@@ -9,7 +9,7 @@
 
 - name: set acmecert_missing_hostnames variable
   set_fact:
-    acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(nginx_vhost.hostnames) }}"
+    acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(acmetool_cert_hostnames) }}"
 
 - name: link nonexistent hostnames to self-signed interim cert
   when: acmecert_missing_hostnames | length > 0
@@ -33,12 +33,9 @@
     dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
     state: link
 
-- name: make sure nginx config has been (re)loaded
-  meta: flush_handlers
-
-- name: get certificate using acmetool
-  import_role:
-    name: x509/acmetool/cert
-  vars:
-    acmetool_cert_name: "{{ nginx_vhost.name }}"
-    acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}"
+- name: export paths to certificate files
+  set_fact:
+    x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
+    x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
+    x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
+    x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
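Review bot: `acmetool_cert_hostnames` becomes a hard requirement of the prepare role in the first hunk (the `loop:` on the first task, and the `[0]` indexing in the last hunk's `export paths to certificate files` task), whereas the `default([acmetool_cert_name])` removed from finalize/tasks/main.yml used to let callers pass only `acmetool_cert_name`. A caller that was not converted — only ch-imap-proxy.yml and k8s-emc.yml are touched in this commit — now fails with a generic undefined-variable error on the loop rather than a message naming what is missing, and an empty list would only fail at the `[0]` in the last task after the stat loop ran on nothing. An `assert` as the first task states the contract and catches both cases early.

```yaml
- name: check that the certificate hostnames are set
  assert:
    that:
      - acmetool_cert_hostnames is defined
      - acmetool_cert_hostnames | length > 0
    fail_msg: "acmetool_cert_hostnames must be a non-empty list of hostnames"

# … unchanged: check if acme certs already exist …
```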