From 6132ae855f999b70092552a9ceed4fec451cc8f7 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Fri, 23 Dec 2022 03:35:46 +0100 Subject: some initial tests with uacme --- dan/sk-testvm.yml | 11 +++++ files/chaos-at-home/bind-zones/db.spreadspace | 3 +- inventory/group_vars/all/vars.yml | 13 ++++++ inventory/group_vars/chaos-at-home/vars.yml | 2 +- inventory/group_vars/elevate/vars.yml | 2 +- inventory/group_vars/glt-live/vars.yml | 4 +- .../group_vars/schlagergarten-gloria/vars.yml | 4 +- inventory/group_vars/skillz/vars.yml | 2 +- inventory/group_vars/spreadspace/vars.yml | 2 +- inventory/host_vars/ch-http-proxy.yml | 2 +- inventory/host_vars/ch-imap-proxy.yml | 2 +- inventory/host_vars/ch-mimas.yml | 2 +- inventory/host_vars/ch-pan.yml | 2 +- inventory/host_vars/ele-coturn.yml | 2 +- inventory/host_vars/ele-jitsi.yml | 2 +- inventory/host_vars/ele-lt.yml | 2 +- inventory/host_vars/ele-media.yml | 2 +- inventory/host_vars/sk-cloudio/vars.yml | 2 +- inventory/host_vars/sk-tomnext-nc.yml | 2 +- roles/x509/acmetool/base/defaults/main.yml | 12 +---- roles/x509/acmetool/base/tasks/main.yml | 4 +- roles/x509/uacme/base/defaults/main.yml | 6 +++ roles/x509/uacme/base/tasks/main.yml | 51 ++++++++++++++++++++++ 23 files changed, 105 insertions(+), 31 deletions(-) create mode 100644 dan/sk-testvm.yml create mode 100644 roles/x509/uacme/base/defaults/main.yml create mode 100644 roles/x509/uacme/base/tasks/main.yml diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml new file mode 100644 index 00000000..e349a3c3 --- /dev/null +++ b/dan/sk-testvm.yml @@ -0,0 +1,11 @@ +--- +- name: Basic Setup + hosts: sk-testvm + roles: + - role: apt-repo/base + - role: core/base + - role: core/sshd/base + - role: core/zsh + - role: core/ntp + - role: x509/uacme/base + - role: nginx/base diff --git a/files/chaos-at-home/bind-zones/db.spreadspace b/files/chaos-at-home/bind-zones/db.spreadspace index 3d24b76e..787048d9 100644 --- a/files/chaos-at-home/bind-zones/db.spreadspace 
+++ b/files/chaos-at-home/bind-zones/db.spreadspace @@ -1,7 +1,7 @@ $TTL 1h @ SOA ns0.chaos-at-home.org. hostmaster ( - 2022111400 + 2022122200 1h 5m 30d @@ -28,6 +28,7 @@ stream 1200 CNAME mimas.chaos-at-home.org. git 1200 A 116.203.212.131 +test A 178.63.180.143 ; GLT diff --git a/inventory/group_vars/all/vars.yml b/inventory/group_vars/all/vars.yml index 415af613..f72f71ef 100644 --- a/inventory/group_vars/all/vars.yml +++ b/inventory/group_vars/all/vars.yml @@ -116,3 +116,16 @@ apt_repo_providers: kali: host: http.kali.org path: /kali + + +acme_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory" +acme_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory" + +acme_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory" +acme_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory" + +acme_directory_server: "{{ acme_directory_server_le_staging_v2 }}" + +## at least acmetool can't be used to change this after the account has been created (aka after the first run) +## and it's not recommended to keep this empty so we don't define it here to force the user to define it +# acme_account_email: diff --git a/inventory/group_vars/chaos-at-home/vars.yml b/inventory/group_vars/chaos-at-home/vars.yml index 8e1f3db1..ad80c3b2 100644 --- a/inventory/group_vars/chaos-at-home/vars.yml +++ b/inventory/group_vars/chaos-at-home/vars.yml @@ -4,7 +4,7 @@ zsh_banner: chaos-at-home admin_users_group: - equinox -acmetool_account_email: admin@chaos-at-home.org +acme_account_email: admin@chaos-at-home.org apt_repo_provider: anexia diff --git a/inventory/group_vars/elevate/vars.yml b/inventory/group_vars/elevate/vars.yml index e108d8f2..075618e6 100644 --- a/inventory/group_vars/elevate/vars.yml +++ b/inventory/group_vars/elevate/vars.yml 
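Review bot: The `acme_directory_server_le_live_v1` / `acme_directory_server_le_staging_v1` URLs carried over into group_vars/all point at ACME v1 endpoints that Let's Encrypt retired in 2021, so an inventory that selects them will fail at account creation rather than quietly work; no host in this commit references them, so drop them or at least mark them `# retired by Let's Encrypt, do not use`. Defaulting `acme_directory_server` to staging is the right safe choice — a forgotten per-host override then hits the staging CA's untrusted issuer instead of burning production rate limits — and that rationale is worth a one-line comment next to the default. The comment on `acme_account_email` should also state the failure mode when it is unset: with this layout the first role that templates it aborts with an undefined-variable error, which is the intended fail-fast, but a reader cannot tell that from "force the user to define it".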
@@ -1,7 +1,7 @@ --- zsh_banner: elevate -acmetool_account_email: equinox@elevate.at +acme_account_email: equinox@elevate.at apt_repo_blackmagic_auth: username: "elevate" diff --git a/inventory/group_vars/glt-live/vars.yml b/inventory/group_vars/glt-live/vars.yml index da8ea042..65287b3a 100644 --- a/inventory/group_vars/glt-live/vars.yml +++ b/inventory/group_vars/glt-live/vars.yml @@ -5,8 +5,8 @@ ssh_users_root: - equinox - spel -acmetool_account_email: equinox@spreadspace.org -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_account_email: equinox@spreadspace.org +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" apt_repo_blackmagic_auth: username: "glt" diff --git a/inventory/group_vars/schlagergarten-gloria/vars.yml b/inventory/group_vars/schlagergarten-gloria/vars.yml index 6b60af4b..595b3f7a 100644 --- a/inventory/group_vars/schlagergarten-gloria/vars.yml +++ b/inventory/group_vars/schlagergarten-gloria/vars.yml @@ -1,5 +1,5 @@ --- zsh_banner: lendwirbel -acmetool_account_email: equinox@spreadspace.org -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_account_email: equinox@spreadspace.org +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" diff --git a/inventory/group_vars/skillz/vars.yml b/inventory/group_vars/skillz/vars.yml index 83765f7b..8314a19d 100644 --- a/inventory/group_vars/skillz/vars.yml +++ b/inventory/group_vars/skillz/vars.yml @@ -9,4 +9,4 @@ admin_users_group: - equinox - dan -acmetool_account_email: equinox@spreadspace.org +acme_account_email: equinox@spreadspace.org diff --git a/inventory/group_vars/spreadspace/vars.yml b/inventory/group_vars/spreadspace/vars.yml index a9f37087..5cf4b321 100644 --- a/inventory/group_vars/spreadspace/vars.yml +++ b/inventory/group_vars/spreadspace/vars.yml 
@@ -1,7 +1,7 @@ --- zsh_banner: spreadspace -acmetool_account_email: equinox@spreadspace.org +acme_account_email: equinox@spreadspace.org apt_repo_blackmagic_auth: username: "spreadspace" diff --git a/inventory/host_vars/ch-http-proxy.yml b/inventory/host_vars/ch-http-proxy.yml index 1d3bc561..070fbfd6 100644 --- a/inventory/host_vars/ch-http-proxy.yml +++ b/inventory/host_vars/ch-http-proxy.yml @@ -33,4 +33,4 @@ network: - *_network_primary_ -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" diff --git a/inventory/host_vars/ch-imap-proxy.yml b/inventory/host_vars/ch-imap-proxy.yml index 1d3bc561..070fbfd6 100644 --- a/inventory/host_vars/ch-imap-proxy.yml +++ b/inventory/host_vars/ch-imap-proxy.yml @@ -33,4 +33,4 @@ network: - *_network_primary_ -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" diff --git a/inventory/host_vars/ch-mimas.yml b/inventory/host_vars/ch-mimas.yml index 32db8f65..ac7f1748 100644 --- a/inventory/host_vars/ch-mimas.yml +++ b/inventory/host_vars/ch-mimas.yml @@ -28,7 +28,7 @@ ntp_variant: systemd-timesyncd nginx_server_names_hash_bucket_size: 64 -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" zfs_arc_size: diff --git a/inventory/host_vars/ch-pan.yml b/inventory/host_vars/ch-pan.yml index 5beabb31..c6459315 100644 --- a/inventory/host_vars/ch-pan.yml +++ b/inventory/host_vars/ch-pan.yml @@ -65,7 +65,7 @@ wireguard_p2p_peers: nginx_server_names_hash_bucket_size: 64 -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" dyndns: diff --git a/inventory/host_vars/ele-coturn.yml b/inventory/host_vars/ele-coturn.yml index 4288bc15..c51b5e54 100644 --- a/inventory/host_vars/ele-coturn.yml 
+++ b/inventory/host_vars/ele-coturn.yml @@ -23,7 +23,7 @@ kubelet_storage: spreadspace_apt_repo_components: - container -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" kubernetes_version: 1.22.5 diff --git a/inventory/host_vars/ele-jitsi.yml b/inventory/host_vars/ele-jitsi.yml index 157f8449..b6aa0db4 100644 --- a/inventory/host_vars/ele-jitsi.yml +++ b/inventory/host_vars/ele-jitsi.yml @@ -27,7 +27,7 @@ ssh_users_root: - equinox - datacop -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" kubernetes_version: 1.24.2 diff --git a/inventory/host_vars/ele-lt.yml b/inventory/host_vars/ele-lt.yml index adbaa1d8..a53141e0 100644 --- a/inventory/host_vars/ele-lt.yml +++ b/inventory/host_vars/ele-lt.yml @@ -28,7 +28,7 @@ liquidtruth_mongodb_app_username: lt liquidtruth_mongodb_app_password: "{{ vault_liquidtruth_mongodb_app_password }}" -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" liquidtruth_hostnames: # - liquidtruth.at diff --git a/inventory/host_vars/ele-media.yml b/inventory/host_vars/ele-media.yml index cdd60e6c..c11b9c42 100644 --- a/inventory/host_vars/ele-media.yml +++ b/inventory/host_vars/ele-media.yml @@ -84,7 +84,7 @@ wireguard_gateway_tunnels: - 0.0.0.0/0 -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" elevate_media_share_storage: diff --git a/inventory/host_vars/sk-cloudio/vars.yml b/inventory/host_vars/sk-cloudio/vars.yml index 1ba308a6..1e1cc0c5 100644 --- a/inventory/host_vars/sk-cloudio/vars.yml +++ b/inventory/host_vars/sk-cloudio/vars.yml 
@@ -85,4 +85,4 @@ postfix_base_inet_protocols: - "ipv4" -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" diff --git a/inventory/host_vars/sk-tomnext-nc.yml b/inventory/host_vars/sk-tomnext-nc.yml index 79ee582f..feac026c 100644 --- a/inventory/host_vars/sk-tomnext-nc.yml +++ b/inventory/host_vars/sk-tomnext-nc.yml @@ -98,7 +98,7 @@ postfix_base_mynetworks: - "{{ kubernetes_standalone_pod_cidr }}" -acmetool_directory_server: "{{ acmetool_directory_server_le_live_v2 }}" +acme_directory_server: "{{ acme_directory_server_le_live_v2 }}" nginx_server_names_hash_bucket_size: 64 diff --git a/roles/x509/acmetool/base/defaults/main.yml b/roles/x509/acmetool/base/defaults/main.yml index df82d26c..f824d9f7 100644 --- a/roles/x509/acmetool/base/defaults/main.yml +++ b/roles/x509/acmetool/base/defaults/main.yml @@ -1,14 +1,6 @@ --- -acmetool_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory" -acmetool_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory" - -acmetool_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory" -acmetool_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory" - -## this can't be changed after the account as been created (aka after the first run) -## and it's not recommended to keep this empty so we don't define it here which will lead to an error -# acmetool_account_email: -acmetool_directory_server: "{{ acmetool_directory_server_le_staging_v2 }}" +acmetool_account_email: "{{ acme_account_email }}" +acmetool_directory_server: "{{ acme_directory_server }}" #### optionally set http(s)_proxy # acmetool_http_proxy: diff --git a/roles/x509/acmetool/base/tasks/main.yml b/roles/x509/acmetool/base/tasks/main.yml index 5ad03257..7a53906b 100644 --- a/roles/x509/acmetool/base/tasks/main.yml +++ b/roles/x509/acmetool/base/tasks/main.yml 
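Review bot: `acmetool_account_email: "{{ acme_account_email }}"` moves the hard requirement out of the role into inventory, and because Ansible templates lazily an unset `acme_account_email` only surfaces at the task that renders it, after packages are installed and directories created. Since the old defaults comment (now dropped here) noted the e-mail cannot be changed once the account exists, fail before any state is written: `acmetool_account_email: "{{ acme_account_email | mandatory }}"` gives a clear error at first use, or add an `assert` on `acme_account_email is defined` at the top of tasks/main.yml. The role default should keep a short comment saying the value is expected from `group_vars`, since the explanation that used to live in this file now only exists in inventory.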
@@ -22,10 +22,10 @@ dest: /var/lib/acme/conf/responses - name: create non-standard acmetool webroot path + when: acmetool_challenge_webroot_path is defined file: name: "{{ acmetool_challenge_webroot_path }}" state: directory - when: acmetool_challenge_webroot_path is defined - name: run quickstart to create account and default target configuration command: acmetool --batch quickstart @@ -39,13 +39,13 @@ include_tasks: selfsigned.yml - name: install service reload configuration + when: acmetool_reload_services is defined template: src: acme-reload.j2 dest: /etc/default/acme-reload owner: root group: root mode: 0644 - when: acmetool_reload_services is defined - name: create system unit snippet directory file: diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml new file mode 100644 index 00000000..50ac8019 --- /dev/null +++ b/roles/x509/uacme/base/defaults/main.yml @@ -0,0 +1,6 @@ +--- +uacme_account_email: "{{ acme_account_email }}" +uacme_directory_server: "{{ acme_directory_server }}" + +### this defaults to '/var/run/acme/acme-challenge' +# uacme_challenge_webroot_path: "/path/to/acme-challenge" diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml new file mode 100644 index 00000000..b40c52b5 --- /dev/null +++ b/roles/x509/uacme/base/tasks/main.yml 
@@ -0,0 +1,51 @@ +--- +- name: install needed packages + apt: + name: + - uacme + - "{{ python_basename }}-openssl" + state: present + +- name: create acme account key + command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'" + args: + creates: /var/lib/uacme.d/private/key.pem + +- name: create standard uacme webroot path + when: uacme_challenge_webroot_path is not defined + block: + - name: install systemd tmpfiles config + copy: + dest: /usr/lib/tmpfiles.d/uacme.conf + content: | + d /var/run/acme/acme-challenge 0755 root root - - + register: uacme_systemd_tmpfiles_config + + - name: trigger systemd-tmpfiles + when: uacme_systemd_tmpfiles_config is changed + command: systemd-tmpfiles --create + +- name: create non-standard uacme webroot path + when: uacme_challenge_webroot_path is defined + file: + name: "{{ uacme_challenge_webroot_path }}" + state: directory + +- name: make sure nginx snipped directory exists + file: + path: /etc/nginx/snippets + state: directory + +- name: generate nginx snippet for webroot challenges + copy: + dest: /etc/nginx/snippets/uacme.conf + content: | + location /.well-known/acme-challenge/ { + alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }}; + } + +## TODO: implement this +# - name: generate selfsigned interim certificate +# include_tasks: selfsigned.yml + +## TODO: add global automatic refresher? -- cgit v1.2.3
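Review bot: The `creates: /var/lib/uacme.d/private/key.pem` guard on "create acme account key" ties idempotence to the key file rather than to the directory server the account was registered with, so a host that first ran with the staging default from group_vars/all and is later switched to `acme_directory_server_le_live_v2` never gets a live account and later issuance against the live CA will fail. If I read uacme's `new` correctly it reuses an existing key and only registers it with the configured CA, so the task can be re-run whenever the URL changes; the sketch below records the URL in a stamp file written after a successful registration and re-runs `uacme new` on mismatch. Separately, nginx `alias` appends the location remainder to the path verbatim, so a non-default `uacme_challenge_webroot_path` without a trailing slash — as in the defaults example `/path/to/acme-challenge` — resolves a token to `/path/to/acme-challengeTOKEN`; `alias {{ (uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge')) | regex_replace('/+$', '') }}/;` normalises it. Minor: `/usr/lib/tmpfiles.d/` is the package-owned tree, admin-managed snippets conventionally go in `/etc/tmpfiles.d/`, and the `uacme_account_email` / `uacme_directory_server` values are passed through single quotes inside `command:`, which is fine as long as neither ever contains a quote.
```yaml
# … unchanged: install needed packages …

- name: check which directory server the account is registered with
  command: cat /var/lib/uacme.d/directory-server
  register: uacme_registered_directory_server
  failed_when: false
  changed_when: false

- name: create acme account key and register it with the directory server
  # re-registers the existing key when the configured CA changes (e.g. staging -> live)
  when: uacme_registered_directory_server.stdout != uacme_directory_server
  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'"

- name: record the directory server the account is registered with
  # written only after a successful registration so a failed run is retried
  copy:
    dest: /var/lib/uacme.d/directory-server
    content: "{{ uacme_directory_server }}\n"
    mode: "0644"

# … unchanged: webroot path, nginx snippet …
```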