From bc98352d3e331003db625be96139b3c1f95f63b2 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Wed, 9 Aug 2023 14:38:23 +0200 Subject: nginx/vhost: major change in certifcate/tls handling (WIP) --- roles/apps/bluespice/tasks/main.yml | 3 ++- roles/apps/collabora/code/tasks/main.yml | 3 ++- .../collabora/code/templates/nginx-vhost.conf.j2 | 4 ++-- roles/apps/coturn/tasks/main.yml | 9 ++++++++- roles/apps/etherpad-lite/tasks/main.yml | 3 ++- .../etherpad-lite/templates/nginx-vhost.conf.j2 | 4 ++-- roles/apps/jitsi/meet/tasks/main.yml | 3 ++- roles/apps/keycloak/tasks/main.yml | 3 ++- roles/apps/mumble/tasks/main.yml | 6 ++++++ roles/apps/nextcloud/tasks/main.yml | 3 ++- roles/apps/onlyoffice/tasks/main.yml | 3 ++- roles/apps/pigallery2/tasks/main.yml | 3 ++- roles/apps/wikijs/tasks/main.yml | 3 ++- roles/elevate/liquidtruth/tasks/main.yml | 3 ++- roles/elevate/media/tasks/nextcloud-app.yml | 3 ++- roles/gitolite/http/tasks/main.yml | 3 ++- roles/gitolite/http/templates/nginx-vhost.conf.j2 | 4 ++-- roles/monitoring/landingpage/defaults/main.yml | 3 ++- roles/monitoring/landingpage/tasks/main.yml | 3 ++- .../prometheus/exporter/base/tasks/main.yml | 10 +++++++--- roles/nginx/vhost/defaults/main.yml | 8 ++++++-- roles/nginx/vhost/tasks/main.yml | 21 +++++++++++---------- roles/nginx/vhost/templates/generic.conf.j2 | 10 ++++++++-- roles/x509/acmetool/cert/finalize/defaults/main.yml | 3 +++ roles/x509/acmetool/cert/finalize/tasks/main.yml | 2 +- roles/x509/acmetool/cert/prepare/defaults/main.yml | 2 ++ 26 files changed, 86 insertions(+), 39 deletions(-) create mode 100644 roles/x509/acmetool/cert/prepare/defaults/main.yml (limited to 'roles') diff --git a/roles/apps/bluespice/tasks/main.yml b/roles/apps/bluespice/tasks/main.yml index 899d1e1d..49ef2418 100644 --- a/roles/apps/bluespice/tasks/main.yml +++ b/roles/apps/bluespice/tasks/main.yml 
@@ -49,7 +49,8 @@ nginx_vhost: name: "bluespice-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/collabora/code/tasks/main.yml b/roles/apps/collabora/code/tasks/main.yml index db28bb65..8f4acc76 100644 --- a/roles/apps/collabora/code/tasks/main.yml +++ b/roles/apps/collabora/code/tasks/main.yml @@ -53,7 +53,8 @@ nginx_vhost: name: "collabora-code-{{ item.key }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" include_role: diff --git a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 index 04358976..8dd67fb7 100644 --- a/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 +++ b/roles/apps/collabora/code/templates/nginx-vhost.conf.j2 @@ -3,7 +3,7 @@ server { listen [::]:80; server_name {{ item.value.hostname }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -15,7 +15,7 @@ server { listen [::]:443 ssl http2; server_name {{ item.value.hostname }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/apps/coturn/tasks/main.yml b/roles/apps/coturn/tasks/main.yml index 42ccd2b3..bab53d99 100644 --- a/roles/apps/coturn/tasks/main.yml +++ b/roles/apps/coturn/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: check if acme_client is set to acmetool + assert: + msg: "this role currently only works with acmetool" + that: + - acme_client == "acmetool" + - name: add group for coturn group: name: coturn 
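Review bot: `certificate_provider: "{{ acme_client }}"` depends on a variable that none of the 26 files in this commit defines, so unless `acme_client` comes from inventory or another role's defaults, the `include_role` in roles/nginx/vhost fails on an undefined variable instead of a readable message. The same pattern is used in the collabora, etherpad-lite, jitsi, keycloak, nextcloud, onlyoffice, pigallery2, wikijs, liquidtruth, elevate/media and gitolite hunks. If it is not set elsewhere, a shared default such as `acme_client: acmetool`, or an assert like the one the coturn hunk adds, would make the dependency explicit.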
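Review bot: `include snippets/{{ acme_client }}.conf;` is rendered unconditionally for whatever value `acme_client` holds, whereas generic.conf.j2 in this same commit emits `include snippets/acmetool.conf;` only when the provider is acmetool; for any other client this template would reference a snippet nothing on this page installs, and the nginx config test and reload would fail. The same applies to the second hunk of this template and to the etherpad-lite and gitolite nginx-vhost.conf.j2 hunks. Guarding it the way generic.conf.j2 does, `{% if acme_client == 'acmetool' %}` … `{% endif %}`, keeps the hand-written templates and the generic one consistent.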
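Review bot: When `acme_client` is not set at all, the `that:` expression cannot be evaluated and the task is likely to fail with a raw undefined-variable error rather than the given `msg`; adding `- acme_client is defined` as the first condition keeps the failure readable. The same assert is added in the mumble hunk. Listing `that:` before `msg:` would also match the usual argument order of the module.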
@@ -64,7 +70,8 @@ nginx_vhost: name: "coturn-{{ coturn_realm }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: acmetool hostnames: "{{ coturn_hostnames }}" include_role: name: nginx/vhost diff --git a/roles/apps/etherpad-lite/tasks/main.yml b/roles/apps/etherpad-lite/tasks/main.yml index 072a6c09..495a0387 100644 --- a/roles/apps/etherpad-lite/tasks/main.yml +++ b/roles/apps/etherpad-lite/tasks/main.yml @@ -114,7 +114,8 @@ nginx_vhost: name: "etherpad-lite-{{ item.key }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ item.value.hostnames }}" include_role: name: nginx/vhost diff --git a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 index 0ac9d0f0..c572a7eb 100644 --- a/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 +++ b/roles/apps/etherpad-lite/templates/nginx-vhost.conf.j2 @@ -3,7 +3,7 @@ server { listen [::]:80; server_name {{ item.value.hostnames | join(' ') }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -15,7 +15,7 @@ server { listen [::]:443 ssl http2; server_name {{ item.value.hostnames | join(' ') }}; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/apps/jitsi/meet/tasks/main.yml b/roles/apps/jitsi/meet/tasks/main.yml index eff8232b..1d55fc78 100644 --- a/roles/apps/jitsi/meet/tasks/main.yml +++ b/roles/apps/jitsi/meet/tasks/main.yml 
@@ -151,7 +151,8 @@ nginx_vhost: name: "jitsi-meet-{{ jitsi_meet_inst_name }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ jitsi_meet_hostname }}" locations: "{{ nginx_vhost_locations_base | combine(nginx_vhost_locations_streamui) }}" diff --git a/roles/apps/keycloak/tasks/main.yml b/roles/apps/keycloak/tasks/main.yml index 68806458..c3e93666 100644 --- a/roles/apps/keycloak/tasks/main.yml +++ b/roles/apps/keycloak/tasks/main.yml @@ -96,7 +96,8 @@ nginx_vhost: name: "keycloak-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml index 33331dca..92659b66 100644 --- a/roles/apps/mumble/tasks/main.yml +++ b/roles/apps/mumble/tasks/main.yml @@ -1,4 +1,10 @@ --- +- name: check if acme_client is set to acmetool + assert: + msg: "this role currently only works with acmetool" + that: + - acme_client == "acmetool" + - name: add group for mumble group: name: mumble diff --git a/roles/apps/nextcloud/tasks/main.yml b/roles/apps/nextcloud/tasks/main.yml index 29ab9c39..c9a9061c 100644 --- a/roles/apps/nextcloud/tasks/main.yml +++ b/roles/apps/nextcloud/tasks/main.yml @@ -160,7 +160,8 @@ nginx_vhost: name: "nextcloud-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ item.value.hostnames }}" locations: '/': diff --git a/roles/apps/onlyoffice/tasks/main.yml b/roles/apps/onlyoffice/tasks/main.yml index 957d8afe..960e811b 100644 --- a/roles/apps/onlyoffice/tasks/main.yml +++ b/roles/apps/onlyoffice/tasks/main.yml @@ -140,7 +140,8 @@ nginx_vhost: name: "onlyoffice-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: 
diff --git a/roles/apps/pigallery2/tasks/main.yml b/roles/apps/pigallery2/tasks/main.yml index b8b0166d..2a758da1 100644 --- a/roles/apps/pigallery2/tasks/main.yml +++ b/roles/apps/pigallery2/tasks/main.yml @@ -67,7 +67,8 @@ nginx_vhost: name: "pigallery2-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/apps/wikijs/tasks/main.yml b/roles/apps/wikijs/tasks/main.yml index e2b03d24..10b0aa54 100644 --- a/roles/apps/wikijs/tasks/main.yml +++ b/roles/apps/wikijs/tasks/main.yml @@ -73,7 +73,8 @@ nginx_vhost: name: "wikijs-{{ item.key }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: - "{{ item.value.hostname }}" locations: diff --git a/roles/elevate/liquidtruth/tasks/main.yml b/roles/elevate/liquidtruth/tasks/main.yml index 837d2fd0..aa73adb5 100644 --- a/roles/elevate/liquidtruth/tasks/main.yml +++ b/roles/elevate/liquidtruth/tasks/main.yml @@ -18,7 +18,8 @@ nginx_vhost: name: liquidtruth template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ liquidtruth_hostnames }}" locations: '/': diff --git a/roles/elevate/media/tasks/nextcloud-app.yml b/roles/elevate/media/tasks/nextcloud-app.yml index 2e533ec6..42a351e4 100644 --- a/roles/elevate/media/tasks/nextcloud-app.yml +++ b/roles/elevate/media/tasks/nextcloud-app.yml @@ -102,7 +102,8 @@ nginx_vhost: name: "nextcloud-{{ elevate_media_nextcloud_instance_name }}" template: generic - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ elevate_media_nextcloud_instance.hostnames }}" locations: '/': diff --git a/roles/gitolite/http/tasks/main.yml b/roles/gitolite/http/tasks/main.yml index a3055902..1006283a 100644 --- a/roles/gitolite/http/tasks/main.yml +++ b/roles/gitolite/http/tasks/main.yml 
@@ -54,7 +54,8 @@ vars: nginx_vhost: name: "gitolite-{{ gitolite_instance }}" - acme: true + tls: + certificate_provider: "{{ acme_client }}" hostnames: "{{ gitolite_instances[gitolite_instance].http.hostnames }}" content: "{{ lookup('template', 'nginx-vhost.conf.j2') }}" include_role: diff --git a/roles/gitolite/http/templates/nginx-vhost.conf.j2 b/roles/gitolite/http/templates/nginx-vhost.conf.j2 index 3386d956..f656d48f 100644 --- a/roles/gitolite/http/templates/nginx-vhost.conf.j2 +++ b/roles/gitolite/http/templates/nginx-vhost.conf.j2 @@ -6,7 +6,7 @@ access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; location / { return 301 https://$host$request_uri; @@ -21,7 +21,7 @@ server { access_log /var/log/nginx/git-{{ gitolite_instance }}_access.log; error_log /var/log/nginx/git-{{ gitolite_instance }}_error.log; - include snippets/acmetool.conf; + include snippets/{{ acme_client }}.conf; include snippets/tls.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; diff --git a/roles/monitoring/landingpage/defaults/main.yml b/roles/monitoring/landingpage/defaults/main.yml index ad2a3895..88e1b133 100644 --- a/roles/monitoring/landingpage/defaults/main.yml +++ b/roles/monitoring/landingpage/defaults/main.yml @@ -2,6 +2,7 @@ # monitoring_landingpage_hostnames: # - "mon.example.com" -monitoring_landingpage_acme: no +# monitoring_landingpage_tls: +# certificate_provider: "{{ acme_client }}" #monitoring_landingpage_title: "Example Monitoring Host" diff --git a/roles/monitoring/landingpage/tasks/main.yml b/roles/monitoring/landingpage/tasks/main.yml index 3158770b..225cab10 100644 --- a/roles/monitoring/landingpage/tasks/main.yml +++ b/roles/monitoring/landingpage/tasks/main.yml 
@@ -15,7 +15,8 @@ name: landingpage template: generic hostnames: "{{ monitoring_landingpage_hostnames }}" - acme: "{{ monitoring_landingpage_acme }}" + ### make tls settings optional? + #tls: "{{ monitoring_landingpage_tls }}" locations: '/': root: /var/www/landingpage diff --git a/roles/monitoring/prometheus/exporter/base/tasks/main.yml b/roles/monitoring/prometheus/exporter/base/tasks/main.yml index c69c6e05..3cedc042 100644 --- a/roles/monitoring/prometheus/exporter/base/tasks/main.yml +++ b/roles/monitoring/prometheus/exporter/base/tasks/main.yml @@ -21,10 +21,14 @@ - name: create TLS certificate and key import_tasks: tls.yml +- name: render nginx-vhost config template + set_fact: + prometheus_exporter_nginx_vhost_content: "{{ lookup('template', 'nginx-vhost.j2') }}" + - name: configure nginx vhost - import_role: - name: nginx/vhost vars: nginx_vhost: name: prometheus-exporter - content: "{{ lookup('template', 'nginx-vhost.j2') }}" + content: "{{ prometheus_exporter_nginx_vhost_content }}" + import_role: + name: nginx/vhost diff --git a/roles/nginx/vhost/defaults/main.yml b/roles/nginx/vhost/defaults/main.yml index b80a5442..5984e623 100644 --- a/roles/nginx/vhost/defaults/main.yml +++ b/roles/nginx/vhost/defaults/main.yml @@ -3,7 +3,8 @@ # default: yes # name: example # template: generic -# acme: yes +# tls: +# certificate_provider: acmetool # hostnames: # - example.com # - www.example.com @@ -26,7 +27,10 @@ # nginx_vhost: # name: mixed-static-and-proxy # template: generic -# acme: yes +# tls: +# variant: legacy +# hsts: false +# certificate_provider: acmetool # hostnames: # - static.example.com # extra_directives: |- diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml index 424c86a0..c5e68732 100644 --- a/roles/nginx/vhost/tasks/main.yml +++ b/roles/nginx/vhost/tasks/main.yml 
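Review bot: Commenting out the `acme:` line (together with `monitoring_landingpage_acme` in the defaults hunk) leaves the landingpage vhost with no `tls` key, so with the new generic.conf.j2 it is served over plain HTTP only, with no 443 block and no HTTPS redirect, until the `### make tls settings optional?` TODO is resolved; hosts that had `monitoring_landingpage_acme: yes` silently lose TLS. Because the vhost role and template test `'tls' in nginx_vhost`, the key has to be absent rather than null, which can be done without touching the role by keeping the existing mapping under a helper name such as `_landingpage_vhost` and setting `nginx_vhost: "{{ _landingpage_vhost | combine({'tls': monitoring_landingpage_tls}) if monitoring_landingpage_tls is defined else _landingpage_vhost }}"`. Alternatively the role could treat `tls: null` as absent, but that is a change in two files. The enclosing `vars:` block starts outside the hunk.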
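Review bot: The new `set_fact` step carries no comment explaining why the template is now rendered ahead of `import_role` instead of in the role's `vars:` as before, so a later cleanup may fold it back; presumably the lookup has to run in this role's own context so `nginx-vhost.j2` and the variables it references resolve against the exporter role rather than nginx/vhost, but that is not visible here and should be confirmed. A one-line comment above the task, e.g. `# render here so the template lookup resolves against this role's templates/ and vars, not nginx/vhost's`, would capture the reason. Note that `set_fact` keeps `prometheus_exporter_nginx_vhost_content` for the rest of the play on that host.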
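Review bot: The example introduces `variant: legacy` and `hsts: false` without saying what they do or when they are appropriate; from generic.conf.j2 in this commit, `variant` selects `snippets/tls-<variant>.conf` in place of `snippets/tls.conf`, and `hsts` drops `snippets/hsts.conf` only when explicitly false (it is included whenever the key is absent). Since both relax the default TLS posture of a vhost, the example comments should say so, e.g. `# variant: selects snippets/tls-<variant>.conf (default: snippets/tls.conf)` and `# hsts: include snippets/hsts.conf; defaults to true, set false only for hosts that must not send Strict-Transport-Security`. The first hunk of this file would likewise benefit from a line noting that `certificate_provider` selects the `x509/<provider>/cert/*` roles.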
@@ -1,11 +1,12 @@ --- - name: ensure certificate exists (fake it, until you make it) - when: "'acme' in nginx_vhost and nginx_vhost.acme" - import_role: - name: x509/acmetool/cert/prepare + when: "'tls' in nginx_vhost" + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare" + public: true vars: - acmetool_cert_name: "{{ nginx_vhost.name }}" - acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_name: "{{ nginx_vhost.name }}" + x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" - name: install nginx configs from template when: "'template' in nginx_vhost" @@ -31,14 +32,14 @@ notify: reload nginx - name: generate acme certificate - when: "'acme' in nginx_vhost and nginx_vhost.acme" + when: "'tls' in nginx_vhost" block: - name: make sure nginx config has been (re)loaded meta: flush_handlers - name: actually request the certificate - import_role: - name: x509/acmetool/cert/finalize + include_role: + name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize" vars: - acmetool_cert_name: "{{ nginx_vhost.name }}" - acmetool_cert_hostnames: "{{ nginx_vhost.hostnames }}" + x509_certificate_name: "{{ nginx_vhost.name }}" + x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}" diff --git a/roles/nginx/vhost/templates/generic.conf.j2 b/roles/nginx/vhost/templates/generic.conf.j2 index 5c7576e7..434fa679 100644 --- a/roles/nginx/vhost/templates/generic.conf.j2 +++ b/roles/nginx/vhost/templates/generic.conf.j2 @@ -3,9 +3,11 @@ server { listen [::]:80{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; -{% if 'acme' in nginx_vhost and nginx_vhost.acme %} +{% if 'tls' in nginx_vhost %} +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; +{% endif %} location / { return 301 https://$host$request_uri; } 
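Review bot: `name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"` interpolates a caller-supplied value into a role path and the only guard is `'tls' in nginx_vhost`, so a missing `certificate_provider` key, or a value that does not name a role under roles/x509/, fails inside include_role with an unhelpful error (the finalize include in the next hunk has the same gap). An assert ahead of the include keeps the contract explicit: `that: - "'certificate_provider' in nginx_vhost.tls" - nginx_vhost.tls.certificate_provider in ['acmetool']`, with the list extended as providers are added (acmetool is the only one visible on this page). `public: true` makes the prepare role's defaults and vars visible to the rest of the play, presumably so that `x509_certificate_path_fullchain` and friends reach the vhost templates; a short comment saying that is worth adding, since the flag is easy to mistake for noise.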
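Review bot: The block is still named `generate acme certificate` although it now dispatches to whichever `certificate_provider` the vhost specifies; `- name: generate TLS certificate` would match the new abstraction. The `when: "'tls' in nginx_vhost"` condition is duplicated from the first hunk, so any tightening (for example requiring `certificate_provider`) has to be applied in both places.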
@@ -16,11 +18,15 @@ server { listen [::]:443 ssl http2{% if 'default' in nginx_vhost and nginx_vhost.default %} default_server{% endif %}; server_name {{ nginx_vhost.hostnames | join(' ') }}; +{% if nginx_vhost.tls.certificate_provider == 'acmetool' %} include snippets/acmetool.conf; - include snippets/tls{% if 'tls_variant' in nginx_vhost %}-{{ nginx_vhost.tls_variant }}{% endif %}.conf; +{% endif %} + include snippets/tls{% if 'variant' in nginx_vhost.tls %}-{{ nginx_vhost.tls.variant }}{% endif %}.conf; ssl_certificate {{ x509_certificate_path_fullchain }}; ssl_certificate_key {{ x509_certificate_path_key }}; +{% if 'hsts' not in nginx_vhost.tls or nginx_vhost.tls.hsts %} include snippets/hsts.conf; +{% endif %} {% endif %} {% if 'extra_directives' in nginx_vhost %} diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml index ab0afaa3..b9a80136 100644 --- a/roles/x509/acmetool/cert/finalize/defaults/main.yml +++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml @@ -1,2 +1,5 @@ --- +acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}" +acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}" + acmetool_reconcile_disabled: false diff --git a/roles/x509/acmetool/cert/finalize/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml index 91bf5157..abb2d4cb 100644 --- a/roles/x509/acmetool/cert/finalize/tasks/main.yml +++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml @@ -6,5 +6,5 @@ names: "{{ acmetool_cert_hostnames }}" copy: content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}" - dest: "/var/lib/acme/desired/{{ acmetool_cert_name | default(acmetool_cert_hostnames[0]) }}" + dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}" notify: reconcile acmetool 
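Review bot: The TLS profile key moved from top-level `tls_variant` to `tls.variant`, and a caller that still passes `nginx_vhost.tls_variant` is not rejected: `'variant' in nginx_vhost.tls` simply misses it and the vhost silently gets `snippets/tls.conf`. That direction is presumably fail-safe (the unsuffixed profile rather than `legacy`), but a host that genuinely needs the legacy profile would break without an obvious cause; an assert in roles/nginx/vhost/tasks/main.yml, `that: - "'tls_variant' not in nginx_vhost"` with a message pointing to `tls.variant`, would catch the stale key. None of the roles converted in this commit pass `tls_variant`, so only out-of-tree callers are affected. The HSTS opt-out deserves a Jinja comment, e.g. `{# hsts.conf is included unless nginx_vhost.tls.hsts is explicitly false #}`. The enclosing `{% if 'tls' in nginx_vhost %}` opens in the preceding hunk.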
diff --git a/roles/x509/acmetool/cert/prepare/defaults/main.yml b/roles/x509/acmetool/cert/prepare/defaults/main.yml new file mode 100644 index 00000000..d4eb7c86 --- /dev/null +++ b/roles/x509/acmetool/cert/prepare/defaults/main.yml @@ -0,0 +1,2 @@ +--- +acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}" -- cgit v1.2.3
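Review bot: The new prepare/defaults/main.yml maps only `acmetool_cert_hostnames` from `x509_certificate_hostnames`, while finalize/defaults/main.yml in this commit also derives `acmetool_cert_name` from `x509_certificate_name`; roles/nginx/vhost no longer passes `acmetool_cert_name`, so if the prepare tasks (not on this page) reference it, as they did through the old `vars:`, it is now undefined. Mirroring the finalize line, `acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"`, keeps the two roles' interfaces identical. Note that the `default(acmetool_cert_hostnames[0])` fallback is evaluated eagerly, so an empty hostname list errors even when a name is supplied.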