authorLars Wirzenius <liw@liw.fi>2018-04-04 22:58:06 +0300
committerLars Wirzenius <liw@liw.fi>2018-04-04 22:58:06 +0300
commitaa7b08900ba915fdb9f98d57ba68c63e9e43d30f (patch)
tree3c435f3911ca3a5ca8555a1240ea0e67c10af12b /roles
parentadd4595f66730a3c09436b4724518e6304dedf5e (diff)
downloadick2-ansible-aa7b08900ba915fdb9f98d57ba68c63e9e43d30f.tar.gz
Add: Let's Encrypt TLS certificates for controller, artifact store
Diffstat (limited to 'roles')
-rw-r--r--roles/haproxy/templates/haproxy.cfg.j22
-rw-r--r--roles/letsencrypt/defaults/main.yml7
-rw-r--r--roles/letsencrypt/tasks/main.yml56
-rw-r--r--roles/letsencrypt/templates/deploy_certs_haproxy8
4 files changed, 72 insertions, 1 deletions
diff --git a/roles/haproxy/templates/haproxy.cfg.j2 b/roles/haproxy/templates/haproxy.cfg.j2
index 65a3b19..5d41bef 100644
--- a/roles/haproxy/templates/haproxy.cfg.j2
+++ b/roles/haproxy/templates/haproxy.cfg.j2
@@ -32,7 +32,7 @@ defaults
frontend http-in
bind *:80
- bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/ssl/ick.pem
+ bind *:443 ssl no-sslv3 no-tlsv10 crt /etc/haproxy/haproxy.pem
rspadd Strict-Transport-Security:\ max-age=15768000
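Review bot: The new `bind *:443` line points haproxy at `/etc/haproxy/haproxy.pem`, a file that (judging by the rest of this commit) is only produced by the letsencrypt role's deploy script after certbot has run, so on a fresh host the haproxy role now depends on the letsencrypt role having run first, or haproxy will refuse to start with a missing certificate. Unless the playbook already orders the roles that way, a comment on this line such as `# provided by the letsencrypt role (deploy_certs_haproxy)` would make the dependency visible, and a pre-generated self-signed placeholder at that path would let haproxy start before the first certificate is issued. Also note that `no-sslv3 no-tlsv10` still admits TLS 1.1; `ssl-min-ver TLSv1.2` is the more robust form on haproxy versions that support it, if the target version does.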
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
new file mode 100644
index 0000000..5f8c438
--- /dev/null
+++ b/roles/letsencrypt/defaults/main.yml
@@ -0,0 +1,7 @@
+# Specify a properly configured and functional domain name
+letsencrypt_domain: FIXME
+
+# Specify a working email address
+letsencrypt_email: FIXME
+
+letsencrypt_server_haproxy_crt: /etc/haproxy/haproxy.pem
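Review bot: The task file's "check required variables" task in this same commit lists `letsencrypt_server` as a required variable, but no such variable is defined in these defaults, only `letsencrypt_server_haproxy_crt`; either the task list has a typo or a default is missing here. If `letsencrypt_server` is meant to exist, add it (e.g. `letsencrypt_server: FIXME` with a comment describing what it is) so an undefined-variable error cannot surface at run time. The `FIXME` sentinels are fine, but a comment noting that the domain must resolve to this host and that port 80 must be reachable from the Internet for the standalone HTTP-01 challenge would save the next operator a failed run.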
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..9483ac0
--- /dev/null
+++ b/roles/letsencrypt/tasks/main.yml
@@ -0,0 +1,56 @@
+- name: check required variables
+ fail:
+ msg: "value of {{ item }} should no be FIXME!"
+ with_items:
+ - letsencrypt_domain
+ - letsencrypt_email
+ - letsencrypt_server
+ when: item == "FIXME"
+
+- name: install deploy_certs_haproxy
+ template:
+ src: deploy_certs_haproxy
+ dest: /usr/local/sbin/deploy_certs_haproxy
+ owner: root
+ group: root
+ mode: 0755
+
+- name: install certbot
+ apt:
+ name: certbot
+ default_release: stretch-backports
+
+- name: stop haproxy
+ systemd:
+ name: haproxy
+ state: stopped
+
+- name: fetch new certificate
+ command: >
+ certbot certonly
+ --standalone
+ --noninteractive
+ --domain "{{ letsencrypt_domain }}"
+ --email "{{ letsencrypt_email }}"
+ --agree-tos
+
+- name: install new cert for haproxy
+ command: /usr/local/sbin/deploy_certs_haproxy
+
+- name: start haproxy
+ systemd:
+ name: haproxy
+ state: started
+
+- name: add cron job
+ cron:
+ name: letsencrypt
+ hour: 23
+ minute: 42
+ user: root
+ job: >
+ certbot renew
+ --standalone
+ --quiet
+ --pre-hook "systemctl stop haproxy"
+ --post-hook "/usr/local/sbin/deploy_certs_haproxy && systemctl start haproxy"
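Review bot: The guard in "check required variables" never fires: `when: item == "FIXME"` compares the variable *name* (the string `letsencrypt_domain`) to `"FIXME"`, not the variable's value, so a playbook run with the defaults untouched proceeds to call certbot with `--domain FIXME`. It should dereference the name, e.g. `when: lookup('vars', item) == "FIXME"` (or `vars[item] == "FIXME"`), and `letsencrypt_server` in the item list is not defined in this commit's defaults, which would make the corrected lookup fail on an undefined variable. Two further points: the "fetch new certificate" task runs on every play and `--noninteractive` will, to my understanding, keep an existing non-expiring certificate, but it should still carry `--keep-until-expiring` or `creates:` on the live path to make the intent explicit and avoid issuance rate limits; and the packaged certbot from stretch-backports typically ships its own `certbot.timer`/cron entry that runs `certbot renew` without these pre/post hooks and would then fail to bind port 80 behind haproxy, so consider storing the hooks in the renewal configuration (`--pre-hook`/`--post-hook` at issuance time) or disabling the packaged timer. The `mode: 0755` would be better written as the string `"0755"` per Ansible convention.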
diff --git a/roles/letsencrypt/templates/deploy_certs_haproxy b/roles/letsencrypt/templates/deploy_certs_haproxy
new file mode 100644
index 0000000..6c93a80
--- /dev/null
+++ b/roles/letsencrypt/templates/deploy_certs_haproxy
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+set -eu
+
+cat "/etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem" \
+ "/etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem" \
+ > "{{ letsencrypt_server_haproxy_crt }}"
+chmod 600 "{{ letsencrypt_server_haproxy_crt }}"
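Review bot: The `cat … > haproxy.pem` redirection creates the bundle (which contains the private key) under the process umask, typically 022, and only the following `chmod 600` tightens it, leaving a short window in which the key is world-readable; on first creation the file is also new, so it is not protected by pre-existing permissions. Set the umask before writing, `umask 077`, placed right after `set -eu`, or write to a temp file and `install -m 600` it into place so the final path is never visible in a partial or readable state. A one-line header comment such as `# Concatenate the Let's Encrypt chain and key into the single PEM haproxy expects` would also help, since the reason for bundling is not obvious from the script alone.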