authorLars Wirzenius <liw@liw.fi>2021-01-23 09:49:43 +0000
committerLars Wirzenius <liw@liw.fi>2021-01-23 09:49:43 +0000
commitb5da156d8857f1e43006a59f0c972f3471c7fd44 (patch)
tree4847cf4ab4667d9b8e1fd2ca3d9fbc92b7196655
parent093a15c354a71382212bfc2e4a564f81781755a8 (diff)
parent06d00d7d0028e6b39e768d6e43650c518808ea53 (diff)
downloadobnam2-b5da156d8857f1e43006a59f0c972f3471c7fd44.tar.gz
Merge branch 'cert' into 'main'
Use Let's Encrypt for server TLS certificates Closes #39 See merge request larswirzenius/obnam!69
-rw-r--r--README.md52
-rw-r--r--ansible/files/server.yaml2
-rw-r--r--ansible/obnam-server.retry1
-rw-r--r--ansible/obnam-server.yml105
-rw-r--r--ansible/templates/server.yaml.j24
5 files changed, 135 insertions, 29 deletions
diff --git a/README.md b/README.md
index 44610d7..af9d6e1 100644
--- a/README.md
+++ b/README.md
@@ -2,12 +2,58 @@
Obnam2 is a project to develop a backup system.
-You probably want to read the [obnam.md](obnam.md) subplot file. This
-README is just a placeholder.
+You probably want to read the [obnam.md](obnam.md) subplot file.
+
+## Client installation
+
+See instructions at <https://obnam.org/download/> for installing the
+client. It's not duplicated here to avoid having to keep the
+information in sync in two places.
+
+## Server installation
+
+To install the Obnam server component, you need a Debian host with
+sufficient disk space, and Ansible installed locally. Run the
+following commands in the Obnam source tree, replacing
+`obnam.example.com` with the domain name of your server:
+
+```sh
+$ cd ansible
+$ printf '[obnam-server]\nobnam.example.com\n' > hosts
+$ ansible-playbook -i hosts obnam-server.yml -e domain=obnam.example.com
+```
+
+The above gets a free TLS certificate from [Let's Encrypt][], but only
+works if the server is accessible from the public Internet. For a
+private host use the following instead:
+
+```sh
+$ cd ansible
+$ printf '[obnam-server]\nprivate-vm\n' > hosts
+$ ansible-playbook -i hosts obnam-server.yml
+```
+
+This uses a pre-created self-signed certificate from
+`files/server.key` and `files/server.pem` and is probably only good
+for trying out Obnam. You may want to generate your own certificates
+instead.
+
+To create a self-signed certificate, something like the following
+command might work, using [OpenSSL]:
+
+```sh
+$ openssl req -x509 -newkey rsa:4096 -passout pass:hunter2 \
+ -keyout key.pem -out cert.pem -days 365 -subj /CN=localhost
+```
+
+
+[Let's Encrypt]: https://letsencrypt.org/
+[OpenSSL]: https://www.openssl.org/
+
## Legalese
-Copyright 2020 Lars Wirzenius
+Copyright 2020-2021 Lars Wirzenius
This program is free software: you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
diff --git a/ansible/files/server.yaml b/ansible/files/server.yaml
index 0277b52..bbba77c 100644
--- a/ansible/files/server.yaml
+++ b/ansible/files/server.yaml
@@ -1,4 +1,4 @@
-address: 0.0.0.0:8888
+address: 0.0.0.0:443
chunks: /srv/obnam/chunks
tls_key: /etc/obnam/server.key
tls_cert: /etc/obnam/server.pem
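Review bot: `address: 0.0.0.0:443` now binds a privileged port on every interface, and whether the process is allowed to do that is decided by the `obnam.service` unit the playbook copies, which is not in this diff, so it cannot be confirmed here that the unit runs as root or holds `CAP_NET_BIND_SERVICE`. A comment above the line, `# 443 is privileged: obnam.service must run as root or hold CAP_NET_BIND_SERVICE`, would record that dependency next to the value. The same literal is repeated in ansible/templates/server.yaml.j2, so the two copies have to be changed together.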
diff --git a/ansible/obnam-server.retry b/ansible/obnam-server.retry
deleted file mode 100644
index ef785e6..0000000
--- a/ansible/obnam-server.retry
+++ /dev/null
@@ -1 +0,0 @@
-obnam0
diff --git a/ansible/obnam-server.yml b/ansible/obnam-server.yml
index 110dcce..426ca74 100644
--- a/ansible/obnam-server.yml
+++ b/ansible/obnam-server.yml
@@ -1,39 +1,96 @@
-- hosts: obnam-server
+- hosts: server
remote_user: root
tasks:
- - file:
+ - name: add Obnam package repository to APT
+ apt_repository:
+ repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main"
+
+ - name: refresh APT package lists and upgrade all installed packages
+ apt:
+ update_cache: true
+ upgrade: true
+
+ - name: install packages for an Obnam server
+ apt:
+ name:
+ - obnam
+ - psmisc
+
+ - name: "install packages for Let's Encrypt TLS certificates"
+ apt:
+ name:
+ - apache2
+ - dehydrated
+ - dehydrated-apache2
+ when: domain is defined
+
+ - name: create Obnam configuration directory
+ file:
path: /etc/obnam
state: directory
- - file:
+
+ - name: create Obnam directory for chunk storage
+ file:
path: /srv/obnam/chunks
state: directory
- - filesystem:
- dev: "{{ chunkdev }}"
- fstype: ext4
- opts: -Lchunks
- - mount:
- src: LABEL=chunks
- path: /srv/obnam/chunks
- fstype: auto
- state: mounted
- - apt_repository:
- repo: "deb [trusted=yes] http://ci-prod-controller.vm.liw.fi/debian unstable-ci main"
- - apt:
- name: obnam
- - copy:
- src: obnam.service
- dest: /etc/systemd/system/obnam.service
- - copy:
+
+ - name: "install Obnam server configuration for provided TLS certifiactes"
+ copy:
src: "{{ item }}"
dest: "/etc/obnam/{{ item }}"
with_items:
- server.yaml
- server.key
- server.pem
- - systemd:
+ when: domain is not defined
+
+ - name: "install Obnam server configuration for Let's Encrypt TLS certifiactes"
+ template:
+ src: server.yaml.j2
+ dest: /etc/obnam/server.yaml
+ when: domain is defined
+
+ - name: install Obnam service file for systemd
+ copy:
+ src: obnam.service
+ dest: /etc/systemd/system/obnam.service
+
+ - name: configure domains for TLS certificates
+ copy:
+ content: |
+ {{ domain }}
+ dest: /etc/dehydrated/domains.txt
+ when: domain is defined
+
+ - name: stop Obnam service for getting TLS certificates
+ systemd:
+ daemon_reload: true
+ name: obnam
+ state: stopped
+ when: domain is defined
+
+ - name: start Apache server for getting TLS certificates
+ systemd:
+ name: apache2
+ state: started
+ when: domain is defined
+
+ - name: get TLS certificates
+ shell: |
+ dehydrated --register --accept-terms
+ dehydrated -c
+ when: domain is defined
+
+ - name: stop Apache server so Obnam server can be started again
+ systemd:
+ name: apache2
+ state: stopped
+ when: domain is defined
+
+ - name: start Obnam server
+ systemd:
name: obnam
- enabled: true
state: restarted
- daemon_reload: true
vars:
- chunkdev: /dev/vdb
+ tls_key_path: "/var/lib/dehydrated/certs/{{ domain }}/privkey.pem"
+ tls_cert_path: "/var/lib/dehydrated/certs/{{ domain }}/cert.pem"
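Review bot: `- hosts: server` no longer matches the inventory the README in this commit tells users to create (an `[obnam-server]` group), so `ansible-playbook -i hosts obnam-server.yml` as documented would match no hosts; either keep `- hosts: obnam-server` or change the README's `printf` lines to write `[server]`. The `apt_repository` task re-adds a source with `[trusted=yes]` over plain `http://`, which turns off APT signature verification for every package the rest of the play installs, `obnam` included; a repository with a `signed-by` keyring, or at least `https://`, would close that gap. The `get TLS certificates` task runs two commands under `shell:` with no `set -e`, no `changed_when` and no `creates`, so the task's result is the exit status of `dehydrated -c` alone (a failed `--register` is not seen) and it reports changed on every run; `args: {creates: "/var/lib/dehydrated/certs/{{ domain }}/cert.pem"}` would make it idempotent, assuming that is where dehydrated writes the certificate as the `tls_cert_path` var implies. The names of the two configuration tasks misspell `certifiactes`.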
diff --git a/ansible/templates/server.yaml.j2 b/ansible/templates/server.yaml.j2
new file mode 100644
index 0000000..dc8b965
--- /dev/null
+++ b/ansible/templates/server.yaml.j2
@@ -0,0 +1,4 @@
+address: 0.0.0.0:443
+chunks: /srv/obnam/chunks
+tls_key: "{{ tls_key_path }}"
+tls_cert: "{{ tls_cert_path }}"
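Review bot: The rendered `/etc/obnam/server.yaml` carries no sign that it is generated, so an edit made on the host is silently overwritten on the next play run; a first line `# {{ ansible_managed }}` records that, provided the server's configuration loader accepts YAML comments, which this diff does not show. The template duplicates `address` and `chunks` from ansible/files/server.yaml, and this commit already had to change the port in both places; rendering this one template for both the Let's Encrypt and the pre-created certificate cases, with `tls_key_path` and `tls_cert_path` defaulting to the `/etc/obnam` paths, would remove the drift.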