diff --git a/group_vars/kitchen b/group_vars/kitchen
index cf08144..76d5abb 100644
--- a/group_vars/kitchen
+++ b/group_vars/kitchen
@@ -1,5 +1,8 @@
 ---
+acme_dnskey_file: /etc/acme/nsupdate.key
+acme_dnskey_server: neon.binary-kitchen.net
+
 dhcpd_failover: true
 dhcpd_primary: 172.23.2.3
 dhcpd_secondary: 172.23.2.4
diff --git a/roles/acme-dnskey-generate/defaults/main.yml b/roles/acme-dnskey-generate/defaults/main.yml
index d0d23da..69d762b 100644
--- a/roles/acme-dnskey-generate/defaults/main.yml
+++ b/roles/acme-dnskey-generate/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
-acme_dnskey_file: "/etc/acme/nsupdate.key"
-acme_dnskey_algorithm: "hmac-sha512"
-acme_dnskey_server: "neon.binary-kitchen.net"
+acme_dnskey_file: /etc/acme/nsupdate.key
+acme_dnskey_algorithm: hmac-sha512
+acme_dnskey_server: neon.binary-kitchen.net
diff --git a/roles/librenms/meta/main.yml b/roles/librenms/meta/main.yml
index 34de459..8d2c010 100644
--- a/roles/librenms/meta/main.yml
+++ b/roles/librenms/meta/main.yml
@@ -1,4 +1,5 @@
 ---
 dependencies:
-- { role: nginx, nginx_ssl: False }
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/librenms/tasks/main.yml b/roles/librenms/tasks/main.yml
index 584d1de..0244196 100644
--- a/roles/librenms/tasks/main.yml
+++ b/roles/librenms/tasks/main.yml
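Review bot: The two acme_dnskey_* values added to group_vars/kitchen are byte-for-byte the same as the ones roles/acme-dnskey-generate/defaults/main.yml sets in the next hunk, so the group-level copies are redundant today and, because group_vars take precedence over role defaults, they will silently mask any later change to those defaults. Either drop the two lines here or keep only a value that is genuinely group-specific, with a comment such as `# overrides acme-dnskey-generate defaults for the kitchen group` so the precedence is deliberate rather than accidental.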
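Review bot: `nginx_ssl: True` in the new nginx dependency line is a capitalised YAML 1.1 boolean; `- { role: nginx, nginx_ssl: true }` is the canonical form and avoids parser-dependent truthy handling (yamllint `truthy`), and the same line appears in roles/racktables/meta/main.yml. The certmgr dependency is listed ahead of nginx, while the role's own tasks later write the bootstrap key pair into /etc/nginx/ssl; a short comment on the dependency list stating which role is expected to create that directory would make the ordering auditable.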
@@ -48,6 +48,19 @@
 - name: Configure librenms
   template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
 
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+      - "{{ librenms_domain }}"
+
+- name: Configure certificate manager for librenms
+  template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf
+
 - name: Configure vhost
   template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
   notify: Restart nginx
diff --git a/roles/librenms/templates/certs.j2 b/roles/librenms/templates/certs.j2
new file mode 100644
index 0000000..4a3a68e
--- /dev/null
+++ b/roles/librenms/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ librenms_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ librenms_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ librenms_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/librenms/templates/vhost.j2 b/roles/librenms/templates/vhost.j2
index d7d457b..6f090b7 100644
--- a/roles/librenms/templates/vhost.j2
+++ b/roles/librenms/templates/vhost.j2
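Review bot: The mode of the bootstrap private key written by the openssl command in `Ensure certificates are available` is pinned nowhere in this hunk; it depends on the OpenSSL release and on the umask of the Ansible process, so until certmgr replaces the key it may be readable by more than root, whereas certs.j2 enforces `perm: '400'` only for the ACME-issued replacement. Add a follow-up task right after the command, `- name: Restrict bootstrap key permissions` / `  file: path=/etc/nginx/ssl/{{ librenms_domain }}.key owner=root group=root mode=0400`, or run the generation through `shell` prefixed with `umask 077 &&`. The command also assumes /etc/nginx/ssl already exists and nothing in this hunk creates it, so that presumably comes from the nginx or certmgr role and deserves a comment on the task. The same applies to the identical task block in roles/racktables/tasks/main.yml.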
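Review bot: `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` in the new certs.j2 are unquoted templated scalars, so an empty or boolean-looking expansion silently changes their YAML type; write them as `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`. Both `action` hooks restart nginx on every renewal, which drops in-flight connections; nginx re-reads a replaced key pair on `/usr/sbin/service nginx reload`, so reload is the gentler choice unless certmgr needs a full restart for some other reason. The file is otherwise identical to roles/racktables/templates/certs.j2 apart from the domain variable, so one shared template taking the domain as a parameter would remove the duplication.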
@@ -4,6 +4,20 @@ server {
     server_name {{ librenms_domain }};
 
+    location / {
+        return 301 https://{{ librenms_domain }}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ librenms_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ librenms_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ librenms_domain }}.crt;
+
     root /usr/share/librenms/html;
     index index.php;
diff --git a/roles/racktables/meta/main.yml b/roles/racktables/meta/main.yml
index 34de459..8d2c010 100644
--- a/roles/racktables/meta/main.yml
+++ b/roles/racktables/meta/main.yml
@@ -1,4 +1,5 @@
 ---
 dependencies:
-- { role: nginx, nginx_ssl: False }
+- { role: certmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/racktables/tasks/main.yml b/roles/racktables/tasks/main.yml
index 27648c8..d26c8f4 100644
--- a/roles/racktables/tasks/main.yml
+++ b/roles/racktables/tasks/main.yml
@@ -27,6 +27,19 @@
 - name: Configure RackTables
   template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
 
+- name: Ensure certificates are available
+  command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ racktables_domain }}.key -out /etc/nginx/ssl/{{ racktables_domain }}.crt -days 730 -subj "/CN={{ racktables_domain }}" creates=/etc/nginx/ssl/{{ racktables_domain }}.crt
+  notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+  include_role: name=acme-dnskey-generate
+  vars:
+    acme_dnskey_san_domains:
+      - "{{ racktables_domain }}"
+
+- name: Configure certificate manager for racktables
+  template: src=certs.j2 dest=/etc/acme/domains.d/{{ racktables_domain }}.conf
+
 - name: Configure vhost
   template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
   notify: Restart nginx
diff --git a/roles/racktables/templates/certs.j2 b/roles/racktables/templates/certs.j2
new file mode 100644
index 0000000..3a293d6
--- /dev/null
+++ b/roles/racktables/templates/certs.j2
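Review bot: The new 443 server block in vhost.j2 sets only the two certificate paths; no `ssl_protocols`, `ssl_ciphers` or HSTS header appears in the hunk, so unless the nginx role installs those globally when `nginx_ssl` is enabled, this vhost runs on nginx's built-in TLS defaults. If they are not set globally, add them here, at minimum `add_header Strict-Transport-Security "max-age=31536000" always;` now that the port-80 block redirects every request to HTTPS. A comment above `listen 443 ssl http2;` naming where the TLS policy lives would settle this for the next reader. The same applies to roles/racktables/templates/vhost.j2; the enclosing port-80 server block starts before the hunk.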
@@ -0,0 +1,18 @@
+---
+
+{{ racktables_domain }}:
+- mode: dns.nsupdate
+  nsupdate_server: {{ acme_dnskey_server }}
+  nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ racktables_domain }}.key
+  user: root
+  group: root
+  perm: '400'
+  format: key
+  action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ racktables_domain }}.crt
+  user: root
+  group: root
+  perm: '400'
+  format: crt,ca
+  action: '/usr/sbin/service nginx restart'
diff --git a/roles/racktables/templates/vhost.j2 b/roles/racktables/templates/vhost.j2
index 7757aec..5f3b898 100644
--- a/roles/racktables/templates/vhost.j2
+++ b/roles/racktables/templates/vhost.j2
@@ -4,6 +4,20 @@ server {
     server_name {{ racktables_domain }};
 
+    location / {
+        return 301 https://{{ racktables_domain }}$request_uri;
+    }
+}
+
+server {
+    listen 443 ssl http2;
+    listen [::]:443 ssl http2;
+
+    server_name {{ racktables_domain }};
+
+    ssl_certificate_key /etc/nginx/ssl/{{ racktables_domain }}.key;
+    ssl_certificate /etc/nginx/ssl/{{ racktables_domain }}.crt;
+
     root /opt/racktables/wwwroot;
     index index.php;