librenms & racktables: use LE certificates
This commit is contained in:
parent
766ece5b10
commit
b47be3287a
@ -1,5 +1,8 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
|
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||||
|
acme_dnskey_server: neon.binary-kitchen.net
|
||||||
|
|
||||||
dhcpd_failover: true
|
dhcpd_failover: true
|
||||||
dhcpd_primary: 172.23.2.3
|
dhcpd_primary: 172.23.2.3
|
||||||
dhcpd_secondary: 172.23.2.4
|
dhcpd_secondary: 172.23.2.4
|
||||||
|
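Review bot: `acme_dnskey_file: /etc/acme/nsupdate.key` and `acme_dnskey_server: neon.binary-kitchen.net` are added here with exactly the values that the `-1,5 +1,5` hunk further down (the role's defaults, by the look of it) already carries, so the two copies can drift apart silently on a later change. If this file is a group_vars override, either drop the duplicate or state why it overrides, e.g. `# overrides the acme-dnskey-generate defaults; keep both in sync`. The file path for this section is not shown on the page, so which copy is meant to be authoritative is inferred.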
@ -1,5 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
acme_dnskey_file: "/etc/acme/nsupdate.key"
|
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||||
acme_dnskey_algorithm: "hmac-sha512"
|
acme_dnskey_algorithm: hmac-sha512
|
||||||
acme_dnskey_server: "neon.binary-kitchen.net"
|
acme_dnskey_server: neon.binary-kitchen.net
|
||||||
|
@ -1,4 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- { role: nginx, nginx_ssl: False }
|
- { role: certmgr }
|
||||||
|
- { role: nginx, nginx_ssl: True }
|
||||||
|
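Review bot: `nginx_ssl: True` on the new dependency line uses a capitalised boolean; Ansible accepts it, but yamllint's truthy rule and YAML 1.2 parsers do not treat `True` uniformly, so write `- { role: nginx, nginx_ssl: true }`. The racktables meta hunk further down has the same `True`. Ordering also matters here: `certmgr` now runs before `nginx`, but nothing on the page shows that the certificate files the SSL vhost references exist by the time nginx is configured — see the note on the tasks hunk.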
@ -48,6 +48,19 @@
|
|||||||
- name: Configure librenms
|
- name: Configure librenms
|
||||||
template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
|
template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ librenms_domain }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for librenms
|
||||||
|
template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf
|
||||||
|
|
||||||
- name: Configure vhost
|
- name: Configure vhost
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
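Review bot: Removing the self-signed `Ensure certificates are available` task leaves a window on a fresh host where `/etc/nginx/ssl/{{ librenms_domain }}.key` and `.crt` do not exist while the vhost still references them, so the `Restart nginx` handler notified by `Configure vhost` fails nginx's config check until the certificate manager has completed its first issuance. Either keep a bootstrap (self-signed, or a task guarded by a `stat` of the `.crt`) until the first ACME run, or run the certificate manager synchronously before the vhost is installed. The new `Configure certificate manager for librenms` task sets no `owner`/`group`/`mode`, unlike the `mode=0440` used on `Configure librenms` above; something like `template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf owner=root group=root mode=0640` is the usual shape, with the group adjusted to whatever account the manager runs as (not visible here). It also notifies no handler, so a later change to the domain config triggers nothing unless the manager polls its directory. The racktables tasks hunk shares all three points.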
18
roles/librenms/templates/certs.j2
Normal file
18
roles/librenms/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
{{ librenms_domain }}:
|
||||||
|
- mode: dns.nsupdate
|
||||||
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
|
- path: /etc/nginx/ssl/{{ librenms_domain }}.key
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
||||||
|
- path: /etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
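Review bot: `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are unquoted Jinja substitutions; an empty variable renders to a bare `key:` that YAML reads as null, and a value containing `: ` or ` #` breaks the mapping, so quote them: `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`. The `action: '/usr/sbin/service nginx restart'` on both entries drops live connections on every renewal, whereas a reload is enough for nginx to pick up replaced certificate files. The TSIG key behind `nsupdate_keyfile` is shared by every domain that uses this template, and the page does not show whether the zone's update policy restricts it to `_acme-challenge` names; that is worth confirming, since a zone-wide key readable by the certificate manager on each web host widens what a compromise of any one of them can change in DNS. The racktables certs.j2 is identical apart from the variable name.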
@ -4,6 +4,20 @@ server {
|
|||||||
|
|
||||||
server_name {{ librenms_domain }};
|
server_name {{ librenms_domain }};
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ librenms_domain }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ librenms_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ librenms_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ librenms_domain }}.crt;
|
||||||
|
|
||||||
root /usr/share/librenms/html;
|
root /usr/share/librenms/html;
|
||||||
|
|
||||||
index index.php;
|
index index.php;
|
||||||
|
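Review bot: The new HTTPS `server` block is now the only way in (the HTTP block returns 301 to it) but sets no `Strict-Transport-Security` header, so a user typing the bare hostname still sends the first request in clear on every visit; unless the nginx role already adds it globally (not visible here), add `add_header Strict-Transport-Security "max-age=31536000" always;` next to the `ssl_certificate` lines. Protocol and cipher settings are likewise not in this hunk, so the block inherits whatever the nginx role or the stock `nginx.conf` defines. The enclosing `server {` of the HTTP block starts before the hunk. The racktables vhost hunk mirrors this one.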
@ -1,4 +1,5 @@
|
|||||||
---
|
---
|
||||||
|
|
||||||
dependencies:
|
dependencies:
|
||||||
- { role: nginx, nginx_ssl: False }
|
- { role: certmgr }
|
||||||
|
- { role: nginx, nginx_ssl: True }
|
||||||
|
@ -27,6 +27,19 @@
|
|||||||
- name: Configure RackTables
|
- name: Configure RackTables
|
||||||
template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
|
template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
|
||||||
|
|
||||||
|
- name: Ensure certificates are available
|
||||||
|
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ racktables_domain }}.key -out /etc/nginx/ssl/{{ racktables_domain }}.crt -days 730 -subj "/CN={{ racktables_domain }}" creates=/etc/nginx/ssl/{{ racktables_domain }}.crt
|
||||||
|
notify: Restart nginx
|
||||||
|
|
||||||
|
- name: Request nsupdate key for certificate
|
||||||
|
include_role: name=acme-dnskey-generate
|
||||||
|
vars:
|
||||||
|
acme_dnskey_san_domains:
|
||||||
|
- "{{ racktables_domain }}"
|
||||||
|
|
||||||
|
- name: Configure certificate manager for racktables
|
||||||
|
template: src=certs.j2 dest=/etc/acme/domains.d/{{ racktables_domain }}.conf
|
||||||
|
|
||||||
- name: Configure vhost
|
- name: Configure vhost
|
||||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
|
template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
|
||||||
notify: Restart nginx
|
notify: Restart nginx
|
||||||
|
18
roles/racktables/templates/certs.j2
Normal file
18
roles/racktables/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
|||||||
|
---
|
||||||
|
|
||||||
|
{{ racktables_domain }}:
|
||||||
|
- mode: dns.nsupdate
|
||||||
|
nsupdate_server: {{ acme_dnskey_server }}
|
||||||
|
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||||
|
- path: /etc/nginx/ssl/{{ racktables_domain }}.key
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: key
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
||||||
|
- path: /etc/nginx/ssl/{{ racktables_domain }}.crt
|
||||||
|
user: root
|
||||||
|
group: root
|
||||||
|
perm: '400'
|
||||||
|
format: crt,ca
|
||||||
|
action: '/usr/sbin/service nginx restart'
|
@ -4,6 +4,20 @@ server {
|
|||||||
|
|
||||||
server_name {{ racktables_domain }};
|
server_name {{ racktables_domain }};
|
||||||
|
|
||||||
|
location / {
|
||||||
|
return 301 https://{{ racktables_domain }}$request_uri;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
server {
|
||||||
|
listen 443 ssl http2;
|
||||||
|
listen [::]:443 ssl http2;
|
||||||
|
|
||||||
|
server_name {{ racktables_domain }};
|
||||||
|
|
||||||
|
ssl_certificate_key /etc/nginx/ssl/{{ racktables_domain }}.key;
|
||||||
|
ssl_certificate /etc/nginx/ssl/{{ racktables_domain }}.crt;
|
||||||
|
|
||||||
root /opt/racktables/wwwroot;
|
root /opt/racktables/wwwroot;
|
||||||
|
|
||||||
index index.php;
|
index index.php;
|
||||||
|