From 0154bded19cf7ff34692fbff668da3eba0b39328 Mon Sep 17 00:00:00 2001
From: Markus Hauschild
Date: Thu, 17 Nov 2022 16:00:20 +0100
Subject: [PATCH] doorlock: first steps towards an auweg doorlock
---
group_vars/auweg | 2 ++
roles/doorlock/handlers/main.yml | 7 +++++++
roles/doorlock/meta/main.yml | 5 +++++
roles/doorlock/tasks/main.yml | 20 ++++++++++++++++++++
roles/doorlock/templates/certs.j2 | 18 ++++++++++++++++++
site.yml | 5 +++++
6 files changed, 57 insertions(+)
create mode 100644 roles/doorlock/handlers/main.yml
create mode 100644 roles/doorlock/meta/main.yml
create mode 100644 roles/doorlock/tasks/main.yml
create mode 100644 roles/doorlock/templates/certs.j2
diff --git a/group_vars/auweg b/group_vars/auweg
index deac54d..2852bb7 100644
--- a/group_vars/auweg
+++ b/group_vars/auweg
@@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
 dns_primary: 172.23.13.3
+doorlock_domain: lock-auweg.binary.kitchen
+
 name_servers:
 - 172.23.13.3
diff --git a/roles/doorlock/handlers/main.yml b/roles/doorlock/handlers/main.yml
new file mode 100644
index 0000000..d707d25
--- /dev/null
+++ b/roles/doorlock/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+
+- name: Run acertmgr
+ command: /usr/bin/acertmgr
+
+- name: Restart nginx
+ service: name=nginx state=restarted
diff --git a/roles/doorlock/meta/main.yml b/roles/doorlock/meta/main.yml
new file mode 100644
index 0000000..8fcf724
--- /dev/null
+++ b/roles/doorlock/meta/main.yml
@@ -0,0 +1,5 @@
+---
+
+dependencies:
+- { role: acertmgr }
+- { role: nginx, nginx_ssl: True }
diff --git a/roles/doorlock/tasks/main.yml b/roles/doorlock/tasks/main.yml
new file mode 100644
index 0000000..fa8b133
--- /dev/null
+++ b/roles/doorlock/tasks/main.yml
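Review bot: Both new handlers use the key=value shorthand (`service: name=nginx state=restarted`, `command: /usr/bin/acertmgr`), where Ansible's own style guidance and ansible-lint prefer block-form module arguments, e.g. `service:` / `  name: nginx` / `  state: restarted`. Separately, a full restart is heavier than a certificate swap needs: nginx re-reads replaced key and certificate files on `state: reloaded` without dropping established connections to the door lock, so unless the nginx role itself depends on a restart, `reloaded` is the safer default for the `Restart nginx` handler. The `Run acertmgr` handler runs the binary with no arguments; if acertmgr supports a non-interactive or quiet flag in the deployed version, it belongs here so a handler run cannot block waiting for input.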
@@ -0,0 +1,20 @@
+---
+
+- name: Ensure certificates are available
+ command:
+ cmd: >
+ openssl req -x509 -nodes -newkey rsa:2048
+ -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
+ -days 730 -subj "/CN={{ doorlock_domain }}"
+ creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+ notify: Restart nginx
+
+- name: Request nsupdate key for certificate
+ include_role: name=acme-dnskey-generate
+ vars:
+ acme_dnskey_san_domains:
+ - "{{ doorlock_domain }}"
+
+- name: Configure certificate manager for doorlock
+ template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
+ notify: Run acertmgr
diff --git a/roles/doorlock/templates/certs.j2 b/roles/doorlock/templates/certs.j2
new file mode 100644
index 0000000..45209b7
--- /dev/null
+++ b/roles/doorlock/templates/certs.j2
@@ -0,0 +1,18 @@
+---
+
+{{ doorlock_domain }}:
+- mode: dns.nsupdate
+ nsupdate_server: {{ acme_dnskey_server }}
+ nsupdate_keyfile: {{ acme_dnskey_file }}
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
+ user: root
+ group: root
+ perm: '400'
+ format: key
+ action: '/usr/sbin/service nginx restart'
+- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
+ user: root
+ group: root
+ perm: '400'
+ format: crt,ca
+ action: '/usr/sbin/service nginx restart'
diff --git a/site.yml b/site.yml
index 4187fe5..3eefc0c 100644
--- a/site.yml
+++ b/site.yml
@@ -58,6 +58,11 @@
 - fileserver
 - pbs
+- name: Setup doorlock
+ hosts: lock-auweg.binary.kitchen
+ roles:
+ - doorlock
+
+- name: Setup ldap server
+ hosts: helium.binary-kitchen.net
+ roles:
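Review bot: The bootstrap `openssl req ... -nodes -keyout /etc/nginx/ssl/{{ doorlock_domain }}.key` task leaves the private key with whatever mode the process umask yields — as far as I know openssl does not tighten it itself — so on a host with the usual 022 umask the self-signed key is world-readable until acertmgr later overwrites it with `perm: '400'`. Add a `file` task right after it that pins owner and mode (below), or run the command through `shell` prefixed with `umask 077 &&`. Note also that `creates:` only tests the `.crt`, so a missing or mis-permissioned `.key` beside an existing `.crt` never triggers regeneration; `creates: /etc/nginx/ssl/{{ doorlock_domain }}.key` is closer to what the guard is meant to protect. The `-days 730` lifetime only matters for this placeholder, since the ACME-issued certificate is expected to replace it.

```yaml
# … unchanged: "Ensure certificates are available" task …

- name: Restrict permissions on the bootstrap private key
  file:
    path: /etc/nginx/ssl/{{ doorlock_domain }}.key
    owner: root
    group: root
    mode: "0400"

# … unchanged: nsupdate key request and acertmgr template tasks …
```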
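Review bot: The rendered `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` lines are parsed as YAML by acertmgr only after Jinja expansion, so an empty or boolean-looking value silently changes type (empty expansion becomes null, tokens like `yes`/`no` become booleans); quote them as `nsupdate_server: '{{ acme_dnskey_server }}'` and `nsupdate_keyfile: '{{ acme_dnskey_file }}'`, and likewise `'{{ doorlock_domain }}':` for the top-level key. Root ownership with `perm: '400'` is the right setting for the `.key` stanza; applying the same to the `.crt` is harmless but stricter than a certificate chain needs. If the acertmgr version in use executes `action` immediately after each file is written rather than once per run, the restart triggered by the new `.key` would briefly start nginx against the old `.crt` and fail until the second restart — worth confirming before relying on it for a door lock.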