librenms & racktables: use LE certificates

This commit is contained in:
Markus 2019-02-13 15:57:46 +01:00
parent 766ece5b10
commit b47be3287a
10 changed files with 100 additions and 5 deletions


@ -1,5 +1,8 @@
--- ---
acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
dhcpd_failover: true dhcpd_failover: true
dhcpd_primary: 172.23.2.3 dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4 dhcpd_secondary: 172.23.2.4


@ -1,5 +1,5 @@
--- ---
acme_dnskey_file: "/etc/acme/nsupdate.key" acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_algorithm: "hmac-sha512" acme_dnskey_algorithm: hmac-sha512
acme_dnskey_server: "neon.binary-kitchen.net" acme_dnskey_server: neon.binary-kitchen.net


@ -1,4 +1,5 @@
--- ---
dependencies: dependencies:
- { role: nginx, nginx_ssl: False } - { role: certmgr }
- { role: nginx, nginx_ssl: True }
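Review bot: `nginx_ssl: True` in the new nginx dependency uses the capitalised YAML 1.1 boolean form, and the racktables meta hunk does the same on its last line. Ansible accepts it, but yamllint's `truthy` rule and YAML 1.2 parsers treat only lowercase `true`/`false` as canonical, and it is inconsistent with `dhcpd_failover: true` in the group vars hunk of this same commit. Suggested: `- { role: nginx, nginx_ssl: true }` in both meta files.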


@ -48,6 +48,19 @@
- name: Configure librenms - name: Configure librenms
template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440 template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ librenms_domain }}"
- name: Configure certificate manager for librenms
template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf
- name: Configure vhost - name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
notify: Restart nginx notify: Restart nginx
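Review bot: The new `Configure certificate manager for librenms` task writes the domains.d config but nothing in this hunk triggers an issuance before `Configure vhost` notifies `Restart nginx`; the removed self-signed task guaranteed `/etc/nginx/ssl/{{ librenms_domain }}.crt` existed (via `creates=`), whereas now the vhost references a key and cert that on a fresh host may not exist until the certificate manager's next scheduled run, which would make the nginx restart fail. Unless the certmgr role runs the manager synchronously in its own tasks (not visible here), consider notifying a handler that runs the certificate manager — or running it in a task between these two — so the files exist before the vhost is enabled. If it is a handler, define it before `Restart nginx`, since Ansible runs handlers in the order they are defined rather than the order they were notified. The racktables tasks hunk has the same gap.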


@ -0,0 +1,18 @@
---
{{ librenms_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ librenms_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ librenms_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'
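Review bot: The templated values `nsupdate_server: {{ acme_dnskey_server }}` and `nsupdate_keyfile: {{ acme_dnskey_file }}` are rendered unquoted into a YAML file, so an empty or unset variable renders as `null` and a value containing `: `, ` #` or a leading indicator would change the parse; the other scalars in this file are already quoted (`perm: '400'`), so quote these too: `nsupdate_server: "{{ acme_dnskey_server }}"` and `nsupdate_keyfile: "{{ acme_dnskey_file }}"`. The same applies to the racktables certs.j2 hunk. Separately, both `action` hooks do a full `service nginx restart` on every renewal, which drops in-flight connections; nginx picks up a replaced certificate and key on `reload`, so `action: '/usr/sbin/service nginx reload'` is the less disruptive choice for routine renewals.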


@ -4,6 +4,20 @@ server {
server_name {{ librenms_domain }}; server_name {{ librenms_domain }};
location / {
return 301 https://{{ librenms_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ librenms_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ librenms_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ librenms_domain }}.crt;
root /usr/share/librenms/html; root /usr/share/librenms/html;
index index.php; index index.php;


@ -1,4 +1,5 @@
--- ---
dependencies: dependencies:
- { role: nginx, nginx_ssl: False } - { role: certmgr }
- { role: nginx, nginx_ssl: True }


@ -27,6 +27,19 @@
- name: Configure RackTables - name: Configure RackTables
template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400 template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ racktables_domain }}.key -out /etc/nginx/ssl/{{ racktables_domain }}.crt -days 730 -subj "/CN={{ racktables_domain }}" creates=/etc/nginx/ssl/{{ racktables_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ racktables_domain }}"
- name: Configure certificate manager for racktables
template: src=certs.j2 dest=/etc/acme/domains.d/{{ racktables_domain }}.conf
- name: Configure vhost - name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
notify: Restart nginx notify: Restart nginx


@ -0,0 +1,18 @@
---
{{ racktables_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ racktables_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ racktables_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'


@ -4,6 +4,20 @@ server {
server_name {{ racktables_domain }}; server_name {{ racktables_domain }};
location / {
return 301 https://{{ racktables_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ racktables_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ racktables_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ racktables_domain }}.crt;
root /opt/racktables/wwwroot; root /opt/racktables/wwwroot;
index index.php; index index.php;