From 9dcdbdf983a7d0686ffaafe9446e4400e319e1eb Mon Sep 17 00:00:00 2001
From: Kishi
Date: Mon, 10 Sep 2018 22:52:41 +0200
Subject: [PATCH 1/4] acme.sh role
---
host_vars/nabia.binary.kitchen | 4 ++
roles/acme/defaults/main.yml | 10 ++++
roles/acme/files/reload.sh | 0
roles/acme/tasks/main.yml | 79 +++++++++++++++++++++++++
roles/acme/templates/acme.sh.request.j2 | 19 ++++++
roles/acme/templates/nsupdate.key.j2 | 4 ++
simulatepb.sh | 4 --
site.yml | 1 +
8 files changed, 117 insertions(+), 4 deletions(-)
create mode 100644 host_vars/nabia.binary.kitchen
create mode 100644 roles/acme/defaults/main.yml
create mode 100755 roles/acme/files/reload.sh
create mode 100644 roles/acme/tasks/main.yml
create mode 100644 roles/acme/templates/acme.sh.request.j2
create mode 100644 roles/acme/templates/nsupdate.key.j2
mode change 100755 => 100644 simulatepb.sh
diff --git a/host_vars/nabia.binary.kitchen b/host_vars/nabia.binary.kitchen
new file mode 100644
index 0000000..ed636ad
--- /dev/null
+++ b/host_vars/nabia.binary.kitchen
@@ -0,0 +1,4 @@
+---
+acme_san_domains:
+- "librenms.binary.kitchen"
+- "racktables.binary.kitchen"
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
new file mode 100644
index 0000000..dc7ceb0
--- /dev/null
+++ b/roles/acme/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+acme_home: "/opt/acme"
+acme_staging: False
+
+acme_nsupdate_key: "/opt/acme/nsupdate.key"
+acme_nsupdate_keyalgo: "hmac-sha512"
+acme_nsupdate_server: "neon.binary-kitchen.net"
+
+acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh"
+acme_dns_nsupdate_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_nsupdate.sh"
diff --git a/roles/acme/files/reload.sh b/roles/acme/files/reload.sh
new file mode 100755
index 0000000..e69de29
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
new file mode 100644
index 0000000..21b567f
--- /dev/null
+++ b/roles/acme/tasks/main.yml 
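Review bot: `acme_sh_url` and `acme_dns_nsupdate_url` in defaults/main.yml fetch acme.sh from the `master` branch of the upstream repository, so every fresh host pulls and executes whatever that branch contains at that moment, with no version pin and no integrity check. Point both URLs at a tagged release and carry a digest that the tasks can hand to `get_url`'s `checksum:` option, e.g. `acme_sh_version: "<tag>"`, `acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/{{ acme_sh_version }}/acme.sh"` and `acme_sh_checksum: "sha256:<digest>"`. `acme_staging: False` should also be the canonical `false`, so yamllint and YAML 1.2 parsers agree it is a boolean.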
@@ -0,0 +1,79 @@
+---
+- name: Create acme home directory
+  file:
+    path: "{{ acme_home }}"
+    state: "directory"
+
+- name: Get nsupdate.key
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_key"
+  failed_when: "False"
+  changed_when: "False"
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Generate nsupdate.key
+  shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_genkey"
+  when: "pdns_nsupdate_key is defined and pdns_nsupdate_key.rc != 0"
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Get nsupdate.key again
+  shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_key"
+  when: "pdns_nsupdate_genkey is defined"
+  changed_when: "False"
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Write nsupdate.key to file
+  template:
+    src: "nsupdate.key.j2"
+    dest: "{{ acme_nsupdate_key }}"
+  when: "pdns_nsupdate_key is defined"
+
+- name: Check acme.sh exists
+  stat:
+    path: "{{ acme_home }}/acme.sh"
+  register: "stat_acme_sh"
+
+- name: Fetch acme.sh
+  get_url:
+    url: "{{ acme_sh_url }}"
+    dest: "/tmp/acme.sh"
+    mode: "0755"
+  register: "fetch_acme_sh"
+  when: "not stat_acme_sh.stat.exists"
+
+- name: Install acme.sh
+  shell: "./acme.sh --home '{{ acme_home }}' --install"
+  args:
+    chdir: "/tmp"
+    creates: "{{ acme_home }}/acme.sh"
+  when: "fetch_acme_sh is defined"
+
+- name: Create acme dnsapi directory
+  file:
+    path: "{{ acme_home }}/dnsapi"
+    state: "directory"
+
+- name: Fetch acme.sh dns_nsupdate
+  get_url:
+    url: "{{ acme_dns_nsupdate_url }}"
+    dest: "{{ acme_home }}/dnsapi/"
+    mode: "0755"
+
+- name: Create acme certificate directory
+  file:
+    path: "{{ acme_home }}/{{ inventory_hostname }}"
+    state: "directory"
+
+- name: Copy reload.sh
+  copy:
+    src: "reload.sh"
+    dest: "{{ acme_home }}/{{ inventory_hostname 
}}/reload.sh"
+    mode: "0755"
+
+- name: Issue certificate
+  shell: "{{ lookup('template','acme.sh.request.j2').replace('\n',' ') }}"
+  args:
+    chdir: "{{ acme_home }}"
+    creates: "{{ acme_home }}/{{ inventory_hostname }}/{{ inventory_hostname }}.key"
diff --git a/roles/acme/templates/acme.sh.request.j2 b/roles/acme/templates/acme.sh.request.j2
new file mode 100644
index 0000000..53358e3
--- /dev/null
+++ b/roles/acme/templates/acme.sh.request.j2
@@ -0,0 +1,19 @@
+NSUPDATE_KEY="{{ acme_nsupdate_key }}"
+NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
+"{{ acme_home }}/acme.sh"
+--home "{{ acme_home }}"
+--reloadCmd "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
+--log
+--issue
+-k 4096
+-d "{{ inventory_hostname }}"
+--dns dns_nsupdate
+{% if acme_san_domains is defined %}
+{% for domain in acme_san_domains %}
+-d "{{ domain }}"
+{% endfor %}
+{% endif %}
+{% if acme_staging is defined and acme_staging %}
+--staging
+{% endif %}
+;
diff --git a/roles/acme/templates/nsupdate.key.j2 b/roles/acme/templates/nsupdate.key.j2
new file mode 100644
index 0000000..b1aad71
--- /dev/null
+++ b/roles/acme/templates/nsupdate.key.j2
@@ -0,0 +1,4 @@
+key acme-{{ inventory_hostname }}. {
+  algorithm {{ acme_nsupdate_keyalgo }};
+  secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
+};
diff --git a/simulatepb.sh b/simulatepb.sh
old mode 100755
new mode 100644
index f0fbc93..e69de29
--- a/simulatepb.sh
+++ b/simulatepb.sh
@@ -1,4 +0,0 @@
-#!/bin/bash
-export ANSIBLE_NOCOWS=1
-test -e ./ansible.log && rm ./ansible.log
-ansible-playbook site.yml --check --diff
diff --git a/site.yml b/site.yml
index ea05559..3e8f145 100644
--- a/site.yml
+++ b/site.yml
@@ -27,6 +27,7 @@
 - librenms
 - racktables
 - uau
+ - acme
 - name: Install Check_MK Agent
 hosts: [bacon.binary.kitchen,forseti.binary.kitchen]
From 9f608c886d9b2bb8a41172bcdf94634f1633d6bb Mon Sep 17 00:00:00 2001 
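Review bot: The "Write nsupdate.key to file" task renders a TSIG secret into `{{ acme_nsupdate_key }}` without a `mode:`, so the file is created with the remote umask and is very likely readable by every local user; add `mode: "0600"` (plus `owner`/`group` matching the user acme.sh runs as) to that task. The two `pdnsutil list-tsig-keys` tasks and `generate-tsig-key` also register the secret in their stdout without `no_log: true`, so it is echoed in verbose output and in any log Ansible writes (the repo's `simulatepb.sh` references `./ansible.log`). Separately, "Fetch acme.sh" downloads an unpinned `master` script to the shared `/tmp/acme.sh` and "Install acme.sh" executes it from there with `chdir: "/tmp"`; download into `{{ acme_home }}` (created with a restrictive mode) and pass `checksum:` to `get_url` so the installed code is pinned and not exposed to a /tmp race. The `when: "fetch_acme_sh is defined"` and `when: "pdns_nsupdate_genkey is defined"` guards are always true because `register` sets the variable even for skipped tasks; `creates:` happens to rescue the install task, but the intent reads as `when: "fetch_acme_sh is changed"`.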
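Review bot: `acme.sh.request.j2` is rendered straight into a `shell:` line, and `inventory_hostname` and each `acme_san_domains` entry are spliced into it inside double quotes, so a value containing `"`, `$` or a backtick would break out of the quoting and be interpreted by the shell; these come from the inventory rather than from users, but `-d {{ domain | quote }}` (and the same for `inventory_hostname`) costs nothing and removes the assumption. `--reloadCmd` points at the per-host copy of `reload.sh`, which this commit adds as an empty file (diffstat `roles/acme/files/reload.sh | 0`), so issuance will report a successful reload while nothing is restarted until the script gets a body. A leading comment such as `{# rendered by tasks/main.yml: newlines become spaces, so keep one argument per line #}` would explain the otherwise puzzling layout.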
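Review bot: `secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}"` takes the third space-separated token of the entire grep output, so if the grep ever matches more than one line the secret becomes a fragment of the joined output; the grep pattern in the tasks, `'^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'`, leaves the trailing `.` unescaped (it matches any character), which is sloppy even if unlikely to collide in practice. Prefer `{{ pdns_nsupdate_key.stdout_lines[0].split()[2] }}` here and escape the hostname in the grep with `regex_escape`. This file holds the TSIG key that authorises DNS updates for the host, so the task writing it must set a restrictive mode; the template itself could carry the reminder `{# contains the TSIG secret for acme-{{ inventory_hostname }}; keep the file mode 0600 #}`.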
From: Kishi
Date: Tue, 11 Sep 2018 13:58:24 +0200
Subject: [PATCH 2/4] Change certificate locations, update powerdns aliases
---
roles/acme/defaults/main.yml | 6 ++++++
roles/acme/files/reload.sh | 5 +++++
roles/acme/tasks/main.yml | 11 +++++++++--
roles/acme/templates/acme.sh.request.j2 | 7 +++++--
4 files changed, 25 insertions(+), 4 deletions(-)
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
index dc7ceb0..daf80dd 100644
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -8,3 +8,9 @@ acme_nsupdate_server: "neon.binary-kitchen.net"
 acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh"
 acme_dns_nsupdate_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_nsupdate.sh"
+
+acme_reloadcmd: "/etc/ssl/private/reload.sh"
+acme_key: "/etc/ssl/private/host.key"
+acme_cert: "/etc/ssl/private/host.cert"
+acme_ca: "/etc/ssl/private/host.ca"
+acme_fullchain: "/etc/ssl/private/host.fullchain"
diff --git a/roles/acme/files/reload.sh b/roles/acme/files/reload.sh
index e69de29..dd0b836 100755
--- a/roles/acme/files/reload.sh
+++ b/roles/acme/files/reload.sh
@@ -0,0 +1,5 @@
+#!/bin/bash
+[ -d '/etc/reload.d' ] && for x in "/etc/reload.d/"*; do
+  [ -e "$x" ] && "$x"
+done
+exit 0
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
index 21b567f..d52a5c8 100644
--- a/roles/acme/tasks/main.yml
+++ b/roles/acme/tasks/main.yml
@@ -11,6 +11,13 @@
 changed_when: "False"
 delegate_to: "{{ acme_nsupdate_server }}"
+- name: Update updatepolicy.aliases
+  lineinfile:
+    path: "/etc/powerdns/updatepolicy.aliases"
+    regexp: '^alias\["{{ inventory_hostname}}\."\]'
+    line: 'alias["{{ inventory_hostname }}."] = {"{{ ''.","''.join(acme_san_domains) }}."} '
+  delegate_to: "{{ acme_nsupdate_server }}"
+
+- name: Generate nsupdate.key
+  shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_nsupdate_keyalgo }}'"
+  register: "pdns_nsupdate_genkey" 
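Review bot: The new defaults place the certificate, CA and full chain (public material) and the reload hook under `/etc/ssl/private` next to `host.key`; on Debian-derived systems that directory is typically not traversable by unprivileged users, so any service that does not run as root (or in the group owning the directory) has to be granted access to the private directory just to read its own certificate. Keep only `acme_key` under `/etc/ssl/private` and move the public files out, e.g. `acme_cert: "/etc/ssl/certs/host.cert"`, `acme_ca: "/etc/ssl/certs/host.ca"`, `acme_fullchain: "/etc/ssl/certs/host.fullchain"`. An executable hook script also does not belong in a secrets directory; `/usr/local/sbin/acme-reload.sh` or similar for `acme_reloadcmd` reads more naturally.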
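Review bot: `reload.sh` executes every entry of `/etc/reload.d/` that merely exists, and the unconditional `exit 0` hides any hook failure, so acme.sh (which presumably runs this as root from its renew cron) will report a successful reload even when a service failed to pick up the new certificate. Require the executable bit and propagate failures: `[ -x "$x" ] || continue; "$x" || rc=1` inside the loop and `exit "${rc:-0}"` at the end. A header comment such as `# acme.sh reloadcmd: run every executable hook in /etc/reload.d; exit non-zero if any hook fails` would document the contract the hooks are expected to follow.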
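Review bot: The "Update updatepolicy.aliases" task dereferences `acme_san_domains` unconditionally, but the variable is only set in host_vars (not in defaults) and the request template guards it with `is defined`, so every host without SAN entries will fail this task with an undefined-variable error; add `when: "acme_san_domains is defined"` (or define `acme_san_domains: []` in defaults and handle the empty list, since the current expression would otherwise emit `{"."}`). The `regexp` also interpolates `inventory_hostname` unescaped, so its dots match any character; `{{ inventory_hostname | regex_escape }}` is the safe form. Domain values are written verbatim into a Lua table, so a value containing `"` would break the policy file, which is acceptable for inventory data but worth stating with `# domains are trusted inventory values and are not escaped for Lua`. Whether PowerDNS re-reads this file without a reload is not visible here, so a handler may be missing.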
@@ -69,11 +76,11 @@
 - name: Copy reload.sh
 copy:
 src: "reload.sh"
-    dest: "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
+    dest: "{{ acme_reloadcmd }}"
 mode: "0755"
 - name: Issue certificate
 shell: "{{ lookup('template','acme.sh.request.j2').replace('\n',' ') }}"
 args:
 chdir: "{{ acme_home }}"
-    creates: "{{ acme_home }}/{{ inventory_hostname }}/{{ inventory_hostname }}.key"
+    creates: "{{ acme_cert }}"
diff --git a/roles/acme/templates/acme.sh.request.j2 b/roles/acme/templates/acme.sh.request.j2
index 53358e3..ff05d11 100644
--- a/roles/acme/templates/acme.sh.request.j2
+++ b/roles/acme/templates/acme.sh.request.j2
@@ -2,7 +2,6 @@ NSUPDATE_KEY="{{ acme_nsupdate_key }}"
 NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
 "{{ acme_home }}/acme.sh"
 --home "{{ acme_home }}"
---reloadCmd "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
 --log
 --issue
 -k 4096
@@ -16,4 +15,8 @@ NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
 {% if acme_staging is defined and acme_staging %}
 --staging
 {% endif %}
-;
+--cert-file "{{ acme_cert }}"
+--key-file "{{ acme_key }}"
+--ca-file "{{ acme_ca }}"
+--fullchain-file "{{ acme_fullchain }}"
+--reloadcmd "{{ acme_reloadcmd }}"
From fda78106cb800f1c47c9935229429e8ec7f71191 Mon Sep 17 00:00:00 2001
From: Kishi
Date: Tue, 11 Sep 2018 14:01:11 +0200
Subject: [PATCH 3/4] Fix deleted file
---
simulatepb.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/simulatepb.sh b/simulatepb.sh
index e69de29..f0fbc93 100644
--- a/simulatepb.sh
+++ b/simulatepb.sh
@@ -0,0 +1,4 @@
+#!/bin/bash
+export ANSIBLE_NOCOWS=1
+test -e ./ansible.log && rm ./ansible.log
+ansible-playbook site.yml --check --diff
From 773f0d0a4449f928fb380531397c7a74be978f41 Mon Sep 17 00:00:00 2001
From: Kishi
Date: Tue, 11 Sep 2018 14:01:49 +0200
Subject: [PATCH 4/4] Restore original file
---
simulatepb.sh | 1 +
1 file changed, 1 insertion(+)
diff --git a/simulatepb.sh b/simulatepb.sh
index f0fbc93..98c5582 100644
--- a/simulatepb.sh
+++ b/simulatepb.sh 
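Review bot: The "Issue certificate" task is now gated by `creates: "{{ acme_cert }}"`, so once `/etc/ssl/private/host.cert` exists the command never runs again and later edits to `acme_san_domains` or switching `acme_staging` off are silently ignored; a staging certificate would stay installed until someone removes the file by hand. Ongoing renewals are presumably handled by the cron job that `acme.sh --install` registers, but that does not add SANs either. At minimum document this on the task, `# creates: only gates the first issuance; SAN or staging changes require removing acme_cert or an --force run`, or key the guard on a stamp file that records the rendered request. The rest of the task list lies outside this hunk.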
@@ -2,3 +2,4 @@
 export ANSIBLE_NOCOWS=1
 test -e ./ansible.log && rm ./ansible.log
 ansible-playbook site.yml --check --diff
+