1
0
forked from infra/ansible

doorlock: first steps towards an auweg doorlock

This commit is contained in:
Markus 2022-11-17 16:00:20 +01:00
parent b5bfc03f2f
commit 0154bded19
6 changed files with 57 additions and 0 deletions

View File

@ -5,6 +5,8 @@ dhcpd_primary: 172.23.13.3
dns_primary: 172.23.13.3 dns_primary: 172.23.13.3
doorlock_domain: lock-auweg.binary.kitchen
name_servers: name_servers:
- 172.23.13.3 - 172.23.13.3

View File

@ -0,0 +1,7 @@
---
- name: Run acertmgr
command: /usr/bin/acertmgr
- name: Restart nginx
service: name=nginx state=restarted

View File

@ -0,0 +1,5 @@
---
dependencies:
- { role: acertmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -0,0 +1,20 @@
---
- name: Ensure certificates are available
command:
cmd: >
openssl req -x509 -nodes -newkey rsa:2048
-keyout /etc/nginx/ssl/{{ doorlock_domain }}.key -out /etc/nginx/ssl/{{ doorlock_domain }}.crt
-days 730 -subj "/CN={{ doorlock_domain }}"
creates: /etc/nginx/ssl/{{ doorlock_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ doorlock_domain }}"
- name: Configure certificate manager for doorlock
template: src=certs.j2 dest=/etc/acertmgr/{{ doorlock_domain }}.conf
notify: Run acertmgr

View File

@ -0,0 +1,18 @@
---
{{ doorlock_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ doorlock_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ doorlock_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -58,6 +58,11 @@
- fileserver - fileserver
- pbs - pbs
- name: Setup doorlock
hosts: lock-auweg.binary.kitchen
roles:
- doorlock
- name: Setup ldap server - name: Setup ldap server
hosts: helium.binary-kitchen.net hosts: helium.binary-kitchen.net
roles: roles: