librenms & racktables: use LE certificates

This commit is contained in:
Markus 2019-02-13 15:57:46 +01:00
parent 766ece5b10
commit b47be3287a
10 changed files with 100 additions and 5 deletions

View File

@ -1,5 +1,8 @@
---
acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_server: neon.binary-kitchen.net
dhcpd_failover: true
dhcpd_primary: 172.23.2.3
dhcpd_secondary: 172.23.2.4

View File

@ -1,5 +1,5 @@
---
acme_dnskey_file: "/etc/acme/nsupdate.key"
acme_dnskey_algorithm: "hmac-sha512"
acme_dnskey_server: "neon.binary-kitchen.net"
acme_dnskey_file: /etc/acme/nsupdate.key
acme_dnskey_algorithm: hmac-sha512
acme_dnskey_server: neon.binary-kitchen.net

View File

@ -1,4 +1,5 @@
---
dependencies:
- { role: nginx, nginx_ssl: False }
- { role: certmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -48,6 +48,19 @@
- name: Configure librenms
template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ librenms_domain }}"
- name: Configure certificate manager for librenms
template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
notify: Restart nginx

View File

@ -0,0 +1,18 @@
---
{{ librenms_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ librenms_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ librenms_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -4,6 +4,20 @@ server {
server_name {{ librenms_domain }};
location / {
return 301 https://{{ librenms_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ librenms_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ librenms_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ librenms_domain }}.crt;
root /usr/share/librenms/html;
index index.php;

View File

@ -1,4 +1,5 @@
---
dependencies:
- { role: nginx, nginx_ssl: False }
- { role: certmgr }
- { role: nginx, nginx_ssl: True }

View File

@ -27,6 +27,19 @@
- name: Configure RackTables
template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
- name: Ensure certificates are available
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ racktables_domain }}.key -out /etc/nginx/ssl/{{ racktables_domain }}.crt -days 730 -subj "/CN={{ racktables_domain }}" creates=/etc/nginx/ssl/{{ racktables_domain }}.crt
notify: Restart nginx
- name: Request nsupdate key for certificate
include_role: name=acme-dnskey-generate
vars:
acme_dnskey_san_domains:
- "{{ racktables_domain }}"
- name: Configure certificate manager for racktables
template: src=certs.j2 dest=/etc/acme/domains.d/{{ racktables_domain }}.conf
- name: Configure vhost
template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
notify: Restart nginx

View File

@ -0,0 +1,18 @@
---
{{ racktables_domain }}:
- mode: dns.nsupdate
nsupdate_server: {{ acme_dnskey_server }}
nsupdate_keyfile: {{ acme_dnskey_file }}
- path: /etc/nginx/ssl/{{ racktables_domain }}.key
user: root
group: root
perm: '400'
format: key
action: '/usr/sbin/service nginx restart'
- path: /etc/nginx/ssl/{{ racktables_domain }}.crt
user: root
group: root
perm: '400'
format: crt,ca
action: '/usr/sbin/service nginx restart'

View File

@ -4,6 +4,20 @@ server {
server_name {{ racktables_domain }};
location / {
return 301 https://{{ racktables_domain }}$request_uri;
}
}
server {
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ racktables_domain }};
ssl_certificate_key /etc/nginx/ssl/{{ racktables_domain }}.key;
ssl_certificate /etc/nginx/ssl/{{ racktables_domain }}.crt;
root /opt/racktables/wwwroot;
index index.php;