librenms & racktables: use LE certificates
This commit is contained in:
parent
766ece5b10
commit
b47be3287a
@ -1,5 +1,8 @@
|
||||
---
|
||||
|
||||
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||
acme_dnskey_server: neon.binary-kitchen.net
|
||||
|
||||
dhcpd_failover: true
|
||||
dhcpd_primary: 172.23.2.3
|
||||
dhcpd_secondary: 172.23.2.4
|
||||
|
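Review bot: The `acme_dnskey_file` and `acme_dnskey_server` entries added here appear to duplicate the same two values that the other defaults file in this commit sets, and that file additionally sets `acme_dnskey_algorithm: hmac-sha512`. If this vars file is meant to override the role defaults for this host group it should carry all three keys, so a later change to the algorithm cannot diverge silently; if it is not, the two lines can be dropped in favour of the defaults. Which of the two files is the role default cannot be told from the rendered page, so treat this as a question rather than a defect.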
@ -1,5 +1,5 @@
|
||||
---
|
||||
|
||||
acme_dnskey_file: "/etc/acme/nsupdate.key"
|
||||
acme_dnskey_algorithm: "hmac-sha512"
|
||||
acme_dnskey_server: "neon.binary-kitchen.net"
|
||||
acme_dnskey_file: /etc/acme/nsupdate.key
|
||||
acme_dnskey_algorithm: hmac-sha512
|
||||
acme_dnskey_server: neon.binary-kitchen.net
|
||||
|
@ -1,4 +1,5 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: nginx, nginx_ssl: False }
|
||||
- { role: certmgr }
|
||||
- { role: nginx, nginx_ssl: True }
|
||||
|
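Review bot: The dependency entry is written as `nginx_ssl: True`; the Ansible/yamllint convention is lowercase `nginx_ssl: true` (the capitalised form is a YAML 1.1 boolean and still parses, but `truthy` linting flags it). Note also that role dependencies run before this role's own tasks, so the nginx role with SSL enabled runs before the bootstrap certificate created in tasks/main.yml exists; that is only safe if the nginx role's own configuration never references the per-site key and certificate, which cannot be confirmed from this page.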
@ -48,6 +48,19 @@
|
||||
- name: Configure librenms
|
||||
template: src=config.php.j2 dest=/usr/share/librenms/config.php owner=librenms group=www-data mode=0440
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ librenms_domain }}.key -out /etc/nginx/ssl/{{ librenms_domain }}.crt -days 730 -subj "/CN={{ librenms_domain }}" creates=/etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ librenms_domain }}"
|
||||
|
||||
- name: Configure certificate manager for librenms
|
||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ librenms_domain }}.conf
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/librenms
|
||||
notify: Restart nginx
|
||||
|
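Review bot: `Ensure certificates are available` leaves the owner and mode of `/etc/nginx/ssl/{{ librenms_domain }}.key` to whatever `openssl req -keyout` produces under the current umask, while the cert-manager entry for the same path asks for root/400; adding `file: path=/etc/nginx/ssl/{{ librenms_domain }}.key owner=root group=root mode=0400` right after the command makes the two agree regardless of OpenSSL version. The `creates=` guard also means the 730-day self-signed certificate is never regenerated, so if the ACME flow fails the host silently serves a self-signed cert for two years; a short value such as `-days 7` turns that failure into a visible expiry instead. Whether the TSIG key requested via `acme-dnskey-generate` is restricted to updating `_acme-challenge.{{ librenms_domain }}` rather than the whole zone is not visible here and is worth confirming, since that key now lives on the web host. The new tasks use `key=value` shorthand for module arguments; block-YAML arguments (`template:` followed by `src:`/`dest:` keys) are the convention and avoid quoting surprises in the `command:` line.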
18
roles/librenms/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
|
||||
{{ librenms_domain }}:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: {{ acme_dnskey_server }}
|
||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||
- path: /etc/nginx/ssl/{{ librenms_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ librenms_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
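Review bot: Both install entries use `action: '/usr/sbin/service nginx restart'`, which drops in-flight connections on every renewal; nginx picks up a replaced certificate and key on reload, so `action: '/usr/sbin/service nginx reload'` is the less disruptive choice unless the cert manager needs a full restart for another reason. The key entry (root, `perm: '400'`, `format: key`) is right; the same `400` on the `.crt` is stricter than a public certificate needs but harmless, since the nginx master reads it as root. The nsupdate block names only the server and key file; if the cert manager does not take the TSIG algorithm from the key file itself, the `acme_dnskey_algorithm` defined in the defaults would need to be passed here as well, which cannot be confirmed from this page.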
@ -4,6 +4,20 @@ server {
|
||||
|
||||
server_name {{ librenms_domain }};
|
||||
|
||||
location / {
|
||||
return 301 https://{{ librenms_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ librenms_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ librenms_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ librenms_domain }}.crt;
|
||||
|
||||
root /usr/share/librenms/html;
|
||||
|
||||
index index.php;
|
||||
|
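Review bot: The new 443 server block sets only `ssl_certificate` and `ssl_certificate_key` and carries no `ssl_protocols`, `ssl_ciphers` or HSTS header of its own; if the nginx role sets these at `http {}` level they are inherited, but that is not visible here and is worth confirming before the vhost is exposed. Once the LE certificate is confirmed to be served, `add_header Strict-Transport-Security "max-age=31536000" always;` in the 443 block makes the HTTP-to-HTTPS redirect above it sticky for browsers. Both `server {}` blocks extend beyond the hunk: the first opens before it and the second closes after it.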
@ -1,4 +1,5 @@
|
||||
---
|
||||
|
||||
dependencies:
|
||||
- { role: nginx, nginx_ssl: False }
|
||||
- { role: certmgr }
|
||||
- { role: nginx, nginx_ssl: True }
|
||||
|
@ -27,6 +27,19 @@
|
||||
- name: Configure RackTables
|
||||
template: src=secret.php.j2 dest=/opt/racktables/wwwroot/inc/secret.php owner=www-data group=www-data mode=0400
|
||||
|
||||
- name: Ensure certificates are available
|
||||
command: openssl req -x509 -nodes -newkey rsa:2048 -keyout /etc/nginx/ssl/{{ racktables_domain }}.key -out /etc/nginx/ssl/{{ racktables_domain }}.crt -days 730 -subj "/CN={{ racktables_domain }}" creates=/etc/nginx/ssl/{{ racktables_domain }}.crt
|
||||
notify: Restart nginx
|
||||
|
||||
- name: Request nsupdate key for certificate
|
||||
include_role: name=acme-dnskey-generate
|
||||
vars:
|
||||
acme_dnskey_san_domains:
|
||||
- "{{ racktables_domain }}"
|
||||
|
||||
- name: Configure certificate manager for racktables
|
||||
template: src=certs.j2 dest=/etc/acme/domains.d/{{ racktables_domain }}.conf
|
||||
|
||||
- name: Configure vhost
|
||||
template: src=vhost.j2 dest=/etc/nginx/sites-available/racktables
|
||||
notify: Restart nginx
|
||||
|
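Review bot: `Configure certificate manager for racktables` writes `/etc/acme/domains.d/{{ racktables_domain }}.conf` but nothing in the hunk triggers an issuance afterwards, so on a fresh host the 730-day self-signed certificate from `Ensure certificates are available` keeps being served until the cert manager's next scheduled run; a `notify:` to a certmgr handler, if the certmgr role provides one, or a one-shot run after the template task closes that window. The bootstrap `openssl` command also pins no owner or mode on the `.key`, unlike the `secret.php` task just above it that sets `mode=0400`; an explicit `file:` step to root/0400 keeps it consistent with the cert-manager entry that later manages the same path. Whether the nsupdate key obtained through `acme-dnskey-generate` is limited to `_acme-challenge.{{ racktables_domain }}` rather than the whole zone is not visible from this page and is worth confirming, because that key ends up on the web host.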
18
roles/racktables/templates/certs.j2
Normal file
@ -0,0 +1,18 @@
|
||||
---
|
||||
|
||||
{{ racktables_domain }}:
|
||||
- mode: dns.nsupdate
|
||||
nsupdate_server: {{ acme_dnskey_server }}
|
||||
nsupdate_keyfile: {{ acme_dnskey_file }}
|
||||
- path: /etc/nginx/ssl/{{ racktables_domain }}.key
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: key
|
||||
action: '/usr/sbin/service nginx restart'
|
||||
- path: /etc/nginx/ssl/{{ racktables_domain }}.crt
|
||||
user: root
|
||||
group: root
|
||||
perm: '400'
|
||||
format: crt,ca
|
||||
action: '/usr/sbin/service nginx restart'
|
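Review bot: This template is the librenms `certs.j2` with `racktables_domain` substituted and nothing else changed, including the `service nginx restart` action on both entries; one shared template parameterised by a domain variable would keep the two from drifting, since as written a change to one (for instance switching `restart` to `reload`) has to be repeated by hand in the other. For the same reason as in the librenms copy, `reload` rather than `restart` is the less disruptive post-renewal action for nginx.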
@ -4,6 +4,20 @@ server {
|
||||
|
||||
server_name {{ racktables_domain }};
|
||||
|
||||
location / {
|
||||
return 301 https://{{ racktables_domain }}$request_uri;
|
||||
}
|
||||
}
|
||||
|
||||
server {
|
||||
listen 443 ssl http2;
|
||||
listen [::]:443 ssl http2;
|
||||
|
||||
server_name {{ racktables_domain }};
|
||||
|
||||
ssl_certificate_key /etc/nginx/ssl/{{ racktables_domain }}.key;
|
||||
ssl_certificate /etc/nginx/ssl/{{ racktables_domain }}.crt;
|
||||
|
||||
root /opt/racktables/wwwroot;
|
||||
|
||||
index index.php;
|
||||
|
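Review bot: The 443 block is a copy of the librenms one and likewise carries no `ssl_protocols`, `ssl_ciphers` or HSTS header of its own; if both vhosts rely on `http {}`-level settings from the nginx role that is fine, but it is not visible here. Keeping the shared TLS directives in one snippet file and including it from each 443 block would make that explicit and keep the two vhosts aligned as they are hardened. The `server {}` blocks start before and end after this hunk.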