commit ad5559bcbb28b09b2a6feafe9f853a6c8b96d8ff Author: Ana Custura ana@netstat.org.uk Date: Wed Aug 14 16:21:52 2019 +0100
Adds files for letsencrypt role --- .../roles/letsencrypt/files/000-default.conf.j2 | 18 +++ .../roles/letsencrypt/files/default-ssl.conf.j2 | 22 ++++ ansible/roles/letsencrypt/handlers/main.yml | 4 + ansible/roles/letsencrypt/tasks/main.yml | 143 +++++++++++++++++++++ ansible/roles/letsencrypt/vars/main.yml | 18 +++ 5 files changed, 205 insertions(+)
diff --git a/ansible/roles/letsencrypt/files/000-default.conf.j2 b/ansible/roles/letsencrypt/files/000-default.conf.j2 new file mode 100644 index 0000000..e8a52bd --- /dev/null +++ b/ansible/roles/letsencrypt/files/000-default.conf.j2 @@ -0,0 +1,18 @@ +<VirtualHost *:80> + ServerName {{ domain }} + ServerAdmin {{ letsencrypt_account_email }} + DocumentRoot {{ onionperf_directory}} + + Alias "/.well-known" "/var/www/html/.well-known" + + <Directory {{ onionperf_directory }}> + Options Indexes + Require all granted + </Directory> + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + +</VirtualHost> + + diff --git a/ansible/roles/letsencrypt/files/default-ssl.conf.j2 b/ansible/roles/letsencrypt/files/default-ssl.conf.j2 new file mode 100644 index 0000000..b2ec0cf --- /dev/null +++ b/ansible/roles/letsencrypt/files/default-ssl.conf.j2 @@ -0,0 +1,22 @@ +<VirtualHost *:443> + ServerName {{ domain }} + + ServerAdmin {{ letsencrypt_account_email }} + DocumentRoot {{ onionperf_directory}} + + <Directory {{ onionperf_directory }}> + Options Indexes + Require all granted + </Directory> + + ErrorLog ${APACHE_LOG_DIR}/error.log + CustomLog ${APACHE_LOG_DIR}/access.log combined + + SSLEngine On + SSLCertificateFile "{{ letsencrypt_dest }}/{{ domain }}/signed.crt" + SSLCertificateKeyFile "{{ letsencrypt_dest }}/{{ domain }}/domain.key" + SSLCertificateChainFile "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem" + +</VirtualHost> + + diff --git a/ansible/roles/letsencrypt/handlers/main.yml b/ansible/roles/letsencrypt/handlers/main.yml new file mode 100644 index 0000000..ba2dfcf --- /dev/null +++ b/ansible/roles/letsencrypt/handlers/main.yml @@ -0,0 +1,4 @@ +--- +- name: reload apache2 + service: name=apache2 state=restarted daemon_reload=yes + become: true diff --git a/ansible/roles/letsencrypt/tasks/main.yml b/ansible/roles/letsencrypt/tasks/main.yml new file mode 100644 index 0000000..41e8de3 --- /dev/null +++ b/ansible/roles/letsencrypt/tasks/main.yml @@ -0,0 +1,143 @@ +--- +# in here put the domain for the certificate required +- name: Create certficate directory + file: + path: "{{ letsencrypt_dest }}/{{ domain }}" + state: directory + become: true + +- name: Copy Apache default configuration + template: + src: files/000-default.conf.j2 + dest: /etc/apache2/sites-available/000-default.conf + owner: www-data + group: www-data + mode: '0644' + become: true + +- name: Copy Apache SSL configuration + template: + src: files/default-ssl.conf.j2 + dest: /etc/apache2/sites-available/default-ssl.conf + owner: www-data + group: www-data + mode: '0644' + become: true + + +# generate account key, if necessary +- name: Find account.key + stat: + path: "{{ letsencrypt_dest }}/{{ domain }}/account.key" + register: account_key + become: true + run_once: true + +- name: Generate account.key + shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/account.key" + run_once: true + when: not account_key.stat.exists + become: true + +# generate domain key, if necessary +- name: Find domain.key + stat: + path: "{{ letsencrypt_dest }}/{{ domain }}/domain.key" + register: domain_key + become: true + run_once: true + +- name: Generate domain.key + shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/domain.key" + run_once: true + when: not domain_key.stat.exists + become: true + +# generate domain csr, if necessary +- name: Find domain.csr + stat: + path: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr" + register: domain_csr + become: true + run_once: true + +- name: Generate domain.csr + shell: openssl req -new -sha256 -key "{{ letsencrypt_dest }}/{{ domain }}/domain.key" \ + -subj "/CN={{ domain }}" > "{{ letsencrypt_dest }}/{{ domain }}/domain.csr" + run_once: true + when: not domain_csr.stat.exists + become: true + +- name: Create challenge + acme_certificate: + account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key" + csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr" + dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt" + chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem" + fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem" + account_email: "{{ letsencrypt_account_email }}" + acme_directory: "{{ letsencrypt_acme_directory }}" + acme_version: "{{ letsencrypt_acme_version }}" + agreement: "{{ letsencrypt_agreement }}" + terms_agreed: "{{ letsencrypt_terms_agreed }}" + challenge: "{{ letsencrypt_challenge }}" + remaining_days: "{{ letsencrypt_remaining_days }}" + register: op_challenge + become: true + +- name: Create challenge webserver directory + file: + path: "/var/www/html/.well-known/acme-challenge" + state: directory + recurse: yes + become: true + +- name: Copy challenge files to webserver root + copy: + dest: "/var/www/html/{{ op_challenge['challenge_data'][domain]['http-01']['resource'] }}" + content: "{{ op_challenge['challenge_data'][domain]['http-01']['resource_value'] }}" + when: op_challenge is changed + become: true + +- name: Create certificate + acme_certificate: + account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key" + csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr" + dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt" + chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem" + agreement: "{{ letsencrypt_agreement }}" + terms_agreed: "{{ letsencrypt_terms_agreed }}" + fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem" + data: "{{ op_challenge }}" + account_email: "{{ letsencrypt_account_email }}" + acme_directory: "{{ letsencrypt_acme_directory }}" + acme_version: "{{ letsencrypt_acme_version }}" + challenge: "{{ letsencrypt_challenge }}" + remaining_days: "{{ letsencrypt_remaining_days }}" + run_once: true + when: op_challenge is changed + register: verify_challenge + become: true + +- name: Enable SSL module + apache2_module: + state: present + name: ssl + become: true + notify: + - reload apache2 + +- name: Look for existing SSL website + stat: + path: "/etc/apache2/sites-enabled/default-ssl.conf" + register: ssl_website + become: true + run_once: true + +- name: Enable SSL website + command: a2ensite default-ssl.conf + become: true + run_once: true + when: not ssl_website.stat.exists + notify: + - reload apache2 diff --git a/ansible/roles/letsencrypt/vars/main.yml b/ansible/roles/letsencrypt/vars/main.yml new file mode 100644 index 0000000..32d83b1 --- /dev/null +++ b/ansible/roles/letsencrypt/vars/main.yml @@ -0,0 +1,18 @@ +--- + +letsencrypt_account_email: "acute@torproject.org" +domain: "test.t1.erg.abdn.ac.uk" + +# staging - use this for testing! +letsencrypt_acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" + +# production - use this when you want an actual certificate +#letsencrypt_acme_directory: "https://acme-v01.api.letsencrypt.org/directory" +letsencrypt_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf" +letsencrypt_terms_agreed: 1 +letsencrypt_acme_version: 2 +letsencrypt_challenge: "http-01" +letsencrypt_dest: "/etc/letsencrypt" +letsencrypt_remaining_days: 90 + +onionperf_directory : "/srv/onionperf.torproject.net/onionperf-data"