[tor-commits] [metrics-cloud/master] Adds files for letsencrypt role
irl at torproject.org
irl at torproject.org
Thu Oct 3 11:10:30 UTC 2019
commit ad5559bcbb28b09b2a6feafe9f853a6c8b96d8ff
Author: Ana Custura <ana at netstat.org.uk>
Date: Wed Aug 14 16:21:52 2019 +0100
Adds files for letsencrypt role
---
.../roles/letsencrypt/files/000-default.conf.j2 | 18 +++
.../roles/letsencrypt/files/default-ssl.conf.j2 | 22 ++++
ansible/roles/letsencrypt/handlers/main.yml | 4 +
ansible/roles/letsencrypt/tasks/main.yml | 143 +++++++++++++++++++++
ansible/roles/letsencrypt/vars/main.yml | 18 +++
5 files changed, 205 insertions(+)
diff --git a/ansible/roles/letsencrypt/files/000-default.conf.j2 b/ansible/roles/letsencrypt/files/000-default.conf.j2
new file mode 100644
index 0000000..e8a52bd
--- /dev/null
+++ b/ansible/roles/letsencrypt/files/000-default.conf.j2
@@ -0,0 +1,18 @@
+<VirtualHost *:80>
+ ServerName {{ domain }}
+ ServerAdmin {{ letsencrypt_account_email }}
+ DocumentRoot {{ onionperf_directory}}
+
+ Alias "/.well-known" "/var/www/html/.well-known"
+
+ <Directory {{ onionperf_directory }}>
+ Options Indexes
+ Require all granted
+ </Directory>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+</VirtualHost>
+
+
diff --git a/ansible/roles/letsencrypt/files/default-ssl.conf.j2 b/ansible/roles/letsencrypt/files/default-ssl.conf.j2
new file mode 100644
index 0000000..b2ec0cf
--- /dev/null
+++ b/ansible/roles/letsencrypt/files/default-ssl.conf.j2
@@ -0,0 +1,22 @@
+<VirtualHost *:443>
+ ServerName {{ domain }}
+
+ ServerAdmin {{ letsencrypt_account_email }}
+ DocumentRoot {{ onionperf_directory}}
+
+ <Directory {{ onionperf_directory }}>
+ Options Indexes
+ Require all granted
+ </Directory>
+
+ ErrorLog ${APACHE_LOG_DIR}/error.log
+ CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+ SSLEngine On
+ SSLCertificateFile "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+ SSLCertificateKeyFile "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+ SSLCertificateChainFile "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+
+</VirtualHost>
+
+
diff --git a/ansible/roles/letsencrypt/handlers/main.yml b/ansible/roles/letsencrypt/handlers/main.yml
new file mode 100644
index 0000000..ba2dfcf
--- /dev/null
+++ b/ansible/roles/letsencrypt/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reload apache2
+ service: name=apache2 state=restarted daemon_reload=yes
+ become: true
diff --git a/ansible/roles/letsencrypt/tasks/main.yml b/ansible/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..41e8de3
--- /dev/null
+++ b/ansible/roles/letsencrypt/tasks/main.yml
@@ -0,0 +1,143 @@
+---
+# in here put the domain for the certificate required
+- name: Create certficate directory
+ file:
+ path: "{{ letsencrypt_dest }}/{{ domain }}"
+ state: directory
+ become: true
+
+- name: Copy Apache default configuration
+ template:
+ src: files/000-default.conf.j2
+ dest: /etc/apache2/sites-available/000-default.conf
+ owner: www-data
+ group: www-data
+ mode: '0644'
+ become: true
+
+- name: Copy Apache SSL configuration
+ template:
+ src: files/default-ssl.conf.j2
+ dest: /etc/apache2/sites-available/default-ssl.conf
+ owner: www-data
+ group: www-data
+ mode: '0644'
+ become: true
+
+
+# generate account key, if necessary
+- name: Find account.key
+ stat:
+ path: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+ register: account_key
+ become: true
+ run_once: true
+
+- name: Generate account.key
+ shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+ run_once: true
+ when: not account_key.stat.exists
+ become: true
+
+# generate domain key, if necessary
+- name: Find domain.key
+ stat:
+ path: "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+ register: domain_key
+ become: true
+ run_once: true
+
+- name: Generate domain.key
+ shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+ run_once: true
+ when: not domain_key.stat.exists
+ become: true
+
+# generate domain csr, if necessary
+- name: Find domain.csr
+ stat:
+ path: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+ register: domain_csr
+ become: true
+ run_once: true
+
+- name: Generate domain.csr
+ shell: openssl req -new -sha256 -key "{{ letsencrypt_dest }}/{{ domain }}/domain.key" \
+ -subj "/CN={{ domain }}" > "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+ run_once: true
+ when: not domain_csr.stat.exists
+ become: true
+
+- name: Create challenge
+ acme_certificate:
+ account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+ csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+ dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+ chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem"
+ fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+ account_email: "{{ letsencrypt_account_email }}"
+ acme_directory: "{{ letsencrypt_acme_directory }}"
+ acme_version: "{{ letsencrypt_acme_version }}"
+ agreement: "{{ letsencrypt_agreement }}"
+ terms_agreed: "{{ letsencrypt_terms_agreed }}"
+ challenge: "{{ letsencrypt_challenge }}"
+ remaining_days: "{{ letsencrypt_remaining_days }}"
+ register: op_challenge
+ become: true
+
+- name: Create challenge webserver directory
+ file:
+ path: "/var/www/html/.well-known/acme-challenge"
+ state: directory
+ recurse: yes
+ become: true
+
+- name: Copy challenge files to webserver root
+ copy:
+ dest: "/var/www/html/{{ op_challenge['challenge_data'][domain]['http-01']['resource'] }}"
+ content: "{{ op_challenge['challenge_data'][domain]['http-01']['resource_value'] }}"
+ when: op_challenge is changed
+ become: true
+
+- name: Create certificate
+ acme_certificate:
+ account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+ csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+ dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+ chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem"
+ agreement: "{{ letsencrypt_agreement }}"
+ terms_agreed: "{{ letsencrypt_terms_agreed }}"
+ fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+ data: "{{ op_challenge }}"
+ account_email: "{{ letsencrypt_account_email }}"
+ acme_directory: "{{ letsencrypt_acme_directory }}"
+ acme_version: "{{ letsencrypt_acme_version }}"
+ challenge: "{{ letsencrypt_challenge }}"
+ remaining_days: "{{ letsencrypt_remaining_days }}"
+ run_once: true
+ when: op_challenge is changed
+ register: verify_challenge
+ become: true
+
+- name: Enable SSL module
+ apache2_module:
+ state: present
+ name: ssl
+ become: true
+ notify:
+ - reload apache2
+
+- name: Look for existing SSL website
+ stat:
+ path: "/etc/apache2/sites-enabled/default-ssl.conf"
+ register: ssl_website
+ become: true
+ run_once: true
+
+- name: Enable SSL website
+ command: a2ensite default-ssl.conf
+ become: true
+ run_once: true
+ when: not ssl_website.stat.exists
+ notify:
+ - reload apache2
diff --git a/ansible/roles/letsencrypt/vars/main.yml b/ansible/roles/letsencrypt/vars/main.yml
new file mode 100644
index 0000000..32d83b1
--- /dev/null
+++ b/ansible/roles/letsencrypt/vars/main.yml
@@ -0,0 +1,18 @@
+---
+
+letsencrypt_account_email: "acute at torproject.org"
+domain: "test.t1.erg.abdn.ac.uk"
+
+# staging - use this for testing!
+letsencrypt_acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
+
+# production - use this when you want an actual certificate
+#letsencrypt_acme_directory: "https://acme-v01.api.letsencrypt.org/directory"
+letsencrypt_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf"
+letsencrypt_terms_agreed: 1
+letsencrypt_acme_version: 2
+letsencrypt_challenge: "http-01"
+letsencrypt_dest: "/etc/letsencrypt"
+letsencrypt_remaining_days: 90
+
+onionperf_directory : "/srv/onionperf.torproject.net/onionperf-data"
More information about the tor-commits
mailing list