Add role for creating new certs for the IRC service.

ansible/acme-all.yml

@@ -10,10 +10,22 @@
   hosts: storage.home.jowj.net
   remote_user: "{{ remote_user }}"
   roles:
-    - { name: acmedns_remote_host, tags: ['acmedns_remote_host'] }    
+    - { name: acmedns_remote_host, tags: ['acmedns_remote_host'] }
 
-- name: Pull LE certs and copy them to Synology
+- name: Setup awful-1 to allow for remote cert copy
+  hosts: awful-1.awful.club
+  remote_user: "{{ remote_user }}"
+  roles:
+    - { name: acmedns_remote_host, tags: ['acmedns_remote_host'] }          
+
+- name: Pull LE certs and copy them to synology
   hosts: larva.home.jowj.net
   remote_user: "{{ remote_user }}"
   roles:
     - { name: acmedns_syno_updater, tags: ['acmedns_syno_updater'] }    
+
+- name: Pull LE certs and copy them to awful-1
+  hosts: larva.home.jowj.net
+  remote_user: "{{ remote_user }}"
+  roles:
+    - { name: acmedns_bouncer_updater, tags: ['acmedns_bouncer_updater'] }        

ansible/group_vars/all/acmedns_stuff.yml

@@ -22,3 +22,18 @@ acmedns_syno_updater_syn_server: "{{ acmedns_syno_updater_domain }}"
 acmedns_syno_updater_syn_server_pubkey: storage.home.jowj.net,192.168.1.221 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNFlSCsoeS1dPFipdZYqr+WY38XRwQLsDds9BuOiRz8k1Palyief8QPxdBNAR28qyJb2QPjqEFlNQ1hHUt/+WTI=
 acmedns_syno_updater_pubkey: "{{ global_acmedns_ssh_client_pubkey }}"
 acmedns_syno_updater_privkey: "{{ acmedns_base_privkey }}"
+
+# ACME DNS bouncer updater stuff
+acmedns_bouncer_updater_cert_base: "{{ acmedns_base_certificate_dir }}"
+acmedns_bouncer_updater_user: "{{ acmedns_base_user }}"
+acmedns_bouncer_updater_group: "{{ acmedns_base_group }}"
+acmedns_bouncer_updater_job_name: bouncer
+acmedns_bouncer_updater_email: admin@awful.club
+acmedns_bouncer_updater_domain: bouncer.awful.club
+
+acmedns_bouncer_updater_bouncer_user: josiah
+acmedns_bouncer_updater_bouncer_server: "{{ acmedns_bouncer_updater_domain }}"
+acmedns_bouncer_updater_bouncer_server_pubkey: bouncer.awful.club,134.209.53.112 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMIBPq7YdH4ezm3C0ovvdA+ursckOBoG7VCaV9IiRbOryINoDNX6DRLFvwiXM9Uws3C/t5nAK6ApCnc7IBEeP8=
+acmedns_bouncer_updater_pubkey: "{{ global_acmedns_ssh_client_pubkey }}"
+acmedns_bouncer_updater_privkey: "{{ acmedns_base_privkey }}"
+

ansible/group_vars/all/vault.yml

@@ -1,94 +1,94 @@
 $ANSIBLE_VAULT;1.1;AES256
-62666263363832373133396163386664383736306334383964393732353332383663376230633738
-3937623038613464313965343735353262313131303237650a663038663864613565363964353837
-34616630346662646464636261663631383864303561376636653035323263393338316535623535
-3738343733373438660a623134333464356333353566653633376436633166366335373462613935
-36343236666332343434393764626466323537636331343163393935356132613439343232333238
-31383134343363616136376235393064643165326137633334626633316264663133386333333265
-62373765303163646364626534366531326131323131333137613437623236356530366333393631
-37613065306336656362383931303831643462306336653038366535653465386465366363636438
-37616237393336336136616663663661323739613035616538646236373338346138366639613164
-63383637643662613236613663333962386632333335636462376338616138663364346339346639
-32656262373236376530353832633439633031646535653064303932306432636430366166303234
-34333262353735383938353563623462666137323962646136623131646537373738393637633161
-62303839303763366362346236663837373637316663303836373037373934656663393134316635
-61636138316561393337383464613562653434313338633931346436613663313234303438653264
-39363035313630643361313530643834386564666136633631626434343634393833643863616633
-61613436643937303965666337653333383166663836613761633331616632313137346665633838
-64633934386338663931376636613266356566356230346337353765646431663938623032343562
-62656337613334323962656361666336646430393837303364346130326665633037623331303664
-33353530353335386531366162653763326137353131396338313738626263653136396564633763
-64613839333561333365616135333637316535636163356433626363386137363262366266343866
-35386239653339393738373964366163303230633931363465663939383237653338306237333730
-31646536633564616263623130306666323736383466313438653862663635626531353336343161
-63666264373739383237353862343238356635376539633465626162613262343633333038353161
-31643439616335396434623439613263303562663761303035316661313364343361303134366436
-35613638633235626632373264633462393839363162386562643738326664316130396362313539
-34623234313634366662663461333166383333303433383233336232643463313266656438323338
-34616239323562376438666439613936313965316463396566303032613165646334386564663561
-31356132633539653831326234323136623538663039326666633166643761353539633337353738
-32623265626132353665376635636266666664663231656461386339353438656565623135656231
-39633966386566373631626138643032636338643634663462313432373339613364666365376432
-30306365633534663331663135646131396261313832616235643335343964653434303735336263
-33366165326266373036643236346235313164346265356132383131646538316139666164633136
-35643862313264383062643965636537356238653730303866376634643938643932316439646539
-64663234646634653331316130626433313764346435613833663938343430643365643837656338
-32633561363431363164303366306166323434633734316436643663303432633564356461623562
-65313332303262363636666266383465623463376132353839306536373735376162373363643430
-39643738623933613836356363346630393264626461313036393837306537653861373639376432
-30353461383166313537346566326136626230343933353738326534396461346239633364376530
-35303737393238653266663939393531366539306665376561306530303536663965656136646534
-30366539393161613766303239663531623136366361336539336432653564363131653666646635
-61323231386661386638393433646536626264363234303036316330383636323462336565663136
-61613636316432623437313235613232303066376235313735666166373266316232353331623836
-62653536333239356330323633613537303161346337336564636566363332613333393630306435
-62396439363061663362326539373765376234373833373363353731366230663630643633393431
-32323863353765313034643331643331343532326139333637323434313765393431373364626635
-30336232393366383764366635353236626538373963396364393561326230366437353433373137
-31653363313562356532313839373464633262313363613562343864626161356461663437343361
-65383238346337353434366165613239306264393433383239653534306432353432373530303336
-34663264323761613966373639336433313761383361373563376331363030316364313039376233
-38643761353865363631386239316134633265366266386432333462656263356365303831313533
-62313136663865393864393965383566383430383064656139353630313166336536643363393361
-32316436303561663061323531613633633664376331336261333364313533663830313435653735
-66383763386437303432636332303333313238666135333633613430323935343938336432646331
-63303138616634396432316466333430666663613734383532373030336437353763356632613034
-36643936366538363061316465643065393236356566303239396566306132313634376233633839
-37643730633735306635326665386532313832303139323235393636366336363138666161643965
-31313834623461626237663934646234396236336432356332333063643238633766623561373930
-30363263343161316236656665303835633130633636303139353661303262653235313932383433
-66303639663963656364396233343632613033313233303134363064663766626238636532336461
-34653139333331643762343466303261626131636466373766383334383137356336343636656331
-63313839646634633434633233306334353661303762313333653436306663623138663862663030
-35633265333563346364366261323764383030616134666665363963656365326135346265636263
-39616230393537636363643439343634383166303838633334333865316562633133383363626339
-32386161346365666533623737613464353436653331663636653533306263643464636133626236
-66663564636661316333396263666130616434363638363438353165336633646563323064363334
-30343931656234666137366262626135356461363132383133323935373963366562346361636431
-61653334633132396363373537653531353265366564663565663866316139383564303735616134
-30373933393730393830623732613936646565656237643966386162616565313963653831356138
-63626432363833353065323037323434626130343265613839636436383166373130613431303635
-36363439336661346262343134346536653566346434376136363666326434366535326631626137
-62313134613637646664326137346132653532393536376435363265313936336534646662333937
-37633731326238316436646630313661653535306637353138343965663030636132383735303264
-63303231383634633232653961386339333633303630323162333936663433623937353132333536
-31643037653163303930656132663966383635633839303632656161393831376330343764393366
-39383038346232356338333437663665656633313264303062343263386464386138336432626132
-30366563376630663761363632376435343430323333653736383432343131303737646433336237
-34383461653230383863393466386238636666323034666233633730616364643832333437343538
-64653330346435373830323931313961626163616439633164313161316233383662323466353636
-33363534386336306633326335313361653562626135373733383666626662376264336130653862
-38626235333434376439353338643138613532636534613233636663316431626366643639393265
-33396362626564366337343731336565653636613333656236316561346438383961623363373765
-65333161356630633263646532336463386439656134316465653565626133623865393265316534
-39663930303230646639653738323763613836613135393166623366396137646333303131326337
-37653563663338643436356434633536313661316235326432363538386631646662643935363864
-61646635633538303631313935613361663961666439636533613138383262316232326131623234
-37626339343266353732303039306630316466363333313336313865336564336636363863316539
-65383933353066616333376330323931316563363331623236326663643138343335636463306536
-63306334613736623862356330363063393238346134653537656330353133393964396163326661
-62386161366137353263333033336239393730653639393231393733373339613061383363616639
-37346637346637363631613432383633356231353035636335636134613764626638646262666235
-64306439323762623133313035633962383237333231623963376636653535306536663764316337
-31636438393130663833616336356666393439336364626464303637616331306161616662323132
-3433
+37646362333463313538373433666337623238333436663038653934363462666661343436653862
+3839303733356638386166386662376535616639303966660a616137393162616163653233383637
+30626266353833323837353031303463376461386630333063346335366162386563373633626436
+3135653362666563630a633832343962613336376636646161323632376333353634393661353232
+66663134353464393137383836383961616532633638346565353165363830353664613361343038
+65613437373339323562336435653239313561616330343536356561346137346539353231633133
+61646131383462626531636233636666663030326635663431356266343734356661383637653161
+62616330343266663032303335643662373238376665303037356633323563313632383833306266
+66666364346531643732656666316534633737626262373436323462353832306561646333323135
+34306563376639353164316636626431326437623634643933363966336564353835366438343761
+66656535623636343861306638333739323437363831376638366130303930653035613237363834
+31323433646464663131366234316233383337303762326335646331303535646464633736643361
+37653133633963383539643861393265343362653863613634613634373334626136636466303263
+62663336353637393230626536616466616665313938636537383239656234373136383432626237
+32303263306636613766376466323461616634626466386130303533313434353866323166363737
+62376263636536643931316361333461363033643932343632393735323736623334376164633266
+62663137393738376237363965653932313934633365366630356264336165383238366465353237
+64386639626132393563393632393162663266383765663031363262613366616261396133363737
+35353033666533663138623861356231353762633731333966373965356633616132613837366236
+31383530356539623065623466373033623662343333313234663536656337373231636166373138
+66323933366238313437613239623761303861306132623763316537623133303538643061323735
+30353333616437343666323866643539653965663439663331303066313435613330376630613031
+31326333333831633833306130646664373930656261343033393732643536343061346634373939
+65366433653562376231646665643666363336623836646364313938653063613334353266646166
+63653732633037383033663762363133643534336231663439353938633561313061643933633761
+30663765653932636365343133346336383638333631303133313262323365643464373862653538
+37643639656131663962393839383334623439373238333036376566333334316136393934363661
+31393731366236326464313035633234643165393262633336623062323061633762386332333730
+38396435396338623662636636353437356161646634356266303961396566633336373238663765
+33666632623432623339663763333730666634623233643066376331376532313835366637313461
+36323535373330623834353634336462386235363933306565313636356639316439383566346233
+62333330393937626666366334326334633434653839323461373536346364373438386339393330
+66626132633065336366343563306431313262656437323834626136386439643133313336626463
+32306661326533353764366335653435336162336661313533323034396130633033396266386664
+64383466396132663765376530396562313864323831313731666431343937626331646463366230
+66396666313730623137346166633266326263343533346135653066646465663262613438356632
+66303233306361366635343364393137613231613635666365666634613036343764643736643435
+37373065346661363164303463346433653564316236393534613363623735643534313539643964
+62646263393130333962373764653139653664633734616535313365353065373030633137616363
+38396538323063353636633166343364613564353963616663306635393563336432366563393064
+33633762316163613833343439316434373635663032386630656637376138336366316536623565
+35386661393366333538323235313065333934643133656436356261636430323061393738646335
+38363461376362633363623135356133633836353961333164383061376665663065646161643138
+35666434316131383536386338336633363337366632393633333932383034346662326436323565
+31626138323832356634343030353762623062353261616163356433316537333663626433363631
+61663863336466383135313333636430383436323665396234303462323138633137396233346462
+31623434663363353530326337623736363939633465353838613438316365303666343161373031
+36393536643433623034323038323266343030363563376665323538643634653438636336333361
+36616537303362313237353635633962313331383938646665303238336331353039333230333635
+66333863396461353666346262663936616564663762636534373963306665656131383863666535
+65396436323565623937663861636162373039666563326531363939613130633464633133353737
+38663438633566626337323739333836353534353932303366383266336631646633623637373532
+66646230613834613733313533653062313166613039326634353562303566636439366237663031
+66356438646537643132323536386132383838376433326266353635313031313965633132663032
+34323333636132326133613833646462323534643330636534306634613964393230393930353532
+63663831653430626634316130303538303439303133616563666531633835313434663863343061
+64373233343862373934336663393433646538333338306536376639663961313735643634656239
+38666431333334653832313932396264663436633332386233663937386132383630303430613637
+37636333666563346332316138386639656631373739353131353635383639366431373563646361
+36663839363635373465346366313039383137313162323432343837353934666634343538366664
+31396235646463633361326239646539663561663838373937373763303430323634653264353731
+64306239316433333033356437316135633336356366363436303133333139383131353032376666
+37613430656564363163313835636165363636306637626532326564623736376663613636653735
+32633861306131303231376439643139336231323463663830336339376265663866616238396462
+33353530343635353662323162633665616435356633356264663037396561623566386338666163
+33616236386164346262313235643639656538313964323964633730386134323764646535633032
+62333032396562303665653866306136633061643363306531383430323339363432653166633264
+36323932616332383938346664353935373532626430373234393433366565353161313732353662
+62343462356135366433633131643062626365636331313362663634333130303631353466316664
+34333331313834363833333530613737653762633265346163363438666262336162363262613430
+38643437626565343133616437623131346566353936376265656137653461623366613862376434
+66363439353239356434306333653738343434333936613233363136303838323730396634393364
+66333462346539386434316534383735333331373935623863333336633337366439623330353335
+66356166356265313739346136653135373736326432623464366466396363346330376339316530
+31623431346639393863623439663436376634386634393263653233393161663232343061623236
+63313965663037323565353432666662353839366132666135363632653337396436313039373231
+64343063333532663837646461326530356137343036633338343836393638666461343130363332
+35333631343262663233336330313839363866626537393838626466303965396165613535306261
+63656636626432393332353534383938616234626439393037316236336564373261313131393133
+64353636633333323935623864353033393838633939383937663437383336623034656535656266
+62303633316466343163653737346633626231613435653330653266396462343538376230313132
+35653766646430396664363635616530616235376235363261613535633831646162613337323631
+37653333363234343436303235666265646337666534396335646663323633623066373861666563
+33623166353563653965393538323663313334623937663030393262646436643132633738643334
+31333337353562613432633834323439626266326333663338303039643533666362663636333837
+33323337383030353039383963346534636232323032626434633264323438663039666162343134
+61356536346563663837323031636261326665346331636136646261633438653839363563383433
+65343435343461623639313034386334316661396664376537663136373465643166653636353031
+30646231653537323837383161313234386338623237356431363833346263316530626430343766
+38353030633933306461616264313166366231326432623832383864326134343939386333326363
+62303763393665626362396132633830626434323737393364386531333263646465643234333635
+39356436326239373932383238626439396339613438373761316132633065323332633539313233
+6566

ansible/roles/acmedns_bouncer_updater/defaults/main.yml

@@ -0,0 +1,2 @@
+---
+acmedns_bouncer_updater_runonce: false

ansible/roles/acmedns_bouncer_updater/meta/main.yml

@@ -0,0 +1,2 @@
+---
+

ansible/roles/acmedns_bouncer_updater/tasks/main.yml

@@ -0,0 +1,58 @@
+---
+
+- name: Add bouncer server to known_hosts
+  known_hosts:
+    name: "{{ acmedns_bouncer_updater_bouncer_server }}"
+    key: "{{ acmedns_bouncer_updater_bouncer_server_pubkey }}"
+  become: yes
+  become_user: "{{ acmedns_bouncer_updater_user }}"
+
+- name: Install script
+  template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: root
+    group: "{{ acmedns_bouncer_updater_group }}"
+    mode: "0750"
+  with_items:
+    - src: acmedns_update.sh.j2
+      dest: "{{ acmedns_bouncer_updater_script_path }}"
+
+- name: Configure cronvar
+  cronvar:
+    name: "{{ item.name }}"
+    value: "{{ item.value }}"
+    cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
+  with_items:
+    - name: MAILTO
+      value: "{{ acmedns_bouncer_updater_email }}"
+
+- name: Configure cronjob
+  cron:
+    name: "{{ acmedns_bouncer_updater_job_name }}"
+    day: "*"
+    hour: "3"
+    minute: "47"
+    job: "{{ acmedns_bouncer_updater_script_path }}"
+    user: "{{ acmedns_bouncer_updater_user }}"
+    cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
+
+- name: Copy a new "httpd-ssl.conf-cipher" file into place
+  template: src=acmedns_httpd-ssl.conf-cipher dest=/etc/acmedns/certificates/storage/certificates/httpd-ssl.conf-cipher owner=root mode=0644
+
+- name: Run wrapper script once
+  # Wrapper script passes --days, so this won't contact Let's Encrypt unless necessary
+  command: "{{ acmedns_bouncer_updater_script_path }}"
+  become: yes
+  become_user: "{{ acmedns_bouncer_updater_user }}"
+  when: acmedns_bouncer_updater_runonce|bool
+
+- name: Allow all users to run wrapper script as our user
+  lineinfile:
+    path: /etc/sudoers.d/acmedns_{{ acmedns_bouncer_updater_job_name }}
+    line: "ALL ALL=({{ acmedns_bouncer_updater_user }}) NOPASSWD: {{ acmedns_bouncer_updater_script_path }}"
+    owner: root
+    group: root
+    mode: "0640"
+    create: yes
+    validate: visudo -cf %s

ansible/roles/acmedns_bouncer_updater/templates/acmedns_httpd-ssl.conf-cipher

@@ -0,0 +1,18 @@
+AddType application/x-x509-ca-cert  .crt
+AddType application/x-pkcs7-crl     .crl
+
+SSLCertificateFile      "/usr/local/etc/certificate/WebDAVServer/webdav/cert.pem"
+SSLCertificateKeyFile   "/usr/local/etc/certificate/WebDAVServer/webdav/privkey.pem"
+
+SSLCertificateChainFile /usr/local/etc/certificate/WebDAVServer/webdav/fullchain.pem
+
+#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
+#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
+
+#SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
+#SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
+
+
+SSLProtocol             all -SSLv3 -TLSv1 -TLSv1.1
+SSLCipherSuite          ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+SSLHonorCipherOrder     off

ansible/roles/acmedns_bouncer_updater/templates/acmedns_update.sh.j2

@@ -0,0 +1,40 @@
+#!/bin/sh
+set -eu
+
+export DO_AUTH_TOKEN={{ DO_AUTH_TOKEN  }}
+echoexec() { echo "Running: $*"; $*; }
+
+echoexec /usr/local/bin/wraplego.py \
+    --verbose \
+    --legodir "{{ acmedns_bouncer_updater_certificate_dir }}" \
+    --email "{{ acmedns_bouncer_updater_email }}" \
+    --domain "{{ acmedns_bouncer_updater_domain }}" \
+    --authenticator "digitalocean" \
+
+host="{{ acmedns_bouncer_updater_bouncer_user }}@{{ acmedns_bouncer_updater_bouncer_server }}"
+date=$(date +%Y%m%d)
+tmppath=/tmp/${date}-acme-update
+scp -r {{ acmedns_bouncer_updater_certificate_dir }}/certificates $host:$tmppath
+user="josiah"
+zncFolder="/mnt/volume_sfo2_znc"
+#
+# SSH to the remote server and install the certs:
+#
+
+echo "$(cat <<ENDSSH
+
+echo "$(cat <<ENDSUDO
+
+echo 'Copying files...'
+cd /mnt/volume_sfo2_znc/
+chown -R root:root "$tmppath"
+
+mv $tmppath/{{ acmedns_bouncer_updater_domain }}.crt $zncFolder/fullchain.pem
+mv $tmppath/{{ acmedns_bouncer_updater_domain }}.key $zncFolder/privkey.pem
+cat $zncFolder/{privkey,fullchain}.pem > $zncFolder/znc.pem
+chown systemd-timesync:systemd-journal znc.pem
+ENDSUDO
+)" | sudo su -
+
+ENDSSH
+)" | ssh $host

ansible/roles/acmedns_bouncer_updater/vars/main.yml

@@ -0,0 +1,6 @@
+---
+acmedns_bouncer_updater_cron_file: "acmedns_update_{{ acmedns_bouncer_updater_job_name }}"
+acmedns_bouncer_updater_certificate_dir: "{{ acmedns_bouncer_updater_cert_base }}/{{ acmedns_bouncer_updater_job_name }}"
+acmedns_bouncer_updater_renew_days: 20
+acmedns_bouncer_updater_script_path: /usr/local/bin/acmedns_update_{{ acmedns_bouncer_updater_job_name }}.sh
+

ansible/roles/acmedns_syno_updater/defaults/main.yml

@@ -1,2 +1,2 @@
 ---
-acmedns_syno_updater_runonce: true
+acmedns_syno_updater_runonce: false