jowj
/
adc
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add role for creating new certs for the IRC service.

Browse Source
master
josiah 3 years ago
parent b7d6493166
commit 2914fc16e4
10 changed files with 249 additions and 96 deletions
Show Stats Download Patch File Download Diff File

16
ansible/acme-all.yml
Unescape View File

@ -10,10 +10,22 @@
hosts: storage.home.jowj.net hosts: storage.home.jowj.net
remote_user: "{{ remote_user }}" remote_user: "{{ remote_user }}"
roles: roles:
- { name: acmedns_remote_host, tags: ['acmedns_remote_host'] } - { name: acmedns_remote_host, tags: ['acmedns_remote_host'] }
- name: Pull LE certs and copy them to Synology - name: Setup awful-1 to allow for remote cert copy
hosts: awful-1.awful.club
remote_user: "{{ remote_user }}"
roles:
- { name: acmedns_remote_host, tags: ['acmedns_remote_host'] }
- name: Pull LE certs and copy them to synology
hosts: larva.home.jowj.net hosts: larva.home.jowj.net
remote_user: "{{ remote_user }}" remote_user: "{{ remote_user }}"
roles: roles:
- { name: acmedns_syno_updater, tags: ['acmedns_syno_updater'] } - { name: acmedns_syno_updater, tags: ['acmedns_syno_updater'] }
- name: Pull LE certs and copy them to awful-1
hosts: larva.home.jowj.net
remote_user: "{{ remote_user }}"
roles:
- { name: acmedns_bouncer_updater, tags: ['acmedns_bouncer_updater'] }

15
ansible/group_vars/all/acmedns_stuff.yml
Unescape View File

@ -22,3 +22,18 @@ acmedns_syno_updater_syn_server: "{{ acmedns_syno_updater_domain }}"
acmedns_syno_updater_syn_server_pubkey: storage.home.jowj.net,192.168.1.221 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNFlSCsoeS1dPFipdZYqr+WY38XRwQLsDds9BuOiRz8k1Palyief8QPxdBNAR28qyJb2QPjqEFlNQ1hHUt/+WTI= acmedns_syno_updater_syn_server_pubkey: storage.home.jowj.net,192.168.1.221 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNFlSCsoeS1dPFipdZYqr+WY38XRwQLsDds9BuOiRz8k1Palyief8QPxdBNAR28qyJb2QPjqEFlNQ1hHUt/+WTI=
acmedns_syno_updater_pubkey: "{{ global_acmedns_ssh_client_pubkey }}" acmedns_syno_updater_pubkey: "{{ global_acmedns_ssh_client_pubkey }}"
acmedns_syno_updater_privkey: "{{ acmedns_base_privkey }}" acmedns_syno_updater_privkey: "{{ acmedns_base_privkey }}"
# ACME DNS bouncer updater stuff
acmedns_bouncer_updater_cert_base: "{{ acmedns_base_certificate_dir }}"
acmedns_bouncer_updater_user: "{{ acmedns_base_user }}"
acmedns_bouncer_updater_group: "{{ acmedns_base_group }}"
acmedns_bouncer_updater_job_name: bouncer
acmedns_bouncer_updater_email: admin@awful.club
acmedns_bouncer_updater_domain: bouncer.awful.club
acmedns_bouncer_updater_bouncer_user: josiah
acmedns_bouncer_updater_bouncer_server: "{{ acmedns_bouncer_updater_domain }}"
acmedns_bouncer_updater_bouncer_server_pubkey: bouncer.awful.club,134.209.53.112 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMMIBPq7YdH4ezm3C0ovvdA+ursckOBoG7VCaV9IiRbOryINoDNX6DRLFvwiXM9Uws3C/t5nAK6ApCnc7IBEeP8=
acmedns_bouncer_updater_pubkey: "{{ global_acmedns_ssh_client_pubkey }}"
acmedns_bouncer_updater_privkey: "{{ acmedns_base_privkey }}"

186
ansible/group_vars/all/vault.yml
Unescape View File

@ -1,94 +1,94 @@
$ANSIBLE_VAULT;1.1;AES256 $ANSIBLE_VAULT;1.1;AES256
62666263363832373133396163386664383736306334383964393732353332383663376230633738 37646362333463313538373433666337623238333436663038653934363462666661343436653862
3937623038613464313965343735353262313131303237650a663038663864613565363964353837 3839303733356638386166386662376535616639303966660a616137393162616163653233383637
34616630346662646464636261663631383864303561376636653035323263393338316535623535 30626266353833323837353031303463376461386630333063346335366162386563373633626436
3738343733373438660a623134333464356333353566653633376436633166366335373462613935 3135653362666563630a633832343962613336376636646161323632376333353634393661353232
36343236666332343434393764626466323537636331343163393935356132613439343232333238 66663134353464393137383836383961616532633638346565353165363830353664613361343038
31383134343363616136376235393064643165326137633334626633316264663133386333333265 65613437373339323562336435653239313561616330343536356561346137346539353231633133
62373765303163646364626534366531326131323131333137613437623236356530366333393631 61646131383462626531636233636666663030326635663431356266343734356661383637653161
37613065306336656362383931303831643462306336653038366535653465386465366363636438 62616330343266663032303335643662373238376665303037356633323563313632383833306266
37616237393336336136616663663661323739613035616538646236373338346138366639613164 66666364346531643732656666316534633737626262373436323462353832306561646333323135
63383637643662613236613663333962386632333335636462376338616138663364346339346639 34306563376639353164316636626431326437623634643933363966336564353835366438343761
32656262373236376530353832633439633031646535653064303932306432636430366166303234 66656535623636343861306638333739323437363831376638366130303930653035613237363834
34333262353735383938353563623462666137323962646136623131646537373738393637633161 31323433646464663131366234316233383337303762326335646331303535646464633736643361
62303839303763366362346236663837373637316663303836373037373934656663393134316635 37653133633963383539643861393265343362653863613634613634373334626136636466303263
61636138316561393337383464613562653434313338633931346436613663313234303438653264 62663336353637393230626536616466616665313938636537383239656234373136383432626237
39363035313630643361313530643834386564666136633631626434343634393833643863616633 32303263306636613766376466323461616634626466386130303533313434353866323166363737
61613436643937303965666337653333383166663836613761633331616632313137346665633838 62376263636536643931316361333461363033643932343632393735323736623334376164633266
64633934386338663931376636613266356566356230346337353765646431663938623032343562 62663137393738376237363965653932313934633365366630356264336165383238366465353237
62656337613334323962656361666336646430393837303364346130326665633037623331303664 64386639626132393563393632393162663266383765663031363262613366616261396133363737
33353530353335386531366162653763326137353131396338313738626263653136396564633763 35353033666533663138623861356231353762633731333966373965356633616132613837366236
64613839333561333365616135333637316535636163356433626363386137363262366266343866 31383530356539623065623466373033623662343333313234663536656337373231636166373138
35386239653339393738373964366163303230633931363465663939383237653338306237333730 66323933366238313437613239623761303861306132623763316537623133303538643061323735
31646536633564616263623130306666323736383466313438653862663635626531353336343161 30353333616437343666323866643539653965663439663331303066313435613330376630613031
63666264373739383237353862343238356635376539633465626162613262343633333038353161 31326333333831633833306130646664373930656261343033393732643536343061346634373939
31643439616335396434623439613263303562663761303035316661313364343361303134366436 65366433653562376231646665643666363336623836646364313938653063613334353266646166
35613638633235626632373264633462393839363162386562643738326664316130396362313539 63653732633037383033663762363133643534336231663439353938633561313061643933633761
34623234313634366662663461333166383333303433383233336232643463313266656438323338 30663765653932636365343133346336383638333631303133313262323365643464373862653538
34616239323562376438666439613936313965316463396566303032613165646334386564663561 37643639656131663962393839383334623439373238333036376566333334316136393934363661
31356132633539653831326234323136623538663039326666633166643761353539633337353738 31393731366236326464313035633234643165393262633336623062323061633762386332333730
32623265626132353665376635636266666664663231656461386339353438656565623135656231 38396435396338623662636636353437356161646634356266303961396566633336373238663765
39633966386566373631626138643032636338643634663462313432373339613364666365376432 33666632623432623339663763333730666634623233643066376331376532313835366637313461
30306365633534663331663135646131396261313832616235643335343964653434303735336263 36323535373330623834353634336462386235363933306565313636356639316439383566346233
33366165326266373036643236346235313164346265356132383131646538316139666164633136 62333330393937626666366334326334633434653839323461373536346364373438386339393330
35643862313264383062643965636537356238653730303866376634643938643932316439646539 66626132633065336366343563306431313262656437323834626136386439643133313336626463
64663234646634653331316130626433313764346435613833663938343430643365643837656338 32306661326533353764366335653435336162336661313533323034396130633033396266386664
32633561363431363164303366306166323434633734316436643663303432633564356461623562 64383466396132663765376530396562313864323831313731666431343937626331646463366230
65313332303262363636666266383465623463376132353839306536373735376162373363643430 66396666313730623137346166633266326263343533346135653066646465663262613438356632
39643738623933613836356363346630393264626461313036393837306537653861373639376432 66303233306361366635343364393137613231613635666365666634613036343764643736643435
30353461383166313537346566326136626230343933353738326534396461346239633364376530 37373065346661363164303463346433653564316236393534613363623735643534313539643964
35303737393238653266663939393531366539306665376561306530303536663965656136646534 62646263393130333962373764653139653664633734616535313365353065373030633137616363
30366539393161613766303239663531623136366361336539336432653564363131653666646635 38396538323063353636633166343364613564353963616663306635393563336432366563393064
61323231386661386638393433646536626264363234303036316330383636323462336565663136 33633762316163613833343439316434373635663032386630656637376138336366316536623565
61613636316432623437313235613232303066376235313735666166373266316232353331623836 35386661393366333538323235313065333934643133656436356261636430323061393738646335
62653536333239356330323633613537303161346337336564636566363332613333393630306435 38363461376362633363623135356133633836353961333164383061376665663065646161643138
62396439363061663362326539373765376234373833373363353731366230663630643633393431 35666434316131383536386338336633363337366632393633333932383034346662326436323565
32323863353765313034643331643331343532326139333637323434313765393431373364626635 31626138323832356634343030353762623062353261616163356433316537333663626433363631
30336232393366383764366635353236626538373963396364393561326230366437353433373137 61663863336466383135313333636430383436323665396234303462323138633137396233346462
31653363313562356532313839373464633262313363613562343864626161356461663437343361 31623434663363353530326337623736363939633465353838613438316365303666343161373031
65383238346337353434366165613239306264393433383239653534306432353432373530303336 36393536643433623034323038323266343030363563376665323538643634653438636336333361
34663264323761613966373639336433313761383361373563376331363030316364313039376233 36616537303362313237353635633962313331383938646665303238336331353039333230333635
38643761353865363631386239316134633265366266386432333462656263356365303831313533 66333863396461353666346262663936616564663762636534373963306665656131383863666535
62313136663865393864393965383566383430383064656139353630313166336536643363393361 65396436323565623937663861636162373039666563326531363939613130633464633133353737
32316436303561663061323531613633633664376331336261333364313533663830313435653735 38663438633566626337323739333836353534353932303366383266336631646633623637373532
66383763386437303432636332303333313238666135333633613430323935343938336432646331 66646230613834613733313533653062313166613039326634353562303566636439366237663031
63303138616634396432316466333430666663613734383532373030336437353763356632613034 66356438646537643132323536386132383838376433326266353635313031313965633132663032
36643936366538363061316465643065393236356566303239396566306132313634376233633839 34323333636132326133613833646462323534643330636534306634613964393230393930353532
37643730633735306635326665386532313832303139323235393636366336363138666161643965 63663831653430626634316130303538303439303133616563666531633835313434663863343061
31313834623461626237663934646234396236336432356332333063643238633766623561373930 64373233343862373934336663393433646538333338306536376639663961313735643634656239
30363263343161316236656665303835633130633636303139353661303262653235313932383433 38666431333334653832313932396264663436633332386233663937386132383630303430613637
66303639663963656364396233343632613033313233303134363064663766626238636532336461 37636333666563346332316138386639656631373739353131353635383639366431373563646361
34653139333331643762343466303261626131636466373766383334383137356336343636656331 36663839363635373465346366313039383137313162323432343837353934666634343538366664
63313839646634633434633233306334353661303762313333653436306663623138663862663030 31396235646463633361326239646539663561663838373937373763303430323634653264353731
35633265333563346364366261323764383030616134666665363963656365326135346265636263 64306239316433333033356437316135633336356366363436303133333139383131353032376666
39616230393537636363643439343634383166303838633334333865316562633133383363626339 37613430656564363163313835636165363636306637626532326564623736376663613636653735
32386161346365666533623737613464353436653331663636653533306263643464636133626236 32633861306131303231376439643139336231323463663830336339376265663866616238396462
66663564636661316333396263666130616434363638363438353165336633646563323064363334 33353530343635353662323162633665616435356633356264663037396561623566386338666163
30343931656234666137366262626135356461363132383133323935373963366562346361636431 33616236386164346262313235643639656538313964323964633730386134323764646535633032
61653334633132396363373537653531353265366564663565663866316139383564303735616134 62333032396562303665653866306136633061643363306531383430323339363432653166633264
30373933393730393830623732613936646565656237643966386162616565313963653831356138 36323932616332383938346664353935373532626430373234393433366565353161313732353662
63626432363833353065323037323434626130343265613839636436383166373130613431303635 62343462356135366433633131643062626365636331313362663634333130303631353466316664
36363439336661346262343134346536653566346434376136363666326434366535326631626137 34333331313834363833333530613737653762633265346163363438666262336162363262613430
62313134613637646664326137346132653532393536376435363265313936336534646662333937 38643437626565343133616437623131346566353936376265656137653461623366613862376434
37633731326238316436646630313661653535306637353138343965663030636132383735303264 66363439353239356434306333653738343434333936613233363136303838323730396634393364
63303231383634633232653961386339333633303630323162333936663433623937353132333536 66333462346539386434316534383735333331373935623863333336633337366439623330353335
31643037653163303930656132663966383635633839303632656161393831376330343764393366 66356166356265313739346136653135373736326432623464366466396363346330376339316530
39383038346232356338333437663665656633313264303062343263386464386138336432626132 31623431346639393863623439663436376634386634393263653233393161663232343061623236
30366563376630663761363632376435343430323333653736383432343131303737646433336237 63313965663037323565353432666662353839366132666135363632653337396436313039373231
34383461653230383863393466386238636666323034666233633730616364643832333437343538 64343063333532663837646461326530356137343036633338343836393638666461343130363332
64653330346435373830323931313961626163616439633164313161316233383662323466353636 35333631343262663233336330313839363866626537393838626466303965396165613535306261
33363534386336306633326335313361653562626135373733383666626662376264336130653862 63656636626432393332353534383938616234626439393037316236336564373261313131393133
38626235333434376439353338643138613532636534613233636663316431626366643639393265 64353636633333323935623864353033393838633939383937663437383336623034656535656266
33396362626564366337343731336565653636613333656236316561346438383961623363373765 62303633316466343163653737346633626231613435653330653266396462343538376230313132
65333161356630633263646532336463386439656134316465653565626133623865393265316534 35653766646430396664363635616530616235376235363261613535633831646162613337323631
39663930303230646639653738323763613836613135393166623366396137646333303131326337 37653333363234343436303235666265646337666534396335646663323633623066373861666563
37653563663338643436356434633536313661316235326432363538386631646662643935363864 33623166353563653965393538323663313334623937663030393262646436643132633738643334
61646635633538303631313935613361663961666439636533613138383262316232326131623234 31333337353562613432633834323439626266326333663338303039643533666362663636333837
37626339343266353732303039306630316466363333313336313865336564336636363863316539 33323337383030353039383963346534636232323032626434633264323438663039666162343134
65383933353066616333376330323931316563363331623236326663643138343335636463306536 61356536346563663837323031636261326665346331636136646261633438653839363563383433
63306334613736623862356330363063393238346134653537656330353133393964396163326661 65343435343461623639313034386334316661396664376537663136373465643166653636353031
62386161366137353263333033336239393730653639393231393733373339613061383363616639 30646231653537323837383161313234386338623237356431363833346263316530626430343766
37346637346637363631613432383633356231353035636335636134613764626638646262666235 38353030633933306461616264313166366231326432623832383864326134343939386333326363
64306439323762623133313035633962383237333231623963376636653535306536663764316337 62303763393665626362396132633830626434323737393364386531333263646465643234333635
31636438393130663833616336356666393439336364626464303637616331306161616662323132 39356436326239373932383238626439396339613438373761316132633065323332633539313233
3433 6566

2
ansible/roles/acmedns_bouncer_updater/defaults/main.yml
Unescape View File

@ -0,0 +1,2 @@
---
acmedns_bouncer_updater_runonce: false

2
ansible/roles/acmedns_bouncer_updater/meta/main.yml
Unescape View File

@ -0,0 +1,2 @@
---

58
ansible/roles/acmedns_bouncer_updater/tasks/main.yml
Unescape View File

@ -0,0 +1,58 @@
---
- name: Add bouncer server to known_hosts
known_hosts:
name: "{{ acmedns_bouncer_updater_bouncer_server }}"
key: "{{ acmedns_bouncer_updater_bouncer_server_pubkey }}"
become: yes
become_user: "{{ acmedns_bouncer_updater_user }}"
- name: Install script
template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: root
group: "{{ acmedns_bouncer_updater_group }}"
mode: "0750"
with_items:
- src: acmedns_update.sh.j2
dest: "{{ acmedns_bouncer_updater_script_path }}"
- name: Configure cronvar
cronvar:
name: "{{ item.name }}"
value: "{{ item.value }}"
cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
with_items:
- name: MAILTO
value: "{{ acmedns_bouncer_updater_email }}"
- name: Configure cronjob
cron:
name: "{{ acmedns_bouncer_updater_job_name }}"
day: "*"
hour: "3"
minute: "47"
job: "{{ acmedns_bouncer_updater_script_path }}"
user: "{{ acmedns_bouncer_updater_user }}"
cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
- name: Copy a new "httpd-ssl.conf-cipher" file into place
template: src=acmedns_httpd-ssl.conf-cipher dest=/etc/acmedns/certificates/storage/certificates/httpd-ssl.conf-cipher owner=root mode=0644
- name: Run wrapper script once
# Wrapper script passes --days, so this won't contact Let's Encrypt unless necessary
command: "{{ acmedns_bouncer_updater_script_path }}"
become: yes
become_user: "{{ acmedns_bouncer_updater_user }}"
when: acmedns_bouncer_updater_runonce|bool
- name: Allow all users to run wrapper script as our user
lineinfile:
path: /etc/sudoers.d/acmedns_{{ acmedns_bouncer_updater_job_name }}
line: "ALL ALL=({{ acmedns_bouncer_updater_user }}) NOPASSWD: {{ acmedns_bouncer_updater_script_path }}"
owner: root
group: root
mode: "0640"
create: yes
validate: visudo -cf %s

18
ansible/roles/acmedns_bouncer_updater/templates/acmedns_httpd-ssl.conf-cipher
Unescape View File

@ -0,0 +1,18 @@
AddType application/x-x509-ca-cert .crt
AddType application/x-pkcs7-crl .crl
SSLCertificateFile "/usr/local/etc/certificate/WebDAVServer/webdav/cert.pem"
SSLCertificateKeyFile "/usr/local/etc/certificate/WebDAVServer/webdav/privkey.pem"
SSLCertificateChainFile /usr/local/etc/certificate/WebDAVServer/webdav/fullchain.pem
#SSLCACertificatePath "/etc/httpd/conf/ssl.crt"
#SSLCACertificateFile "/etc/httpd/conf/ssl.crt/ca-bundle.crt"
#SSLCARevocationPath "/etc/httpd/conf/ssl.crl"
#SSLCARevocationFile "/etc/httpd/conf/ssl.crl/ca-bundle.crl"
SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1
SSLCipherSuite ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
SSLHonorCipherOrder off

40
ansible/roles/acmedns_bouncer_updater/templates/acmedns_update.sh.j2
Unescape View File

@ -0,0 +1,40 @@
#!/bin/sh
set -eu
export DO_AUTH_TOKEN={{ DO_AUTH_TOKEN }}
echoexec() { echo "Running: $*"; $*; }
echoexec /usr/local/bin/wraplego.py \
--verbose \
--legodir "{{ acmedns_bouncer_updater_certificate_dir }}" \
--email "{{ acmedns_bouncer_updater_email }}" \
--domain "{{ acmedns_bouncer_updater_domain }}" \
--authenticator "digitalocean" \
host="{{ acmedns_bouncer_updater_bouncer_user }}@{{ acmedns_bouncer_updater_bouncer_server }}"
date=$(date +%Y%m%d)
tmppath=/tmp/${date}-acme-update
scp -r {{ acmedns_bouncer_updater_certificate_dir }}/certificates $host:$tmppath
user="josiah"
zncFolder="/mnt/volume_sfo2_znc"
#
# SSH to the remote server and install the certs:
#
echo "$(cat <<ENDSSH
echo "$(cat <<ENDSUDO
echo 'Copying files...'
cd /mnt/volume_sfo2_znc/
chown -R root:root "$tmppath"
mv $tmppath/{{ acmedns_bouncer_updater_domain }}.crt $zncFolder/fullchain.pem
mv $tmppath/{{ acmedns_bouncer_updater_domain }}.key $zncFolder/privkey.pem
cat $zncFolder/{privkey,fullchain}.pem > $zncFolder/znc.pem
chown systemd-timesync:systemd-journal znc.pem
ENDSUDO
)" | sudo su -
ENDSSH
)" | ssh $host

6
ansible/roles/acmedns_bouncer_updater/vars/main.yml
Unescape View File

@ -0,0 +1,6 @@
---
acmedns_bouncer_updater_cron_file: "acmedns_update_{{ acmedns_bouncer_updater_job_name }}"
acmedns_bouncer_updater_certificate_dir: "{{ acmedns_bouncer_updater_cert_base }}/{{ acmedns_bouncer_updater_job_name }}"
acmedns_bouncer_updater_renew_days: 20
acmedns_bouncer_updater_script_path: /usr/local/bin/acmedns_update_{{ acmedns_bouncer_updater_job_name }}.sh

2
ansible/roles/acmedns_syno_updater/defaults/main.yml
Unescape View File

@ -1,2 +1,2 @@
--- ---
acmedns_syno_updater_runonce: true acmedns_syno_updater_runonce: false

Write Preview
Loading…
Cancel
Save