summaryrefslogtreecommitdiffstats
path: root/roles/lacme
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2016-06-15 18:00:57 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-15 18:00:57 +0200
commit97e78349145156ca6565ee5b2af54983a6fdd3a6 (patch)
treeb5eb26c93c323425d8a8a008ef1f7750f61e1ded /roles/lacme
parentbf6d69d38578245302525395f5f53ac40f441f0c (diff)
Rename letsencrypt-tiny to lacme.
Diffstat (limited to 'roles/lacme')
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf86
-rw-r--r--roles/lacme/handlers/main.yml2
-rw-r--r--roles/lacme/tasks/main.yml37
-rw-r--r--roles/lacme/templates/etc/lacme/lacme-certs.conf.j263
4 files changed, 188 insertions, 0 deletions
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
new file mode 100644
index 0000000..2956f1a
--- /dev/null
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -0,0 +1,86 @@
+# For certificate issuance (new-cert command), specify the certificate
+# configuration file to use
+#
+#config-certs = config/lacme-certs.conf
+
+[client]
+# The value of "socket" specifies the lacme-accountd(1) UNIX-domain
+# socket to connect to for signature requests from the ACME client.
+# lacme(1) aborts if the socket is readable or writable by other users,
+# or if its parent directory is writable by other users.
+# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment
+# variable is set.
+#
+#socket = /run/user/1000/S.lacme
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+# Default: "nobody".
+#
+user = lacme
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+group = nogroup
+
+# Path to the ACME client executable.
+#command = /usr/lib/lacme/client
+
+# Root URI of the ACME server. NOTE: Use the staging server for testing
+# as it has relaxed ratelimit.
+#
+#server = https://acme-v01.api.letsencrypt.org/
+#server = https://acme-staging.api.letsencrypt.org/
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 10
+
+# Whether to verify the server certificate chain.
+SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Specify the local address to listen on, in the form ADDRESS[:PORT].
+#
+#listen = 0.0.0.0:80
+#listen = [::]:80
+
+# If a webserver is already running, specify a non-existent directory
+# under which the webserver is configured to serve GET requests for
+# challenge files under "/.well-known/acme-challenge/" (for each virtual
+# hosts requiring authorization) as static files.
+#
+challenge-directory = /var/www/acme-challenge
+
+# username to drop privileges to (setting both effective and real uid).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Preserve root privileges if the value is empty (not recommended).
+#
+user = www-data
+
+# Path to the ACME webserver executable.
+#command = /usr/lib/lacme/webserver
+
+# Whether to automatically install iptables(8) rules to open the
+# ADDRESS[:PORT] specified with listen. Theses rules are automatically
+# removed once lacme(1) exits.
+#
+#iptables = Yes
+
+; vim:ft=dosini
diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml
new file mode 100644
index 0000000..d97bf2d
--- /dev/null
+++ b/roles/lacme/handlers/main.yml
@@ -0,0 +1,2 @@
+- name: Install lacme
+ apt: deb=/tmp/lacme_0.1-1_all.deb
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
new file mode 100644
index 0000000..4b95d4c
--- /dev/null
+++ b/roles/lacme/tasks/main.yml
@@ -0,0 +1,37 @@
+- name: Install dependencies for lacme
+ apt: pkg={{ item }}
+ with_items:
+ - libjson-perl
+ - libjson-xs-perl
+ - libconfig-tiny-perl
+ - libwww-perl
+ - liblwp-protocol-https-perl
+ - libnet-ssleay-perl
+
+- name: Copy lacme
+ copy: src=deb/lacme_0.1-1_all.deb
+ dest=/tmp
+ notify: Install lacme
+
+- meta: flush_handlers
+
+- name: Create a user 'lacme'
+ user: name=lacme system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Copy lacme/lacme-certs.conf
+ copy: src=etc/lacme/lacme.conf
+ dest=/etc/lacme/lacme.conf
+ owner=root group=root
+ mode=0644
+
+- name: Copy lacme/lacme-certs.conf
+ template: src=etc/lacme/lacme-certs.conf.j2
+ dest=/etc/lacme/lacme-certs.conf
+ owner=root group=root
+ mode=0644
diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
new file mode 100644
index 0000000..ca3415a
--- /dev/null
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
@@ -0,0 +1,63 @@
+hash = sha512
+keyusage = digitalSignature, keyEncipherment
+
+{% if 'IMAP' in group_names %}
+[imap]
+certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
+certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
+subject = /O=Fripost/CN=imap.fripost.org
+subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
+notify = /bin/systemctl restart dovecot
+{% endif %}
+
+{% if 'MSA' in group_names %}
+[smtp]
+certificate-key = /etc/postfix/ssl/smtp.fripost.org.key
+certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem
+subject = /O=Fripost/CN=smtp.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'MX' in group_names %}
+[mx]
+certificate-key = /etc/postfix/ssl/mx.fripost.org.key
+certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem
+subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'lists' in group_names %}
+[lists]
+certificate-key = /etc/nginx/ssl/lists.fripost.org.key
+certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
+subject = /O=Fripost/CN=lists.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'wiki' in group_names %}
+[www]
+certificate-key = /etc/nginx/ssl/www.fripost.org.key
+certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
+subject = /O=Fripost/CN=fripost.org
+subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'webmail' in group_names %}
+[webmail]
+certificate-key = /etc/nginx/ssl/mail.fripost.org.key
+certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
+subject = /O=Fripost/CN=mail.fripost.org
+subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'git' in group_names %}
+[git]
+certificate-key = /etc/nginx/ssl/git.fripost.org.key
+certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
+subject = /O=Fripost/CN=git.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+; vim:ft=dosini