summaryrefslogtreecommitdiffstats
path: root/roles
diff options
context:
space:
mode:
authorGuilhem Moulin <guilhem@fripost.org>2015-12-20 14:13:08 +0100
committerGuilhem Moulin <guilhem@fripost.org>2015-12-20 14:13:13 +0100
commitda2572ddb144086034eba1989ae909763e95c680 (patch)
treed3374338793592412ca1b10fb4fc20068a392c4e /roles
parent01e59771866559cc13a58800282617d04cb286a6 (diff)
Use the Let's Encrypt CA for our public certs.
Diffstat (limited to 'roles')
-rw-r--r--roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf2
-rw-r--r--roles/IMAP/tasks/imap.yml19
-rw-r--r--roles/MSA/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/MX/tasks/main.yml2
-rw-r--r--roles/MX/templates/etc/postfix/main.cf.j24
-rw-r--r--roles/common-web/files/etc/nginx/sites-available/default11
-rw-r--r--roles/common-web/files/etc/nginx/snippets/acme-challenge.conf4
-rw-r--r--roles/common-web/tasks/main.yml3
-rw-r--r--roles/common/handlers/main.yml3
-rw-r--r--roles/common/tasks/main.yml3
-rw-r--r--roles/git/files/etc/nginx/sites-available/git37
-rw-r--r--roles/git/tasks/cgit.yml20
-rw-r--r--roles/lists/files/etc/nginx/sites-available/sympa8
-rw-r--r--roles/lists/tasks/nginx.yml20
-rw-r--r--roles/webmail/files/etc/nginx/sites-available/roundcube13
-rw-r--r--roles/webmail/tasks/roundcube.yml20
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/website17
-rw-r--r--roles/wiki/files/etc/nginx/sites-available/wiki10
-rw-r--r--roles/wiki/tasks/main.yml24
19 files changed, 80 insertions, 144 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
index dc0b5bf..114388e 100644
--- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
+++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf
@@ -9,7 +9,7 @@ ssl = required
# dropping root privileges, so keep the key file unreadable by anyone but
# root. Included doc/mkcert.sh can be used to easily generate self-signed
# certificate, just make sure to update the domains in dovecot-openssl.cnf
-ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem
+ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem
ssl_key = </etc/dovecot/ssl/imap.fripost.org.key
# If key file is password protected, give the password here. Alternatively
diff --git a/roles/IMAP/tasks/imap.yml b/roles/IMAP/tasks/imap.yml
index ec1aaac..c9686c9 100644
--- a/roles/IMAP/tasks/imap.yml
+++ b/roles/IMAP/tasks/imap.yml
@@ -76,19 +76,6 @@
owner=root group=root
mode=0755
-- name: Generate a private key and a X.509 certificate for Dovecot
- command: genkeypair.sh x509
- --pubkey=/etc/dovecot/ssl/imap.fripost.org.pem
- --privkey=/etc/dovecot/ssl/imap.fripost.org.key
- --ou=IMAP --cn=imap.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Dovecot
- tags:
- - genkey
- name: Fetch Dovecot's X.509 certificate
# Ensure we don't fetch private data
@@ -105,7 +92,7 @@
dest=/etc/dovecot/{{ item }}
owner=root group=root
mode=0644
- register: r2
+ register: r1
with_items:
- conf.d/10-auth.conf
- conf.d/10-logging.conf
@@ -132,14 +119,14 @@
create=yes
owner=root group=root
mode=0644
- register: r3
+ register: r2
when: "'IMAP' in group_names and 'webmail' not in group_names"
notify:
- Restart Dovecot
- name: Start Dovecot
service: name=dovecot state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2
index efcebef..caba881 100644
--- a/roles/MSA/templates/etc/postfix/main.cf.j2
+++ b/roles/MSA/templates/etc/postfix/main.cf.j2
@@ -75,8 +75,8 @@ smtp_tls_fingerprint_digest = sha256
{% endif %}
smtpd_tls_security_level = encrypt
-smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem
-smtpd_tls_key_file = /etc/postfix/ssl/private/smtp.fripost.org.key
+smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.chained.pem
+smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
smtpd_tls_received_header = yes
diff --git a/roles/MX/tasks/main.yml b/roles/MX/tasks/main.yml
index da6923b..1b820e3 100644
--- a/roles/MX/tasks/main.yml
+++ b/roles/MX/tasks/main.yml
@@ -82,7 +82,7 @@
# Ensure we don't fetch private data
sudo: False
# `/usr/sbin/postmulti -i mx -x /usr/sbin/postconf -xh smtpd_tls_cert_file`
- fetch: src=/etc/ssl/certs/ssl-cert-snakeoil.pem
+ fetch: src=/etc/postfix/ssl/mx.fripost.org.pem
dest=certs/public/mx{{ mxno | default('') }}.fripost.org.pem
fail_on_missing=yes
flat=yes
diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2
index b9f7c09..0259538 100644
--- a/roles/MX/templates/etc/postfix/main.cf.j2
+++ b/roles/MX/templates/etc/postfix/main.cf.j2
@@ -93,8 +93,8 @@ smtp_tls_fingerprint_digest = sha256
smtpd_tls_security_level = may
smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5
-smtpd_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
-smtpd_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
+smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.chained.pem
+smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key
smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem
smtpd_tls_CApath = /etc/ssl/certs/
smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache
diff --git a/roles/common-web/files/etc/nginx/sites-available/default b/roles/common-web/files/etc/nginx/sites-available/default
new file mode 100644
index 0000000..6df1615
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/sites-available/default
@@ -0,0 +1,11 @@
+server {
+ listen 80 default_server;
+ listen [::]:80 default_server;
+
+ access_log /var/log/nginx/access.log;
+ error_log /var/log/nginx/error.log info;
+
+ # serve ACME challenges on all virtual hosts
+ # /!\ need to be served individually for each explicit virtual host as well!
+ include snippets/acme-challenge.conf;
+}
diff --git a/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
new file mode 100644
index 0000000..b2a856a
--- /dev/null
+++ b/roles/common-web/files/etc/nginx/snippets/acme-challenge.conf
@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+ alias /var/www/acme-challenge/;
+ default_type application/jose+json;
+}
diff --git a/roles/common-web/tasks/main.yml b/roles/common-web/tasks/main.yml
index c44e3a5..fb6bb2d 100644
--- a/roles/common-web/tasks/main.yml
+++ b/roles/common-web/tasks/main.yml
@@ -8,7 +8,7 @@
tags:
- logrotate
-- name: Copy fastcgi parameters and SSL configuration snippets
+- name: Copy fastcgi parameters, acme-challenge and SSL configuration snippets
copy: src=etc/nginx/snippets/{{ item }}
dest=/etc/nginx/snippets/{{ item }}
owner=root group=root
@@ -19,6 +19,7 @@
- fastcgi-php.conf
- fastcgi-php-ssl.conf
- ssl.conf
+ - acme-challenge.conf
notify:
- Restart Nginx
diff --git a/roles/common/handlers/main.yml b/roles/common/handlers/main.yml
index a852c4d..07047c7 100644
--- a/roles/common/handlers/main.yml
+++ b/roles/common/handlers/main.yml
@@ -52,3 +52,6 @@
- name: Restart freshclam
service: name=clamav-freshclam state=restarted
+
+- name: Install LetsEncrypt's ACME client
+ apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml
index 470a6b2..955493a 100644
--- a/roles/common/tasks/main.yml
+++ b/roles/common/tasks/main.yml
@@ -45,6 +45,9 @@
- rsync
- screen
- telnet-ssl
+ # for letencrypt
+ - liblwp-protocol-https-perl
+ - socat
# XXX: this is a workaround the CAcert root CAs not being present in
# Jessie. In stretch, we would merely install the 'ca-cacert' package.
diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git
index 67776de..afb5fca 100644
--- a/roles/git/files/etc/nginx/sites-available/git
+++ b/roles/git/files/etc/nginx/sites-available/git
@@ -4,42 +4,13 @@ server {
server_name git.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/git.access.log;
error_log /var/log/nginx/git.error.log info;
- location ^~ /static/ {
- alias /usr/share/cgit/;
- expires 30d;
- }
-
- # Bypass the CGI to return static files stored on disk. Try first repo with
- # a trailing '.git', then without.
- location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" {
- root /var/lib/gitolite/repositories;
- try_files /$1.git/objects/$2 /$1/objects/$2 =404;
- expires 30d;
- gzip off;
- # TODO honor git-daemon-export-ok
- }
-
- # disallow push over HTTP/HTTPS
- location ~* "^/[^/]+/git-receive-pack$" { return 403; }
-
- location ~* "^/[^/]+/(?:HEAD|info/refs|objects/info/[^/]+|git-upload-pack)$" {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_param GIT_PROJECT_ROOT /var/lib/gitolite/repositories;
- uwsgi_pass unix:/run/uwsgi/app/git-http-backend/socket;
- }
-
-
- # send all other URLs to cgit
location / {
- gzip off;
- include uwsgi_params;
- uwsgi_modifier1 9;
- uwsgi_pass unix:/run/uwsgi/app/cgit/socket;
+ return 301 https://$host$request_uri;
}
}
@@ -51,7 +22,7 @@ server {
server_name git.fripost.org;
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/git.fripost.org.pem;
+ ssl_certificate /etc/nginx/ssl/git.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key;
access_log /var/log/nginx/git.access.log;
diff --git a/roles/git/tasks/cgit.yml b/roles/git/tasks/cgit.yml
index 27e0554..7237aa9 100644
--- a/roles/git/tasks/cgit.yml
+++ b/roles/git/tasks/cgit.yml
@@ -72,26 +72,12 @@
- www-data
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/git.fripost.org.pem
- --privkey=/etc/nginx/ssl/git.fripost.org.key
- --ou=WWW --cn=git.fripost.org --dns=git.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/git
copy: src=etc/nginx/sites-available/git
dest=/etc/nginx/sites-available/git
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -100,13 +86,13 @@
dest=/etc/nginx/sites-enabled/git
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa
index ea0424f..5e469fa 100644
--- a/roles/lists/files/etc/nginx/sites-available/sympa
+++ b/roles/lists/files/etc/nginx/sites-available/sympa
@@ -4,10 +4,14 @@ server {
server_name lists.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/lists.access.log;
error_log /var/log/nginx/lists.error.log info;
- return 302 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -21,7 +25,7 @@ server {
error_log /var/log/nginx/lists.error.log info;
include snippets/ssl.conf;
- ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem;
+ ssl_certificate /etc/nginx/ssl/lists.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key;
location = / {
diff --git a/roles/lists/tasks/nginx.yml b/roles/lists/tasks/nginx.yml
index 4501d39..21e769a 100644
--- a/roles/lists/tasks/nginx.yml
+++ b/roles/lists/tasks/nginx.yml
@@ -1,26 +1,12 @@
- name: Install Nginx
apt: pkg=nginx
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/lists.fripost.org.pem
- --privkey=/etc/nginx/ssl/lists.fripost.org.key
- --ou=WWW --cn=lists.fripost.org --dns=lists.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/sympa
copy: src=etc/nginx/sites-available/sympa
dest=/etc/nginx/sites-available/sympa
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -29,13 +15,13 @@
dest=/etc/nginx/sites-enabled/sympa
owner=root group=root
state=link
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube
index 1297834..df10be9 100644
--- a/roles/webmail/files/etc/nginx/sites-available/roundcube
+++ b/roles/webmail/files/etc/nginx/sites-available/roundcube
@@ -3,12 +3,17 @@ server {
listen 80;
listen [::]:80;
- server_name mail.fripost.org;
+ server_name mail.fripost.org;
+ server_name webmail.fripost.org;
+
+ include snippets/acme-challenge.conf;
access_log /var/log/nginx/roundcube.access.log;
error_log /var/log/nginx/roundcube.error.log info;
- return 301 https://$host$request_uri;
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -16,7 +21,9 @@ server {
listen 443;
listen [::]:443;
- server_name mail.fripost.org;
+ server_name mail.fripost.org;
+ server_name webmail.fripost.org;
+
root /var/lib/roundcube;
include snippets/ssl.conf;
diff --git a/roles/webmail/tasks/roundcube.yml b/roles/webmail/tasks/roundcube.yml
index ed6a3b4..3eaf766 100644
--- a/roles/webmail/tasks/roundcube.yml
+++ b/roles/webmail/tasks/roundcube.yml
@@ -103,26 +103,12 @@
- name: Start php5-fpm
service: name=php5-fpm state=started
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/mail.fripost.org.pem
- --privkey=/etc/nginx/ssl/mail.fripost.org.key
- --ou=WWW --cn=mail.fripost.org --dns=mail.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/roundcube
copy: src=etc/nginx/sites-available/roundcube
dest=/etc/nginx/sites-available/roundcube
owner=root group=root
mode=0644
- register: r2
+ register: r1
notify:
- Restart Nginx
@@ -131,13 +117,13 @@
dest=/etc/nginx/sites-enabled/roundcube
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
notify:
- Restart Nginx
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website
index 3e32158..2519286 100644
--- a/roles/wiki/files/etc/nginx/sites-available/website
+++ b/roles/wiki/files/etc/nginx/sites-available/website
@@ -5,10 +5,14 @@ server {
server_name fripost.org;
server_name www.fripost.org;
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log info;
+ include snippets/acme-challenge.conf;
- return 301 https://fripost.org$request_uri;
+ access_log /var/log/nginx/www.access.log;
+ error_log /var/log/nginx/www.error.log info;
+
+ location / {
+ return 301 https://$host$request_uri;
+ }
}
@@ -16,14 +20,15 @@ server {
listen 443;
listen [::]:443;
- server_name fripost.org;
+ server_name fripost.org;
+ server_name www.fripost.org;
include snippets/ssl.conf;
ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem;
ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key;
- access_log /var/log/nginx/access.log;
- error_log /var/log/nginx/error.log info;
+ access_log /var/log/nginx/www.access.log;
+ error_log /var/log/nginx/www.error.log info;
location / {
try_files $uri $uri/ =404;
diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki
index 3777b87..2855e07 100644
--- a/roles/wiki/files/etc/nginx/sites-available/wiki
+++ b/roles/wiki/files/etc/nginx/sites-available/wiki
@@ -4,18 +4,14 @@ server {
server_name wiki.fripost.org;
+ include snippets/acme-challenge.conf;
+
access_log /var/log/nginx/wiki.access.log;
error_log /var/log/nginx/wiki.error.log info;
location / {
location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; }
- try_files $uri $uri/ =404;
- index index.html;
- root /var/lib/ikiwiki/public_html/fripost-wiki;
- }
-
- location = /ikiwiki.cgi {
- return 302 https://$host$request_uri;
+ return 301 https://$host$request_uri;
}
}
diff --git a/roles/wiki/tasks/main.yml b/roles/wiki/tasks/main.yml
index 22a5831..763f99a 100644
--- a/roles/wiki/tasks/main.yml
+++ b/roles/wiki/tasks/main.yml
@@ -65,26 +65,12 @@
- meta: flush_handlers
-- name: Generate a private key and a X.509 certificate for Nginx
- command: genkeypair.sh x509
- --pubkey=/etc/nginx/ssl/fripost.org.pem
- --privkey=/etc/nginx/ssl/fripost.org.key
- --ou=WWW --cn=fripost.org --dns=fripost.org --dns=wiki.fripost.org
- -t rsa -b 4096 -h sha512
- register: r1
- changed_when: r1.rc == 0
- failed_when: r1.rc > 1
- notify:
- - Restart Nginx
- tags:
- - genkey
-
- name: Copy /etc/nginx/sites-available/{wiki,website}
copy: src=etc/nginx/sites-available/{{ item }}
dest=/etc/nginx/sites-available/{{ item }}
owner=root group=root
mode=0644
- register: r2
+ register: r1
with_items:
- website
- wiki
@@ -96,7 +82,7 @@
dest=/etc/nginx/sites-enabled/{{ item }}
owner=root group=root
state=link force=yes
- register: r3
+ register: r2
with_items:
- website
- wiki
@@ -105,15 +91,15 @@
- name: Start Nginx
service: name=nginx state=started
- when: not (r1.changed or r2.changed or r3.changed)
+ when: not (r1.changed or r2.changed)
- meta: flush_handlers
- name: Fetch Nginx's X.509 certificate
# Ensure we don't fetch private data
sudo: False
- fetch: src=/etc/nginx/ssl/fripost.org.pem
- dest=certs/public/
+ fetch: src=/etc/nginx/ssl/www.fripost.org.pem
+ dest=certs/public/fripost.org.pem
fail_on_missing=yes
flat=yes
tags: