-rw-r--r-- | common.yml | 4 | ||||
-rw-r--r-- | roles/common-web/files/etc/nginx/snippets/ssl.conf | 4 | ||||
-rw-r--r-- | roles/lacme/files/etc/lacme/lacme.conf (renamed from roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf) | 26 | ||||
-rw-r--r-- | roles/lacme/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/lacme/tasks/main.yml | 37 | ||||
-rw-r--r-- | roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 (renamed from roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2) | 0 | ||||
-rw-r--r-- | roles/letsencrypt/handlers/main.yml | 2 | ||||
-rw-r--r-- | roles/letsencrypt/tasks/main.yml | 37 |
8 files changed, 57 insertions, 55 deletions
@@ -1,41 +1,43 @@ --- # XXX: This organization is unfortunate. As of Ansible 1.4, roles are # applied playbook by playbook and not globally for the whole inventory; # therefore if two playbooks are given the role 'common', the tasks # defined in 'common' would be run twice. # The quickfix to ensure that plays are role-disjoint is to create a # separate play for each role. Of course the downside is that we loose # (most of) the advantage of roles... - name: Common tasks hosts: all roles: - common - name: Let's Encrypt hosts: IMAP:MX:MSA:webmail:lists:wiki:git gather_facts: False roles: - - letsencrypt + - lacme tags: - letsencrypt + - lacme + - ACME - name: Common SQL tasks hosts: MDA:webmail:lists:bacula-dir gather_facts: False tags: mysql,sql roles: - common-SQL - name: Common LDAP tasks hosts: MDA:MSA:LDAP-provider:MX gather_facts: True tags: slapd,ldap roles: - common-LDAP - name: Configure the LDAP provider hosts: LDAP-provider gather_facts: False tags: slapd,ldap roles: diff --git a/roles/common-web/files/etc/nginx/snippets/ssl.conf b/roles/common-web/files/etc/nginx/snippets/ssl.conf index 4af4d53..4e2da6e 100644 --- a/roles/common-web/files/etc/nginx/snippets/ssl.conf +++ b/roles/common-web/files/etc/nginx/snippets/ssl.conf 
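Review bot: The newly added tag `ACME` breaks the lowercase convention every other tag in this file follows (`letsencrypt`, `lacme`, `mysql,sql`, `slapd,ldap`), and as far as I know Ansible matches tags case-sensitively, so `--tags acme` would not select this play while `--tags lacme` would. Suggest `- acme` next to the two lowercase tags. The play list continues past the end of this hunk.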
@@ -1,30 +1,30 @@ # https://wiki.mozilla.org/Security/Server_Side_TLS # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=nginx-1.6.2&openssl=1.0.1k&hsts=yes&profile=intermediate # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate -# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem +# ~$ cat /etc/nginx/ssl/srvcert.pem /usr/share/lacme/lets-encrypt-x3-cross-signed.pem | sudo tee /etc/nginx/ssl/srvcert.chained.pem ssl on; ssl_session_timeout 1d; ssl_session_cache shared:SSL:50m; ssl_session_tickets off; # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits ssl_dhparam /etc/ssl/dhparams.pem; # intermediate configuration. tweak to your needs. ssl_protocols TLSv1 TLSv1.1 TLSv1.2; ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS'; ssl_prefer_server_ciphers on; # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months) add_header Strict-Transport-Security 'max-age=15768000; includeSubdomains'; # OCSP Stapling: fetch OCSP records from URL in ssl_certificate and cache them # https://github.com/jsha/ocsp-stapling-examples/blob/master/nginx.conf ssl_stapling on; ssl_stapling_verify on; # verify chain of trust of OCSP response using Root CA and Intermediate certs 
-ssl_trusted_certificate /usr/share/letsencrypt-tiny/lets-encrypt-x3-cross-signed.pem; +ssl_trusted_certificate /usr/share/lacme/lets-encrypt-x3-cross-signed.pem; diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/lacme/files/etc/lacme/lacme.conf index fb19d2a..2956f1a 100644 --- a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf +++ b/roles/lacme/files/etc/lacme/lacme.conf 
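Review bot: The new `ssl_trusted_certificate /usr/share/lacme/lets-encrypt-x3-cross-signed.pem;` pins OCSP-response verification to one specific intermediate shipped by a package outside this role, while the comment directly above promises "Root CA and Intermediate certs". With `ssl_stapling_verify on`, a CA-side intermediate rotation (or a package update that renames the file) would, as far as I can tell, make nginx fail to verify the stapled response and stop stapling without the config changing. Consider pointing the directive at a chain file this role manages (the `cat … | sudo tee /etc/nginx/ssl/srvcert.chained.pem` comment in this hunk already builds one) or appending the root to it, and changing the comment to name which file must hold intermediate plus root.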
@@ -1,49 +1,49 @@ # For certificate issuance (new-cert command), specify the certificate # configuration file to use # -#config-certs = config/letsencrypt-certs.conf +#config-certs = config/lacme-certs.conf [client] -# The value of "socket" specifies the letsencrypt-accountd(1) -# UNIX-domain socket to connect to for signature requests from the ACME -# client. letsencrypt aborts if the socket is readable or writable by -# other users, or if its parent directory is writable by other users. -# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR -# environment variable is set. +# The value of "socket" specifies the lacme-accountd(1) UNIX-domain +# socket to connect to for signature requests from the ACME client. +# lacme(1) aborts if the socket is readable or writable by other users, +# or if its parent directory is writable by other users. +# Default: "$XDG_RUNTIME_DIR/S.lacme" if the XDG_RUNTIME_DIR environment +# variable is set. # -#socket = /run/user/1000/S.letsencrypt +#socket = /run/user/1000/S.lacme # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). # Default: "nobody". # -user = letsencrypt +user = lacme # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty (not recommended). # group = nogroup # Path to the ACME client executable. -#command = /usr/lib/letsencrypt-tiny/client +#command = /usr/lib/lacme/client # Root URI of the ACME server. NOTE: Use the staging server for testing # as it has relaxed ratelimit. # #server = https://acme-v01.api.letsencrypt.org/ #server = https://acme-staging.api.letsencrypt.org/ # Timeout in seconds after which the client stops polling the ACME # server and considers the request failed. # #timeout = 10 # Whether to verify the server certificate chain. 
SSL_verify = yes # Specify the version of the SSL protocol used to transmit data. SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 # Specify the cipher list for the connection. SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL @@ -58,29 +58,29 @@ SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL # If a webserver is already running, specify a non-existent directory # under which the webserver is configured to serve GET requests for # challenge files under "/.well-known/acme-challenge/" (for each virtual # hosts requiring authorization) as static files. # challenge-directory = /var/www/acme-challenge # username to drop privileges to (setting both effective and real uid). # Preserve root privileges if the value is empty (not recommended). # user = www-data # groupname to drop privileges to (setting both effective and real gid, # and also setting the list of supplementary gids to that single group). # Preserve root privileges if the value is empty (not recommended). # user = www-data # Path to the ACME webserver executable. -#command = /usr/lib/letsencrypt-tiny/webserver +#command = /usr/lib/lacme/webserver -# Whether to automatically install iptables(1) rules to open the +# Whether to automatically install iptables(8) rules to open the # ADDRESS[:PORT] specified with listen. Theses rules are automatically -# removed once letsencrypt exits. +# removed once lacme(1) exits. # #iptables = Yes ; vim:ft=dosini diff --git a/roles/lacme/handlers/main.yml b/roles/lacme/handlers/main.yml new file mode 100644 index 0000000..d97bf2d --- /dev/null +++ b/roles/lacme/handlers/main.yml @@ -0,0 +1,2 @@ +- name: Install lacme + apt: deb=/tmp/lacme_0.1-1_all.deb diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml new file mode 100644 index 0000000..4b95d4c --- /dev/null +++ b/roles/lacme/tasks/main.yml 
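Review bot: In the second hunk (`@@ -58,29`), the webserver section that follows `[client]` (its header falls between the two hunks) appears to set the privilege-drop keys as `user = www-data` twice, the second line sitting under the `# groupname to drop privileges to` comment, so no `group` is set there; by the file's own comment an empty value keeps root privileges for the real and effective gid, and Config::Tiny (libconfig-tiny-perl is installed by this role) keeps the last duplicate rather than erroring. The commit renames the product around this block but leaves it in place; the second line should read `group = www-data`, matching `group = nogroup` in `[client]`. The commented example `#iptables = Yes` also differs in casing from `SSL_verify = yes` a few lines up; lowercase `yes` would keep the file consistent.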
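Review bot: The handler installs `/tmp/lacme_0.1-1_all.deb` as root, and `/tmp` is world-writable: the `.deb` is staged there by the `Copy lacme` task in the new roles/lacme/tasks/main.yml hunk, is left behind after `flush_handlers`, and nothing checks its integrity before `apt` runs, so a local account that replaces the file gets its package installed as root on the next run. Stage it in a root-owned directory instead and set explicit ownership, e.g. `copy: src=deb/lacme_0.1-1_all.deb dest=/root/lacme_0.1-1_all.deb owner=root group=root mode=0644` with the handler reading `apt: deb=/root/lacme_0.1-1_all.deb`, and remove the file once installed. The version string is now hard-coded in both files; a role variable would keep them in sync.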
@@ -0,0 +1,37 @@
+- name: Install dependencies for lacme
+ apt: pkg={{ item }}
+ with_items:
+ - libjson-perl
+ - libjson-xs-perl
+ - libconfig-tiny-perl
+ - libwww-perl
+ - liblwp-protocol-https-perl
+ - libnet-ssleay-perl
+
+- name: Copy lacme
+ copy: src=deb/lacme_0.1-1_all.deb
+ dest=/tmp
+ notify: Install lacme
+
+- meta: flush_handlers
+
+- name: Create a user 'lacme'
+ user: name=lacme system=yes
+ group=nogroup
+ createhome=no
+ home=/nonexistent
+ shell=/usr/sbin/nologin
+ password=!
+ state=present
+
+- name: Copy lacme/lacme-certs.conf
+ copy: src=etc/lacme/lacme.conf
+ dest=/etc/lacme/lacme.conf
+ owner=root group=root
+ mode=0644
+
+- name: Copy lacme/lacme-certs.conf
+ template: src=etc/lacme/lacme-certs.conf.j2
+ dest=/etc/lacme/lacme-certs.conf
+ owner=root group=root
+ mode=0644
diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
index ca3415a..ca3415a 100644
--- a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml
deleted file mode 100644
index d9eed44..0000000
--- a/roles/letsencrypt/handlers/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
-- name: Install LetsEncrypt's ACME client
- apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
deleted file mode 100644
index c7ef7ef..0000000
--- a/roles/letsencrypt/tasks/main.yml
+++ /dev/null
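Review bot: The task that copies `etc/lacme/lacme.conf` is named `Copy lacme/lacme-certs.conf`, the same name as the template task right after it, so two tasks share one name and the first is mislabelled in play output and in `--start-at-task`; rename it `- name: Copy lacme/lacme.conf`. Staging the `.deb` in `/tmp` for the handler is covered in the note on the roles/lacme/handlers/main.yml hunk and applies to `Copy lacme` here as well.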
@@ -1,37 +0,0 @@
-- name: Install dependencies for letsencrypt-tiny
- apt: pkg={{ item }}
- with_items:
- - libjson-perl
- - libjson-xs-perl
- - libconfig-tiny-perl
- - libwww-perl
- - liblwp-protocol-https-perl
- - libnet-ssleay-perl
-
-- name: Copy LetsEncrypt's ACME client
- copy: src=deb/letsencrypt-tiny_0.1-1_all.deb
- dest=/tmp
- notify: Install LetsEncrypt's ACME client
-
-- meta: flush_handlers
-
-- name: Create a user 'letsencrypt'
- user: name=letsencrypt system=yes
- group=nogroup
- createhome=no
- home=/nonexistent
- shell=/usr/sbin/nologin
- password=!
- state=present
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- copy: src=etc/letsencrypt-tiny/letsencrypt.conf
- dest=/etc/letsencrypt-tiny/letsencrypt.conf
- owner=root group=root
- mode=0644
-
-- name: Copy letsencrypt-tiny/letsencrypt-certs.conf
- template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2
- dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf
- owner=root group=root
- mode=0644
|