diff options
Diffstat (limited to 'roles/common')
| -rwxr-xr-x | roles/common/files/usr/local/bin/gendhparam.sh | 13 | ||||
| -rwxr-xr-x | roles/common/files/usr/local/bin/genkeypair.sh | 4 | ||||
| -rw-r--r-- | roles/common/tasks/main.yml | 12 |
3 files changed, 24 insertions, 5 deletions
diff --git a/roles/common/files/usr/local/bin/gendhparam.sh b/roles/common/files/usr/local/bin/gendhparam.sh new file mode 100755 index 0000000..074986b --- /dev/null +++ b/roles/common/files/usr/local/bin/gendhparam.sh @@ -0,0 +1,13 @@ +#!/bin/sh + +set -ue +PATH=/usr/bin:/bin + +privkey="$1" +bits="${2:-2048}" +rand= + +mv -f "$(mktemp)" "$privkey" +chmod og-rwx "$privkey" + +openssl dhparam -rand "${rand:-/dev/urandom}" "$bits" >"$privkey" diff --git a/roles/common/files/usr/local/bin/genkeypair.sh b/roles/common/files/usr/local/bin/genkeypair.sh index d6539e2..982c1d9 100755 --- a/roles/common/files/usr/local/bin/genkeypair.sh +++ b/roles/common/files/usr/local/bin/genkeypair.sh @@ -20,40 +20,41 @@ # along with this program. If not, see <http://www.gnu.org/licenses/>. set -ue PATH=/usr/bin:/bin # Default values type=rsa bits= hash= force=0 config= pubkey=pubkey.pem privkey=privkey.pem dns= ou= cn= usage= chmod= chown= +rand= usage() { cat >&2 <<- EOF Usage: $0 command [OPTIONS] Command: x509: generate a self-signed X.509 server certificate csr: generate a Certificate Signing Request dkim: generate a private key (to use for DKIM signing) Options: -t type: key type (default: rsa) -b bits: key length or EC curve (default: 2048 for RSA, 1024 for DSA, secp224r1 for ECDSA) -h digest: digest algorithm --ou: organizational Unit Name; can be repeated --cn: common Name (default: \$(hostname --fqdn) --dns: hostname for AltName; can be repeated -f: force; can be repeated (0: don't overwrite, default; 1: reuse private key if it exists; 2: overwrite both keys if they exist) @@ -106,41 +107,40 @@ while [ $# -gt 0 ]; do --cn=?*) cn="${1#--cn=}";; --ou=?*) ou="${ou:+$ou\n}$nou.organizationalUnitName = ${1#--ou=}" nou=$(( 1 + $nou ));; -f) force=$(( 1 + $force ));; --pubkey=?*) pubkey="${1#--pubkey=}";; --privkey=?*) privkey="${1#--privkey=}";; --usage=?*) usage="${usage:+$usage,}${1#--usage=}";; --config=?*) dns="${1#--config=}";; --chmod=?*) chmod="${1#--chmod=}";; --chown=?*) chown="${1#--chown=}";; --help) usage; exit;; *) echo "Unrecognized argument: $1" >&2; exit 2 esac shift; done -rand=/dev/urandom case "$type" in # XXX: genrsa and dsaparam have been deprecated in favor of genpkey. # genpkey can also create explicit EC parameters, but not named. rsa) genkey=genrsa; genkeyargs="-f4 ${bits:-2048}";; dsa) genkey=dsaparam; genkeyargs="-noout -genkey ${bits:-1024}";; # See 'openssl ecparam -list_curves' for the list of supported # curves. StrongSwan doesn't support explicit curve parameters # (however explicit parameters might be required to make exotic # curves work with some clients.) ecdsa) genkey=ecparam genkeyargs="-noout -name ${bits:-secp224r1} -param_enc named_curve -genkey";; *) echo "Unrecognized key type: $type" >&2; exit 2 esac if [ "$cmd" = x509 -o "$cmd" = csr ]; then case "$hash" in md5|rmd160|sha1|sha224|sha256|sha384|sha512|'') ;; *) echo "Invalid digest algorithm: $hash" >&2; exit 2; esac @@ -167,33 +167,33 @@ if [ -z "$config" -a \( "$cmd" = x509 -o "$cmd" = csr \) ]; then $(echo "$ou") commonName = $cn [ v3_req ] subjectAltName = email:admin@fripost.org${dns:+, $dns} basicConstraints = critical, CA:FALSE # https://security.stackexchange.com/questions/24106/which-key-usages-are-required-by-each-key-exchange-method keyUsage = critical, ${usage:-digitalSignature, keyEncipherment, keyCertSign} EOF fi if [ -s "$privkey" -a $force -eq 0 ]; then echo "Error: private key exists: $privkey" >&2 [ "$cmd" = dkim ] && dkiminfo exit 1 elif [ ! -s "$privkey" -o $force -ge 2 ]; then # Ensure "$privkey" is created with umask 0077 mv -f "$(mktemp)" "$privkey" || exit 2 chmod "${chmod:-og-rwx}" "$privkey" || exit 2 [ -z "$chown" ] || chown "$chown" "$privkey" || exit 2 - openssl $genkey -rand /dev/urandom $genkeyargs >"$privkey" || exit 2 + openssl $genkey -rand "${rand:-/dev/urandom}" $genkeyargs >"$privkey" || exit 2 [ "$cmd" = dkim ] && { dkiminfo; exit; } fi if [ "$cmd" = x509 -o "$cmd" = csr ]; then if [ -s "$pubkey" -a $force -eq 0 ]; then echo "Error: public key exists: $pubkey" >&2 exit 1 else [ "$cmd" = x509 ] && x509=-x509 || x509= openssl req -config "$config" -new $x509 ${hash:+-$hash} -days 3650 -key "$privkey" >"$pubkey" || exit 2 fi fi diff --git a/roles/common/tasks/main.yml b/roles/common/tasks/main.yml index 3b3c0a5..4e85d0a 100644 --- a/roles/common/tasks/main.yml +++ b/roles/common/tasks/main.yml @@ -1,39 +1,45 @@ --- - include: sysctl.yml tags=sysctl - include: hosts.yml - include: apt.yml tags=apt - name: Install intel-microcode apt: pkg=intel-microcode when: "ansible_processor[0] | search('^Intel.*') and not (ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen')" tags: intel - include: firewall.yml tags=firewall,iptables - include: samhain.yml tags=samhain - include: auditd.yml tags=auditd - include: rkhunter.yml tags=rkhunter - include: clamav.yml tags=clamav - include: fail2ban.yml tags=fail2ban - include: smart.yml tags=smartmontools,smart when: "not ((ansible_virtualization_role == 'guest' and ansible_virtualization_type == 'xen') or ansible_system_vendor == 'QEMU')" - include: haveged.yml tags=haveged,entropy -- name: Copy genkeypair.sh - copy: src=usr/local/bin/genkeypair.sh - dest=/usr/local/bin/genkeypair.sh +- name: Copy genkeypair.sh and gendhparam.sh + copy: src=usr/local/bin/{{ item }} + dest=/usr/local/bin/{{ item }} owner=root group=root mode=0755 tags: genkey + with_items: + - genkeypair.sh + - gendhparam.sh +- name: Generate DH parameters + command: gendhparam.sh /etc/ssl/private/dhparams.pem creates=/etc/ssl/private/dhparams.pem + tags: genkey - include: logging.yml tags=logging - include: ntp.yml tags=ntp - include: mail.yml tags=mail,postfix - name: Install common packages apt: pkg={{ item }} with_items: - ca-certificates - etckeeper - ethtool - git - htop - molly-guard - rsync - screen - telnet-ssl |