diff options
Diffstat (limited to 'roles')
| -rw-r--r-- | roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf | 2 | ||||
| -rw-r--r-- | roles/MSA/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/MX/templates/etc/postfix/main.cf.j2 | 2 | ||||
| -rw-r--r-- | roles/git/files/etc/nginx/sites-available/git | 2 | ||||
| -rw-r--r-- | roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf | 86 | ||||
| -rw-r--r-- | roles/letsencrypt/handlers/main.yml | 2 | ||||
| -rw-r--r-- | roles/letsencrypt/tasks/main.yml | 37 | ||||
| -rw-r--r-- | roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 | 63 | ||||
| -rw-r--r-- | roles/lists/files/etc/nginx/sites-available/sympa | 2 | ||||
| -rw-r--r-- | roles/webmail/files/etc/nginx/sites-available/roundcube | 2 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/website | 2 | ||||
| -rw-r--r-- | roles/wiki/files/etc/nginx/sites-available/wiki | 2 |
12 files changed, 196 insertions, 8 deletions
diff --git a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf index 114388e..dc0b5bf 100644 --- a/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf +++ b/roles/IMAP/files/etc/dovecot/conf.d/10-ssl.conf @@ -1,32 +1,32 @@ ## ## SSL settings ## # SSL/TLS support: yes, no, required. <doc/wiki/SSL.txt> ssl = required # PEM encoded X.509 SSL/TLS certificate and private key. They're opened before # dropping root privileges, so keep the key file unreadable by anyone but # root. Included doc/mkcert.sh can be used to easily generate self-signed # certificate, just make sure to update the domains in dovecot-openssl.cnf -ssl_cert = </etc/dovecot/ssl/imap.fripost.org.chained.pem +ssl_cert = </etc/dovecot/ssl/imap.fripost.org.pem ssl_key = </etc/dovecot/ssl/imap.fripost.org.key # If key file is password protected, give the password here. Alternatively # give it when starting dovecot with -p parameter. Since this file is often # world-readable, you may want to place this setting instead to a different # root owned 0600 file by using ssl_key_password = <path. #ssl_key_password = # PEM encoded trusted certificate authority. Set this only if you intend to use # ssl_verify_client_cert=yes. The file should contain the CA certificate(s) # followed by the matching CRL(s). (e.g. ssl_ca = </etc/ssl/certs/ca.pem) #ssl_ca = # Require that CRL check succeeds for client certificates. #ssl_require_crl = yes # Directory and/or file for trusted SSL CA certificates. These are used only # when Dovecot needs to act as an SSL client (e.g. imapc backend). The # directory is usually /etc/ssl/certs in Debian-based systems and the file is # /etc/pki/tls/cert.pem in RedHat-based systems. diff --git a/roles/MSA/templates/etc/postfix/main.cf.j2 b/roles/MSA/templates/etc/postfix/main.cf.j2 index caba881..24b83c6 100644 --- a/roles/MSA/templates/etc/postfix/main.cf.j2 +++ b/roles/MSA/templates/etc/postfix/main.cf.j2 @@ -58,41 +58,41 @@ smtp_data_done_timeout = 1200s # Anonymize the (authenticated) sender; pass the mail to the antivirus header_checks = pcre:$config_directory/anonymize_sender.pcre #content_filter = amavisfeed:unix:public/amavisfeed-antivirus # TLS {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = encrypt -smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.chained.pem +smtpd_tls_cert_file = /etc/postfix/ssl/smtp.fripost.org.pem smtpd_tls_key_file = /etc/postfix/ssl/smtp.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # SASL smtpd_sasl_auth_enable = yes smtpd_sasl_authenticated_header = no smtpd_sasl_local_domain = smtpd_sasl_exceptions_networks = $mynetworks smtpd_sasl_security_options = noanonymous, noplaintext smtpd_sasl_tls_security_options = noanonymous broken_sasl_auth_clients = yes smtpd_sasl_type = dovecot smtpd_sasl_path = unix:private/dovecot-auth strict_rfc821_envelopes = yes smtpd_delay_reject = yes diff --git a/roles/MX/templates/etc/postfix/main.cf.j2 b/roles/MX/templates/etc/postfix/main.cf.j2 index 0259538..a9e7ee4 100644 --- a/roles/MX/templates/etc/postfix/main.cf.j2 +++ b/roles/MX/templates/etc/postfix/main.cf.j2 @@ -76,41 +76,41 @@ smtp_send_xforward_command = yes smtp_destination_recipient_limit = 1000 reserved-alias_destination_recipient_limit = 1 # Tolerate occasional high latency smtp_data_done_timeout = 1200s {% if 'out' in group_names %} smtp_tls_security_level = none smtp_bind_address = 127.0.0.1 {% else %} smtp_tls_security_level = encrypt smtp_tls_cert_file = /etc/postfix/ssl/{{ ansible_fqdn }}.pem smtp_tls_key_file = /etc/postfix/ssl/{{ ansible_fqdn }}.key smtp_tls_session_cache_database = btree:$data_directory/smtp_tls_session_cache smtp_tls_policy_maps = cdb:/etc/postfix/tls_policy smtp_tls_fingerprint_digest = sha256 {% endif %} smtpd_tls_security_level = may smtpd_tls_exclude_ciphers = EXPORT, LOW, MEDIUM, aNULL, eNULL, DES, RC4, MD5 -smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.chained.pem +smtpd_tls_cert_file = /etc/postfix/ssl/mx.fripost.org.pem smtpd_tls_key_file = /etc/postfix/ssl/mx.fripost.org.key smtpd_tls_dh1024_param_file = /etc/ssl/private/dhparams.pem smtpd_tls_CApath = /etc/ssl/certs/ smtpd_tls_session_cache_database= btree:$data_directory/smtpd_tls_session_cache smtpd_tls_received_header = yes smtpd_tls_ask_ccert = yes # http://en.linuxreviews.org/HOWTO_Stop_spam_using_Postfix # http://www.howtoforge.com/block_spam_at_mta_level_postfix strict_rfc821_envelopes = yes smtpd_delay_reject = yes disable_vrfy_command = yes # UCE control invalid_hostname_reject_code = 554 multi_recipient_bounce_reject_code = 554 non_fqdn_reject_code = 554 relay_domains_reject_code = 554 diff --git a/roles/git/files/etc/nginx/sites-available/git b/roles/git/files/etc/nginx/sites-available/git index afb5fca..a78ef3f 100644 --- a/roles/git/files/etc/nginx/sites-available/git +++ b/roles/git/files/etc/nginx/sites-available/git @@ -5,41 +5,41 @@ server { server_name git.fripost.org; include snippets/acme-challenge.conf; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name git.fripost.org; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/git.fripost.org.chained.pem; + ssl_certificate /etc/nginx/ssl/git.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/git.fripost.org.key; access_log /var/log/nginx/git.access.log; error_log /var/log/nginx/git.error.log info; location ^~ /static/ { alias /usr/share/cgit/; expires 30d; } # Bypass the CGI to return static files stored on disk. Try first repo with # a trailing '.git', then without. location ~* "^/((?U)[^/]+)(?:\.git)?/objects/(?:[0-9a-f]{2}/[0-9a-f]{38}|pack/pack-[0-9a-f]{40}\.(?:pack|idx))$" { root /var/lib/gitolite/repositories; try_files /$1.git/objects/$2 /$1/objects/$2 =404; expires 30d; gzip off; # TODO honor git-daemon-export-ok } diff --git a/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf new file mode 100644 index 0000000..fb19d2a --- /dev/null +++ b/roles/letsencrypt/files/etc/letsencrypt-tiny/letsencrypt.conf @@ -0,0 +1,86 @@ +# For certificate issuance (new-cert command), specify the certificate +# configuration file to use +# +#config-certs = config/letsencrypt-certs.conf + +[client] +# The value of "socket" specifies the letsencrypt-accountd(1) +# UNIX-domain socket to connect to for signature requests from the ACME +# client. letsencrypt aborts if the socket is readable or writable by +# other users, or if its parent directory is writable by other users. +# Default: "$XDG_RUNTIME_DIR/S.letsencrypt" if the XDG_RUNTIME_DIR +# environment variable is set. +# +#socket = /run/user/1000/S.letsencrypt + +# username to drop privileges to (setting both effective and real uid). +# Preserve root privileges if the value is empty (not recommended). +# Default: "nobody". +# +user = letsencrypt + +# groupname to drop privileges to (setting both effective and real gid, +# and also setting the list of supplementary gids to that single group). +# Preserve root privileges if the value is empty (not recommended). +# +group = nogroup + +# Path to the ACME client executable. +#command = /usr/lib/letsencrypt-tiny/client + +# Root URI of the ACME server. NOTE: Use the staging server for testing +# as it has relaxed ratelimit. +# +#server = https://acme-v01.api.letsencrypt.org/ +#server = https://acme-staging.api.letsencrypt.org/ + +# Timeout in seconds after which the client stops polling the ACME +# server and considers the request failed. +# +#timeout = 10 + +# Whether to verify the server certificate chain. +SSL_verify = yes + +# Specify the version of the SSL protocol used to transmit data. +SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2 + +# Specify the cipher list for the connection. +SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL + + +[webserver] + +# Specify the local address to listen on, in the form ADDRESS[:PORT]. +# +#listen = 0.0.0.0:80 +#listen = [::]:80 + +# If a webserver is already running, specify a non-existent directory +# under which the webserver is configured to serve GET requests for +# challenge files under "/.well-known/acme-challenge/" (for each virtual +# hosts requiring authorization) as static files. +# +challenge-directory = /var/www/acme-challenge + +# username to drop privileges to (setting both effective and real uid). +# Preserve root privileges if the value is empty (not recommended). +# +user = www-data + +# groupname to drop privileges to (setting both effective and real gid, +# and also setting the list of supplementary gids to that single group). +# Preserve root privileges if the value is empty (not recommended). +# +user = www-data + +# Path to the ACME webserver executable. +#command = /usr/lib/letsencrypt-tiny/webserver + +# Whether to automatically install iptables(1) rules to open the +# ADDRESS[:PORT] specified with listen. Theses rules are automatically +# removed once letsencrypt exits. +# +#iptables = Yes + +; vim:ft=dosini diff --git a/roles/letsencrypt/handlers/main.yml b/roles/letsencrypt/handlers/main.yml new file mode 100644 index 0000000..d9eed44 --- /dev/null +++ b/roles/letsencrypt/handlers/main.yml @@ -0,0 +1,2 @@ +- name: Install LetsEncrypt's ACME client + apt: deb=/tmp/letsencrypt-tiny_0.1-1_all.deb diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml new file mode 100644 index 0000000..c7ef7ef --- /dev/null +++ b/roles/letsencrypt/tasks/main.yml @@ -0,0 +1,37 @@ +- name: Install dependencies for letsencrypt-tiny + apt: pkg={{ item }} + with_items: + - libjson-perl + - libjson-xs-perl + - libconfig-tiny-perl + - libwww-perl + - liblwp-protocol-https-perl + - libnet-ssleay-perl + +- name: Copy LetsEncrypt's ACME client + copy: src=deb/letsencrypt-tiny_0.1-1_all.deb + dest=/tmp + notify: Install LetsEncrypt's ACME client + +- meta: flush_handlers + +- name: Create a user 'letsencrypt' + user: name=letsencrypt system=yes + group=nogroup + createhome=no + home=/nonexistent + shell=/usr/sbin/nologin + password=! + state=present + +- name: Copy letsencrypt-tiny/letsencrypt-certs.conf + copy: src=etc/letsencrypt-tiny/letsencrypt.conf + dest=/etc/letsencrypt-tiny/letsencrypt.conf + owner=root group=root + mode=0644 + +- name: Copy letsencrypt-tiny/letsencrypt-certs.conf + template: src=etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 + dest=/etc/letsencrypt-tiny/letsencrypt-certs.conf + owner=root group=root + mode=0644 diff --git a/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 new file mode 100644 index 0000000..fef5c62 --- /dev/null +++ b/roles/letsencrypt/templates/etc/letsencrypt-tiny/letsencrypt-certs.conf.j2 @@ -0,0 +1,63 @@ +hash = sha512 +keyusage = digitalSignature, keyEncipherment + +{% if 'IMAP' in group_names %} +[imap] +certificate-key = /etc/dovecot/ssl/imap.fripost.org.key +certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem +subject = /O=Fripost/CN=imap.fripost.org +subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org +notify = /bin/systemctl restart dovecot +{% endif %} + +{% if 'MSA' in group_names %} +[smtp] +certificate-key = /etc/postfix/ssl/smtp.fripost.org.key +certificate-chain = /etc/postfix/ssl/smtp.fripost.org.pem +subject = /O=Fripost/CN=smtp.fripost.org +notify = /bin/systemctl restart postfix +{% endif %} + +{% if 'MX' in group_names %} +[mx] +certificate-key = /etc/postfix/ssl/mx.fripost.org.key +certificate-chain = /etc/postfix/ssl/mx.fripost.org.pem +subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org +notify = /bin/systemctl restart postfix +{% endif %} + +{% if 'lists' in group_names %} +[lists] +certificate-key = /etc/nginx/ssl/lists.fripost.org.key +certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem +subject = /O=Fripost/CN=lists.fripost.org +notify = /bin/systemctl restart nginx +{% endif %} + +{% if 'wiki' in group_names %} +[www] +certificate-key = /etc/nginx/ssl/www.fripost.org.key +certificate-chain = /etc/nginx/ssl/www.fripost.org.pem +subject = /O=Fripost/CN=fripost.org +subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org +notify = /bin/systemctl restart nginx +{% endif %} + +{% if 'webmail' in group_names %} +[webmail] +certificate-key = /etc/nginx/ssl/mail.fripost.org.key +certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem +subject = /O=Fripost/CN=mail.fripost.org +subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org +notify = /bin/systemctl restart nginx +{% endif %} + +{% if 'git' in group_names %} +[git] +certificate-key = /etc/nginx/ssl/git.fripost.org.key +certificate-chain = /etc/nginx/ssl/git.fripost.org.pem +subject = /O=Fripost/CN=git.fripost.org +notify = /bin/systemctl restart nginx +{% endif %} + +; vim:ft=dosini diff --git a/roles/lists/files/etc/nginx/sites-available/sympa b/roles/lists/files/etc/nginx/sites-available/sympa index 5e469fa..bcf1d22 100644 --- a/roles/lists/files/etc/nginx/sites-available/sympa +++ b/roles/lists/files/etc/nginx/sites-available/sympa @@ -8,41 +8,41 @@ server { access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name lists.fripost.org; access_log /var/log/nginx/lists.access.log; error_log /var/log/nginx/lists.error.log info; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/lists.fripost.org.chained.pem; + ssl_certificate /etc/nginx/ssl/lists.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/lists.fripost.org.key; location = / { return 302 /sympa$args; } location ^~ /static-sympa/ { alias /var/lib/sympa/static_content/; expires 30d; } location ^~ /sympa { fastcgi_split_path_info ^(/sympa)(.*)$; include snippets/fastcgi.conf; fastcgi_pass unix:/run/wwsympa.socket; gzip off; } location ~* ^/([^/]+)/?$ { diff --git a/roles/webmail/files/etc/nginx/sites-available/roundcube b/roles/webmail/files/etc/nginx/sites-available/roundcube index df10be9..304b05d 100644 --- a/roles/webmail/files/etc/nginx/sites-available/roundcube +++ b/roles/webmail/files/etc/nginx/sites-available/roundcube @@ -10,41 +10,41 @@ server { access_log /var/log/nginx/roundcube.access.log; error_log /var/log/nginx/roundcube.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name mail.fripost.org; server_name webmail.fripost.org; root /var/lib/roundcube; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/mail.fripost.org.chained.pem; + ssl_certificate /etc/nginx/ssl/mail.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/mail.fripost.org.key; location = /favicon.ico { root /usr/share/roundcube/skins/default/images; log_not_found off; access_log off; expires max; } location = /robots.txt { allow all; log_not_found off; access_log off; } # Deny all attempts to access hidden files, or files under hidden # directories. location ~ /\. { return 404; } access_log /var/log/nginx/roundcube.access.log; diff --git a/roles/wiki/files/etc/nginx/sites-available/website b/roles/wiki/files/etc/nginx/sites-available/website index 2519286..5d382ec 100644 --- a/roles/wiki/files/etc/nginx/sites-available/website +++ b/roles/wiki/files/etc/nginx/sites-available/website @@ -7,41 +7,41 @@ server { include snippets/acme-challenge.conf; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; location / { return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name fripost.org; server_name www.fripost.org; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/www.access.log; error_log /var/log/nginx/www.error.log info; location / { try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki/website; } location /static/ { alias /var/lib/ikiwiki/public_html/fripost-wiki/static/; expires 30d; } location /material/ { alias /var/www/fripost.org/material/; expires 30d; } location /minutes/ { alias /var/www/fripost.org/minutes/; diff --git a/roles/wiki/files/etc/nginx/sites-available/wiki b/roles/wiki/files/etc/nginx/sites-available/wiki index 2855e07..d61ff28 100644 --- a/roles/wiki/files/etc/nginx/sites-available/wiki +++ b/roles/wiki/files/etc/nginx/sites-available/wiki @@ -6,41 +6,41 @@ server { include snippets/acme-challenge.conf; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } return 301 https://$host$request_uri; } } server { listen 443; listen [::]:443; server_name wiki.fripost.org; include snippets/ssl.conf; - ssl_certificate /etc/nginx/ssl/www.fripost.org.chained.pem; + ssl_certificate /etc/nginx/ssl/www.fripost.org.pem; ssl_certificate_key /etc/nginx/ssl/www.fripost.org.key; access_log /var/log/nginx/wiki.access.log; error_log /var/log/nginx/wiki.error.log info; location / { location ~ ^/website(/.*)?$ { return 302 $scheme://fripost.org$1; } try_files $uri $uri/ =404; index index.html; root /var/lib/ikiwiki/public_html/fripost-wiki; } location = /ikiwiki.cgi { fastcgi_param DOCUMENT_ROOT /var/lib/ikiwiki/public_html/fripost-wiki; fastcgi_param SCRIPT_FILENAME /var/lib/ikiwiki/public_html/ikiwiki.cgi; fastcgi_index ikiwiki.cgi; include snippets/fastcgi.conf; fastcgi_pass unix:/var/run/fcgiwrap.socket; gzip off; } |