[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

[tor-commits] [metrics-cloud/master] Adds files for letsencrypt role



commit ad5559bcbb28b09b2a6feafe9f853a6c8b96d8ff
Author: Ana Custura <ana@xxxxxxxxxxxxxx>
Date:   Wed Aug 14 16:21:52 2019 +0100

    Adds files for letsencrypt role
---
 .../roles/letsencrypt/files/000-default.conf.j2    |  18 +++
 .../roles/letsencrypt/files/default-ssl.conf.j2    |  22 ++++
 ansible/roles/letsencrypt/handlers/main.yml        |   4 +
 ansible/roles/letsencrypt/tasks/main.yml           | 143 +++++++++++++++++++++
 ansible/roles/letsencrypt/vars/main.yml            |  18 +++
 5 files changed, 205 insertions(+)

diff --git a/ansible/roles/letsencrypt/files/000-default.conf.j2 b/ansible/roles/letsencrypt/files/000-default.conf.j2
new file mode 100644
index 0000000..e8a52bd
--- /dev/null
+++ b/ansible/roles/letsencrypt/files/000-default.conf.j2
@@ -0,0 +1,18 @@
+<VirtualHost *:80>
+        ServerName {{ domain }}
+        ServerAdmin {{ letsencrypt_account_email }} 
+        DocumentRoot {{ onionperf_directory}}
+
+	Alias "/.well-known" "/var/www/html/.well-known"
+
+       <Directory {{ onionperf_directory }}>
+        Options Indexes
+        Require all granted
+       </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+ 
+</VirtualHost>
+
+
diff --git a/ansible/roles/letsencrypt/files/default-ssl.conf.j2 b/ansible/roles/letsencrypt/files/default-ssl.conf.j2
new file mode 100644
index 0000000..b2ec0cf
--- /dev/null
+++ b/ansible/roles/letsencrypt/files/default-ssl.conf.j2
@@ -0,0 +1,22 @@
+<VirtualHost *:443>
+        ServerName {{ domain }}
+
+        ServerAdmin {{ letsencrypt_account_email }} 
+        DocumentRoot {{ onionperf_directory}}
+
+       <Directory {{ onionperf_directory }}>
+        Options Indexes
+        Require all granted
+       </Directory>
+
+        ErrorLog ${APACHE_LOG_DIR}/error.log
+        CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+        SSLEngine On
+        SSLCertificateFile "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+        SSLCertificateKeyFile "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+        SSLCertificateChainFile "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+ 
+</VirtualHost>
+
+
diff --git a/ansible/roles/letsencrypt/handlers/main.yml b/ansible/roles/letsencrypt/handlers/main.yml
new file mode 100644
index 0000000..ba2dfcf
--- /dev/null
+++ b/ansible/roles/letsencrypt/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+- name: reload apache2
+  service: name=apache2 state=restarted daemon_reload=yes
+  become: true
diff --git a/ansible/roles/letsencrypt/tasks/main.yml b/ansible/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..41e8de3
--- /dev/null
+++ b/ansible/roles/letsencrypt/tasks/main.yml
@@ -0,0 +1,143 @@
+---
+# in here put the domain for the certificate required
+- name: Create certficate directory
+  file:
+    path: "{{ letsencrypt_dest }}/{{ domain }}"
+    state: directory
+  become: true
+
+- name: Copy Apache default configuration
+  template:
+    src: files/000-default.conf.j2
+    dest: /etc/apache2/sites-available/000-default.conf
+    owner: www-data
+    group: www-data
+    mode: '0644'
+  become: true
+
+- name: Copy Apache SSL configuration
+  template:
+    src: files/default-ssl.conf.j2
+    dest: /etc/apache2/sites-available/default-ssl.conf
+    owner: www-data
+    group: www-data
+    mode: '0644'
+  become: true
+
+
+# generate account key, if necessary
+- name: Find account.key
+  stat:
+    path: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+  register: account_key
+  become: true
+  run_once: true
+
+- name: Generate account.key
+  shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+  run_once: true
+  when: not account_key.stat.exists
+  become: true
+
+# generate domain key, if necessary
+- name: Find domain.key
+  stat:
+    path: "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+  register: domain_key
+  become: true
+  run_once: true
+
+- name: Generate domain.key
+  shell: openssl genrsa 4096 > "{{ letsencrypt_dest }}/{{ domain }}/domain.key"
+  run_once: true
+  when: not domain_key.stat.exists
+  become: true
+
+# generate domain csr, if necessary
+- name: Find domain.csr
+  stat:
+    path: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+  register: domain_csr
+  become: true
+  run_once: true
+
+- name: Generate domain.csr
+  shell: openssl req -new -sha256 -key "{{ letsencrypt_dest }}/{{ domain }}/domain.key" \
+   -subj "/CN={{ domain }}" > "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+  run_once: true
+  when: not domain_csr.stat.exists
+  become: true
+
+- name: Create challenge
+  acme_certificate:
+    account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+    csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+    dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+    chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem"
+    fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+    account_email: "{{ letsencrypt_account_email }}"
+    acme_directory: "{{ letsencrypt_acme_directory }}"
+    acme_version: "{{ letsencrypt_acme_version }}"
+    agreement: "{{ letsencrypt_agreement }}"
+    terms_agreed: "{{ letsencrypt_terms_agreed }}"
+    challenge: "{{ letsencrypt_challenge }}"
+    remaining_days: "{{ letsencrypt_remaining_days }}"
+  register: op_challenge
+  become: true
+
+- name: Create challenge webserver directory
+  file:
+    path: "/var/www/html/.well-known/acme-challenge"
+    state: directory
+    recurse: yes
+  become: true
+
+- name: Copy challenge files to webserver root
+  copy:
+   dest: "/var/www/html/{{ op_challenge['challenge_data'][domain]['http-01']['resource'] }}"
+   content: "{{ op_challenge['challenge_data'][domain]['http-01']['resource_value'] }}"
+  when: op_challenge is changed
+  become: true
+
+- name: Create certificate
+  acme_certificate:
+    account_key_src: "{{ letsencrypt_dest }}/{{ domain }}/account.key"
+    csr: "{{ letsencrypt_dest }}/{{ domain }}/domain.csr"
+    dest: "{{ letsencrypt_dest }}/{{ domain }}/signed.crt"
+    chain_dest: "{{ letsencrypt_dest }}/{{ domain }}/intermediate.pem"
+    agreement: "{{ letsencrypt_agreement }}"
+    terms_agreed: "{{ letsencrypt_terms_agreed }}"
+    fullchain_dest: "{{ letsencrypt_dest }}/{{ domain }}/fullchain.pem"
+    data: "{{ op_challenge }}"
+    account_email: "{{ letsencrypt_account_email }}"
+    acme_directory: "{{ letsencrypt_acme_directory }}"
+    acme_version: "{{ letsencrypt_acme_version }}"
+    challenge: "{{ letsencrypt_challenge }}"
+    remaining_days: "{{ letsencrypt_remaining_days }}"
+  run_once: true
+  when: op_challenge is changed
+  register: verify_challenge
+  become: true
+
+- name: Enable SSL module
+  apache2_module:
+    state: present
+    name: ssl
+  become: true
+  notify:
+    - reload apache2
+
+- name: Look for existing SSL website
+  stat:
+    path: "/etc/apache2/sites-enabled/default-ssl.conf"
+  register: ssl_website
+  become: true
+  run_once: true
+
+- name: Enable SSL website
+  command: a2ensite default-ssl.conf
+  become: true
+  run_once: true
+  when: not ssl_website.stat.exists
+  notify:
+    - reload apache2
diff --git a/ansible/roles/letsencrypt/vars/main.yml b/ansible/roles/letsencrypt/vars/main.yml
new file mode 100644
index 0000000..32d83b1
--- /dev/null
+++ b/ansible/roles/letsencrypt/vars/main.yml
@@ -0,0 +1,18 @@
+---
+
+letsencrypt_account_email: "acute@xxxxxxxxxxxxxx"
+domain: "test.t1.erg.abdn.ac.uk"
+
+# staging - use this for testing!
+letsencrypt_acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory";
+
+# production - use this when you want an actual certificate
+#letsencrypt_acme_directory: "https://acme-v01.api.letsencrypt.org/directory";
+letsencrypt_agreement: "https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf";
+letsencrypt_terms_agreed: 1
+letsencrypt_acme_version: 2
+letsencrypt_challenge: "http-01"
+letsencrypt_dest: "/etc/letsencrypt"
+letsencrypt_remaining_days: 90
+
+onionperf_directory : "/srv/onionperf.torproject.net/onionperf-data"



_______________________________________________
tor-commits mailing list
tor-commits@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-commits