Add an SSL role for certificates deployment
This commit is contained in:
parent
4a411685ff
commit
c6a504c6c5
@ -18,6 +18,7 @@ fail2ban: separate task to update IP whitelist
|
||||||
nginx: add tag for ips management
|
nginx: add tag for ips management
|
||||||
nginx: separate task to update IP whitelist
|
nginx: separate task to update IP whitelist
|
||||||
postfix: enable SSL/TLS client
|
postfix: enable SSL/TLS client
|
||||||
|
ssl: add an SSL role for certificates deployment
|
||||||
|
|
||||||
### Changed
|
### Changed
|
||||||
evomaintenance: update script from upstream
|
evomaintenance: update script from upstream
|
||||||
|
|
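--- a/ssl/README.md
+++ b/ssl/README.md
@@ -0,0 +1,9 @@
+# ssl
+
+Deploy SSL certificate, key, dhparams and concatenate them when needed (eg. with Haproxy).
+
+## Available variables
+
+* `ssl_cert`: name of SSL certificate which is going to be deployed
+
+eg. `ssl_cert: "example.com"` deploy files/ssl/example.com.{pem|key|dhp}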
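--- a/ssl/meta/main.yml
+++ b/ssl/meta/main.yml
@@ -0,0 +1,20 @@
+galaxy_info:
+author: Evolix
+description: Deployment of SSL certificate, key and dhparams
+
+issue_tracker_url: https://forge.evolix.org/projects/ansible-roles/issues
+
+license: GPLv2
+
+min_ansible_version: 2.2
+
+platforms:
+- name: Debian
+versions:
+- jessie
+- stretch
+
+dependencies: []
+# List your role dependencies here, one per line.
+# Be sure to remove the '[]' above if you add dependencies
+# to this list.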
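--- a/ssl/tasks/haproxy.yml
+++ b/ssl/tasks/haproxy.yml
@@ -0,0 +1,32 @@
+---
+- name: Concatenate SSL certificate, key and dhparam
+set_fact:
+ssl_cat: "{{ ssl_cat | default() }}{{ lookup('file', item) }}\n"
+with_fileglob:
+- "ssl/{{ ssl_cert }}.pem"
+- "ssl/{{ ssl_cert }}.key"
+- "ssl/{{ ssl_cert }}.dhp"
+tags:
+- ssl
+
+- name: Create haproxy ssl directory
+file:
+dest: /etc/haproxy/ssl
+mode: "0700"
+tags:
+- ssl
+
+- name: Copy concatenated certificate and key
+copy:
+content: "{{ ssl_cat }}"
+dest: "/etc/haproxy/ssl/{{ ssl_cert }}.pem"
+mode: "0600"
+notify: reload haproxy
+tags:
+- ssl
+
+- name: Reset ssl_cat variable
+set_fact:
+ssl_cat: ""
+tags:
+- ssl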
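--- a/ssl/tasks/main.yml
+++ b/ssl/tasks/main.yml
@@ -0,0 +1,38 @@
+---
+- name: Copy SSL certificate
+copy:
+src: "ssl/{{ ssl_cert }}.pem"
+dest: "/etc/ssl/certs/{{ ssl_cert }}.pem"
+mode: "0644"
+register: ssl_copy_cert
+tags:
+- ssl
+
+- name: Copy SSL key
+copy:
+src: "ssl/{{ ssl_cert }}.key"
+dest: "/etc/ssl/private/{{ ssl_cert }}.key"
+mode: "0600"
+register: ssl_copy_key
+tags:
+- ssl
+
+- name: Copy SSL dhparam
+copy:
+src: "ssl/{{ ssl_cert }}.dhp"
+dest: "/etc/ssl/certs/{{ ssl_cert }}.dhp"
+mode: "0644"
+register: ssl_copy_dhp
+tags:
+- ssl
+
+- name: Check if Haproxy is installed
+command: dpkg -l haproxy
+register: haproxy_check
+check_mode: False
+changed_when: False
+tags:
+- ssl
+
+- include: haproxy.yml
+when: haproxy_check.rc == 0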