Merge branch 'unstable' into stable
This commit is contained in:
commit
5bc0c597c7
|
@ -24,12 +24,13 @@
|
|||
register: git_config_user_email
|
||||
ignore_errors: yes
|
||||
|
||||
- name: set commit author
|
||||
- name: "set commit author"
|
||||
set_fact:
|
||||
etc_git_commit_options: "{ --author \"{{ ansible_env.SUDO_USER |default(\"root\")}} <{{ git_config_user_email.config_value |default(\"root@localhost\")}}>\""
|
||||
commit_author: '{% if ansible_env.SUDO_USER == "" %}root{% else %}{{ ansible_env.SUDO_USER }}{% endif %}'
|
||||
commit_email: '{% if git_config_user_email.config_value == "" %}root@localhost{% else %}{{ git_config_user_email.config_value }}{% endif %}'
|
||||
|
||||
- name: /etc modifications are committed
|
||||
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\"{{ etc_git_commit_options }}"
|
||||
- name: "/etc modifications are committed"
|
||||
shell: "git add -A . && git commit -m \"{{ commit_message | mandatory }}\" --author \"{{ commit_author | mandatory }} <{{ commit_email | mandatory }}>\""
|
||||
args:
|
||||
chdir: /etc
|
||||
register: etc_commit_end_run
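Review bot: The new `shell:` line splices `commit_message`, `commit_author` and `commit_email` straight into a shell string, so a commit message containing `"`, a backtick or `$(...)` breaks the command or executes it as root inside `/etc`; pass each value through the `quote` filter instead of hand-placed escaped quotes, e.g. `git add -A . && git commit -m {{ commit_message | mandatory | quote }} --author {{ (commit_author | mandatory ~ ' <' ~ commit_email | mandatory ~ '>') | quote }}`. The `commit_author` fact also tests `ansible_env.SUDO_USER == ""` with no default, which raises an undefined-variable error when the play is not run through sudo, whereas the replaced `etc_git_commit_options` line kept a `| default("root")`; `{% if ansible_env.SUDO_USER | default('') == "" %}` restores that fallback. The enclosing task list continues outside the hunk.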
|
||||
|
|
|
@ -6,7 +6,7 @@ evoacme_acme_dir: /var/lib/letsencrypt
|
|||
evoacme_csr_dir: /etc/ssl/requests
|
||||
evoacme_crt_dir: /etc/letsencrypt
|
||||
evoacme_log_dir: /var/log/evoacme
|
||||
evoacme_ssl_minday: 15
|
||||
evoacme_ssl_minday: 30
|
||||
evoacme_ssl_ct: 'FR'
|
||||
evoacme_ssl_state: 'France'
|
||||
evoacme_ssl_loc: 'Marseille'
|
||||
|
|
|
@ -1,17 +1,14 @@
|
|||
#!/bin/sh
|
||||
#
|
||||
# Run evoacme script on every configured cert
|
||||
#
|
||||
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||
# Licence: AGPLv3
|
||||
#
|
||||
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
|
||||
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||
evoacme $vhost
|
||||
done
|
||||
|
||||
# Compatibility with older version of evoacme
|
||||
find ${CRT_DIR} -maxdepth 1 -mindepth 1 -type f -name "*.crt" -exec basename {} .crt \; | while read vhost; do
|
||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||
rm ${CRT_DIR}/${vhost}.crt ${CRT_DIR}/${vhost}-chain.pem ${CRT_DIR}/${vhost}-fullchain.pem
|
||||
evoacme $vhost
|
||||
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
|
||||
evoacme "$vhost"
|
||||
done
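Review bot: `while read vhost` in the retained loop reads without `-r` and with the default `IFS`, so a directory name containing a backslash or leading/trailing whitespace is altered before it reaches `evoacme "$vhost"`; write `while IFS= read -r vhost; do`. The `! -path "*accounts"` filter also excludes any directory whose name merely ends in `accounts`, not just certbot's own `accounts` directory — if that is the only intended exclusion, `! -name accounts` is the precise match. The whole script is inside the hunk.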
|
||||
|
|
|
@ -1,62 +1,84 @@
|
|||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
#
|
||||
# evoacme is a shell script to manage Let's Encrypt certificate with
|
||||
# certbot tool but with a dedicated user (no-root) and from a csr
|
||||
#
|
||||
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||
# Licence: AGPLv3
|
||||
#
|
||||
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
||||
usage() {
|
||||
echo "Usage: $0 NAME"
|
||||
echo ""
|
||||
echo "NAME must be correspond to :"
|
||||
echo "- a CSR in ${CSR_DIR}/NAME.csr"
|
||||
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
|
||||
echo ""
|
||||
}
|
||||
|
||||
vhost=$(basename $1 .conf)
|
||||
DATE=$(date "+%Y%m%d")
|
||||
mkconf_apache() {
|
||||
[ -f "/etc/apache2/ssl/${vhost}.conf" ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
apache2ctl -t 2>/dev/null && service apache2 reload
|
||||
}
|
||||
|
||||
SSL_EMAIL=$(grep emailAddress ${CRT_DIR}/openssl.cnf|cut -d'=' -f2|xargs)
|
||||
if [ -n "$SSL_EMAIL" ]; then
|
||||
emailopt="--email $SSL_EMAIL"
|
||||
else
|
||||
emailopt="--register-unsafely-without-email"
|
||||
fi
|
||||
mkconf_nginx() {
|
||||
[ -f "/etc/nginx/ssl/${vhost}.conf" ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
nginx -t 2>/dev/null && service nginx reload
|
||||
}
|
||||
|
||||
# Check master status for evoadmin-cluster
|
||||
if [ -f /home/${vhost}/state ]; then
|
||||
grep -q "STATE=master" /home/${vhost}/state
|
||||
[ $? -ne 0 ] && exit 0
|
||||
fi
|
||||
mkconf_haproxy() {
|
||||
mkdir -p /etc/ssl/haproxy -m 700
|
||||
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
|
||||
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
|
||||
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
|
||||
}
|
||||
|
||||
if [ -h $CRT_DIR/${vhost}/live ]; then
|
||||
crt_end_date=`openssl x509 -noout -enddate -in $CRT_DIR/${vhost}/live/cert.crt|sed -e "s/.*=//"`
|
||||
date_crt=`date -ud "$crt_end_date" +"%s"`
|
||||
date_today=`date +'%s'`
|
||||
date_diff=$(( ( $date_crt - $date_today ) / (60*60*24) ))
|
||||
[ $date_diff -ge $SSL_MINDAY ] && exit 0
|
||||
fi
|
||||
|
||||
mkdir -pm 755 $CRT_DIR/${vhost} $CRT_DIR/${vhost}/${DATE}
|
||||
chown -R acme: $CRT_DIR/${vhost}
|
||||
sudo -u acme certbot certonly --quiet --webroot --csr $CSR_DIR/${vhost}.csr --webroot-path $ACME_DIR -n --agree-tos --cert-path=$CRT_DIR/${vhost}/${DATE}/cert.crt --fullchain-path=$CRT_DIR/${vhost}/${DATE}/fullchain.pem --chain-path=$CRT_DIR/${vhost}/${DATE}/chain.pem $emailopt --logs-dir $LOG_DIR 2> >(grep -v certbot.crypto_util)
|
||||
|
||||
if [ $? -eq 0 ]; then
|
||||
ln -sf $CRT_DIR/${vhost}/${DATE} $CRT_DIR/${vhost}/live
|
||||
which apache2ctl>/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
[ -f /etc/apache2/ssl/${vhost}.conf ] && sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $CRT_DIR/${vhost}/live/fullchain.pem~" /etc/apache2/ssl/${vhost}.conf
|
||||
apache2ctl -t 2>/dev/null
|
||||
[ $? -eq 0 ] && service apache2 reload
|
||||
fi
|
||||
which nginx>/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
[ -f /etc/nginx/ssl/${vhost}.conf ] && sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $CRT_DIR/${vhost}/live/fullchain.pem;~" /etc/nginx/ssl/${vhost}.conf
|
||||
nginx -t 2>/dev/null
|
||||
[ $? -eq 0 ] && service nginx reload
|
||||
fi
|
||||
main() {
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
|
||||
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
|
||||
|
||||
which haproxy>/dev/null
|
||||
if [ $? -eq 0 ]; then
|
||||
mkdir -p /etc/ssl/haproxy -m 700
|
||||
cat $CRT_DIR/${vhost}/live/fullchain.pem $SSL_KEY_DIR/${vhost}.key > /etc/ssl/haproxy/${vhost}.pem
|
||||
[ -f $DH_DIR/${vhost} ] && cat $DH_DIR/${vhost} >> /etc/ssl/haproxy/${vhost}.pem
|
||||
haproxy -c -f /etc/haproxy/haproxy.cfg 1>/dev/null
|
||||
[ $? -eq 0 ] && service haproxy reload
|
||||
[ "$#" -ne 1 ] && usage && exit 1
|
||||
|
||||
vhost=$(basename "$1" .conf)
|
||||
|
||||
# Check master status for evoadmin-cluster
|
||||
if [ -f "/home/${vhost}/state" ]; then
|
||||
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
|
||||
fi
|
||||
exit 0
|
||||
fi
|
||||
|
||||
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
|
||||
if [ -n "$SSL_EMAIL" ]; then
|
||||
emailopt="-m $SSL_EMAIL"
|
||||
else
|
||||
emailopt="--register-unsafely-without-email"
|
||||
fi
|
||||
DATE=$(date "+%Y%m%d")
|
||||
|
||||
if [ -h "$CRT_DIR/${vhost}/live" ]; then
|
||||
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
|
||||
date_crt=$(date -ud "$crt_end_date" +"%s")
|
||||
date_today=$(date +'%s')
|
||||
date_diff=$(((date_crt - date_today) / (60*60*24)))
|
||||
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
|
||||
fi
|
||||
rm -rf "$CRT_DIR/${vhost}/${DATE}"
|
||||
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
|
||||
chown -R acme: "$CRT_DIR/${vhost}"
|
||||
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
|
||||
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
|
||||
rm -f "$CRT_DIR/${vhost}/live"
|
||||
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
which nginx >/dev/null && mkconf_nginx
|
||||
which haproxy >/dev/null && mkconf_haproxy
|
||||
else
|
||||
rmdir "$CRT_DIR/${vhost}/${DATE}"
|
||||
fi
|
||||
}
|
||||
|
||||
main "$@"
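Review bot: Quoting `"$emailopt"` on the `sudo -u acme certbot` line hands certbot `-m user@example.com` as one argv token, so its option parser reads `-m` with the value ` user@example.com` (leading space) rather than two arguments; since `$1` has already been copied into `vhost`, rebuild the option list with the positionals: `set -- -m "$SSL_EMAIL"` in the `if` branch, `set -- --register-unsafely-without-email` in the `else`, and `"$@"` where `"$emailopt"` is now. `SSL_MINDAY` and `ACME_DIR` get no fallback among the `[ -z … ]` defaults at the top of `main()`, so on a host without `/etc/default/evoacme` the test `[ "$date_diff" -ge "$SSL_MINDAY" ]` errors out under dash's `[` and every cron run re-issues the certificate; add `[ -z "${SSL_MINDAY}" ] && SSL_MINDAY='30'` (the role's `evoacme_ssl_minday` default is 30) and a default for `ACME_DIR`. `chown -R acme: "$CRT_DIR/${vhost}"` gives the unprivileged `acme` user ownership of the directory holding every earlier `${DATE}` tree and the `live` symlink that root later reads through in `mkconf_haproxy` (`cat … fullchain.pem … > /etc/ssl/haproxy/…`), so a compromised `acme` can swap what gets concatenated with the private key; only the freshly created `${DATE}` directory must be writable by certbot, so `chown acme: "$CRT_DIR/${vhost}/${DATE}"` keeps the rest root-owned. `main()` starts and ends inside the hunk.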
|
||||
|
|
|
@ -1,114 +1,151 @@
|
|||
#!/bin/bash
|
||||
#!/bin/sh
|
||||
#
|
||||
# make-csr is a shell script designed to automatically generate a
|
||||
# certificate signing request (CSR) from an Apache or a Nginx vhost
|
||||
#
|
||||
# Author: Victor Laborie <vlaborie@evolix.fr>
|
||||
# Licence: AGPLv3
|
||||
#
|
||||
|
||||
[ -f /etc/default/evoacme ] && source /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
|
||||
shopt -s extglob
|
||||
|
||||
vhost=$(basename $1 .conf)
|
||||
vhostfiles=$(ls -1 /etc/{nginx,apache2}/sites-enabled/${vhost}?(.conf) 2>/dev/null)
|
||||
|
||||
if [ $(echo "${vhostfiles}"|wc -l) -lt 1 ]; then
|
||||
echo "$vhost doesn't exist !"
|
||||
exit 1
|
||||
fi
|
||||
|
||||
for vhostfile in "${vhostfiles}"; do
|
||||
break;
|
||||
done
|
||||
|
||||
if [ -f $SSL_KEY_DIR/${vhost}.key ]; then
|
||||
read -p "$vhost key already exist, overwrite it ? (y)" -n 1 -r
|
||||
echo ""
|
||||
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
|
||||
exit 1
|
||||
get_domains() {
|
||||
echo "$vhostfile"|grep -q nginx
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
|
||||
fi
|
||||
rm -f /etc/apache2/ssl/${vhost}.conf
|
||||
rm -f /etc/nginx/ssl/${vhost}.conf
|
||||
fi
|
||||
|
||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||
openssl genrsa -out $SSL_KEY_DIR/${vhost}.key $SSL_KEY_SIZE
|
||||
chown root: $SSL_KEY_DIR/${vhost}.key
|
||||
chmod 600 $SSL_KEY_DIR/${vhost}.key
|
||||
|
||||
nb=0
|
||||
|
||||
echo $vhostfile |grep -q nginx
|
||||
if [ $? -eq 0 ]; then
|
||||
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq`
|
||||
fi
|
||||
|
||||
echo $vhostfile |grep -q apache2
|
||||
if [ $? -eq 0 ]; then
|
||||
domains=`grep -oE "^( )*[^#]+" $vhostfile |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq`
|
||||
fi
|
||||
|
||||
valid_domains=''
|
||||
srv_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
|
||||
echo "Valid Domain(s) for $vhost :"
|
||||
for domain in $domains
|
||||
do
|
||||
real_ip=$(dig +short $domain|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
for ip in $(echo $srv_ip|xargs -n1); do
|
||||
if [ "${ip}" == "${real_ip}" ]; then
|
||||
valid_domains="$valid_domains $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
echo "- $domain"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ $nb -eq 0 ]; then
|
||||
nb=`echo $domains|wc -l`
|
||||
echo "No valid domains : $domains" >&2
|
||||
else
|
||||
domains=$valid_domains
|
||||
fi
|
||||
|
||||
mkdir -p $CSR_DIR -m 0755
|
||||
|
||||
if [ $nb -eq 1 ]; then
|
||||
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -config <(cat /etc/letsencrypt/openssl.cnf <(printf "CN=$domains")) -out $CSR_DIR/${vhost}.csr
|
||||
elif [ $nb -gt 1 ]; then
|
||||
san=''
|
||||
for domain in $domains
|
||||
do
|
||||
san="$san,DNS:$domain"
|
||||
done
|
||||
san=`echo $san|sed 's/,//'`
|
||||
openssl req -new -sha256 -key $SSL_KEY_DIR/${vhost}.key -reqexts SAN -config <(cat /etc/letsencrypt/openssl.cnf <(printf "[SAN]\nsubjectAltName=$san")) > $CSR_DIR/${vhost}.csr
|
||||
fi
|
||||
|
||||
if [ -f $CSR_DIR/${vhost}.csr ]; then
|
||||
chmod 644 $CSR_DIR/${vhost}.csr
|
||||
mkdir -p $SELF_SIGNED_DIR -m 0755
|
||||
openssl x509 -req -sha256 -days 365 -in $CSR_DIR/${vhost}.csr -signkey $SSL_KEY_DIR/${vhost}.key -out $SELF_SIGNED_DIR/${vhost}.pem
|
||||
if [ -f $SELF_SIGNED_DIR/${vhost}.pem ]; then
|
||||
chmod 644 $SELF_SIGNED_DIR/${vhost}.pem
|
||||
|
||||
echo "$vhostfile" |grep -q apache2
|
||||
if [ "$?" -eq 0 ]; then
|
||||
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
|
||||
fi
|
||||
fi
|
||||
valid_domains=""
|
||||
nb=0
|
||||
|
||||
echo "Valid(s) domain(s) in $vhost :"
|
||||
for domain in $domains; do
|
||||
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
for ip in $(echo "$SRV_IP"|xargs -n1); do
|
||||
if [ "${ip}" = "${real_ip}" ]; then
|
||||
valid_domains="$valid_domains $domain"
|
||||
nb=$(( nb + 1 ))
|
||||
echo "* $domain -> $real_ip"
|
||||
fi
|
||||
done
|
||||
done
|
||||
|
||||
if [ "$nb" -eq 0 ]; then
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
echo "* No valid domain found"
|
||||
echo "All following(s) domain(s) will be used for CSR creation :"
|
||||
for domain in $domains; do
|
||||
echo "* $domain"
|
||||
done
|
||||
else
|
||||
domains="$valid_domains"
|
||||
fi
|
||||
domains=$(echo "$domains"|xargs -n1)
|
||||
}
|
||||
|
||||
if [ -d /etc/apache2 ]; then
|
||||
make_key() {
|
||||
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
|
||||
chown root: "$SSL_KEY_DIR/${vhost}.key"
|
||||
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
|
||||
}
|
||||
|
||||
make_csr() {
|
||||
domains="$1"
|
||||
nb=$(echo "$domains"|wc -l)
|
||||
config_file="/tmp/make-csr-${vhost}.conf"
|
||||
|
||||
mkdir -p "$CSR_DIR" -m 0755
|
||||
|
||||
if [ "$nb" -eq 1 ]; then
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
CN=$domains
|
||||
EOF
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
|
||||
elif [ "$nb" -gt 1 ]; then
|
||||
san=''
|
||||
for domain in $domains
|
||||
do
|
||||
san="$san,DNS:$domain"
|
||||
done
|
||||
san=$(echo "$san"|sed 's/,//')
|
||||
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
|
||||
[SAN]
|
||||
subjectAltName=$san
|
||||
EOF
|
||||
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
|
||||
fi
|
||||
|
||||
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
|
||||
chmod 644 "$CSR_DIR/${vhost}.csr"
|
||||
mkdir -p "$SELF_SIGNED_DIR" -m 0755
|
||||
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
|
||||
fi
|
||||
}
|
||||
|
||||
mkconf_apache() {
|
||||
mkdir -p /etc/apache2/ssl
|
||||
if [ ! -f /etc/apache2/ssl/${vhost}.conf ]; then
|
||||
cat > /etc/apache2/ssl/${vhost}.conf <<EOF
|
||||
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
|
||||
SSLEngine On
|
||||
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
|
||||
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
|
||||
EOF
|
||||
else
|
||||
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ -d /etc/nginx ]; then
|
||||
mkconf_nginx() {
|
||||
mkdir -p /etc/nginx/ssl
|
||||
if [ ! -f /etc/nginx/ssl/${vhost}.conf ]; then
|
||||
cat > /etc/nginx/ssl/${vhost}.conf <<EOF
|
||||
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
|
||||
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
|
||||
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
|
||||
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
|
||||
EOF
|
||||
else
|
||||
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
main() {
|
||||
if [ "$#" -ne 1 ]; then
|
||||
echo "You need to provide one argument !" >&2
|
||||
exit 1
|
||||
fi
|
||||
vhost=$(basename "$1" .conf)
|
||||
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
|
||||
|
||||
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
|
||||
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
|
||||
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
|
||||
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
|
||||
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
|
||||
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
|
||||
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
|
||||
|
||||
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
|
||||
|
||||
if [ ! -h "$vhostfile" ]; then
|
||||
echo "$vhost is not a valid virtualhost !" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
|
||||
echo "$vhost key already exist, overwrite it ? (y)"
|
||||
read REPLY
|
||||
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
|
||||
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
|
||||
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
|
||||
fi
|
||||
|
||||
get_domains
|
||||
make_key
|
||||
make_csr "$domains"
|
||||
which apache2ctl >/dev/null && mkconf_apache
|
||||
which nginx >/dev/null && mkconf_nginx
|
||||
}
|
||||
|
||||
main "$@"
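Review bot: `make_csr()` writes the OpenSSL config to the predictable path `/tmp/make-csr-${vhost}.conf` with a plain `>` redirection while running as root (implied by the `chown root:` and the writes under `/etc/ssl`), so any local user who pre-creates that name as a symlink gets an arbitrary file clobbered, and one who owns the file can rewrite the `subjectAltName` line between the `cat … > "$config_file"` and the `openssl req -config` read; use `config_file=$(mktemp) || exit 1` followed by `trap 'rm -f "$config_file"' EXIT` (the file is also never cleaned up today). In `main()`, `rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"` quotes both paths as a single argument, so neither stale config is deleted and `-f` hides the failure; split it: `rm -f "/etc/apache2/ssl/${vhost}.conf" "/etc/nginx/ssl/${vhost}.conf"`. Both functions start and end inside the hunk.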
|
||||
|
|
|
@ -1 +0,0 @@
|
|||
acme ALL=(ALL:ALL) NOPASSWD: /opt/certbot/certbot-auto
|
|
@ -10,7 +10,7 @@
|
|||
- name: Copy make-csr.sh script
|
||||
copy:
|
||||
src: files/make-csr.sh
|
||||
dest: /usr/local/bin/make-csr
|
||||
dest: /usr/local/sbin/make-csr
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
@ -18,7 +18,15 @@
|
|||
- name: Copy evoacme script
|
||||
copy:
|
||||
src: files/evoacme.sh
|
||||
dest: /usr/local/bin/evoacme
|
||||
dest: /usr/local/sbin/evoacme
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0755"
|
||||
|
||||
- name: Delete scripts in old location
|
||||
file:
|
||||
path: "/usr/local/bin/{{ item }}"
|
||||
state: absent
|
||||
with_items:
|
||||
- 'make-csr'
|
||||
- 'evoacme'
|
||||
|
|
|
@ -1,7 +1,6 @@
|
|||
---
|
||||
|
||||
- fail:
|
||||
msg: You must provide at least 1 ssh trusted IP
|
||||
- debug:
|
||||
msg: "Warning: empty 'evolinux_ssh_password_auth_addresses' variable, tasks will be skipped!"
|
||||
when: evolinux_ssh_password_auth_addresses == []
|
||||
|
||||
- name: Security directives for Evolinux
|
||||
|
@ -16,6 +15,7 @@
|
|||
insertafter: EOF
|
||||
validate: '/usr/sbin/sshd -T -f %s'
|
||||
notify: reload sshd
|
||||
when: not evolinux_ssh_password_auth_addresses == []
|
||||
|
||||
# - name: verify Match Address directive
|
||||
# command: "grep 'Match Address' /etc/ssh/sshd_config"
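Review bot: Replacing the `fail` with a `debug` warning and gating `Security directives for Evolinux` on `when: not evolinux_ssh_password_auth_addresses == []` means a run with the variable left empty now finishes green while the sshd block that task writes is silently skipped, and a `debug` line is easy to miss in a long play. If skipping is the intended behaviour, make it an explicit choice: keep `fail` unless a dedicated `evolinux_ssh_allow_no_trusted_ips: true` flag is set, and express the guard in the usual Ansible form, `when: evolinux_ssh_password_auth_addresses | length > 0`, rather than a negated equality. The body of that task starts above the hunk.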
|
||||
|
|
|
@ -6,7 +6,7 @@ minifirewall_checkout_path: "/tmp/minifirewall"
|
|||
minifirewall_int: "{{ ansible_default_ipv4.interface }}"
|
||||
minifirewall_ipv6: "on"
|
||||
minifirewall_intlan: "{{ ansible_default_ipv4.address }}/32"
|
||||
minifirewall_trusted_ips: []
|
||||
minifirewall_trusted_ips: ["0.0.0.0/0"]
|
||||
minifirewall_privilegied_ips: []
|
||||
|
||||
minifirewall_protected_ports_tcp: [22]
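Review bot: Changing the default `minifirewall_trusted_ips` from `[]` to `["0.0.0.0/0"]` is a fail-open default: a host deployed without an explicit inventory value used to stop at the "You must provide at least 1 trusted IP" check and now gets a firewall that trusts every source address, with only a warning printed. Keeping `[]` so the existing `fail` task keeps forcing operators to choose, or requiring an explicit acknowledgement variable before `0.0.0.0/0` is accepted, preserves the safe default; if the open value stays, put the caveat next to it: `# WARNING: 0.0.0.0/0 trusts every source address; override in inventory.`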
|
||||
|
|
|
@ -28,6 +28,9 @@
|
|||
- fail:
|
||||
msg: You must provide at least 1 trusted IP
|
||||
when: minifirewall_trusted_ips == []
|
||||
- debug:
|
||||
msg: "Warning: minifirewall_trusted_ips='0.0.0.0/0', the firewall is useless!"
|
||||
when: minifirewall_trusted_ips == ["0.0.0.0/0"]
|
||||
|
||||
- name: Configure IP addresses
|
||||
blockinfile:
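Review bot: The added warning fires only on `minifirewall_trusted_ips == ["0.0.0.0/0"]`, an exact match of a one-element list, so `["0.0.0.0/0", "10.0.0.0/8"]` or `["::/0"]` (the defaults enable `minifirewall_ipv6`) pass silently although the trusted set is just as open; test membership instead: `when: "'0.0.0.0/0' in minifirewall_trusted_ips or '::/0' in minifirewall_trusted_ips"`. A `debug` message is also easy to lose in play output — a `fail` that can be bypassed with an explicit acknowledgement variable makes the decision deliberate. The `Configure IP addresses` task continues below the hunk.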
|
||||
|
|
|
@ -8,7 +8,8 @@ back_log = 100
|
|||
# Maximum d'erreurs avant de blacklister un hote
|
||||
max_connect_errors = 10
|
||||
# Loguer les requetes trop longues
|
||||
slow_query_log = /var/log/mysql/mysql-slow.log
|
||||
slow_query_log = 1
|
||||
slow_query_log_file = /var/log/mysql/mysql-slow.log
|
||||
long_query_time = 10
|
||||
|
||||
###### Tailles
|
||||
|
@ -57,3 +58,5 @@ innodb_thread_concurrency = 16
|
|||
# charset utf8 par defaut
|
||||
character-set-server=utf8
|
||||
collation-server=utf8_general_ci
|
||||
# Patch MySQL 5.5.53
|
||||
secure-file-priv = ""
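Review bot: `secure-file-priv = ""` removes the directory restriction on `LOAD DATA INFILE` and `SELECT … INTO OUTFILE`, so any account holding the `FILE` privilege can read or write any path the `mysql` OS user can reach; the comment `# Patch MySQL 5.5.53` records when the server default changed but not why the restriction is being disabled rather than pointed at a directory. Prefer a dedicated directory, e.g. `secure-file-priv = /var/lib/mysql-files`, and state the reason in the comment: `# secure-file-priv: since 5.5.53 the server restricts file I/O by default; confine it to one directory instead of disabling the check`. This file is also copied into `mariadb.conf.d` on Debian 9, so the choice applies there too.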
|
||||
|
|
|
@ -13,3 +13,7 @@
|
|||
service:
|
||||
name: mysql
|
||||
state: restarted
|
||||
|
||||
- name: reload systemd
|
||||
command: systemctl daemon-reload
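Review bot: The new `reload systemd` handler shells out with `command: systemctl daemon-reload`, which bypasses check mode and always reports a change; the `systemd` module expresses the same action natively: `systemd:` / `daemon_reload: yes`. That also keeps the handlers file consistent with the `service:` module used by the restart handler just above it.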
|
||||
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: Copy MySQL defaults config file
|
||||
- name: "Copy MySQL defaults config file (jessie)"
|
||||
copy:
|
||||
src: evolinux-defaults.cnf
|
||||
dest: /etc/mysql/conf.d/z-evolinux-defaults.cnf
|
||||
|
@ -10,13 +10,13 @@
|
|||
tags:
|
||||
- mysql
|
||||
|
||||
- name: Copy MySQL custom config file
|
||||
- name: "Copy MySQL custom config file (jessie)"
|
||||
template:
|
||||
src: evolinux-custom.cnf.j2
|
||||
dest: /etc/mysql/conf.d/zzz-evolinux-custom.cnf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
mode: "0644"
|
||||
force: no
|
||||
tags:
|
||||
- mysql
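Review bot: Relaxing `zzz-evolinux-custom.cnf` from `mode: "0640"` to `"0644"` makes the rendered file world-readable; that is harmless for pure tuning values, but the file is the operator-editable one (`force: no`) and nothing in the task says credentials will never land in it. If the relaxation is intentional, record the reason on the task, e.g. `# 0644: this file carries only tuning options, never credentials`; otherwise keep `0640`.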
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
---
|
||||
- name: Copy MySQL defaults config file
|
||||
- name: "Copy MySQL defaults config file (Debian 9 or later)"
|
||||
copy:
|
||||
src: evolinux-defaults.cnf
|
||||
dest: /etc/mysql/mariadb.conf.d/z-evolinux-defaults.cnf
|
||||
|
@ -10,13 +10,25 @@
|
|||
tags:
|
||||
- mysql
|
||||
|
||||
- name: Copy MySQL custom config file
|
||||
- name: "Copy MySQL custom config file (Debian 9 or later)"
|
||||
template:
|
||||
src: evolinux-custom.cnf.j2
|
||||
dest: /etc/mysql/mariadb.conf.d/zzz-evolinux-custom.cnf
|
||||
owner: root
|
||||
group: root
|
||||
mode: "0640"
|
||||
mode: "0644"
|
||||
force: no
|
||||
tags:
|
||||
- mysql
|
||||
|
||||
- name: "Create a system config directory for systemd overrides (Debian 9 or later)"
|
||||
file:
|
||||
path: /etc/systemd/system/mariadb.service.d
|
||||
state: directory
|
||||
|
||||
- name: "Override MariaDB systemd unit (Debian 9 or later)"
|
||||
template:
|
||||
src: mariadb.systemd.j2
|
||||
dest: /etc/systemd/system/mariadb.service.d/evolinux.conf
|
||||
force: yes
|
||||
notify: reload systemd
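Review bot: The `Override MariaDB systemd unit` task only notifies `reload systemd`, so the drop-in is registered but the running `mariadb` service keeps its previous unit settings until something restarts it; either add the service restart handler to `notify` (a `state: restarted` handler for `mysql` exists in the handlers file, though its name is not visible here) or note on the task that the override takes effect at the next restart. The `Create a system config directory` task also sets no `owner`/`group`/`mode`, so the directory under `/etc/systemd/system` inherits the remote umask; `mode: "0755"` with `owner: root` makes that explicit.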
|
||||
|
|
4
mysql/templates/mariadb.systemd.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ProtectHome=false
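Review bot: `ProtectHome=false` switches off the sandboxing that the packaged `mariadb.service` applies, so `mysqld` can again read and write under `/home`, `/root` and `/run/user`, and the template gives no hint which path needs that. Add the reason above the directive, e.g. `# Evolinux keeps MySQL data/dumps under /home; relax ProtectHome so mysqld can reach them`, and confirm whether the narrower `ProtectHome=read-only` would suffice before shipping the fully open setting.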
|
|
@ -1,3 +1,3 @@
|
|||
Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libssl1.0.0
|
||||
Package: nginx nginx-common nginx-doc nginx-extras nginx-extras-dbg nginx-full nginx-full-dbg nginx-light nginx-light-dbg libnginx-mod-* libssl1.0.0
|
||||
Pin: release a=jessie-backports
|
||||
Pin-Priority: 999
|
||||
|
|
|
@ -24,7 +24,7 @@
|
|||
- name: Enable default vhost
|
||||
file:
|
||||
src: /etc/nginx/sites-available/evolinux-default.minimal.conf
|
||||
dest: /etc/nginx/sites-enabled/default.conf
|
||||
dest: /etc/nginx/sites-enabled/default
|
||||
state: link
|
||||
notify: reload nginx
|
||||
tags:
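Review bot: Changing the link `dest` to `/etc/nginx/sites-enabled/default` does not remove the `/etc/nginx/sites-enabled/default.conf` link created by earlier runs of this role, so on an already-managed host both links point at `evolinux-default.minimal.conf` and nginx loads the same server block twice (a fatal "duplicate default server" error if the block declares `default_server`, duplicate-name warnings otherwise). Add a task before this one: `file:` / `path: /etc/nginx/sites-enabled/default.conf` / `state: absent` with the same `notify: reload nginx`.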
|
||||
|
|
|
@ -1,5 +1,4 @@
|
|||
---
|
||||
ntpd_only_local: True
|
||||
ntpd_servers:
|
||||
- 'ntp.evolix.net'
|
||||
ntpd_acls:
|
||||
|
|
|
@ -2,11 +2,6 @@
|
|||
|
||||
driftfile /var/lib/ntp/ntp.drift
|
||||
|
||||
{% if ntpd_only_local is defined and ntpd_only_local %}
|
||||
# Only listen on 127.0.0.1 and ::1
|
||||
interface ignore wildcard
|
||||
|
||||
{% endif %}
|
||||
# Enable this if you want statistics to be logged.
|
||||
#statsdir /var/log/ntpstats/
|
||||
|
||||
|
@ -23,7 +18,6 @@ filegen clockstats file clockstats type day enable
|
|||
# pool: <http://www.pool.ntp.org/join.html>
|
||||
|
||||
#server pool.ntp.org
|
||||
|
||||
{% for server in ntpd_servers %}
|
||||
server {{ server }}
|
||||
{% endfor %}
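Review bot: Dropping the `interface ignore wildcard` block (and the `ntpd_only_local` switch that enabled it) means ntpd now binds every address on the host instead of loopback only, so the `restrict` lines rendered from `ntpd_acls` elsewhere in this template become the only thing stopping the daemon from answering arbitrary Internet queries or acting as an amplification reflector; those lines are outside the hunk, so confirm the default entries carry `noquery` and that UDP 123 is filtered at the firewall. If binding all interfaces is deliberate, say so where the block was removed: `# ntpd listens on all interfaces; access is governed by the restrict lines below`.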
|
||||
|
|
|
@ -55,7 +55,8 @@
|
|||
copy:
|
||||
dest: "{{ php_apache_custom_file }}"
|
||||
content: |
|
||||
# Put customized values here.
|
||||
; Put customized values here.
|
||||
; default_charset = "ISO-8859-1"
|
||||
force: no
|
||||
|
||||
- name: "Set custom values for PHP to enable Symfony"
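Review bot: Switching the placeholder from `# Put customized values here.` to the `;` form fixes the php.ini syntax (PHP 7 dropped `#` comments in ini files), but the task keeps `force: no`, so every host that already received the `#` version keeps the broken line and only fresh installs get the fix. If the file must stay operator-editable, add a `lineinfile` that rewrites just that line — `regexp: '^# Put customized values here\.$'`, `line: '; Put customized values here.'` — and apply the same to the sibling fpm and cli tasks changed in this commit.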
|
||||
|
|
|
@ -59,7 +59,7 @@
|
|||
copy:
|
||||
dest: "{{ phpini_fpm_custom_file }}"
|
||||
content: |
|
||||
# Put customized values here.
|
||||
; Put customized values here.
|
||||
force: no
|
||||
|
||||
- name: Set default PHP FPM values
|
||||
|
@ -85,7 +85,8 @@
|
|||
copy:
|
||||
dest: "{{ php_fpm_custom_file }}"
|
||||
content: |
|
||||
# Put customized values here.
|
||||
; Put customized values here.
|
||||
; default_charset = "ISO-8859-1"
|
||||
force: no
|
||||
|
||||
- name: "Set custom values for PHP to enable Symfony"
|
||||
|
|
|
@ -50,7 +50,7 @@
|
|||
copy:
|
||||
dest: "{{ phpini_cli_custom_file }}"
|
||||
content: |
|
||||
# Put customized values here.
|
||||
; Put customized values here.
|
||||
force: no
|
||||
|
||||
- name: "Set custom values for PHP to enable Symfony (jessie)"
|
||||
|
|
|
@ -51,7 +51,8 @@
|
|||
copy:
|
||||
dest: "{{ phpini_cli_custom_file }}"
|
||||
content: |
|
||||
# Put customized values here.
|
||||
; Put customized values here.
|
||||
; default_charset = "ISO-8859-1"
|
||||
force: no
|
||||
|
||||
- name: "Set custom values for PHP to enable Symfony (Debian 9 or later)"
|
||||
|
|
|
@ -2,5 +2,5 @@
|
|||
- name: logrotate configuration
|
||||
template:
|
||||
src: logrotate.j2
|
||||
dest: /etc/logrotate.d/{{ squid_daemoname }}
|
||||
dest: /etc/logrotate.d/{{ squid_daemon_name }}
|
||||
force: no
|
||||
|
|
|
@ -7,12 +7,12 @@
|
|||
|
||||
- name: "Set squid name (jessie)"
|
||||
set_fact:
|
||||
squid_daemoname: squid3
|
||||
squid_daemon_name: squid3
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Set squid name (Debian 9 or later)"
|
||||
set_fact:
|
||||
squid_daemoname: squid
|
||||
squid_daemon_name: squid
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: "Install Squid packages"
|
||||
|
@ -20,7 +20,7 @@
|
|||
name: '{{ item }}'
|
||||
state: present
|
||||
with_items:
|
||||
- "{{ squid_daemoname }}"
|
||||
- "{{ squid_daemon_name }}"
|
||||
- squidclient
|
||||
|
||||
- name: "Set alternative config file (Debian 9 or later)"
|
||||
|
@ -40,6 +40,7 @@
|
|||
copy:
|
||||
src: whitelist-evolinux.conf
|
||||
dest: /etc/squid3/whitelist.conf
|
||||
force: no
|
||||
notify: "reload squid3"
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
|
@ -113,7 +114,17 @@
|
|||
force: no
|
||||
when: squid_localproxy_enable == False and ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: add some URL in whitelist
|
||||
- name: add some URL in whitelist (Debian 8)
|
||||
lineinfile:
|
||||
insertafter: EOF
|
||||
dest: /etc/squid3/whitelist.conf
|
||||
line: "{{ item }}"
|
||||
state: present
|
||||
with_items: '{{ squid_whitelist_items }}'
|
||||
notify: "reload squid3"
|
||||
when: ansible_distribution_major_version == '8'
|
||||
|
||||
- name: add some URL in whitelist (Debian 9 or later)
|
||||
lineinfile:
|
||||
insertafter: EOF
|
||||
dest: /etc/squid/evolinux-whitelist-custom.conf
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
file = /var/log/{{ squid_daemoname }}/access.log
|
||||
file = /var/log/{{ squid_daemon_name }}/access.log
|
||||
pattern = "TCP_DENIED"
|
||||
mailto = {{ log2mail_alert_email or general_alert_email | mandatory }}
|
||||
template = /etc/log2mail/mail
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
/var/log/{{ squid_daemoname }}/*.log {
|
||||
/var/log/{{ squid_daemon_name }}/*.log {
|
||||
monthly
|
||||
compress
|
||||
rotate 12
|
||||
|
@ -6,6 +6,6 @@
|
|||
create 640 proxy adm
|
||||
sharedscripts
|
||||
postrotate
|
||||
test ! -e /var/run/{{ squid_daemoname }}.pid || /usr/sbin/{{ squid_daemoname }} -k rotate
|
||||
test ! -e /var/run/{{ squid_daemon_name }}.pid || /usr/sbin/{{ squid_daemon_name }} -k rotate
|
||||
endscript
|
||||
}
|
||||
|
|
|
@ -34,10 +34,10 @@
|
|||
tags:
|
||||
- varnish
|
||||
|
||||
- name: Modify Varnish configuration files
|
||||
- name: Override Varnish systemd unit
|
||||
template:
|
||||
src: varnish.conf.j2
|
||||
dest: /etc/systemd/system/varnish.service.d/varnish.conf
|
||||
dest: /etc/systemd/system/varnish.service.d/evolinux.conf
|
||||
force: yes
|
||||
notify: reload systemd
|
||||
tags:
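Review bot: Renaming the drop-in `dest` from `varnish.service.d/varnish.conf` to `varnish.service.d/evolinux.conf` leaves the old file on hosts already managed by this role, and systemd parses drop-ins in lexical order with later ones winning, so the stale `varnish.conf` (sorting after `evolinux.conf`) keeps overriding `ExecStart`/`ExecReload` with whatever it held when last rendered. Add a task removing it: `file:` / `path: /etc/systemd/system/varnish.service.d/varnish.conf` / `state: absent` with `notify: reload systemd`. The task list continues outside the hunk.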
|
||||
|
|
|
@ -1,7 +1,5 @@
|
|||
# {{ ansible_managed }}
|
||||
|
||||
[Service]
|
||||
ExecStart=
|
||||
ExecStart=/usr/sbin/varnishd -a {{ varnish_addresses | join(',') }} -T {{ varnish_management_address }} -f {{ varnish_config_file }} -S {{ varnish_secret_file }} -s {{ varnish_storage }} -p thread_pools={{ varnish_thread_pools }} -p thread_pool_add_delay={{ varnish_thread_pool_add_delay }} -p thread_pool_min={{ varnish_thread_pool_min }} -p thread_pool_max={{ varnish_thread_pool_max }}
|
||||
ExecReload=
|
||||
ExecReload=/etc/varnish/reload-vcl.sh
|
||||
|
|
|
@ -12,12 +12,24 @@
|
|||
name: www-evoadmin
|
||||
state: present
|
||||
|
||||
- name: "Create www-evoadmin and add to group shadow (jessie)"
|
||||
user:
|
||||
name: www-evoadmin
|
||||
groups: shadow
|
||||
append: yes
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: "Create www-evoadmin (Debian 9 or later)"
|
||||
user:
|
||||
name: www-evoadmin
|
||||
when: ansible_distribution_major_version | version_compare('9', '>=')
|
||||
|
||||
- name: Install Git
|
||||
apt:
|
||||
name: git
|
||||
state: present
|
||||
|
||||
- name: Clone evoadmin repository
|
||||
- name: "Clone evoadmin repository (jessie)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-web.git
|
||||
dest: "{{ evoadmin_document_root}}"
|
||||
|
@ -27,7 +39,7 @@
|
|||
become_user: "{{ evoadmin_username }}"
|
||||
when: ansible_distribution_release == "jessie"
|
||||
|
||||
- name: Clone evoadmin repository
|
||||
- name: "Clone evoadmin repository (Debian 9 or later)"
|
||||
git:
|
||||
repo: https://forge.evolix.org/evoadmin-web.git
|
||||
dest: "{{ evoadmin_document_root}}"
|
||||
|
@ -61,12 +73,6 @@
|
|||
with_items:
|
||||
- "{{ evoadmin_home_dir}}/www"
|
||||
|
||||
- name: Add www-evoadmin to group shadow
|
||||
user:
|
||||
name: www-evoadmin
|
||||
groups: shadow
|
||||
append: yes
|
||||
|
||||
- name: Add evoadmin sudoers file
|
||||
template:
|
||||
src: sudoers.j2
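Review bot: The jessie-only task still adds `www-evoadmin` to the `shadow` group, which lets the web front-end's user read every password hash on the host; the Debian 9 branch creates the user without that group, but since the jessie task uses `append: yes` and no task ever removes the membership, a host upgraded from jessie keeps it. Add a Debian 9+ task that strips it (`user:` with `groups: ''` and `append: no` if the account has no other supplementary groups, or `command: gpasswd -d www-evoadmin shadow` guarded by a membership check), and a comment on the jessie task stating why the evoadmin code needs `/etc/shadow` access there. The surrounding task list continues outside the hunks.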
|
||||
|
|
|
@ -46,9 +46,3 @@
|
|||
owner: evoadmin
|
||||
group: evoadmin
|
||||
force: no
|
||||
|
||||
- name: add www-evoadmin to shadow group
|
||||
user:
|
||||
name: www-evoadmin
|
||||
groups: shadow
|
||||
append: yes
|
||||
|
|