evolix/ansible-roles
22
2
Fork 2
Code Issues 61 Pull requests 18 Releases 32 Wiki Activity

empty commit, only :retab

Browse source
This commit is contained in:
Gregory Colpart 2017-09-21 00:39:06 +02:00
parent 81698d03de
commit 7ea5982611
3 changed files with 159 additions and 159 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
evoacme/files/certbot.cron
View file

@ -10,5 +10,5 @@
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
find "${CRT_DIR}" -maxdepth 1 -mindepth 1 -type d ! -path "*accounts" -exec basename {} \; | while read vhost; do
evoacme "$vhost"
evoacme "$vhost"
done

104
evoacme/files/evoacme.sh
View file

@ -8,12 +8,12 @@
#
usage() {
echo "Usage: $0 NAME"
echo ""
echo "NAME must be correspond to :"
echo "- a CSR in ${CSR_DIR}/NAME.csr"
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
echo ""
echo "Usage: $0 NAME"
echo ""
echo "NAME must be correspond to :"
echo "- a CSR in ${CSR_DIR}/NAME.csr"
echo "- a KEY in ${SSL_KEY_DIR}/NAME.key"
echo ""
}
mkconf_apache() {
@ -27,58 +27,58 @@ mkconf_nginx() {
}
mkconf_haproxy() {
mkdir -p /etc/ssl/haproxy -m 700
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
mkdir -p /etc/ssl/haproxy -m 700
cat "$CRT_DIR/${vhost}/live/fullchain.pem" "$SSL_KEY_DIR/${vhost}.key" > "/etc/ssl/haproxy/${vhost}.pem"
[ -f "$DH_DIR/${vhost}.pem" ] && cat "$DH_DIR/${vhost}.pem" >> "/etc/ssl/haproxy/${vhost}.pem"
haproxy -c -f /etc/haproxy/haproxy.cfg >/dev/null && service haproxy reload
}
main() {
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
[ "$#" -ne 1 ] && usage && exit 1
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
[ -z "${DH_DIR}" ] && DH_DIR='/etc/ssl/dhparam'
[ -z "${LOG_DIR}" ] && LOG_DIR='/var/log/evoacme'
[ "$#" -ne 1 ] && usage && exit 1
vhost=$(basename "$1" .conf)
vhost=$(basename "$1" .conf)
# Check master status for evoadmin-cluster
if [ -f "/home/${vhost}/state" ]; then
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
fi
# Check master status for evoadmin-cluster
if [ -f "/home/${vhost}/state" ]; then
grep -q "STATE=master" "/home/${vhost}/state" || exit 0
fi
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
if [ -n "$SSL_EMAIL" ]; then
emailopt="-m $SSL_EMAIL"
else
emailopt="--register-unsafely-without-email"
fi
DATE=$(date "+%Y%m%d")
if [ -h "$CRT_DIR/${vhost}/live" ]; then
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
date_crt=$(date -ud "$crt_end_date" +"%s")
date_today=$(date +'%s')
date_diff=$(((date_crt - date_today) / (60*60*24)))
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
fi
rm -rf "$CRT_DIR/${vhost}/${DATE}"
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
chown -R acme: "$CRT_DIR/${vhost}"
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
rm -f "$CRT_DIR/${vhost}/live"
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
which haproxy >/dev/null && mkconf_haproxy
else
rmdir "$CRT_DIR/${vhost}/${DATE}"
fi
SSL_EMAIL=$(grep emailAddress "${CRT_DIR}/openssl.cnf"|cut -d'=' -f2|xargs)
if [ -n "$SSL_EMAIL" ]; then
emailopt="-m $SSL_EMAIL"
else
emailopt="--register-unsafely-without-email"
fi
DATE=$(date "+%Y%m%d")
if [ -h "$CRT_DIR/${vhost}/live" ]; then
crt_end_date=$(openssl x509 -noout -enddate -in "$CRT_DIR/${vhost}/live/cert.crt"|sed -e "s/.*=//")
date_crt=$(date -ud "$crt_end_date" +"%s")
date_today=$(date +'%s')
date_diff=$(((date_crt - date_today) / (60*60*24)))
[ "$date_diff" -ge "$SSL_MINDAY" ] && exit 0
fi
rm -rf "$CRT_DIR/${vhost}/${DATE}"
mkdir -pm 755 "$CRT_DIR/${vhost}/${DATE}"
chown -R acme: "$CRT_DIR/${vhost}"
sudo -u acme certbot certonly --quiet --webroot --csr "$CSR_DIR/${vhost}.csr" --webroot-path "$ACME_DIR" -n --agree-tos --cert-path="$CRT_DIR/${vhost}/${DATE}/cert.crt" --fullchain-path="$CRT_DIR/${vhost}/${DATE}/fullchain.pem" --chain-path="$CRT_DIR/${vhost}/${DATE}/chain.pem" "$emailopt" --logs-dir "$LOG_DIR" 2>&1 | grep -v "certbot.crypto_util"
if [ -f "$CRT_DIR/${vhost}/${DATE}/fullchain.pem" ]; then
rm -f "$CRT_DIR/${vhost}/live"
ln -s "$CRT_DIR/${vhost}/${DATE}" "$CRT_DIR/${vhost}/live"
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
which haproxy >/dev/null && mkconf_haproxy
else
rmdir "$CRT_DIR/${vhost}/${DATE}"
fi
}
main "$@"

212
evoacme/files/make-csr.sh
View file

@ -8,143 +8,143 @@
#
get_domains() {
echo "$vhostfile"|grep -q nginx
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
fi
echo "$vhostfile" |grep -q apache2
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
fi
valid_domains=""
nb=0
echo "Valid(s) domain(s) in $vhost :"
for domain in $domains; do
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
for ip in $(echo "$SRV_IP"|xargs -n1); do
if [ "${ip}" = "${real_ip}" ]; then
valid_domains="$valid_domains $domain"
nb=$(( nb + 1 ))
echo "* $domain -> $real_ip"
fi
done
done
if [ "$nb" -eq 0 ]; then
nb=$(echo "$domains"|wc -l)
echo "* No valid domain found"
echo "All following(s) domain(s) will be used for CSR creation :"
for domain in $domains; do
echo "* $domain"
done
else
domains="$valid_domains"
fi
domains=$(echo "$domains"|xargs -n1)
echo "$vhostfile"|grep -q nginx
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "[^\$]server_name.*;$"|sed 's/server_name//'|tr -d ';'|sed 's/\s\{1,\}//'|sed 's/\s\{1,\}/\n/g'|sort|uniq)
fi
echo "$vhostfile" |grep -q apache2
if [ "$?" -eq 0 ]; then
domains=$(grep -oE "^( )*[^#]+" "$vhostfile" |grep -oE "(ServerName|ServerAlias).*"|sed 's/ServerName//'|sed 's/ServerAlias//'|sed 's/\s\{1,\}//'|sort|uniq)
fi
valid_domains=""
nb=0
echo "Valid(s) domain(s) in $vhost :"
for domain in $domains; do
real_ip=$(dig +short "$domain"|grep -oE "([0-9]+\.){3}[0-9]+")
for ip in $(echo "$SRV_IP"|xargs -n1); do
if [ "${ip}" = "${real_ip}" ]; then
valid_domains="$valid_domains $domain"
nb=$(( nb + 1 ))
echo "* $domain -> $real_ip"
fi
done
done
if [ "$nb" -eq 0 ]; then
nb=$(echo "$domains"|wc -l)
echo "* No valid domain found"
echo "All following(s) domain(s) will be used for CSR creation :"
for domain in $domains; do
echo "* $domain"
done
else
domains="$valid_domains"
fi
domains=$(echo "$domains"|xargs -n1)
}
make_key() {
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
chown root: "$SSL_KEY_DIR/${vhost}.key"
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
openssl genrsa -out "$SSL_KEY_DIR/${vhost}.key" "$SSL_KEY_SIZE" 2>/dev/null
chown root: "$SSL_KEY_DIR/${vhost}.key"
chmod 600 "$SSL_KEY_DIR/${vhost}.key"
}
make_csr() {
domains="$1"
nb=$(echo "$domains"|wc -l)
config_file="/tmp/make-csr-${vhost}.conf"
domains="$1"
nb=$(echo "$domains"|wc -l)
config_file="/tmp/make-csr-${vhost}.conf"
mkdir -p "$CSR_DIR" -m 0755
if [ "$nb" -eq 1 ]; then
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
mkdir -p "$CSR_DIR" -m 0755
if [ "$nb" -eq 1 ]; then
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
CN=$domains
EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
elif [ "$nb" -gt 1 ]; then
san=''
for domain in $domains
do
san="$san,DNS:$domain"
done
san=$(echo "$san"|sed 's/,//')
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -config "$config_file" -out "$CSR_DIR/${vhost}.csr"
elif [ "$nb" -gt 1 ]; then
san=''
for domain in $domains
do
san="$san,DNS:$domain"
done
san=$(echo "$san"|sed 's/,//')
cat /etc/letsencrypt/openssl.cnf - > "$config_file" <<EOF
[SAN]
subjectAltName=$san
EOF
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
fi
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
chmod 644 "$CSR_DIR/${vhost}.csr"
mkdir -p "$SELF_SIGNED_DIR" -m 0755
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
fi
openssl req -new -sha256 -key "$SSL_KEY_DIR/${vhost}.key" -reqexts SAN -config "$config_file" > "$CSR_DIR/${vhost}.csr"
fi
if [ -f "$CSR_DIR/${vhost}.csr" ]; then
chmod 644 "$CSR_DIR/${vhost}.csr"
mkdir -p "$SELF_SIGNED_DIR" -m 0755
openssl x509 -req -sha256 -days 365 -in "$CSR_DIR/${vhost}.csr" -signkey "$SSL_KEY_DIR/${vhost}.key" -out "$SELF_SIGNED_DIR/${vhost}.pem"
[ -f "$SELF_SIGNED_DIR/${vhost}.pem" ] && chmod 644 "$SELF_SIGNED_DIR/${vhost}.pem"
fi
}
mkconf_apache() {
mkdir -p /etc/apache2/ssl
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
mkdir -p /etc/apache2/ssl
if [ ! -f "/etc/apache2/ssl/${vhost}.conf" ]; then
cat > "/etc/apache2/ssl/${vhost}.conf" <<EOF
SSLEngine On
SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem
SSLCertificateKeyFile $SSL_KEY_DIR/${vhost}.key
EOF
else
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
fi
else
sed -i "s~^SSLCertificateFile.*$~SSLCertificateFile $SELF_SIGNED_DIR/${vhost}.pem~" "/etc/apache2/ssl/${vhost}.conf"
fi
}
mkconf_nginx() {
mkdir -p /etc/nginx/ssl
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
mkdir -p /etc/nginx/ssl
if [ ! -f "/etc/nginx/ssl/${vhost}.conf" ]; then
cat > "/etc/nginx/ssl/${vhost}.conf" <<EOF
ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;
ssl_certificate_key $SSL_KEY_DIR/${vhost}.key;
EOF
else
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
fi
else
sed -i "s~^ssl_certificate[^_].*$~ssl_certificate $SELF_SIGNED_DIR/${vhost}.pem;~" "/etc/nginx/ssl/${vhost}.conf"
fi
}
main() {
if [ "$#" -ne 1 ]; then
echo "You need to provide one argument !" >&2
exit 1
fi
vhost=$(basename "$1" .conf)
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
if [ "$#" -ne 1 ]; then
echo "You need to provide one argument !" >&2
exit 1
fi
vhost=$(basename "$1" .conf)
local_ip=$(ip a|grep brd|cut -d'/' -f1|grep -oE "([0-9]+\.){3}[0-9]+")
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
if [ ! -h "$vhostfile" ]; then
echo "$vhost is not a valid virtualhost !" >&2
exit 1
fi
[ -f /etc/default/evoacme ] && . /etc/default/evoacme
[ -z "${SSL_KEY_DIR}" ] && SSL_KEY_DIR='/etc/ssl/private'
[ -z "${CSR_DIR}" ] && CSR_DIR='/etc/ssl/requests'
[ -z "${CRT_DIR}" ] && CRT_DIR='/etc/letsencrypt'
[ -z "${SELF_SIGNED_DIR}" ] && SELF_SIGNED_DIR='/etc/ssl/self-signed'
SSL_KEY_SIZE=$(grep default_bits /etc/letsencrypt/openssl.cnf|cut -d'=' -f2|xargs)
[ -n "${SRV_IP}" ] && SRV_IP="${SRV_IP} $local_ip" || SRV_IP="$local_ip"
vhostfile=$(ls "/etc/nginx/sites-enabled/${vhost}" "/etc/nginx/sites-enabled/${vhost}.conf" "/etc/apache2/sites-enabled/${vhost}" "/etc/apache2/sites-enabled/${vhost}.conf" 2>/dev/null|head -n1)
if [ ! -h "$vhostfile" ]; then
echo "$vhost is not a valid virtualhost !" >&2
exit 1
fi
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
echo "$vhost key already exist, overwrite it ? (y)"
read REPLY
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
fi
if [ -f "$SSL_KEY_DIR/${vhost}.key" ]; then
echo "$vhost key already exist, overwrite it ? (y)"
read REPLY
[ "$REPLY" = "Y" ] || [ "$REPLY" = "y" ] || exit 0
rm -f "/etc/apache2/ssl/${vhost}.conf /etc/nginx/ssl/${vhost}.conf"
[ -h "${CRT_DIR}/${vhost}/live" ] && rm "${CRT_DIR}/${vhost}/live"
fi
get_domains
make_key
make_csr "$domains"
which apache2ctl >/dev/null && mkconf_apache
get_domains
make_key
make_csr "$domains"
which apache2ctl >/dev/null && mkconf_apache
which nginx >/dev/null && mkconf_nginx
}