---
- name: remove default ubuntu key
  # The ssl-cert package ships a self-signed "snakeoil" key pair. Dropping the
  # private half guarantees no service can be (mis)configured to serve it.
  # NOTE(review): only the key is removed here; the matching public cert under
  # /etc/ssl/certs/ is left alone, and reconfiguring the ssl-cert package may
  # regenerate the pair -- confirm that is acceptable.
  file:
    state: absent
    path: /etc/ssl/private/ssl-cert-snakeoil.key
- name: create cert maint group
  # Dedicated group for the cert-maintenance principal. A fixed gid keeps the
  # id identical on every host this role is applied to.
  group:
    state: present
    gid: 1070
    name: certmaint
- name: create cert maint user
  # Unprivileged account that receives renewed certs and keys (pushed over scp,
  # per the notes on the copy tasks below). Its primary group is ssl-cert so
  # it can read the 0640 key files deployed below, and it owns them so it can
  # replace them; the supplementary certmaint group is what the sudoers
  # fragment at the end of this file keys on. No password is set here, so with
  # the usual useradd defaults password login stays disabled and the account
  # is reachable only through its authorized SSH key.
  user:
    state: present
    name: certmaint
    uid: 1070
    group: ssl-cert
    groups:
      - certmaint
    # presumably a real shell is required for the scp-based uploads
    shell: /bin/sh
    create_home: true
#- name: allow certmaint to maint certs and keys (default)
# acl:
# path: /etc/ssl/
# etype: user
# entity: certmaint
# permissions: rw
# default: yes
# recursive: yes
# state: present
# no_log: true
#- name: allow certmaint to maint certs and keys (actual certs)
# acl:
# path: /etc/ssl/
# etype: user
# entity: certmaint
# permissions: rwx
# state: present
# no_log: true
#- name: allow certmaint to maint certs and keys (actual keys)
# acl:
# path: /etc/ssl/private/
# etype: user
# entity: certmaint
# permissions: rwx
# state: present
# no_log: true
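# Keys are private: only owner can read/write, and only group can read
- name: populate required keys (common types)
  # Deploys tls/private/<host>-key.<type>.pem for every host x keyType pair.
  # Handles the case where certs.required is a flat list of hostnames; the
  # mapping-shaped form is handled by the "(specific types)" task below.
  copy:
    src: "tls/private/{{ item[0] }}-key.{{ item[1] }}.pem"
    # trailing slash: place the file inside the directory under its own name
    dest: /etc/ssl/private/
    owner: certmaint
    group: ssl-cert
    # quoted: a bare 0640 is parsed by YAML as an integer (ansible-lint
    # risky-octal); the string form is unambiguous
    mode: "0640"
  loop: "{{ certs.required | product(certs.keyTypes) | list }}"
  # length guard so an empty list can never be indexed at [0]
  when: certs.required | length > 0 and certs.required[0] is string
  # private key material: keep it out of --diff / verbose output and logs
  no_log: true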
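# Certs are owned by 'certmaint' so user 'certmaint' can update them over scp
# Certs are public (obviously)
- name: populate required certs (common types)
  # Deploys tls/<host>-cert-combined.<type>.pem for every host x keyType pair
  # when certs.required is a flat list of hostnames.
  copy:
    src: "tls/{{ item[0] }}-cert-combined.{{ item[1] }}.pem"
    # trailing slash: place the file inside the directory under its own name
    dest: /etc/ssl/
    owner: certmaint
    # quoted: a bare 0644 is parsed by YAML as an integer (ansible-lint
    # risky-octal); the string form is unambiguous
    mode: "0644"
  loop: "{{ certs.required | product(certs.keyTypes) | list }}"
  # length guard so an empty list can never be indexed at [0]
  when: certs.required | length > 0 and certs.required[0] is string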
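# Keys are private: only owner can read/write, and only group can read
- name: populate required keys (specific types)
  # Deploys one key per {host, type} mapping when certs.required is a list of
  # mappings rather than bare hostnames.
  copy:
    src: "tls/private/{{ item.host }}-key.{{ item.type }}.pem"
    # trailing slash: place the file inside the directory under its own name
    dest: /etc/ssl/private/
    owner: certmaint
    group: ssl-cert
    # quoted: a bare 0640 is parsed by YAML as an integer (ansible-lint
    # risky-octal); the string form is unambiguous
    mode: "0640"
  loop: "{{ certs.required }}"
  # length guard so an empty list can never be indexed at [0]
  when: certs.required | length > 0 and certs.required[0] is mapping
  # private key material: keep it out of --diff / verbose output and logs
  no_log: true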
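# Certs are owned by 'certmaint' so user 'certmaint' can update them over scp
# Certs are public (obviously)
- name: populate required certs (specific types)
  # Deploys one combined cert per {host, type} mapping when certs.required is
  # a list of mappings rather than bare hostnames.
  copy:
    src: "tls/{{ item.host }}-cert-combined.{{ item.type }}.pem"
    # trailing slash: place the file inside the directory under its own name
    dest: /etc/ssl/
    owner: certmaint
    # quoted: a bare 0644 is parsed by YAML as an integer (ansible-lint
    # risky-octal); the string form is unambiguous
    mode: "0644"
  loop: "{{ certs.required }}"
  # length guard so an empty list can never be indexed at [0]
  when: certs.required | length > 0 and certs.required[0] is mapping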
- name: plop LE cert chain
  # Intermediate used to complete the served chain. World-readable like the
  # certs above, and certmaint-owned so the receiver can refresh it as well.
  # NOTE(review): the "X3 cross-signed" Let's Encrypt intermediate has since
  # been retired upstream; confirm this file still matches the chain the
  # currently issued certs need, or the served chain will fail validation.
  copy:
    src: tls/lets-encrypt-x3-cross-signed.pem
    dest: /etc/ssl/
    owner: certmaint
    mode: "0644"
- name: plop remote LE challenge redirector
  # Only the designated cert receiver gets the challenge-forwarding script
  # (presumably it relays ACME HTTP challenges; its contents are not shown
  # here). Copied by the connecting user, so ownership follows that user.
  copy:
    src: leforward.py
    dest: /usr/local/bin/
    mode: "0755"
  when: certs.receiver is defined and certs.receiver
# Look up every local account. The getent module exposes the result as the
# fact 'getent_passwd', keyed by username, with the remaining /etc/passwd
# fields as a list (index 4 is the home directory) -- used by the tasks below.
- name: get all user details so we can populate home directories
  getent:
    database: passwd
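# Copy users/<hostname>/<username>/ contents into that user's remote home directory
- name: verify explicit user keys exist as expected
  copy:
    # trailing slash: copy the directory's contents, not the directory itself
    src: "users/{{ inventory_hostname }}/{{ item }}/"
    # getent_passwd[<user>] holds the /etc/passwd fields after the username
    # (tokenized on ':'), so index 4 is the home directory. An unknown user
    # in certs.sshKeysForUsers fails the task here rather than writing
    # somewhere unexpected.
    dest: "{{ getent_passwd[item][4] }}"
    owner: "{{ item }}"
    # files are private to the user; any directory created on the way
    # (e.g. .ssh) gets 0700, which sshd's StrictModes expects for ~/.ssh.
    # Quoted: bare 0600/0700 are parsed by YAML as integers (risky-octal).
    mode: "0600"
    directory_mode: "0700"
    # NOTE(review): confirm that with a directory src the 0600 mode is not
    # applied to the existing home directory itself -- that would lock the
    # user out of $HOME.
  loop: "{{ certs.sshKeysForUsers }}"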
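# TODO: we could make one key per action then restrict actions by ssh key.
# (postfix key, dovecot key, nginx key, leforward key)
# Until then, the authorized_keys options (command=, from=, restrict) inside
# users/certmaint/ -- not visible here -- are the place to limit what the
# single receiver key may do.
- name: verify certmaint receiver key exists
  # Same shape as the per-user task above, but the certmaint key material is
  # shared across hosts (users/certmaint/, no hostname component).
  copy:
    # trailing slash: copy the directory's contents, not the directory itself
    src: "users/certmaint/"
    # index 4 of the getent_passwd entry is the home directory
    dest: "{{ getent_passwd[item][4] }}"
    owner: "{{ item }}"
    # quoted: bare 0600/0700 are parsed by YAML as integers (risky-octal)
    mode: "0600"
    directory_mode: "0700"
  # single-item loop so 'item' can be reused in dest/owner exactly as above
  loop:
    - certmaint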
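- name: allow certmaint group to sudo reload relevant services
  # Drop-in sudoers fragment: members of certmaint may run exactly these three
  # reload commands as root without a password. sudo matches the full argument
  # list, so no other service or action is reachable through this rule.
  lineinfile:
    path: /etc/sudoers.d/certmaint_reloads
    # one managed line; re-runs replace it rather than appending duplicates
    regexp: "^%certmaint"
    line: "%certmaint ALL = (root) NOPASSWD: /usr/sbin/service postfix reload, /usr/sbin/service dovecot reload, /usr/sbin/service nginx reload"
    create: true
    # sudo silently ignores sudoers.d fragments that are not root-owned or are
    # group/world writable; make ownership explicit instead of relying on the
    # connecting user's identity
    owner: root
    group: root
    # quoted: a bare 0440 is parsed by YAML as an integer (risky-octal)
    mode: "0440"
    # syntax-check the fragment before it is moved into place; a malformed
    # sudoers.d file would otherwise break sudo for every user on the host
    validate: /usr/sbin/visudo -cf %s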