---
# Remove the distro-generated placeholder key (ssl-cert package) before the
# real keys are installed below.
- name: remove default ubuntu key
  file:
    state: absent
    path: /etc/ssl/private/ssl-cert-snakeoil.key
# Dedicated group for the certificate-maintenance account.
- name: create cert maint group
  group:
    name: certmaint
    state: present
    # Fixed gid; the certmaint user below is given the same number as its uid.
    gid: 1070
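# Service account that owns the installed certs and receives updates over ssh.
- name: create cert maint user
  user:
    name: certmaint
    # Same number as the certmaint gid created above.
    uid: 1070
    # ssl-cert is also the group given to the copied private keys.
    group: ssl-cert
    groups:
    - certmaint
    shell: /bin/sh
    # A home directory is required: the receiver ssh key is copied into it
    # by a later task via getent_passwd.
    create_home: true
    state: present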
#- name: allow certmaint to maint certs and keys (default)
# acl:
# path: /etc/ssl/
# etype: user
# entity: certmaint
# permissions: rw
# default: yes
# recursive: yes
# state: present
# no_log: true
#- name: allow certmaint to maint certs and keys (actual certs)
# acl:
# path: /etc/ssl/
# etype: user
# entity: certmaint
# permissions: rwx
# state: present
# no_log: true
#- name: allow certmaint to maint certs and keys (actual keys)
# acl:
# path: /etc/ssl/private/
# etype: user
# entity: certmaint
# permissions: rwx
# state: present
# no_log: true
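# Keys are private: only owner can read/write, and only group can read
- name: populate required keys (common types)
  copy:
    src: "tls/private/{{ item[0] }}-key.{{ item[1] }}.pem"
    dest: /etc/ssl/private/
    # Quoted so YAML hands Ansible the mode as a string rather than an
    # integer (Ansible documents quoting or a leading zero as the two options).
    mode: "0640"
    owner: certmaint
    group: ssl-cert
  # One (host, key type) pair per iteration.
  loop: "{{ certs.required |product(certs.keyTypes) |list }}"
  # Flat form of certs.required (a list of host names); the mapping form is
  # handled by the "specific types" task.
  when: certs.required[0] is string
  # NOTE(review): in --diff mode copy may print file contents; consider
  # no_log: true for key material, as the commented-out acl tasks do.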
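# Certs are owned by 'certmaint' so user 'certmaint' can update them over scp
# Certs are public (obviously)
- name: populate required certs (common types)
  copy:
    src: "tls/{{ item[0] }}-cert-combined.{{ item[1] }}.pem"
    dest: /etc/ssl/
    # Quoted so the mode reaches Ansible as a string, not a YAML integer.
    mode: "0644"
    owner: certmaint
  # One (host, key type) pair per iteration.
  loop: "{{ certs.required |product(certs.keyTypes) |list }}"
  # Flat form of certs.required (a list of host names).
  when: certs.required[0] is string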
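# Keys are private: only owner can read/write, and only group can read
- name: populate required keys (specific types)
  copy:
    src: "tls/private/{{ item.host }}-key.{{ item.type }}.pem"
    dest: /etc/ssl/private/
    # Quoted so the mode reaches Ansible as a string, not a YAML integer.
    mode: "0640"
    owner: certmaint
    group: ssl-cert
  # Each item is a mapping with host and type keys.
  loop: "{{ certs.required }}"
  # Mapping form of certs.required; the flat form is handled by the
  # "common types" task.
  when: certs.required[0] is mapping
  # NOTE(review): in --diff mode copy may print file contents; consider
  # no_log: true for key material.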
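# Certs are owned by 'certmaint' so user 'certmaint' can update them over scp
# Certs are public (obviously)
- name: populate required certs (specific types)
  copy:
    src: "tls/{{ item.host }}-cert-combined.{{ item.type }}.pem"
    dest: /etc/ssl/
    # Quoted so the mode reaches Ansible as a string, not a YAML integer.
    mode: "0644"
    owner: certmaint
  # Each item is a mapping with host and type keys.
  loop: "{{ certs.required }}"
  # Mapping form of certs.required.
  when: certs.required[0] is mapping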
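# Intermediate CA certificate for the Let's Encrypt chain; public, so 0644.
- name: plop LE cert chain
  copy:
    src: "tls/lets-encrypt-x3-cross-signed.pem"
    dest: /etc/ssl/
    # Quoted so the mode reaches Ansible as a string, not a YAML integer.
    mode: "0644"
    owner: certmaint
  # NOTE(review): this names one specific intermediate; confirm it is still the
  # issuer of the deployed certs before relying on it for chain building.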
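# Helper script for hosts that receive ACME challenges on behalf of others.
- name: plop remote LE challenge redirector
  copy:
    src: leforward.py
    dest: /usr/local/bin/
    # Executable for everyone, writable only by the owner; quoted so the mode
    # reaches Ansible as a string, not a YAML integer.
    mode: "0755"
  # Only when the host is explicitly flagged as a receiver.
  when:
  - certs.receiver is defined and certs.receiver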
# Read the passwd database; the result is exposed as the getent_passwd fact,
# keyed by user name, which the home-directory tasks below index.
- name: get all user details so we can populate home directories
  getent:
    database: passwd
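# Copy users/hostname/username contents into remote home directory
- name: verify explicit user keys exist as expected
  copy:
    # Trailing slash: copy the directory's contents, not the directory itself.
    src: "users/{{ inventory_hostname }}/{{ item }}/"
    # getent_passwd[user] is the passwd entry split on ':' with the user name
    # as the key, so index 4 is the home directory.
    dest: "{{ getent_passwd[item][4] }}"
    # Quoted so the modes reach Ansible as strings, not YAML integers.
    mode: "0600"
    owner: "{{ item }}"
    directory_mode: "0700"
    # NOTE(review): group is left unset; consider group: "{{ item }}" so the
    # copied files do not end up in the connecting user's group.
  loop: "{{ certs.sshKeysForUsers }}"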
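# TODO: we could make one key per action then restrict actions by ssh key.
# (postfix key, dovecot key, nginx key, leforward key)
- name: verify certmaint receiver key exists
  copy:
    # Trailing slash: copy the directory's contents into the home directory.
    src: "users/certmaint/"
    # Home directory from the passwd entry (index 4), see the task above.
    dest: "{{ getent_passwd[item][4] }}"
    # Quoted so the modes reach Ansible as strings, not YAML integers.
    mode: "0600"
    owner: "{{ item }}"
    directory_mode: "0700"
  # Single-item loop keeps the task shape identical to the per-user task above.
  loop:
  - certmaint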
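# Grant the certmaint group exactly the three reload commands it needs, via a
# drop-in so the main sudoers file is left untouched.
- name: allow certmaint group to sudo reload relevant services
  lineinfile:
    path: /etc/sudoers.d/certmaint_reloads
    regexp: "^%certmaint"
    line: "%certmaint ALL = (root) NOPASSWD: /usr/sbin/service postfix reload, /usr/sbin/service dovecot reload, /usr/sbin/service nginx reload"
    create: true
    # sudo ignores drop-ins writable by anyone but root; 0440 is the
    # conventional mode. Quoted so it reaches Ansible as a string.
    mode: "0440"
    # A syntax error in any sudoers.d file can break sudo host-wide; visudo
    # checks the temporary file before lineinfile moves it into place.
    validate: "/usr/sbin/visudo -cf %s"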