setup - extended and debugged setup

superstes · Apr 10, 2021 · c9f9a40 · c9f9a40
1 parent 9aa9933
commit c9f9a40
Show file tree

Hide file tree

Showing 43 changed files with 3,779 additions and 100 deletions.
diff --git a/setup/roles/core/templates/var/lib/ga/core/config/file/core.conf.j2 b/setup/roles/core/templates/var/lib/ga/core/config/file/core.conf.j2
@@ -1,7 +1,7 @@
 #crypto-recognition
 path_root={{ ga_core_path }}
 path_log={{ ga_path_log }}
-path_backup={{ ga_core_path_backup }}
+path_backup={{ ga_path_backup }}
 sql_server={{ ga_sql_server }}
 sql_port={{ ga_sql_port }}
 sql_user={{ ga_core_service_user }}

diff --git a/setup/roles/ssl_letsencrypt/tasks/cleanup.yml b/setup/roles/ssl_letsencrypt/tasks/cleanup.yml
@@ -1,12 +1,12 @@
 ---
 
-- name: GA | LetsEncrypt | Cleanup | Disable temporary apache site
+- name: GA | Cert LetsEncrypt | Cleanup | Disable temporary apache site
   file:
     state: absent
     dest: "/etc/apache2/sites-enabled/tmp_lets_encrypt.conf"
   register: tmp_site_config
 
-- name: GA | LetsEncrypt | Cleanup | Reload apache
+- name: GA | Cert LetsEncrypt | Cleanup | Reload apache
   service:
     name: 'apache2.service'
     state: reloaded

diff --git a/setup/roles/ssl_letsencrypt/tasks/dependencies.yml b/setup/roles/ssl_letsencrypt/tasks/dependencies.yml
@@ -1,6 +1,6 @@
 ---
 
-- name: GA | LetsEncrypt | Dependencies | Deploying temporary apache site
+- name: GA | Cert LetsEncrypt | Dependencies | Deploying temporary apache site
   template:
     src: 'templates/etc/apache2/sites-available/lets_encrypt.conf.j2'
     dest: "/etc/apache2/sites-available/tmp_lets_encrypt.conf"
@@ -10,7 +10,7 @@
   ignore_errors: yes
   register: tmp_site_config
 
-- name: GA | LetsEncrypt | Dependencies | Enable apache site
+- name: GA | Cert LetsEncrypt | Dependencies | Enable apache site
   file:
     state: link
     src: "/etc/apache2/sites-available/tmp_lets_encrypt.conf"
@@ -19,7 +19,7 @@
     group: 'root'
     mode: 0644
 
-- name: GA | LetsEncrypt | Dependencies | Reload apache
+- name: GA | Cert LetsEncrypt | Dependencies | Reload apache
   service:
     name: 'apache2.service'
     state: reloaded
diff --git a/setup/roles/ssl_letsencrypt/tasks/domain.yml b/setup/roles/ssl_letsencrypt/tasks/domain.yml
@@ -1,11 +1,11 @@
 ---
 
-- name: GA | LetsEncrypt | Checking if key
+- name: GA | Cert LetsEncrypt | Checking if key
   stat:
     path: "{{ ga_ssl_path_key }}"
   register: domain_key
 
-- name: GA | LetsEncrypt | Creating key/cert directories
+- name: GA | Cert LetsEncrypt | Creating key/cert directories
   file:
     path: "{{ item }}"
     state: directory
@@ -16,11 +16,11 @@
   - '/etc/ssl/private'
   - '/etc/ssl/certs'
 
-- name: GA | LetsEncrypt | Getting cert
+- name: GA | Cert LetsEncrypt | Getting cert
   include_tasks: domain_new.yml
   when: not domain_key.stat.exists
 
-- name: GA | LetsEncrypt | Linking certificates
+- name: GA | Cert LetsEncrypt | Linking certificates
   file:
     state: link
     src: "{{ item.value.src }}"

diff --git a/setup/roles/ssl_letsencrypt/tasks/domain_new.yml b/setup/roles/ssl_letsencrypt/tasks/domain_new.yml
@@ -1,29 +1,29 @@
 ---
 
-- name: GA | LetsEncrypt | Creating alternative name string (1/3)
+- name: GA | Cert LetsEncrypt | Creating alternative name string (1/3)
   set_fact:
     _alias: "{{ apache_alias | join(' --domain ') }}"
   when:
     - apache_alias | length > 0
 
-- name: GA | LetsEncrypt | Creating alternative name string (2/3)
+- name: GA | Cert LetsEncrypt | Creating alternative name string (2/3)
   set_fact:
     _apache_alias: "{{ '--domain ' + _alias }}"
   when:
     - apache_alias | length > 0
 
-- name: GA | LetsEncrypt | Creating alternative name string (3/3)
+- name: GA | Cert LetsEncrypt | Creating alternative name string (3/3)
   set_fact:
     _apache_alias: ''
   when:
     - apache_alias | length == 0
 
-- name: GA | LetsEncrypt | Debug => the following command will be issued
+- name: GA | Cert LetsEncrypt | Debug => the following command will be issued
   debug:
     msg: "certbot certonly --apache -{{ certbot_verbosity }} --non-interactive --agree-tos --email {{ certbot_email }} --cert-name {{ ga_web_key }}
              --rsa-key-size {{ letsencrypt_key_size }} --no-redirect --domain {{ ga_web_dns }} {{ _apache_alias }} --cert-path {{ _path_cert }}"
 
-- name: GA | LetsEncrypt | Certbot | Starting certbot
+- name: GA | Cert LetsEncrypt | Certbot | Starting certbot
   shell: "certbot certonly --apache -{{ certbot_verbosity }} --non-interactive --agree-tos --email {{ certbot_email }} --cert-name {{ ga_web_key }}
            --rsa-key-size {{ letsencrypt_key_size }} --no-redirect --domain {{ ga_web_dns }} {{ _apache_alias }}"
   ignore_errors: yes

diff --git a/setup/roles/ssl_letsencrypt/tasks/main.yml b/setup/roles/ssl_letsencrypt/tasks/main.yml
@@ -1,25 +1,25 @@
 ---
 
-- name: GA | LetsEncrypt | Install package
+- name: GA | Cert LetsEncrypt | Install package
   apt:
     name: ['python3', 'python3-certbot-apache', 'software-properties-common']
     state: present
 
-- name: GA | LetsEncrypt | Check if a apache virtualhost is available
+- name: GA | Cert LetsEncrypt | Check if a apache virtualhost is available
   shell: 'ls -l /etc/apache2/sites-enabled/'
   register: enabled_apache_sites
 
-- name: GA | LetsEncrypt | Configuring dependencies
+- name: GA | Cert LetsEncrypt | Configuring dependencies
   include_tasks: dependencies.yml
   when: '"total 0" in enabled_apache_sites["stdout_lines"]'
 
-- name: GA | LetsEncrypt | Configuring certbot
+- name: GA | Cert LetsEncrypt | Configuring certbot
   include_tasks: domain.yml
 
-- name: GA | LetsEncrypt | Cleanup dependencies
+- name: GA | Cert LetsEncrypt | Cleanup dependencies
   include_tasks: cleanup.yml
 
-- name: GA | LetsEncrypt | Adding systemd files for certbot renewal
+- name: GA | Cert LetsEncrypt | Adding systemd files for certbot renewal
   template:
     src: "templates/lib/systemd/system/{{ item }}"
     dest: "/lib/systemd/system/{{ item }}"

diff --git a/setup/roles/ssl_selfsigned/defaults/main.yml b/setup/roles/ssl_selfsigned/defaults/main.yml
@@ -1,2 +1,42 @@
 ---
 
+easyrsa:
+  ca:
+    default:
+      certs:
+        srv:
+          - cn: "{{ ga_web_ssl_selfsigned_cn }}"
+            sub_alt: "DNS:{{ ga_web_dns }}{% for alias in ga_web_alias %},DNS:{{ alias }}{% endfor %}"
+            nopass: true
+
+easyrsa_perms_pub: 644
+easyrsa_perms_priv: 640
+
+easyrsa_path: '/var/lib/easyrsa'
+easyrsa_path_pki: "{{ easyrsa_path }}/pki"
+easyrsa_cert_owner: "{{ ga_web_service_user }}"
+easyrsa_cert_group: "{{ ga_service_group }}"
+
+easyrsa_req_country: 'AT'
+easyrsa_req_province: 'Styria'
+easyrsa_req_city: 'GrowPlace'
+easyrsa_req_org: 'GrowAutomation'
+easyrsa_req_email: 'contact@growautomation.eu'
+easyrsa_req_ou: 'IT'
+
+easyrsa_key_size: '4096'
+easyrsa_key_algo: 'rsa'
+easyrsa_key_digest: 'sha512'
+easyrsa_ca_runtime_days: '9125'
+easyrsa_cert_runtime_days: '3650'
+easyrsa_crl_days: '180'
+easyrsa_renew_days: '90'
+
+easyrsa_ca_cn: 'GrowAutomation SelfSign-CA'
+
+key_generate_random_pwd: 'WILL_BE_RANDOM'
+key_generate_random_pwd_ca: 'ca'
+key_generate_random_pwd_cert: 'cert'
+easyrsa_pwd_file: ".pwd_file"
+easyrsa_ca_pwd: "{{ key_generate_random_pwd }}"
+easyrsa_cert_pwd: "{{ key_generate_random_pwd }}"
diff --git a/setup/roles/ssl_selfsigned/files/var/lib/easyrsa/SOURCE.txt b/setup/roles/ssl_selfsigned/files/var/lib/easyrsa/SOURCE.txt
@@ -0,0 +1 @@
+https://github.com/OpenVPN/easy-rsa
diff --git a/setup/roles/ssl_selfsigned/files/var/lib/easyrsa/VERSION.txt b/setup/roles/ssl_selfsigned/files/var/lib/easyrsa/VERSION.txt
@@ -0,0 +1 @@
+3.0.8