AniNIX/Kapisi
3
0
Fork 0
Code Issues 27 Pull Requests Projects 1 Releases Wiki Activity

Catching up with current successes

Browse Source
This commit is contained in:
DarkFeather
2022-01-25 23:54:43 -06:00
parent 94a4736839
commit 921d53c724
70 changed files with 2912 additions and 355 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
roles/SSL/files/certbot.service Executable file
View File

@@ -0,0 +1,11 @@
[Unit]
Description=Certbot
[Service]
ExecStart=certbot renew -w /var/lib/letsencrypt/ --preferred-chain "ISRG Root X1"
ExecStartPost=/usr/bin/systemctl reload openresty
KillMode=process
Type=oneshot
RemainAfterExit=no
User=root
Group=root

10
roles/SSL/files/certbot.timer Executable file
View File

@@ -0,0 +1,10 @@
[Unit]
Description=Certbot
[Timer]
OnCalendar=Sat *-*-* 00:00
AccuracySec=1us
Persistent=true
[Install]
WantedBy=timers.target

24
roles/SSL/files/manual-ssl-renew
View File

@@ -1,24 +0,0 @@
#!/bin/bash
if [ `whoami` != 'root' ]; then
sudo $0 $@
exit
fi
domain="$1"
certbot certonly -d ${domain} -d "*.${domain}" --manual --force-interactive --reuse-key
cat /etc/letsencrypt/live/${domain}/cert.pem /etc/letsencrypt/live/${domain}/privkey.pem > /etc/letsencrypt/live/${domain}/certkey.pem
# PKCS12 for Emby
echo | openssl pkcs12 -password stdin -export -out /etc/letsencrypt/live/${domain}/ssl.pfx -inkey /etc/letsencrypt/live/${domain}/privkey.pem -in /etc/letsencrypt/live/${domain}/cert.pem -certfile /etc/letsencrypt/live/${domain}/fullchain.pem
cat /etc/letsencrypt/live/${domain}/ssl.pfx > /var/lib/emby/ssl/yggdrasil.pfx
systemctl restart webserver
systemctl restart yggdrasil
echo
echo "Don't forget to send \`/raw reloadmodule m_ssl_openssl.so\` to a NetAdmin session on AniNIX/IRC"
echo Add these to the TLSA records for the domain
bash ./tlsa-generation.bash

4
roles/SSL/files/tlsa-generation.bash
View File

@@ -1,4 +0,0 @@
#!/bin/bash
openssl x509 -in /etc/letsencrypt/live/aninix.net/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
openssl x509 -in /etc/letsencrypt/live/aninix.net/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'

57
roles/SSL/tasks/main.yml
View File

@@ -6,3 +6,60 @@
name:
- certbot
- openssl
- name: Services
become: yes
register: services
copy:
src: "{{ item }}"
dest: /usr/lib/systemd/system
owner: root
group: root
mode: 0644
loop:
- "certbot.service"
- "certbot.timer"
- name: Enable timer
when: services.changed
systemd:
daemon_reload: yes
name: certbot.timer
enabled: yes
state: started
- name: Create letsencrypt folder
become: yes
file:
path: /var/lib/letsencrypt
owner: root
group: http
mode: 2755
- name: Copy TLSA script
become: yes
template:
src: tlsa-generation.bash.j2
dest: /usr/local/sbin/tlsa-generation.bash
owner: root
group: root
mode: 0700
- name: Get proposed TLSA records
become: yes
command: /usr/local/sbin/tlsa-generation.bash
register: tlsa_records
- name: Show proposed TLSA records
debug:
msg: "{{ tlsa_records.stdout_lines }}"
- name: Get TLSA records
delegate_to: localhost
run_once: yes
command: "/bin/bash -c 'printf _443._tcp\\ ; dig _443._tcp.{{ external_domain }} TLSA +short; printf _6697._tcp\\ ; dig _6697._tcp.{{ external_domain }} TLSA +short'"
register: ext_tlsa_records
- name: Show TLSA records
debug:
msg: "{{ ext_tlsa_records.stdout_lines }}"

4
roles/SSL/templates/tlsa-generation.bash.j2 Normal file
View File

@@ -0,0 +1,4 @@
#!/bin/bash
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity }}/chain.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "le-ca TLSA 2 1 1", $NF}'
openssl x509 -in /etc/letsencrypt/live/{{ sslidentity}}/cert.pem -noout -pubkey | openssl rsa -pubin -outform DER | openssl dgst -sha256 -hex | awk '{print "cert TLSA 3 1 1", $NF}'