Commit a91af3f7 authored by Martin van Es's avatar Martin van Es

Deploy signer certificate from local deploy host

parent 945ac893
files/*.crt
files/*.key
inventory/group_vars/geodns.yml
inventory/group_vars/mdsigner.yml
.ssh/id_*
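Review bot: The new `files/*.key` and `files/*.crt` patterns only match files directly under `files/`; a key placed one directory deeper (for example a `key_spec` given as `realm/meta.key`, which the copy task in this commit would happily pick up from `files/`) is still committable. This appears to be the `.gitignore` — its file header is not shown here. `**/*.key` and `**/*.crt` would cover any depth, and a brief comment such as `# signing material is deployed from the operator's machine, never committed` would explain why these entries exist next to the gitignored inventory files.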
Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
This directory should contain:
* GeoDNS config in yaml format
* mdsigner signing certificates (key_spec/cert_spec)
......@@ -2,7 +2,7 @@
tld: srv.mdx.incubator.geant.org
hosts:
proxies:
et2:
hostname: srv1
altname: 'server-md2.et2.com'
......
---
hosts:
signers_tld: srv.mdx.incubator.geant.org
signers:
et2:
hostname: srv1
mdsigner:
test:
signer:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
metadir: metadata/test
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
mdxcdn:
hostname: srv2
mdsigner:
edugain:
signer:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
metadir: metadata/edugain
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
alternative-mdx:
hostname: srv3
mdsigner:
test:
name: normal_signer
key_spec: "test.key"
cert_spec: "test.crt"
foobar:
signer:
name: normal_signer
key_spec: "meta.key"
cert_spec: "meta.crt"
metadir: metadata/test
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
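Review bot: Every `hsm_signer` entry carries the token PIN inside the `key_spec` URI (`?pin=secret`), so the PIN sits in plain text in the inventory and, through the mdsigner config template in this commit, in the rendered config on the host and potentially in Ansible diff output. The value here is clearly a SoftHSM test token, but `inventory/group_vars/mdsigner.yml` is gitignored precisely because real values go there, and this example is the pattern operators will copy. If the signer's PKCS#11 loader honours RFC 7512, `pin-source=file:///etc/mdsigner/token.pin` (a root-only file on the host) keeps the PIN out of the inventory entirely; otherwise the value should at least be an `ansible-vault`-encrypted variable, with the template task run under `no_log: true`. A one-line comment above the first `key_spec` saying which of these the deployment expects would save the next operator from guessing.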
{% if hosts[inventory_hostname].get('mdsigner') %}
{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
<VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
{% if hosts[inventory_hostname].get('altname') %}
ServerAlias {{ hosts[inventory_hostname]['altname'] }}
ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
{% if signers[inventory_hostname].get('altname') %}
ServerAlias {{ signers[inventory_hostname]['altname'] }}
{% endif %}
DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode
......@@ -11,16 +11,16 @@
</VirtualHost>
{% endif %}
{% if hosts[inventory_hostname].get('mdproxy') %}
{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
<VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode
ProxyPass "/" "http://127.0.0.1:5002/" nocanon
ProxyPassReverse "/" "http://127.0.0.1:5002/"
</VirtualHost>
{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
{% for realm, values in mdproxy.items() %}
<VirtualHost *:80>
ServerName proxy-{{ realm }}.{{ tld }}
......@@ -34,3 +34,4 @@
</VirtualHost>
{% endfor %}
{% endif %}
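Review bot: `signers[inventory_hostname]` on the new guard line is evaluated whenever `signers` is defined, so a host that is in the play but not listed under `signers` (or under `proxies`, same pattern at the mdproxy guard) aborts the template with an undefined-key error instead of rendering no vhost, which is what the `is defined` half of the check appears to intend. `{% if signers is defined and signers.get(inventory_hostname, {}).get('mdsigner') %}` (and the same shape for `proxies`) makes the guard complete. Note also that the signer vhost now takes its zone from `signers_tld` while the proxy vhost a few lines down still uses `tld`; if these are meant to be the same zone, that is now a second variable to keep in sync, and a comment at the top of the template naming which inventory file supplies each would help. Both vhosts remain plain `*:80` with no TLS, which predates this commit.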
---
{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
{% for realm, values in mdproxies.items() %}
{{ realm }}:
signer: {{ values['signer'] }}
{% if values.get('altname') %}
altname: {{ values['altname'] }}
{% endif %}
{% endfor %}
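Review bot: `signer:` and `altname:` are now emitted as bare Jinja scalars and the realm as a bare key, whereas the `tojson` line this replaces serialised the whole mapping and was immune to YAML retyping; a realm or alias such as `no`, `on` or a purely numeric name would now be read back as a boolean or integer by the consumer. Quoting the emitted values, `signer: "{{ values['signer'] }}"` and `altname: "{{ values['altname'] }}"`, or rendering each with `| to_json`, restores that safety. `values['signer']` also hard-fails on a realm with no `signer` key, unlike the guarded `altname` branch; if that is the intended required-field check, a comment saying so would stop someone "fixing" it.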
- name: check wheter we can copy certificates
ansible.builtin.stat:
path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
delegate_to: localhost
become: no
register: key_spec
- name: Copy certificates when key_spec exists
block:
- name: Copy Key spec
ansible.builtin.copy:
src: "{{ item.value.key_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
- name: Copy Cert spec
ansible.builtin.copy:
src: "{{ item.value.cert_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
when: key_spec.stat.exists
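Review bot: Neither `ansible.builtin.copy` task sets a `mode`, so the signing private key lands at `{{ altmdx_dir }}/{{ item.value.key_spec }}` with whatever default the module derives from the remote umask, typically world-readable; add `mode: '0600'` to the key copy and `mode: '0644'` to the cert copy (plus the service's `owner`/`group` if the play defines them, which is not visible here). The `stat` checks only `key_spec`, so a realm with a local key but no `cert_spec` gets past the `when` and fails at the second copy on an undefined variable — `when: key_spec.stat.exists and item.value.cert_spec is defined` closes that. Finally a `normal_signer` realm whose key is absent from `files/` is skipped silently, leaving the host with no signing key and no error; an `ansible.builtin.assert` on `key_spec.stat.exists` when `item.value.name == 'normal_signer'` would fail the play instead. The start of this task file is not shown, so I cannot confirm whether a `---` header precedes the first task.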
......@@ -22,22 +22,11 @@
path: "{{ altmdx_metadir }}/{{ item.key }}"
state: directory
mode: '0755'
with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
- name: Check existence of metadata signing cert
stat:
path: "{{ altmdx_metadir }}/meta.crt"
register: mdcert
- name: create self-signed Metadata Signing SSL certs
shell: >
openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-days 3650 -key "{{ altmdx_dir }}/meta.key"
-out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
args:
creates: "{{ altmdx_dir }}/meta.crt"
when: not mdcert.stat.exists
- name: Copy certificates
include_tasks: certificates.yml
loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
- name: Copy mdsigner service files
ansible.builtin.template:
......
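Review bot: The new `include_tasks` loop prints every loop item in task output, and each item's `value` carries the realm's `key_spec` — for the `hsm_signer` realms in the example inventory that is a PKCS#11 URI with `?pin=...` embedded, so the token PIN ends up in the play log on every run. `loop_control:` with `label: "{{ item.key }}"` restricts the logged label to the realm name. The same loop also sends HSM realms into `certificates.yml`, where the `stat` on `files/pkcs11:///...` can never succeed; `when: item.value.name == 'normal_signer'` on the include states the intent instead of relying on that miss, and replaces the guard the removed `creates:`/`mdcert` block used to provide. The enclosing tasks file continues outside this hunk.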
---
{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
{% for realm, values in mdsigners.items() %}
{{ realm }}:
signer:
name: {{ values['name'] }}
key_spec: {{ values.key_spec }}
cert_spec: {{ values.get('cert_spec') }}
metadir: metadata/{{ realm }}
{% endfor %}
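Review bot: `cert_spec: {{ values.get('cert_spec') }}` renders the literal text `None` for every realm without a `cert_spec` (all the `hsm_signer` entries in the example inventory), and YAML reads that as the string "None" rather than null, so the signer may end up looking for a certificate file literally named `None`. Guard it the way the mdproxy template guards `altname`: `{% if values.get('cert_spec') %}cert_spec: {{ values['cert_spec'] }}{% endif %}`, indented under `signer:`. The rendered `name`, `key_spec` and `cert_spec` scalars are also unquoted; wrapping them as `"{{ ... }}"` keeps a value like a bare `no` or an all-digit filename from being retyped by the consumer's YAML loader.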