Skip to content

GitLab

Commit a91af3f7 authored by Martin van Es's avatar Martin van Es
Browse files

Deploy signer certificate from local deploy host

parent 945ac893
Hide whitespace changes
Inline Side-by-side
.gitignore
View file @ a91af3f7
files/*.crt
files/*.key
inventory/group_vars/geodns.yml
inventory/group_vars/mdsigner.yml
.ssh/id_*
files/README
View file @ a91af3f7
Download GeoLite2 DB's from https://dev.maxmind.com/geoip/geolite2-free-geolocation-data
This directory should contain:
* GeoDNS config in yaml format
* mdsigner signing certificates (key_spec/cert_spec)
inventory/group_vars/all.yml
View file @ a91af3f7
......@@ -2,7 +2,7 @@
tld: srv.mdx.incubator.geant.org
hosts:
proxies:
et2:
hostname: srv1
altname: 'server-md2.et2.com'
......
inventory/group_vars/mdsigner.yml.example
View file @ a91af3f7
---
hosts:
signers_tld: srv.mdx.incubator.geant.org
signers:
et2:
hostname: srv1
mdsigner:
test:
signer:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
metadir: metadata/test
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
mdxcdn:
hostname: srv2
mdsigner:
edugain:
signer:
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
metadir: metadata/edugain
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
alternative-mdx:
hostname: srv3
mdsigner:
test:
name: normal_signer
key_spec: "test.key"
cert_spec: "test.crt"
foobar:
signer:
name: normal_signer
key_spec: "meta.key"
cert_spec: "meta.crt"
metadir: metadata/test
name: hsm_signer
key_spec: pkcs11:///usr/lib/softhsm/libsofthsm2.so/test?pin=secret
roles/apache/templates/md.conf.j2
View file @ a91af3f7
{% if hosts[inventory_hostname].get('mdsigner') %}
{% if signers is defined and signers[inventory_hostname].get('mdsigner') %}
<VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-signer.{{ tld }}
{% if hosts[inventory_hostname].get('altname') %}
ServerAlias {{ hosts[inventory_hostname]['altname'] }}
ServerName {{ signers[inventory_hostname]['hostname'] }}-signer.{{ signers_tld }}
{% if signers[inventory_hostname].get('altname') %}
ServerAlias {{ signers[inventory_hostname]['altname'] }}
{% endif %}
DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode
......@@ -11,16 +11,16 @@
</VirtualHost>
{% endif %}
{% if hosts[inventory_hostname].get('mdproxy') %}
{% if proxies is defined and proxies[inventory_hostname].get('mdproxy') %}
<VirtualHost *:80>
ServerName {{ hosts[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
ServerName {{ proxies[inventory_hostname]['hostname'] }}-proxy.{{ tld }}
DocumentRoot /var/www/html
AllowEncodedSlashes NoDecode
ProxyPass "/" "http://127.0.0.1:5002/" nocanon
ProxyPassReverse "/" "http://127.0.0.1:5002/"
</VirtualHost>
{% set mdproxy = hosts[inventory_hostname]['mdproxy'] %}
{% set mdproxy = proxies[inventory_hostname]['mdproxy'] %}
{% for realm, values in mdproxy.items() %}
<VirtualHost *:80>
ServerName proxy-{{ realm }}.{{ tld }}
......@@ -34,3 +34,4 @@
</VirtualHost>
{% endfor %}
{% endif %}
roles/mdproxy/templates/mdproxy.yaml.j2
View file @ a91af3f7
---
{{ hosts[inventory_hostname]['mdproxy'] | tojson }}
{% set mdproxies = proxies[inventory_hostname]['mdproxy'] %}
{% for realm, values in mdproxies.items() %}
{{ realm }}:
signer: {{ values['signer'] }}
{% if values.get('altname') %}
altname: {{ values['altname'] }}
{% endif %}
{% endfor %}
roles/mdsigner/tasks/certificates.yml 0 → 100644
View file @ a91af3f7
- name: check wheter we can copy certificates
ansible.builtin.stat:
path: "{{ playbook_dir }}/files/{{ item.value.key_spec }}"
delegate_to: localhost
become: no
register: key_spec
- name: Copy certificates when key_spec exists
block:
- name: Copy Key spec
ansible.builtin.copy:
src: "{{ item.value.key_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.key_spec }}"
- name: Copy Cert spec
ansible.builtin.copy:
src: "{{ item.value.cert_spec }}"
dest: "{{ altmdx_dir }}/{{ item.value.cert_spec }}"
when: key_spec.stat.exists
roles/mdsigner/tasks/main.yml
View file @ a91af3f7
......@@ -22,22 +22,11 @@
path: "{{ altmdx_metadir }}/{{ item.key }}"
state: directory
mode: '0755'
with_dict: "{{ hosts[inventory_hostname]['mdsigner'] }}"
with_dict: "{{ signers[inventory_hostname]['mdsigner'] }}"
- name: Check existence of metadata signing cert
stat:
path: "{{ altmdx_metadir }}/meta.crt"
register: mdcert
- name: create self-signed Metadata Signing SSL certs
shell: >
openssl genrsa -out "{{ altmdx_dir }}/meta.key" 2048;
openssl req -new -nodes -x509 -subj "/C=NL/CN=metadata"
-days 3650 -key "{{ altmdx_dir }}/meta.key"
-out "{{ altmdx_dir }}/meta.crt" -extensions v3_ca
args:
creates: "{{ altmdx_dir }}/meta.crt"
when: not mdcert.stat.exists
- name: Copy certificates
include_tasks: certificates.yml
loop: "{{ signers[inventory_hostname]['mdsigner'] | dict2items }}"
- name: Copy mdsigner service files
ansible.builtin.template:
......
roles/mdsigner/templates/mdsigner.yaml.j2
View file @ a91af3f7
---
{{ hosts[inventory_hostname]['mdsigner'] | to_yaml }}
{% set mdsigners = signers[inventory_hostname]['mdsigner'] %}
{% for realm, values in mdsigners.items() %}
{{ realm }}:
signer:
name: {{ values['name'] }}
key_spec: {{ values.key_spec }}
cert_spec: {{ values.get('cert_spec') }}
metadir: metadata/{{ realm }}
{% endfor %}
Markdown is supported
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment