Updates for CA certificate signing

2022-05-13 18:25:56 -06:00 · 2022-05-13 18:25:56 -06:00 · fd70f6d343
commit fd70f6d343
parent 333100675b
12 changed files with 176 additions and 174 deletions
--- a/freeipa/freeipa.yaml
+++ b/freeipa/freeipa.yaml
@ -31,9 +31,10 @@

  tasks:
  - name: Start service httpd, if not started
-    ansible.builtin.service:
+    service:
      name: httpd
-      state: started
+      state: restarted
+      enabled: yes

  - name: Open HTTPS port
    firewalld:
--- a/freeipa/inventory-cedn.yaml
+++ b/freeipa/inventory-cedn.yaml
@ -10,3 +10,4 @@ ipaserver_master_password="prueba123!"
 ipaserver_auto_forwarders=yes
 ipaadmin_password="prueba123!"
 ipadm_password="prueba123!"
+ipaserver_setup_firewalld=yes
--- a/nextcloud/ansible/roles/common/tasks/main.yml
+++ b/nextcloud/ansible/roles/common/tasks/main.yml
@ -8,90 +8,21 @@
      reload: true
      sysctl_file: /etc/sysctl.conf

+  - name: Copy the CA Certificate to /etc/pki/ca-trust/source/anchors/
+    copy:
+      src: certificates/nextcloud_CA.crt
+      dest: /etc/pki/ca-trust/source/anchors/nextcloud_CA.crt
+      owner: root
+      group: root
+      mode: '0644'
+
+  - name: Trust the new CA
+    command: update-ca-trust
+
+  # TODO: separar tasks generales de tasks de nextcloud
  - name: Tasks for Red Hat distros
    include: redhat_tasks.yaml
    when:
      ansible_distribution_file_variety == 'RedHat'

-  - name: Configure Nginx Nextcloud pool
-    template: src=nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
-    tags:
-      - notify_push
-
-  - name: Configure PHP
-    template: src=php.ini.j2 dest="{{ php_ini_path }}/php.ini"
-
-  - name: Configure PHP FPM pool
-    template: src=www.conf.j2 dest="{{ php_pool_path }}/www.conf"
-
-  # nextcloud specific tasks
-  #- name: Ensure that Nextcloud target directory exists
-  #  ansible.builtin.file:
-  #    path: /var/www/nextcloud
-  #    state: directory
-  #    mode: '0755'
-  #    owner: "{{ web_user }}"
-
-  - name: Download Nextcloud
-    get_url:
-      url: "https://download.nextcloud.com/server/releases/nextcloud-{{nextcloud_version}}.tar.bz2"
-      dest: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
-      checksum: "{{ nextcloud_checksum }}"
-    when:
-      nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
-
-  - name: Unpack Nextcloud
-    ansible.builtin.unarchive:
-      src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
-      dest: "{{ nextcloud_path }}"
-      remote_src: yes
-      owner: "{{ web_user }}"
-      extra_opts:
-        - --strip-components=1
-    when:
-      nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
-
-  - name: Create nginx ssl directory
-    file:
-      path: /etc/ssl/nginx
-      state: directory
-
-  - name: Generate Nginx SSL Private Key
-    openssl_privatekey:
-      path: "{{ nginx_ssl_key_file }}"
-      size: "{{ key_size }}"
-      type: "{{ key_type }}"
-      backup: yes
-
-  - name: Generate Nginx SSL CSR
-    openssl_csr:
-      path: "{{ nginx_ssl_csr_file }}"
-      privatekey_path: "{{ nginx_ssl_key_file }}"
-      country_name: "{{ country_name }}"
-      organization_name: "{{ organization_name }}"
-      email_address: "{{ email_address }}"
-      common_name: "nextcloud"
-      subject_alt_name: "DNS:{{ ansible_hostname }},DNS:{{ nextcloud_domain_name }},DNS:{{ server_hostname }}"
-
-  - name: Generate Nginx Self Signed OpenSSL certificate
-    openssl_certificate:
-      path: "{{ nginx_ssl_cert_file }}" 
-      privatekey_path: "{{ nginx_ssl_key_file }}"
-      csr_path: "{{ nginx_ssl_csr_file }}"
-      provider: selfsigned
-
-  - name: Enable nginx service
-    systemd:
-      name: nginx
-      enabled: yes
-      state: restarted
-    tags:
-      - notify_push
-
-  - name: Enable php-fpm service
-    systemd:
-      name: "{{ php_fpm_service }}"
-      enabled: yes
-      state: restarted
-

--- a/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml
+++ b/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml
@ -1,43 +1,44 @@
  - name: Install System Packages
-    action: package name={{item}} state=present
-    with_items:
-       - nginx
-       - sudo
-       - php-fpm
-       - postgresql
-       - postgresql-server
-       - python3-psycopg2
-       - redis
-       - php-pgsql
-       - php-cli
-       - php-curl
-       - php-dom
-       - php-exif
-       - php-fileinfo
-       - php-gd
-       - php-iconv
-       - php-json
-       - php-ldap
-       - php-mbstring
-       - php-openssl
-       - php-pcre
-       - php-pdo
-       - php-session
-       - php-simplexml
-       - php-xmlwriter
-       - php-spl
-       - php-zip
-       - php-filter
-       - php-ldap
-       - php-smbclient
-       - php-imap
-       - php-gmp
-       - php-process
-       - php-pecl-imagick
-       - php-pecl-memcached
-       - php-pecl-apcu
-       - php-pecl-redis
-       - python3-pyOpenSSL
+    package: 
+      state: latest
+      name: 
+	      - nginx
+	      - sudo
+	      - php-fpm
+	      - postgresql
+	      - postgresql-server
+	      - python3-psycopg2
+	      - redis
+	      - php-pgsql
+	      - php-cli
+	      - php-curl
+	      - php-dom
+	      - php-exif
+	      - php-fileinfo
+	      - php-gd
+	      - php-iconv
+	      - php-json
+	      - php-ldap
+	      - php-mbstring
+	      - php-openssl
+	      - php-pcre
+	      - php-pdo
+	      - php-session
+	      - php-simplexml
+	      - php-xmlwriter
+	      - php-spl
+	      - php-zip
+	      - php-filter
+	      - php-ldap
+	      - php-smbclient
+	      - php-imap
+	      - php-gmp
+	      - php-process
+	      - php-pecl-imagick
+	      - php-pecl-memcached
+	      - php-pecl-apcu
+	      - php-pecl-redis
+	      - python3-pyOpenSSL

  - name: Import Collabora key
    ansible.builtin.rpm_key:
--- a/nextcloud/ansible/roles/nextcloud/tasks/main.yml
+++ b/nextcloud/ansible/roles/nextcloud/tasks/main.yml
@ -1,5 +1,73 @@
 ---
 # tasks file for nextcloud
+  - name: Configure nginx Nextcloud pool
+    template: src=nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf"
+    tags:
+      - notify_push
+
+  - name: Configure PHP
+    template: src=php.ini.j2 dest="{{ php_ini_path }}/php.ini"
+
+  - name: Configure PHP FPM pool
+    template: src=www.conf.j2 dest="{{ php_pool_path }}/www.conf"
+
+  # nextcloud specific tasks
+  #- name: Ensure that Nextcloud target directory exists
+  #  ansible.builtin.file:
+  #    path: /var/www/nextcloud
+  #    state: directory
+  #    mode: '0755'
+  #    owner: "{{ web_user }}"
+
+  - name: Download Nextcloud
+    get_url:
+      url: "https://download.nextcloud.com/server/releases/nextcloud-{{nextcloud_version}}.tar.bz2"
+      dest: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
+      checksum: "{{ nextcloud_checksum }}"
+    when:
+      nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
+
+  - name: Unpack Nextcloud
+    ansible.builtin.unarchive:
+      src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2"
+      dest: "{{ nextcloud_path }}"
+      remote_src: yes
+      owner: "{{ web_user }}"
+      extra_opts:
+        - --strip-components=1
+    when:
+      nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true
+
+  # TODO: crear variable para el certificates/nginx_key.pem
+  - name: Copy the nginx certificate key to /etc/pki/tls/private/
+    copy:
+      src: certificates/nginx_key.pem
+      dest: "{{ nginx_ssl_key_file }}"
+      owner: root
+      group: nginx
+      mode: '0640'
+
+  - name: Copy the nginx Certificate to /etc/pki/tls/certs/
+    copy:
+      src: certificates/nginx.crt
+      dest: "{{ nginx_ssl_cert_file }}"
+      owner: root
+      group: root
+      mode: '0644'
+
+  - name: Enable nginx service
+    systemd:
+      name: nginx
+      enabled: yes
+      state: restarted
+    tags:
+      - notify_push
+
+  - name: Enable php-fpm service
+    systemd:
+      name: "{{ php_fpm_service }}"
+      enabled: yes
+      state: restarted

  - name: Install nextcloud to database
    ansible.builtin.shell:
--- a/nextcloud/ansible/roles/redis/tasks/main.yml
+++ b/nextcloud/ansible/roles/redis/tasks/main.yml
@ -1,32 +1,20 @@
 ---
 # tasks file for redis
-  - name: Generate Redis SSL Private Key
-    openssl_privatekey:
-      path: "{{ redis_cert_private_key }}"
-      size: "{{ key_size }}"
-      type: "{{ key_type }}"
-      backup: yes
-      owner: redis
+  - name: Copy the redis certificate key to /etc/pki/tls/private/
+    copy:
+      src: certificates/redis_key.pem
+      dest: "{{ redis_ssl_key_file }}"
+      owner: root
+      group: nginx
+      mode: '0640'

-
-  #FIXME versionar para debian 10 o crear un paquete de redis para debian 10 con soporte de TLS
-  - name: Generate Redis SSL CSR
-    openssl_csr:
-      path: "{{ redis_csr }}"
-      privatekey_path: "{{ redis_cert_private_key }}"
-      country_name: "{{ country_name }}"
-      organization_name: "{{ organization_name }}"
-      email_address: "{{ email_address }}"
-      common_name: "{{ server_hostname }}"
-      owner: redis
-
-  - name: Generate Redis Self Signed OpenSSL certificate
-    openssl_certificate:
-      path: "{{ redis_cert }}" 
-      privatekey_path: "{{ redis_cert_private_key }}"
-      csr_path: "{{ redis_csr }}"
-      provider: selfsigned
-      owner: redis
+  - name: Copy the redis Certificate to /etc/pki/tls/certs/
+    copy:
+      src: certificates/redis.crt
+      dest: "{{ redis_ssl_cert_file }}"
+      owner: root
+      group: root
+      mode: '0644'

  - name: Set Redis Configuration
    template: src=redis.conf.j2 dest="{{ redis_dir }}/redis.conf" owner=root group=root mode=0644
--- a/nextcloud/ansible/test_roles.yaml
+++ b/nextcloud/ansible/test_roles.yaml
@ -1,3 +1,14 @@
+- hosts: localhost
+  vars_files:
+    - vars/main.yaml
+  vars:
+    services:
+      - nginx
+      - postgresql
+      - redis
+  roles:
+    - { role: certificates }
+
 - hosts: all
  vars_files:
    - vars/main.yaml
@ -16,14 +27,16 @@
  roles:
    - { role: redis, become=yes, become_user=root }

+- hosts: nextcloud
+  vars_files:
+    - vars/nextcloud.yaml
+  roles:
+    - { role: nextcloud, become=yes, become_user=root }
+
 - hosts: loolwsd
  vars_files:
    - vars/loolwsd.yaml
  roles:
    - { role: loolwsd, become=yes, become_user=root }

- hosts: nextcloud
-  vars_files:
-    - vars/nextcloud.yaml
-  roles:
-    - { role: nextcloud, become=yes, become_user=root }
+
--- a/nextcloud/ansible/vars/loolwsd.yaml
+++ b/nextcloud/ansible/vars/loolwsd.yaml
@ -32,12 +32,12 @@
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
-    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
-    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+    redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+    redis_cert: "/etc/pki/tls/certs/redis.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
-    nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
-    nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key" 
+    nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem" 
+    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false
--- a/nextcloud/ansible/vars/main.yaml
+++ b/nextcloud/ansible/vars/main.yaml
@ -32,12 +32,12 @@
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
-    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
-    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+    redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+    redis_cert: "/etc/pki/tls/certs/redis.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
-    nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
-    nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key" 
+    nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem" 
+    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false
--- a/nextcloud/ansible/vars/nextcloud.yaml
+++ b/nextcloud/ansible/vars/nextcloud.yaml
@ -32,12 +32,12 @@
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
-    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
-    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+    redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+    redis_cert: "/etc/pki/tls/certs/redis.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
-    nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
-    nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key" 
+    nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem" 
+    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false
--- a/nextcloud/ansible/vars/postgresql.yaml
+++ b/nextcloud/ansible/vars/postgresql.yaml
@ -10,7 +10,6 @@
    document_root: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
    web_user: "{{ 'nginx' if ansible_distribution_file_variety == 'RedHat' else 'www-data' }}"
    pg_hba_conf: "{{ '/var/lib/pgsql/data/pg_hba.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/pg_hba.conf' }}"
-    postgresql_conf: "{{ '/var/lib/pgsql/data/postgresql.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/postgresql.conf' }}"
    redis_dir: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/redis' }}"
    redis_user: "nextcloud"
    redis_url: "https://127.0.0.1"
@ -33,12 +32,12 @@
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
-    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
-    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+    redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+    redis_cert: "/etc/pki/tls/certs/redis.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
-    nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
-    nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key" 
+    nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem" 
+    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false
--- a/nextcloud/ansible/vars/redis.yaml
+++ b/nextcloud/ansible/vars/redis.yaml
@ -32,12 +32,12 @@
    organization_name: "AnsibleNextcloud"
    #server_hostname: "{{ ansible_hostname }}"
    server_hostname: "{{ nextcloud_domain_name }}"
-    redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
-    redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+    redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+    redis_cert: "/etc/pki/tls/certs/redis.crt"
    redis_csr: "/etc/pki/tls/certs/redis-self.csr"
    generate_self_signed_cert: true
-    nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
-    nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key" 
+    nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem" 
+    nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
    nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
    #nextcloud_domain: "cloud.example.com"
    code_enable_ssl: false