From fd70f6d3432c5bd5415b3278a68fe23f9c3db273 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Iv=C3=A1n=20Chavero?=
Date: Fri, 13 May 2022 18:25:56 -0600
Subject: [PATCH] Updates for CA certificate signing

---
 freeipa/freeipa.yaml | 5 +-
 freeipa/inventory-cedn.yaml | 1 +
 nextcloud/ansible/roles/common/tasks/main.yml | 93 +++----------------
 .../roles/common/tasks/redhat_tasks.yaml | 79 ++++++++--------
 .../ansible/roles/nextcloud/tasks/main.yml | 68 ++++++++++++++
 nextcloud/ansible/roles/redis/tasks/main.yml | 40 +++-----
 nextcloud/ansible/test_roles.yaml | 23 ++++-
 nextcloud/ansible/vars/loolwsd.yaml | 8 +-
 nextcloud/ansible/vars/main.yaml | 8 +-
 nextcloud/ansible/vars/nextcloud.yaml | 8 +-
 nextcloud/ansible/vars/postgresql.yaml | 9 +-
 nextcloud/ansible/vars/redis.yaml | 8 +-
 12 files changed, 176 insertions(+), 174 deletions(-)

diff --git a/freeipa/freeipa.yaml b/freeipa/freeipa.yaml
index 8dbd8e3..abc75bb 100644
--- a/freeipa/freeipa.yaml
+++ b/freeipa/freeipa.yaml
@@ -31,9 +31,10 @@
 tasks:
 - name: Start service httpd, if not started
- ansible.builtin.service:
+ service:
 name: httpd
- state: started
+ state: restarted
+ enabled: yes
 - name: Open HTTPS port
 firewalld:
diff --git a/freeipa/inventory-cedn.yaml b/freeipa/inventory-cedn.yaml
index ca534b8..a1e4d8f 100644
--- a/freeipa/inventory-cedn.yaml
+++ b/freeipa/inventory-cedn.yaml
@@ -10,3 +10,4 @@ ipaserver_master_password="prueba123!"
 ipaserver_auto_forwarders=yes
 ipaadmin_password="prueba123!"
 ipadm_password="prueba123!"
+ipaserver_setup_firewalld=yes
diff --git a/nextcloud/ansible/roles/common/tasks/main.yml b/nextcloud/ansible/roles/common/tasks/main.yml
index 0bdc0c0..f199344 100644
--- a/nextcloud/ansible/roles/common/tasks/main.yml
+++ b/nextcloud/ansible/roles/common/tasks/main.yml
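Review bot: `state: restarted` on the added line makes this task restart httpd on every run of the play, which no longer matches the task name `Start service httpd, if not started` and removes the idempotency the old `state: started` had. If a restart is needed after a configuration change, keep `state: started` here and move the restart into a handler notified by the task that changes the configuration. The same hunk also replaces `ansible.builtin.service` with the short name `service`, reverting the FQCN the file already used, and `enabled: yes` reads more predictably as `enabled: true`.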
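Review bot: The added `ipaserver_setup_firewalld=yes` goes into an inventory whose context lines carry `ipaserver_master_password`, `ipaadmin_password` and `ipadm_password` as plaintext host variables, so every edit to this file is an edit to a committed credential file. Since the commit extends the file rather than splitting it, consider moving those three values into an ansible-vault encrypted vars file (or passing them with `--extra-vars` at run time) and keeping only non-secret settings such as the firewalld toggle in the inventory.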
@@ -8,90 +8,21 @@ reload: true sysctl_file: /etc/sysctl.conf + - name: Copy the CA Certificate to /etc/pki/ca-trust/source/anchors/ + copy: + src: certificates/nextcloud_CA.crt + dest: /etc/pki/ca-trust/source/anchors/nextcloud_CA.crt + owner: root + group: root + mode: '0644' + + - name: Trust the new CA + command: update-ca-trust + + # TODO: separar tasks generales de tasks de nextcloud - name: Tasks for Red Hat distros include: redhat_tasks.yaml when: ansible_distribution_file_variety == 'RedHat' - - name: Configure Nginx Nextcloud pool - template: src=nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf" - tags: - - notify_push - - - name: Configure PHP - template: src=php.ini.j2 dest="{{ php_ini_path }}/php.ini" - - - name: Configure PHP FPM pool - template: src=www.conf.j2 dest="{{ php_pool_path }}/www.conf" - - # nextcloud specific tasks - #- name: Ensure that Nextcloud target directory exists - # ansible.builtin.file: - # path: /var/www/nextcloud - # state: directory - # mode: '0755' - # owner: "{{ web_user }}" - - - name: Download Nextcloud - get_url: - url: "https://download.nextcloud.com/server/releases/nextcloud-{{nextcloud_version}}.tar.bz2" - dest: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2" - checksum: "{{ nextcloud_checksum }}" - when: - nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true - - - name: Unpack Nextcloud - ansible.builtin.unarchive: - src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2" - dest: "{{ nextcloud_path }}" - remote_src: yes - owner: "{{ web_user }}" - extra_opts: - - --strip-components=1 - when: - nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true - - - name: Create nginx ssl directory - file: - path: /etc/ssl/nginx - state: directory - - - name: Generate Nginx SSL Private Key - openssl_privatekey: - path: "{{ nginx_ssl_key_file }}" - size: "{{ key_size }}" - type: "{{ key_type }}" - backup: yes - - - name: 
Generate Nginx SSL CSR - openssl_csr: - path: "{{ nginx_ssl_csr_file }}" - privatekey_path: "{{ nginx_ssl_key_file }}" - country_name: "{{ country_name }}" - organization_name: "{{ organization_name }}" - email_address: "{{ email_address }}" - common_name: "nextcloud" - subject_alt_name: "DNS:{{ ansible_hostname }},DNS:{{ nextcloud_domain_name }},DNS:{{ server_hostname }}" - - - name: Generate Nginx Self Signed OpenSSL certificate - openssl_certificate: - path: "{{ nginx_ssl_cert_file }}" - privatekey_path: "{{ nginx_ssl_key_file }}" - csr_path: "{{ nginx_ssl_csr_file }}" - provider: selfsigned - - - name: Enable nginx service - systemd: - name: nginx - enabled: yes - state: restarted - tags: - - notify_push - - - name: Enable php-fpm service - systemd: - name: "{{ php_fpm_service }}" - enabled: yes - state: restarted - diff --git a/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml b/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml index 6bc9722..4ac0d3e 100644 --- a/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml +++ b/nextcloud/ansible/roles/common/tasks/redhat_tasks.yaml 
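Review bot: `command: update-ca-trust` in the new `Trust the new CA` task runs on every play and is always reported as changed, and it executes even when the preceding copy changed nothing; drive it from the copy instead by adding `notify: update ca trust` to the copy task and running `update-ca-trust` in a handler, or at minimum add `changed_when: false`. Both new tasks are also unconditional while the task right after them is guarded with `when: ansible_distribution_file_variety == 'RedHat'`; `/etc/pki/ca-trust/source/anchors/` and `update-ca-trust` are the Red Hat mechanism, so they belong under the same condition (or inside `redhat_tasks.yaml`) with a Debian equivalent for the other branch. The new `# TODO` comment is in Spanish while the task names are in English; `# TODO: separate generic tasks from Nextcloud-specific tasks` keeps the file in one language.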
@@ -1,43 +1,44 @@ - name: Install System Packages - action: package name={{item}} state=present - with_items: - - nginx - - sudo - - php-fpm - - postgresql - - postgresql-server - - python3-psycopg2 - - redis - - php-pgsql - - php-cli - - php-curl - - php-dom - - php-exif - - php-fileinfo - - php-gd - - php-iconv - - php-json - - php-ldap - - php-mbstring - - php-openssl - - php-pcre - - php-pdo - - php-session - - php-simplexml - - php-xmlwriter - - php-spl - - php-zip - - php-filter - - php-ldap - - php-smbclient - - php-imap - - php-gmp - - php-process - - php-pecl-imagick - - php-pecl-memcached - - php-pecl-apcu - - php-pecl-redis - - python3-pyOpenSSL + package: + state: latest + name: + - nginx + - sudo + - php-fpm + - postgresql + - postgresql-server + - python3-psycopg2 + - redis + - php-pgsql + - php-cli + - php-curl + - php-dom + - php-exif + - php-fileinfo + - php-gd + - php-iconv + - php-json + - php-ldap + - php-mbstring + - php-openssl + - php-pcre + - php-pdo + - php-session + - php-simplexml + - php-xmlwriter + - php-spl + - php-zip + - php-filter + - php-ldap + - php-smbclient + - php-imap + - php-gmp + - php-process + - php-pecl-imagick + - php-pecl-memcached + - php-pecl-apcu + - php-pecl-redis + - python3-pyOpenSSL - name: Import Collabora key ansible.builtin.rpm_key: diff --git a/nextcloud/ansible/roles/nextcloud/tasks/main.yml b/nextcloud/ansible/roles/nextcloud/tasks/main.yml index 5b8daea..1545535 100644 --- a/nextcloud/ansible/roles/nextcloud/tasks/main.yml +++ b/nextcloud/ansible/roles/nextcloud/tasks/main.yml 
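Review bot: `state: latest` in the new `package:` block changes the task from installing the listed packages to upgrading all of them to whatever the repositories currently serve, so an ordinary configuration run can pull in new nginx, PHP or redis releases and the task can never report unchanged; the previous `state: present` is the safer default, with upgrades as a deliberate separate play. The rewritten list still contains `php-ldap` twice; one entry should go. `python3-pyOpenSSL` is kept although this commit removes the `openssl_privatekey`/`openssl_csr`/`openssl_certificate` tasks from the common and redis roles, so if no remaining task uses those modules it can be dropped as well. The `- name: Import Collabora key` context shows the file continues past the hunk.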
@@ -1,5 +1,73 @@ --- # tasks file for nextcloud + - name: Configure nginx Nextcloud pool + template: src=nextcloud_nginx.conf.j2 dest="{{ nginx_path }}/nextcloud_nginx.conf" + tags: + - notify_push + + - name: Configure PHP + template: src=php.ini.j2 dest="{{ php_ini_path }}/php.ini" + + - name: Configure PHP FPM pool + template: src=www.conf.j2 dest="{{ php_pool_path }}/www.conf" + + # nextcloud specific tasks + #- name: Ensure that Nextcloud target directory exists + # ansible.builtin.file: + # path: /var/www/nextcloud + # state: directory + # mode: '0755' + # owner: "{{ web_user }}" + + - name: Download Nextcloud + get_url: + url: "https://download.nextcloud.com/server/releases/nextcloud-{{nextcloud_version}}.tar.bz2" + dest: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2" + checksum: "{{ nextcloud_checksum }}" + when: + nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true + + - name: Unpack Nextcloud + ansible.builtin.unarchive: + src: "/usr/src/nextcloud-{{nextcloud_version}}.tar.bz2" + dest: "{{ nextcloud_path }}" + remote_src: yes + owner: "{{ web_user }}" + extra_opts: + - --strip-components=1 + when: + nextcloud_is_unpacked.stat.exists != true and ansible_local['nextcloud']['is_installed'] != true + + # TODO: crear variable para el certificates/nginx_key.pem + - name: Copy the nginx certificate key to /etc/pki/tls/private/ + copy: + src: certificates/nginx_key.pem + dest: "{{ nginx_ssl_key_file }}" + owner: root + group: nginx + mode: '0640' + + - name: Copy the nginx Certificate to /etc/pki/tls/certs/ + copy: + src: certificates/nginx.crt + dest: "{{ nginx_ssl_cert_file }}" + owner: root + group: root + mode: '0644' + + - name: Enable nginx service + systemd: + name: nginx + enabled: yes + state: restarted + tags: + - notify_push + + - name: Enable php-fpm service + systemd: + name: "{{ php_fpm_service }}" + enabled: yes + state: restarted - name: Install nextcloud to database ansible.builtin.shell: 
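Review bot: The new `Copy the nginx certificate key to /etc/pki/tls/private/` task ships `certificates/nginx_key.pem`, a TLS private key, from the role's `files/` directory, which puts the unencrypted key into the repository next to the playbooks (presumably written there by the `certificates` role that `test_roles.yaml` now runs on localhost). Keep it out of plain storage: encrypt the file with ansible-vault (the `copy` module decrypts a vaulted `src` transparently) or hold the PEM in a vaulted variable and write it with `copy: content:`, and add `no_log: true` to the task so the key does not surface in verbose or diff output. The hard-coded `src` paths duplicate what `nginx_ssl_key_file`/`nginx_ssl_cert_file` already encode, which the `TODO` in this hunk acknowledges; a `nginx_ssl_key_src` variable next to those would resolve it. Ownership `root:nginx` with `mode: '0640'` is appropriate for the key, and the task list continues past the hunk with `Install nextcloud to database`.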
diff --git a/nextcloud/ansible/roles/redis/tasks/main.yml b/nextcloud/ansible/roles/redis/tasks/main.yml
index 048de46..89de06a 100644
--- a/nextcloud/ansible/roles/redis/tasks/main.yml
+++ b/nextcloud/ansible/roles/redis/tasks/main.yml
@@ -1,32 +1,20 @@
 ---
 # tasks file for redis
- - name: Generate Redis SSL Private Key
- openssl_privatekey:
- path: "{{ redis_cert_private_key }}"
- size: "{{ key_size }}"
- type: "{{ key_type }}"
- backup: yes
- owner: redis
+ - name: Copy the redis certificate key to /etc/pki/tls/private/
+ copy:
+ src: certificates/redis_key.pem
+ dest: "{{ redis_ssl_key_file }}"
+ owner: root
+ group: nginx
+ mode: '0640'
-
- #FIXME versionar para debian 10 o crear un paquete de redis para debian 10 con soporte de TLS
- - name: Generate Redis SSL CSR
- openssl_csr:
- path: "{{ redis_csr }}"
- privatekey_path: "{{ redis_cert_private_key }}"
- country_name: "{{ country_name }}"
- organization_name: "{{ organization_name }}"
- email_address: "{{ email_address }}"
- common_name: "{{ server_hostname }}"
- owner: redis
- - name: Generate Redis Self Signed OpenSSL certificate
- openssl_certificate:
- path: "{{ redis_cert }}"
- privatekey_path: "{{ redis_cert_private_key }}"
- csr_path: "{{ redis_csr }}"
- provider: selfsigned
- owner: redis
+ - name: Copy the redis Certificate to /etc/pki/tls/certs/
+ copy:
+ src: certificates/redis.crt
+ dest: "{{ redis_ssl_cert_file }}"
+ owner: root
+ group: root
+ mode: '0644'
 - name: Set Redis Configuration
 template: src=redis.conf.j2 dest="{{ redis_dir }}/redis.conf" owner=root group=root mode=0644
diff --git a/nextcloud/ansible/test_roles.yaml b/nextcloud/ansible/test_roles.yaml
index b23bbdb..1ce8c7a 100644
--- a/nextcloud/ansible/test_roles.yaml
+++ b/nextcloud/ansible/test_roles.yaml
@@ -1,3 +1,14 @@
+- hosts: localhost
+ vars_files:
+ - vars/main.yaml
+ vars:
+ services:
+ - nginx
+ - postgresql
+ - redis
+ roles:
+ - { role: certificates }
+
 - hosts: all
 vars_files:
 - vars/main.yaml
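Review bot: The new copy tasks write to `{{ redis_ssl_key_file }}` and `{{ redis_ssl_cert_file }}`, but the vars files changed in this same commit define the redis paths as `redis_cert_private_key` and `redis_cert`, so unless those names are defined somewhere outside this patch the play stops at the first task with an undefined-variable error. Either reference `dest: "{{ redis_cert_private_key }}"` and `dest: "{{ redis_cert }}"` here or rename the variables consistently in `vars/*.yaml`. `group: nginx` on the redis key also looks copied from the nginx task: the removed tasks set `owner: redis` because the server runs as its own user, so with `root:nginx` and `mode: '0640'` redis cannot read its key; `group: redis` is the grant that matches the old behaviour.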
@@ -16,14 +27,16 @@
 roles:
 - { role: redis, become=yes, become_user=root }
+- hosts: nextcloud
+ vars_files:
+ - vars/nextcloud.yaml
+ roles:
+ - { role: nextcloud, become=yes, become_user=root }
+
 - hosts: loolwsd
 vars_files:
 - vars/loolwsd.yaml
 roles:
 - { role: loolwsd, become=yes, become_user=root }
-- hosts: nextcloud
- vars_files:
- - vars/nextcloud.yaml
- roles:
- - { role: nextcloud, become=yes, become_user=root }
+
diff --git a/nextcloud/ansible/vars/loolwsd.yaml b/nextcloud/ansible/vars/loolwsd.yaml
index cdfb0aa..7e9493f 100644
--- a/nextcloud/ansible/vars/loolwsd.yaml
+++ b/nextcloud/ansible/vars/loolwsd.yaml
@@ -32,12 +32,12 @@
 organization_name: "AnsibleNextcloud"
 #server_hostname: "{{ ansible_hostname }}"
 server_hostname: "{{ nextcloud_domain_name }}"
- redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
- redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+ redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+ redis_cert: "/etc/pki/tls/certs/redis.crt"
 redis_csr: "/etc/pki/tls/certs/redis-self.csr"
 generate_self_signed_cert: true
- nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
- nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key"
+ nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem"
+ nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
 nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
 #nextcloud_domain: "cloud.example.com"
 code_enable_ssl: false
diff --git a/nextcloud/ansible/vars/main.yaml b/nextcloud/ansible/vars/main.yaml
index cdfb0aa..7e9493f 100644
--- a/nextcloud/ansible/vars/main.yaml
+++ b/nextcloud/ansible/vars/main.yaml
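Review bot: In the added `- { role: nextcloud, become=yes, become_user=root }` the two `become` entries are not key/value pairs inside the flow mapping: YAML reads `become=yes` and `become_user=root` as keys with null values, Ansible passes them through as role parameters, and unless `become` is set at play level outside this hunk the role runs as the connecting user. Write `- { role: nextcloud, become: true, become_user: root }`, or set `become: true` once on the play; the redis and loolwsd entries in the context lines have the same shape and deserve the same fix. The final `+` also adds a trailing empty line at end of file.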
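Review bot: After the path renames, `generate_self_signed_cert: true`, `redis_csr` and `nginx_ssl_csr_file` remain although this commit deletes the `openssl_csr`/`openssl_certificate` tasks that consumed them; unless the new `certificates` role reads them, they are dead settings that now misdescribe how the certificates are produced and should be removed or marked as controller-side only. This same hunk is applied verbatim to `vars/main.yaml`, `vars/nextcloud.yaml`, `vars/postgresql.yaml` and `vars/redis.yaml`, and the post-image blob `7e9493f` is identical for all five files, so the role-specific vars files are now byte-for-byte copies of `main.yaml`; a single shared vars file, or per-role files holding only their own keys, would stop the copies drifting apart again.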
@@ -32,12 +32,12 @@
 organization_name: "AnsibleNextcloud"
 #server_hostname: "{{ ansible_hostname }}"
 server_hostname: "{{ nextcloud_domain_name }}"
- redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
- redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+ redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+ redis_cert: "/etc/pki/tls/certs/redis.crt"
 redis_csr: "/etc/pki/tls/certs/redis-self.csr"
 generate_self_signed_cert: true
- nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
- nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key"
+ nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem"
+ nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
 nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
 #nextcloud_domain: "cloud.example.com"
 code_enable_ssl: false
diff --git a/nextcloud/ansible/vars/nextcloud.yaml b/nextcloud/ansible/vars/nextcloud.yaml
index cdfb0aa..7e9493f 100644
--- a/nextcloud/ansible/vars/nextcloud.yaml
+++ b/nextcloud/ansible/vars/nextcloud.yaml
@@ -32,12 +32,12 @@
 organization_name: "AnsibleNextcloud"
 #server_hostname: "{{ ansible_hostname }}"
 server_hostname: "{{ nextcloud_domain_name }}"
- redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
- redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+ redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+ redis_cert: "/etc/pki/tls/certs/redis.crt"
 redis_csr: "/etc/pki/tls/certs/redis-self.csr"
 generate_self_signed_cert: true
- nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
- nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key"
+ nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem"
+ nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
 nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
 #nextcloud_domain: "cloud.example.com"
 code_enable_ssl: false
diff --git a/nextcloud/ansible/vars/postgresql.yaml b/nextcloud/ansible/vars/postgresql.yaml
index 8fa5428..7e9493f 100644
--- a/nextcloud/ansible/vars/postgresql.yaml
+++ b/nextcloud/ansible/vars/postgresql.yaml
@@ -10,7 +10,6 @@
 document_root: "{{ '/usr/share/nginx/html' if ansible_distribution_file_variety == 'RedHat' else '/var/www/html' }}"
 web_user: "{{ 'nginx' if ansible_distribution_file_variety == 'RedHat' else 'www-data' }}"
 pg_hba_conf: "{{ '/var/lib/pgsql/data/pg_hba.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/pg_hba.conf' }}"
- postgresql_conf: "{{ '/var/lib/pgsql/data/postgresql.conf' if ansible_distribution_file_variety == 'RedHat' else '/etc/postgresql/13/main/postgresql.conf' }}"
 redis_dir: "{{ '/etc' if ansible_distribution_file_variety == 'RedHat' else '/etc/redis' }}"
 redis_user: "nextcloud"
 redis_url: "https://127.0.0.1"
@@ -33,12 +32,12 @@
 organization_name: "AnsibleNextcloud"
 #server_hostname: "{{ ansible_hostname }}"
 server_hostname: "{{ nextcloud_domain_name }}"
- redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
- redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+ redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+ redis_cert: "/etc/pki/tls/certs/redis.crt"
 redis_csr: "/etc/pki/tls/certs/redis-self.csr"
 generate_self_signed_cert: true
- nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
- nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key"
+ nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem"
+ nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
 nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
 #nextcloud_domain: "cloud.example.com"
 code_enable_ssl: false
diff --git a/nextcloud/ansible/vars/redis.yaml b/nextcloud/ansible/vars/redis.yaml
index cdfb0aa..7e9493f 100644
--- a/nextcloud/ansible/vars/redis.yaml
+++ b/nextcloud/ansible/vars/redis.yaml
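Review bot: The first hunk drops `postgresql_conf` from `vars/postgresql.yaml` with no replacement, so if the postgresql role still templates `postgresql.conf` through this variable it now fails with an undefined variable, and the removal is not covered by the commit subject. The post-image blob `7e9493f` matches the other four vars files exactly, which suggests the file was overwritten with a copy of `main.yaml` rather than edited and that copy simply lacked the key. If the variable is still used, restore the `postgresql_conf:` line; if not, the task that referenced it should be removed in the same commit so the two stay in step.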
@@ -32,12 +32,12 @@
 organization_name: "AnsibleNextcloud"
 #server_hostname: "{{ ansible_hostname }}"
 server_hostname: "{{ nextcloud_domain_name }}"
- redis_cert_private_key: "/etc/pki/tls/private/redis-cert-private-key.pem"
- redis_cert: "/etc/pki/tls/certs/redis-self-cert.crt"
+ redis_cert_private_key: "/etc/pki/tls/private/redis_key.pem"
+ redis_cert: "/etc/pki/tls/certs/redis.crt"
 redis_csr: "/etc/pki/tls/certs/redis-self.csr"
 generate_self_signed_cert: true
- nginx_ssl_cert_file: "/etc/pki/tls/private/nginx-self-signed.crt"
- nginx_ssl_key_file: "/etc/pki/tls/certs/nginx-self-signed.key"
+ nginx_ssl_key_file: "/etc/pki/tls/private/nginx_key.pem"
+ nginx_ssl_cert_file: "/etc/pki/tls/certs/nginx.crt"
 nginx_ssl_csr_file: "/etc/pki/tls/certs/nginx-self-signed.csr"
 #nextcloud_domain: "cloud.example.com"
 code_enable_ssl: false