diff --git a/playbooks/group_vars/db.yml b/playbooks/group_vars/db.yml
index 374377a1..f465adb0 100644
--- a/playbooks/group_vars/db.yml
+++ b/playbooks/group_vars/db.yml
@@ -37,6 +37,7 @@ postgresql_ssl_certificate:
   csr_common_name: "{{ db_server.host }}"
   certificate_filename: "{{ postgresql.base_directory }}/certs/server.crt"
   provider: selfsigned
+  selfsigned_not_after: "+3650d"
   cache_filename: "{{ database_server_certificate_cache_filename }}" # where to store the server certificate in cache
 
 firewalld_rich_rules:
diff --git a/playbooks/group_vars/omero.yml b/playbooks/group_vars/omero.yml
index 8c784c45..d676bfdc 100644
--- a/playbooks/group_vars/omero.yml
+++ b/playbooks/group_vars/omero.yml
@@ -14,6 +14,7 @@ postgresql_client_ssl_certificate:
   csr_common_name: "{{ web_server.host }}"
   certificate_filename: /opt/omero/server/.postgresql/postgresql.crt
   provider: selfsigned
+  selfsigned_not_after: "+3650d"
   cache_filename: "{{ database_client_certificate_cache_filename }}" # where to store the client certificate in cache
 
 # firewalld
diff --git a/playbooks/group_vars/xnat.yml b/playbooks/group_vars/xnat.yml
index eb35a9fe..82a74a94 100644
--- a/playbooks/group_vars/xnat.yml
+++ b/playbooks/group_vars/xnat.yml
@@ -60,6 +60,7 @@ postgresql_client_ssl_certificate:
   csr_common_name: "{{ web_server.host }}"
   certificate_filename: /usr/share/tomcat/.postgresql/postgresql.crt
   provider: selfsigned
+  selfsigned_not_after: "+3650d"
   cache_filename: "{{ database_client_certificate_cache_filename }}" # where to store the client certificate in cache
 
 java:
diff --git a/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml b/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml
index 3b7a6549..e6d7d469 100644
--- a/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml
+++ b/playbooks/molecule/resources/monitoring/inventory/host_vars/mserv.yml
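Review bot: `selfsigned_not_after: "+3650d"` is, if I read the community.crypto `x509_certificate` docs correctly, the module's own default for self-signed certificates, so this line does not change the certificate the db host gets; its real purpose is to satisfy the role, which now reads `ssl_certificate.selfsigned_not_after` unconditionally. A short comment would save the next reader from wondering why a default is spelled out, e.g. `# required by the ssl_certificates role; 10 years because nothing here renews or redistributes this cert`. Since clients pin this server certificate via `cache_filename`, rotating it means redistributing the cached copy, which is worth stating next to the lifetime. The `postgresql_ssl_certificate` mapping starts before this hunk.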
@@ -9,3 +9,4 @@ monitoring_server_ssl_certificate:
   csr_common_name: "{{ hostvars['mserv']['hostname'] }}"
   certificate_filename: /etc/ssl/certs/{{ hostvars['mserv']['hostname'] }}.cert
   provider: selfsigned
+  selfsigned_not_after: "+3650d"
diff --git a/roles/nginx/README.md b/roles/nginx/README.md
index 8f38247c..5d2b9d9c 100644
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@@ -32,8 +32,8 @@ variables:
 | ------------------------------- | ----------------------------------------------------------------------------------------- |
 | `nginx_use_ssl` | Whether to use SSL. Defaults to `true` |
 | `nginx_certs_dir` | Where to store the certificates. Defaults to `/etc/nginx/ssl` |
-| `nginx_server_cert_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default |
-| `nginx_server_key_cache` | Path to SSL certificate on the Ansible Controller. Required if using SSL; no default |
+| `nginx_server_cert_cache` | Path to SSL certificates on the Ansible host. Required if using SSL; no default |
+| `nginx_server_key_cache` | Path to SSL certificate on the Ansible host. Required if using SSL; no default |
 | `nginx_ssl_cert_file` | Path to copy the SSL certificate to. Defaults to `/etc/nginx/ssl/server.cert` |
 | `nginx_ssl_key_file` | Path to copy the SSL key to. Defaults to `/etc/nginx/ssl/server.key` |
 | `nginx_diffie_helman_size_bits` | Bit size for OpenSSL Diffie-Hellman Parameters. Defaults to `4096` |
diff --git a/roles/nginx/molecule/resources/inventory/group_vars/all.yml b/roles/nginx/molecule/resources/inventory/group_vars/all.yml
index 018954e3..585a1fa2 100644
--- a/roles/nginx/molecule/resources/inventory/group_vars/all.yml
+++ b/roles/nginx/molecule/resources/inventory/group_vars/all.yml
@@ -1,6 +1,39 @@
 ---
+nginx_owner: root
+nginx_group: root
+
 nginx_server_name: molecule.instance.local
 nginx_proxy_port: 8000
 nginx_diffie_helman_size_bits: 2048
 nginx_root: /home/
-nginx_use_ssl: false
+
+nginx_use_ssl: true
+nginx_certs_dir: /etc/nginx/ssl
+nginx_ssl_cert_file: /etc/nginx/ssl/server.cert
+nginx_ssl_key_file: /etc/nginx/ssl/server.key
+nginx_server_cert_cache: /etc/ssl/certs/server.cert
+nginx_server_key_cache: /etc//ssl/certs/server.key
+
+nginx_old_ssl_certificate:
+  owner: "{{ nginx_owner }}"
+  group: "{{ nginx_group }}"
+  certificate_directory: /etc/ssl/certs
+  privatekey_filename: "{{ nginx_server_key_cache }}"
+  use_pk8: false
+  csr_filename: /etc/ssl/certs/server.csr"
+  csr_common_name: "{{ nginx_server_name }}"
+  certificate_filename: "{{ nginx_server_cert_cache }}"
+  provider: selfsigned
+  selfsigned_not_after: "+365d"
+
+nginx_new_ssl_certificate:
+  owner: "{{ nginx_owner }}"
+  group: "{{ nginx_group }}"
+  certificate_directory: "{{ nginx_certs_dir }}"
+  privatekey_filename: "{{ nginx_ssl_key_file }}"
+  use_pk8: false
+  csr_filename: "{{ nginx_certs_dir }}/server.csr"
+  csr_common_name: "{{ nginx_server_name }}"
+  certificate_filename: "{{ nginx_ssl_cert_file }}"
+  provider: selfsigned
+  selfsigned_not_after: "+3650d"
diff --git a/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml b/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
index 8be670cc..aff12e5b 100644
--- a/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
+++ b/roles/nginx/molecule/resources/inventory/group_vars/centos7.yml
@@ -11,6 +11,7 @@ install_python:
   - libselinux-python
   - policycoreutils-python
 pip_packages:
+  - cryptography
   - gunicorn
   - Flask
 
diff --git a/roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml b/roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml
index e587b569..044f6ca3 100644
--- a/roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml
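Review bot: `csr_filename: /etc/ssl/certs/server.csr"` under `nginx_old_ssl_certificate` has a stray trailing double quote; YAML treats it as part of the plain scalar, so the CSR will be written to a file literally named `server.csr"` — change it to `csr_filename: /etc/ssl/certs/server.csr`. `nginx_server_key_cache: /etc//ssl/certs/server.key` has a doubled slash, harmless on Linux but worth fixing to `/etc/ssl/certs/server.key` so the two cache paths read the same. Note also that this fixture places a private key under `/etc/ssl/certs`, a directory conventionally holding public certificates; that is tolerable for a molecule instance, but a comment such as `# test fixture only: key kept next to the cert for simplicity` would stop the pattern being copied into real inventories.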
+++ b/roles/nginx/molecule/resources/inventory/group_vars/rocky9.yml
@@ -11,6 +11,7 @@ install_python:
   - python3-libselinux
   - policycoreutils-python-utils
 pip_packages:
+  - cryptography
   - gunicorn
   - flask
 
diff --git a/roles/nginx/molecule/resources/prepare.yml b/roles/nginx/molecule/resources/prepare.yml
index 3c014205..279191e4 100644
--- a/roles/nginx/molecule/resources/prepare.yml
+++ b/roles/nginx/molecule/resources/prepare.yml
@@ -44,3 +44,18 @@
       ansible.builtin.systemd:
         name: gunicorn
         state: restarted
+
+- name: Create SSL certificates for nginx
+  hosts: all
+  gather_facts: true
+  tasks:
+    - name: Create SSL certificate that expires in 1 year and store in server cache
+      ansible.builtin.include_role:
+        name: mirsg.infrastructure.ssl_certificates
+      vars:
+        ssl_certificate: "{{ nginx_old_ssl_certificate }}" # noqa: var-naming[no-role-prefix]
+    - name: Create SSL certificate that expires in 10 years and store in nginx certificate directory
+      ansible.builtin.include_role:
+        name: mirsg.infrastructure.ssl_certificates
+      vars:
+        ssl_certificate: "{{ nginx_new_ssl_certificate }}" # noqa: var-naming[no-role-prefix]
diff --git a/roles/nginx/molecule/resources/verify.yml b/roles/nginx/molecule/resources/verify.yml
index 267189cd..d2c6fcc5 100644
--- a/roles/nginx/molecule/resources/verify.yml
+++ b/roles/nginx/molecule/resources/verify.yml
@@ -4,7 +4,7 @@
   tasks:
     - name: Get server status
       ansible.builtin.uri:
-        url: http://localhost:8080
+        url: https://localhost:8080
         method: GET
         headers:
           Host: molecule.instance.local
diff --git a/roles/ssl_certificates/README.md b/roles/ssl_certificates/README.md
index 21a50120..4db6e0c4 100644
--- a/roles/ssl_certificates/README.md
+++ b/roles/ssl_certificates/README.md
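Review bot: Switching `url` to `https://localhost:8080` will make `ansible.builtin.uri` fail TLS verification unless the task sets `validate_certs: false` further down — the certificate served is self-signed, and even a trusted one would not match because the fixture issues it for `molecule.instance.local` (`csr_common_name: "{{ nginx_server_name }}"`) while the URL names `localhost`. The task body continues past the hunk, so if `validate_certs: false` is already there this is moot; otherwise either add `validate_certs: false` with a comment explaining it is a self-signed test certificate, or point `ca_path` at the generated `server.cert` and request `https://molecule.instance.local:8080` so the verify step actually exercises hostname validation. Leaving the reason in a comment keeps a disabled-validation line from being copied into a production check.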
@@ -95,6 +95,7 @@ ssl_certificate: csr_common_name: "db" certificate_filename: "/var/lib/pgsql/server.crt" provider: "selfsigned" + selfsigned_not_after: "+3650d" cache_filename: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/pg_certificates/db.postgresql_server.crt" @@ -118,6 +119,7 @@ ssl_certificate: csr_common_name: "{{ web_hostname }}" certificate_filename: "/usr/share/tomcat/.postgresql/postgresql.crt" provider: "selfsigned" + selfsigned_not_after: "+3650d" cache_filename: "{{ lookup('env', 'HOME') }}/ansible_persistent_files/pg_certificates/db.postgresql_client.crt" diff --git a/roles/ssl_certificates/tasks/main.yml b/roles/ssl_certificates/tasks/main.yml index 636e4fe2..f6cc4884 100644 --- a/roles/ssl_certificates/tasks/main.yml +++ b/roles/ssl_certificates/tasks/main.yml @@ -35,6 +35,7 @@ privatekey_path: "{{ ssl_certificate.privatekey_filename }}" csr_path: "{{ ssl_certificate.csr_filename }}" provider: "{{ ssl_certificate.provider }}" + selfsigned_not_after: "{{ ssl_certificate.selfsigned_not_after }}" mode: "0400" owner: "{{ ssl_certificate.owner }}" group: "{{ ssl_certificate.group }}"
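Review bot: `selfsigned_not_after: "{{ ssl_certificate.selfsigned_not_after }}"` is rendered unconditionally, so any `ssl_certificate` mapping that does not define the new key now fails with an undefined-variable error; the diff updates the inventories it knows about, but nothing protects other callers of this role. Use `selfsigned_not_after: "{{ ssl_certificate.selfsigned_not_after | default(omit) }}"` so the module default applies when the key is absent (or `default('+3650d')` if the role should own the value), and list the key as optional in the role README's variable table. As its name suggests the option only applies to the `selfsigned` provider, which is another reason to omit it rather than require it for every configuration. The module call this line belongs to starts before the hunk.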