From c158a21dfcf98f2e3dd65ed74ea7ef89f7e9dc09 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Wed, 5 May 2021 20:41:28 +0200
Subject: [PATCH] nginx: separate self-signed certs

---
 group_vars/all | 1 +
 roles/nginx/tasks/main.yml | 56 ++-----------------------------
 roles/nginx/tasks/self-signed.yml | 37 ++++++++++++++++++++
 3 files changed, 41 insertions(+), 53 deletions(-)
 create mode 100644 roles/nginx/tasks/self-signed.yml

diff --git a/group_vars/all b/group_vars/all
index 33e2a05..0574a7f 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,4 +1,5 @@
 base_domain: "dev.local"
+self_signed: false
 admin_email: "lukas@kucharczyk.xyz"
 server_ip: "192.168.0.107"
 data_folder: "{{ playbook_dir }}/docker-data"
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 335737b..552df97 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
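Review bot: `self_signed` is introduced without a comment, and its name does not convey the consequence of flipping it: when true the nginx role mints a private root CA, signs a `*.{{ base_domain }}` wildcard certificate with it and installs that CA into the host's system trust store via `trust anchor`, which is a trust decision worth spelling out beside the flag. Suggest adding above the new line `# true: nginx role generates a private root CA + *.base_domain wildcard cert and adds the CA to the system trust store (roles/nginx/tasks/self-signed.yml); leave false when real certificates are supplied another way.`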
@@ -5,59 +5,9 @@
 mode: '0755'
 loop:
 - "{{ nginx_confd_folder }}"
-- name: generate root ca
- command: openssl req \
- -x509 \
- -new \
- -nodes \
- -newkey rsa:2048 \
- -keyout "{{ data_folder }}/nginx/rootca.key" \
- -out "{{ data_folder }}/nginx/rootca.pem" \
- -sha256 \
- -days 3650 \
- -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
- args:
- creates: rootca.*
-- name: generate wildcard csr
- command: openssl req \
- -new \
- -nodes \
- -newkey rsa:2048 \
- -keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
- -out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
- -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
- args:
- creates: "{{ data_folder }}/nginx/{{ base_domain }}.*"
-- name: sign wildcard csr with root ca
- command: openssl x509 \
- -req \
- -in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
- -CA "{{ data_folder }}/nginx/rootca.pem" \
- -CAkey "{{ data_folder }}/nginx/rootca.key" \
- -CAcreateserial \
- -out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
- -days 3650 \
- -sha256
- args:
- creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
-- name: install root ca
- command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
- args:
- creates: /etc/ca-certificates/extracted/cadir/Homelab*
- become: yes
-- name: copy certificates
- copy:
- src: "{{ item }}"
- dest: "{{ data_folder }}/nginx"
- mode: '0755'
- loop:
- - "{{ data_folder }}/nginx/{{ base_domain }}.key"
- - "{{ data_folder }}/nginx/{{ base_domain }}.crt"
-- name: copy .conf file
- template:
- src: nginx.conf.j2
- dest: "{{ data_folder }}/nginx/nginx.conf"
- mode: '0755'
+- name: generate and install self-signed certs
+ import_tasks: self-signed.yml
+ when: self_signed
 - name: create nginx bridge network
 docker_network:
 name: nginx-internal
diff --git a/roles/nginx/tasks/self-signed.yml b/roles/nginx/tasks/self-signed.yml
new file mode 100644
index 0000000..9192a96
--- /dev/null
+++ b/roles/nginx/tasks/self-signed.yml
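Review bot: The `copy .conf file` template task is now reachable only through the guarded `import_tasks: self-signed.yml`, so with the new default `self_signed: false` a run never writes `{{ data_folder }}/nginx/nginx.conf`; on the new side of this hunk nothing sits between the folder loop and the `create nginx bridge network` task except the conditional import. Keep the five-line `copy .conf file` template task in main.yml directly after the import, unconditional, and let self-signed.yml hold only the CA and certificate tasks. With `self_signed: false` this role also no longer provides `{{ base_domain }}.key`/`.crt` by any path; if nginx.conf.j2 (not visible here) references them, the non-self-signed path needs a task that supplies a real certificate, or an early `assert`/`fail` with a clear message. The task whose `mode: '0755'` opens the hunk starts before it and is not visible here.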
@@ -0,0 +1,37 @@
+- name: generate root ca
+ command: openssl req \
+ -x509 \
+ -new \
+ -nodes \
+ -newkey rsa:2048 \
+ -keyout "{{ data_folder }}/nginx/rootca.key" \
+ -out "{{ data_folder }}/nginx/rootca.pem" \
+ -sha256 \
+ -days 3650 \
+ -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
+- name: generate wildcard csr
+ command: openssl req \
+ -new \
+ -nodes \
+ -newkey rsa:2048 \
+ -keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
+ -out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
+ -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
+- name: sign wildcard csr with root ca
+ command: openssl x509 \
+ -req \
+ -in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
+ -CA "{{ data_folder }}/nginx/rootca.pem" \
+ -CAkey "{{ data_folder }}/nginx/rootca.key" \
+ -CAcreateserial \
+ -out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
+ -days 3650 \
+ -sha256
+- name: install root ca
+ command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
+ become: yes
+- name: copy .conf file
+ template:
+ src: nginx.conf.j2
+ dest: "{{ data_folder }}/nginx/nginx.conf"
+ mode: '0755'
\ No newline at end of file
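Review bot: Every `args: creates:` guard that the old main.yml tasks carried is missing from this new file, so each playbook run mints a fresh root CA key, a fresh wildcard key, re-signs the certificate and runs `trust anchor` again, adding one more "Homelab" CA to the system trust store each time while the previously installed ones stay trusted and their private keys stay on disk. Guard the three openssl tasks on their output file with a full path (the old `creates: rootca.*` was relative to the remote working directory, not `data_folder`), `register` the root-CA task and run `trust anchor` only `when: rootca is changed`, so the trust store holds exactly the CA that signs the cert. The wildcard cert is issued with a CN only and no subjectAltName, which Chromium-based browsers reject regardless of CN, so the signing step should add `-extfile` data with `subjectAltName=DNS:*.{{ base_domain }},DNS:{{ base_domain }}`. `mode: '0755'` makes the templated nginx.conf executable where `'0644'` suffices, and `become: yes` should be `become: true`. The ` \` continuations inside a plain multi-line scalar are folded into the single-line command string rather than acting as shell line continuations (pre-existing in the moved lines, worth verifying against a run), which a `>-` folded scalar avoids.
```yaml
- name: generate root ca
  command: >-
    openssl req -x509 -new -nodes -newkey rsa:2048
    -keyout "{{ data_folder }}/nginx/rootca.key"
    -out "{{ data_folder }}/nginx/rootca.pem"
    -sha256 -days 3650
    -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
  args:
    creates: "{{ data_folder }}/nginx/rootca.pem"
  register: rootca
# … unchanged: generate wildcard csr, plus args.creates on "{{ data_folder }}/nginx/{{ base_domain }}.csr" …
# … unchanged: sign wildcard csr with root ca, plus args.creates on "{{ data_folder }}/nginx/{{ base_domain }}.crt" …
- name: install root ca
  command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
  become: true
  when: rootca is changed
# … unchanged: copy .conf file (with mode '0644') …
```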