nginx: separate self-signed certs

This commit is contained in:
Lukáš Kucharczyk 2021-05-05 20:41:28 +02:00
parent d0d33b47b9
commit c158a21dfc
No known key found for this signature in database
GPG Key ID: 65524498C0196B64
3 changed files with 41 additions and 53 deletions

View File

@ -1,4 +1,5 @@
base_domain: "dev.local"
self_signed: false
admin_email: "lukas@kucharczyk.xyz"
server_ip: "192.168.0.107"
data_folder: "{{ playbook_dir }}/docker-data"

View File

@ -5,59 +5,9 @@
mode: '0755'
loop:
- "{{ nginx_confd_folder }}"
- name: generate root ca
command: openssl req \
-x509 \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/rootca.key" \
-out "{{ data_folder }}/nginx/rootca.pem" \
-sha256 \
-days 3650 \
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
args:
creates: rootca.*
- name: generate wildcard csr
command: openssl req \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.*"
- name: sign wildcard csr with root ca
command: openssl x509 \
-req \
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-CA "{{ data_folder }}/nginx/rootca.pem" \
-CAkey "{{ data_folder }}/nginx/rootca.key" \
-CAcreateserial \
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
-days 3650 \
-sha256
args:
creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
- name: install root ca
command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
args:
creates: /etc/ca-certificates/extracted/cadir/Homelab*
become: yes
- name: copy certificates
copy:
src: "{{ item }}"
dest: "{{ data_folder }}/nginx"
mode: '0755'
loop:
- "{{ data_folder }}/nginx/{{ base_domain }}.key"
- "{{ data_folder }}/nginx/{{ base_domain }}.crt"
- name: copy .conf file
template:
src: nginx.conf.j2
dest: "{{ data_folder }}/nginx/nginx.conf"
mode: '0755'
- name: generate and install self-signed certs
import_tasks: self-signed.yml
when: self_signed
- name: create nginx bridge network
docker_network:
name: nginx-internal

View File

@ -0,0 +1,37 @@
- name: generate root ca
command: openssl req \
-x509 \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/rootca.key" \
-out "{{ data_folder }}/nginx/rootca.pem" \
-sha256 \
-days 3650 \
-subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
- name: generate wildcard csr
command: openssl req \
-new \
-nodes \
-newkey rsa:2048 \
-keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
-out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
- name: sign wildcard csr with root ca
command: openssl x509 \
-req \
-in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
-CA "{{ data_folder }}/nginx/rootca.pem" \
-CAkey "{{ data_folder }}/nginx/rootca.key" \
-CAcreateserial \
-out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
-days 3650 \
-sha256
- name: install root ca
command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
become: yes
- name: copy .conf file
template:
src: nginx.conf.j2
dest: "{{ data_folder }}/nginx/nginx.conf"
mode: '0755'