From e48997e1399fed6ef35ea10f12e3c4d5f9b19d25 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?= Date: Fri, 14 May 2021 23:52:06 +0200 Subject: [PATCH] Move certificates to Ansible Vault (#27) --- playbook.yml | 2 ++ roles/nginx/files/dev.local.crt | 20 -------------------- roles/nginx/files/dev.local.csr | 17 ----------------- roles/nginx/files/dev.local.key | 28 ---------------------------- roles/nginx/files/rootca.key | 28 ---------------------------- roles/nginx/files/rootca.pem | 21 --------------------- roles/nginx/files/rootca.srl | 1 - roles/nginx/tasks/self-signed.yml | 14 ++++++++------ 8 files changed, 10 insertions(+), 121 deletions(-) delete mode 100644 roles/nginx/files/dev.local.crt delete mode 100644 roles/nginx/files/dev.local.csr delete mode 100644 roles/nginx/files/dev.local.key delete mode 100644 roles/nginx/files/rootca.key delete mode 100644 roles/nginx/files/rootca.pem delete mode 100644 roles/nginx/files/rootca.srl diff --git a/playbook.yml b/playbook.yml index 26a4eb8..eeff7ac 100644 --- a/playbook.yml +++ b/playbook.yml @@ -4,3 +4,5 @@ - docker - nginx - jellyfin + vars_files: + - vault/certs/{{ base_domain }}.yml diff --git a/roles/nginx/files/dev.local.crt b/roles/nginx/files/dev.local.crt deleted file mode 100644 index 9eefd00..0000000 --- a/roles/nginx/files/dev.local.crt +++ /dev/null @@ -1,20 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDNTCCAh0CFA+NVMwkGKvL8NbRd7waRkEHYcf/MA0GCSqGSIb3DQEBCwUAMFUx -CzAJBgNVBAYTAkNaMQ8wDQYDVQQHDAZQcmFndWUxEDAOBgNVBAMMB0hvbWVsYWIx -IzAhBgkqhkiG9w0BCQEWFGx1a2FzQGt1Y2hhcmN6eWsueHl6MB4XDTIxMDUxMzIy -MDA1NloXDTMxMDUxMTIyMDA1NlowWTELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlBy -YWd1ZTEUMBIGA1UEAwwLKi5kZXYubG9jYWwxIzAhBgkqhkiG9w0BCQEWFGx1a2Fz -QGt1Y2hhcmN6eWsueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA -0/jsQ6h6PodfYxTSAwUIY9+AXQ519Km4YNnxH5Ma3AjFH0asJyYR/CC6Zx4VOI1c -ZvelLHH/fonuLygSVc9zG5e3k62m6WHxZDDD0GidbmsgPMfPK5r1m9B2McbqWlVD -R0Y7FuGCQb0PqClJu86knw2kaYaFHrMVyBgZXAqXfEYIVJJ5SL8Yzo/lyoSHwlmk -lZ3LjnvlJ9IAOVpoWiuxmCzzEpGWQyve47HgyN5Q6Um8C0hgwj9fbA9L8Ns8PKt3 -y+ypFJMO8gXsup4h7VhRz8KpqdBpo9ghMsvxTAUiPGkerUEjqiIFK2Iz1bZ8yL5d -/Gh0EM6ii2FSwsTpVzJ0xQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQBjaFbfxfut -blYjPZ3mn1hbo3w5kqo9Ly7OLU4mCoK/DFzUBJbIj471B+7cK8hjmvzDUCQxRQWx -pBOBzOR4VSF4Z/xKKc1tWQJSC1r5JP0qmkYrmgIgLVi/gdZVYc7qLQbAlJhIOqD1 -vQnXrBRqUm7J2ThqFdBuILvR20Pkoa2GnH3ufnQvdSs4WPWocR+fKYbx/DKjpAbU -GWg1HnL+7PiflV1HDAkc2kiNQy70/bxcQq1HvQRxjm5C15ojdVzyqPy+CwQo+JOd -IdueOS9mM6CQATnwQxK0XKkyH1yI9M83ahQbArwWTzejRWJQd0xYWdQgiEr4aWWV -DONUin6JUgVV ------END CERTIFICATE----- diff --git a/roles/nginx/files/dev.local.csr b/roles/nginx/files/dev.local.csr deleted file mode 100644 index 5b87dee..0000000 --- a/roles/nginx/files/dev.local.csr +++ /dev/null @@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE REQUEST----- -MIICnjCCAYYCAQAwWTELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEUMBIG -A1UEAwwLKi5kZXYubG9jYWwxIzAhBgkqhkiG9w0BCQEWFGx1a2FzQGt1Y2hhcmN6 -eWsueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0/jsQ6h6Podf -YxTSAwUIY9+AXQ519Km4YNnxH5Ma3AjFH0asJyYR/CC6Zx4VOI1cZvelLHH/fonu -LygSVc9zG5e3k62m6WHxZDDD0GidbmsgPMfPK5r1m9B2McbqWlVDR0Y7FuGCQb0P -qClJu86knw2kaYaFHrMVyBgZXAqXfEYIVJJ5SL8Yzo/lyoSHwlmklZ3LjnvlJ9IA -OVpoWiuxmCzzEpGWQyve47HgyN5Q6Um8C0hgwj9fbA9L8Ns8PKt3y+ypFJMO8gXs -up4h7VhRz8KpqdBpo9ghMsvxTAUiPGkerUEjqiIFK2Iz1bZ8yL5d/Gh0EM6ii2FS -wsTpVzJ0xQIDAQABoAAwDQYJKoZIhvcNAQELBQADggEBAD9stDlWNlzkGFsTJc36 -CfT7/qovjmxWGJLsuczU7oBwf6nwPuV0W3fUvl2tqz5Nnff4wOnKkRlrR54R0Obl -6KgebvwjACypYkFcL075qrdBpm52yiDWfE7ZOAU7tRCZ7DtMeEtSx/g/03bVp0n1 -7rZm2eeiXB/m7VqabxK1eRwnDktXGuRWpRK7OpQQ0UuKSTlRsI8o4N4r0af8DInP -C3mWATJ56dsWaVhW1fBvSFAjrdho1vPadyC2Lb71MyM1H8IQSW8pQlyvAOlw+JVE -iEaTYt7miCODHzKSMv73Or2XGYMEFtoLDot3B+rBQun8TQwujDrMA7KU25NcgfQ+ -d+Y= ------END CERTIFICATE REQUEST----- diff --git a/roles/nginx/files/dev.local.key b/roles/nginx/files/dev.local.key deleted file mode 100644 index dbb3a3f..0000000 --- a/roles/nginx/files/dev.local.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDT+OxDqHo+h19j -FNIDBQhj34BdDnX0qbhg2fEfkxrcCMUfRqwnJhH8ILpnHhU4jVxm96Uscf9+ie4v -KBJVz3Mbl7eTrabpYfFkMMPQaJ1uayA8x88rmvWb0HYxxupaVUNHRjsW4YJBvQ+o -KUm7zqSfDaRphoUesxXIGBlcCpd8RghUknlIvxjOj+XKhIfCWaSVncuOe+Un0gA5 -WmhaK7GYLPMSkZZDK97jseDI3lDpSbwLSGDCP19sD0vw2zw8q3fL7KkUkw7yBey6 -niHtWFHPwqmp0Gmj2CEyy/FMBSI8aR6tQSOqIgUrYjPVtnzIvl38aHQQzqKLYVLC -xOlXMnTFAgMBAAECggEBAMuHAOPdyrJrLM1n2lYH6QxsN0YicmOe6mgkGv8kMe// -g7YKF5XnWfFqQ1BrdBi+snAzbCcGtjj7mvUwVpqJ+44M2Lk1TURdRHfc0sczC6ZP -ub5iY6sMuLMJL9OPmMlvgI/ZATdxA663J2dhbWikezA02x5viTX24f0kFoVnrhgl -LYSVOVOl94vk1jByJVtJeusd5JwF6JZ6Ws8My7Fzh3hHMepcB5uVfYr20O7FZHEX -DAlVN7MSh7nM0a4WsZPg5S5KLMZlhTyqosRwx9n5Y08S8BRYMLNyetRICDe6MIn9 -cJllAR/W51WsvmH/LHmLTRA6eC4rxO744z0DDpGuc6kCgYEA+44eS79TCRG6zQjo -Jt2VMcdUpqTwcXWwllpZh071SV3wMQTlzRwAM8QdPga5O0qYe/UBVxx4dh5MinpN -TnGP+4sBlME2Q8iUml5jNU8Fwuo1XZWkdrTmeJl/DyJ2iqokPyJSp/iFhFWuNhJS -eNgmu7gvLPMhQjdfTDsom4OSAt8CgYEA17fBltxcWmQV6XxkVbVLnrdesvGv8zGg -VIod02wW39G0WR5FEffu+TEOcsdkQGqH9gCUkyEomGzZKGDmzCu+PpLjb1KIBkf+ -8tt4o4Za91XgOm79m2sP5qczwXqUOsgRZBNPTDrbwIA4Y4pMYoxwx4aQF9DLl0Vt -jqNhHtn2ANsCgYA0LcSG/cahiPXwdbqB5VB/JNOgRXJCdqEMbu1HLc+fSkb6RAPO -ydIY6sMODKL7c3uxqp5+jT9HcP17c+b5MIEnMiw/yNwSr1ZztsRpWFzfk2lCYjnd -DaUIuv4qC4H/PU+LcPkoMlqvmn4qZR6KRnuyUIAomL37WDUCQPspVt9AjQKBgQDB -1euNbLtLuc16vXzHCx5FIw5kCwqIo5om/OiqFuFDAwNkZO+5oqjIoA0UlBiATXmY -UpMu1cfNl1lWkCQzaEcNoR3e5TE3O7Bad12iytKolzDiMOOPqRdjsfCutT/Gxgni -e/twSx81jcGdqCLVFs8sarzFuaeHaSp11lcpyr7jqwKBgQDWL0Dx6/ybyma/NcWD -liF6OMkxwvA58c7eoG2pOSENxMhe5rA9uzaYj0jjLCEIwF5X5uI5vsnnl1vKtfA4 -YAly4qve/lhCqM9YvRi1l2Oi5aeZLqVKF8tA81k5kK/O7dKjHvq8hLIipcQ2Esfy -3X+EPcWIxFSX64m5+Ib+cch6hg== ------END PRIVATE KEY----- diff --git a/roles/nginx/files/rootca.key b/roles/nginx/files/rootca.key deleted file mode 100644 index 82a1b29..0000000 --- a/roles/nginx/files/rootca.key +++ /dev/null @@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAH/nCewvHL6pP -tGUyUwVBiL6T3er0mS4rM6ifoQxEGb1EsURyngik0I1IaPn9ciI09JnUdXpKnMS3 -/jhHlkibD93datDPHEdPTdw1TZmQLcJyWW5MQ52/DMKDokCzWdQNENEL7I9A8GUD -V1Rl8E3G/uKHAzj2ULI1S+MwY+5URF3MLABmxFEfWcIBNef42wQ67hx74WlwOVVK -GNTVyd6EkRXDXu/YoMnZUdWOUxk6Bo9eKALOiVoTDtJOgubs5LT8MmhIosI6SqDM -lPq7huLLPD09egDrQqU13LfOG/+N7LXwsTcQXNV6irzMgNTE7vsWDyO+q8m4J1BU -sMWHnOpxAgMBAAECggEAD6SK2WLbWqRu4X52ntpTmzpfCfsPnkq6j5ntKNIcBY9y -8ZzdTdfALGsula62bARW9KjVvY6zHlAVVEXGn02FK9rm3ZhM2BAdXj+gplZjInIX -WugdKuh2d4+6Zq1XR0MRGN89phLktwzbrKH3pTUjoAgwuX1xrdx0JhK/tLjuNr4W -CBtmz2X6lzKeD9S7PHu33Tqseg1GCfQYBKyDrCOgWBq8/V0eoAQB3g4t3ZIfzAYN -Ft4BEB3prNBgLhuea43DRNcUnIu2k9/LzLTpGJE8oqM55yUEULdWIvRQJHEDfah2 -1YiDCzzd3CCYgk6CjRaEihL+WPJfohKzDghnrhVp4QKBgQDw6CTWcm6S7/+eO6qP -PnyFPK/1ajCwc1KsVEjiS2OQ9WMK6d8pfA9o6lCjlRcu8kCO6CXQS8vXwg7G3PBY -7ndMUoyTD5X32uG/VXY1LxYtCdrjKWsnZP/cuTtcodaG/Sp+5Pa1eO00cG6ckCQr -FU8BLqeLhOSjlFinvoEVqPFriwKBgQDMKW2xTeqQpbLuTgvGcFglhTiyjGzIwtf7 -Du0ZqF7LpzY95CUBOL9YZBBcAzarCnemzDeMy7aDuIesVP0JPGdTC2f4W/X++WUO -7CXJH7Xt/ULQLXDwRyQiMCKNCCNQtpDfP/Uzf6Ts/F3rIYre3NzscTbUradD3RMd -OqyIyzwxcwKBgBGhK3D2Ftlx7sbpnuW0sPAfLNFM4BtJlTc/Q8YrtjGZg5H843Pp -vEb1Psl506R/3fGXU40WvugfL22mJYCckuZm9Bqe/V6SCgsyeeASfhD1s6sEEO9l -GMRSWeHBhi2CwWVf5B4Lp3A6+h1C/yKYAJwZifFP3FuMM6Cy9Eddga1ZAoGBAKCR -SKM0y3F90E8Z9KrZ+olv0FqklH4Et8bNQ251fDChTsi4YN4oGl1TPYaQRHOa5OW7 -IUlLgjzwaUwA/40/A2hNxTSQZtVkobVtxn36waPuFpkR1Aw1d1aoEtRmfRfirefX -LmqVTknQZbEijUyf2eTfWadE+BMokPrhBYcEiE+/AoGBANdhUebsG0AGYvM2SuHy -UQFmwamIzSUdBPXvNDALoCOi/9t0ySakxmBOyaUFY6k1WOW/fvBJ4eTGdlIUO6Ee -v1vMxpjLb8Z5H19qK/qSu1Q4PI70q0uThaWFFQ4Hhadb1m1vfxZ7u/jqx3rxCVqD -dw4+Bq5YpiLXR11wW29gx6dx ------END PRIVATE KEY----- diff --git a/roles/nginx/files/rootca.pem b/roles/nginx/files/rootca.pem deleted file mode 100644 index 68532ab..0000000 --- a/roles/nginx/files/rootca.pem +++ /dev/null @@ -1,21 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDizCCAnOgAwIBAgIUYUlmu4VunV3uvnrMuV9MOXRJmjowDQYJKoZIhvcNAQEL -BQAwVTELMAkGA1UEBhMCQ1oxDzANBgNVBAcMBlByYWd1ZTEQMA4GA1UEAwwHSG9t -ZWxhYjEjMCEGCSqGSIb3DQEJARYUbHVrYXNAa3VjaGFyY3p5ay54eXowHhcNMjEw -NTEzMjIwMDU1WhcNMzEwNTExMjIwMDU1WjBVMQswCQYDVQQGEwJDWjEPMA0GA1UE -BwwGUHJhZ3VlMRAwDgYDVQQDDAdIb21lbGFiMSMwIQYJKoZIhvcNAQkBFhRsdWth -c0BrdWNoYXJjenlrLnh5ejCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB -AMAf+cJ7C8cvqk+0ZTJTBUGIvpPd6vSZLiszqJ+hDEQZvUSxRHKeCKTQjUho+f1y -IjT0mdR1ekqcxLf+OEeWSJsP3d1q0M8cR09N3DVNmZAtwnJZbkxDnb8MwoOiQLNZ -1A0Q0Qvsj0DwZQNXVGXwTcb+4ocDOPZQsjVL4zBj7lREXcwsAGbEUR9ZwgE15/jb -BDruHHvhaXA5VUoY1NXJ3oSRFcNe79igydlR1Y5TGToGj14oAs6JWhMO0k6C5uzk -tPwyaEiiwjpKoMyU+ruG4ss8PT16AOtCpTXct84b/43stfCxNxBc1XqKvMyA1MTu -+xYPI76rybgnUFSwxYec6nECAwEAAaNTMFEwHQYDVR0OBBYEFMIPcuQ9X1fX4grD -O+mb1PipZfPYMB8GA1UdIwQYMBaAFMIPcuQ9X1fX4grDO+mb1PipZfPYMA8GA1Ud -EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEBAHKHCIGmFygvzyXENSbzFcwI -vSLkB/pb3NLXIcFtFI2hu3NdXkf2Lf/YdSTeXz0TS9M4EyDouVg4rKrGfgQCXwpd -FK05b9x2MBrKm1sLMr8gofYvKYlRzF+Fedr/d1S9ze/FE2UbMuzjc70vjRpKd8yN -nRATyJdicWUqhZZC2TB2ko3G6vzoUxIHQH7PPHjpJW1kYspio/+ohYSmh9rpqeSG -MHYyBsjSbEJJOdkaWWxc+OWhLuhfD4lZlmmzyVBBQ0HQ/shztPaWYogHVpU9yAEW -kasPGcwXxrpIaQo06U5qmmDbwfUadljfaOicMuu4Rv2xQPGvdNy49uYdSERlKpQ= ------END CERTIFICATE----- diff --git a/roles/nginx/files/rootca.srl b/roles/nginx/files/rootca.srl deleted file mode 100644 index d31dcda..0000000 --- a/roles/nginx/files/rootca.srl +++ /dev/null @@ -1 +0,0 @@ -0F8D54CC2418ABCBF0D6D177BC1A46410761C7FF diff --git a/roles/nginx/tasks/self-signed.yml b/roles/nginx/tasks/self-signed.yml index 3b0c028..65d08e1 100644 --- a/roles/nginx/tasks/self-signed.yml +++ b/roles/nginx/tasks/self-signed.yml @@ -30,11 +30,13 @@ -days 3650 \ -sha256 when: generate_cert.wildcard -- name: copy wildcard certificate and key +- name: copy wildcard certificate and key from vault copy: - src: "{{ item }}" - dest: "{{ data_folder }}/nginx/{{ item }}" + content: "{{ item.content }}" + dest: "{{ data_folder }}/nginx/{{ item.name }}" + owner: root + group: root mode: '0700' - loop: - - "{{ base_domain }}.crt" - - "{{ base_domain }}.key" \ No newline at end of file + with_items: + - "{{ certificates }}" + no_log: true \ No newline at end of file