diff --git a/group_vars/all b/group_vars/all
index 244a443..a894657 100644
--- a/group_vars/all
+++ b/group_vars/all
@@ -1,5 +1,9 @@
 base_domain: "dev.local"
-self_signed: false
+self_signed: true
+generate_cert:
+ # only copy existing if both are false
+ root: false
+ wildcard: false
 admin_email: "lukas@kucharczyk.xyz"
 server_ip: "192.168.0.104"
 data_folder: "/home/vagrant/docker-data"
diff --git a/playbook.yml b/playbook.yml
index 26a4eb8..eeff7ac 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -4,3 +4,5 @@
 - docker
 - nginx
 - jellyfin
+ vars_files:
+ - vault/certs/{{ base_domain }}.yml
diff --git a/roles/nginx/files/localhost.crt b/roles/nginx/files/localhost.crt
deleted file mode 100644
index 6317e38..0000000
--- a/roles/nginx/files/localhost.crt
+++ /dev/null
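Review bot: The comment `# only copy existing if both are false` does not describe what the consuming tasks do: in roles/nginx/tasks/self-signed.yml the `copy wildcard certificate and key from vault` task has no `when`, so the vault copy runs whenever `self_signed` is true, regardless of `generate_cert`. A certificate regenerated with `wildcard: true` therefore lands in roles/nginx/files but is not what gets deployed unless it is re-vaulted first. Either reword to `# root/wildcard: regenerate into roles/nginx/files; the vaulted copy is always what gets installed` or, if the comment states the intent, add `when: not generate_cert.wildcard` to that copy task.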
@@ -1,24 +0,0 @@ ------BEGIN CERTIFICATE----- -MIID8zCCAtugAwIBAgIUPXGk144K0wqfLNwO7MK4g3ddbewwDQYJKoZIhvcNAQEL -BQAwgYgxCzAJBgNVBAYTAkNaMRMwEQYDVQQIDApTb21lLVN0YXRlMQ8wDQYDVQQH -DAZQcmFndWUxGDAWBgNVBAoMD0t1Y2hhcmN6eWsgTHRkLjEUMBIGA1UEAwwLKi5k -ZXYubG9jYWwxIzAhBgkqhkiG9w0BCQEWFGx1a2FzQGt1Y2hhcmN6eWsueHl6MB4X -DTIxMDQyNjIxMDA1OFoXDTMxMDQyNDIxMDA1OFowgYgxCzAJBgNVBAYTAkNaMRMw -EQYDVQQIDApTb21lLVN0YXRlMQ8wDQYDVQQHDAZQcmFndWUxGDAWBgNVBAoMD0t1 -Y2hhcmN6eWsgTHRkLjEUMBIGA1UEAwwLKi5kZXYubG9jYWwxIzAhBgkqhkiG9w0B -CQEWFGx1a2FzQGt1Y2hhcmN6eWsueHl6MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A -MIIBCgKCAQEAx/LUqs2Z8GS9x0KZrlrdL9Ndsskw5Q8EYGNJDxqebncMAkFbYbi1 -ZhHz4mnVzLKFg6mQ7yXdnUz5DFCltEQcQHpIULPcbLyj3XXBA0Hd40Hc8+7hghJ0 -Un9tH47JwMetnlNQcvmY2XJfQ+MV92pmIh7qzvkyj1EgjkNaTdf87zYl6zYnPJjy -MU7K3KMikPd8jECh5zhsrw9imgr86bqtWBjNkcA3F9Oauui6UhyN3/eGIa74+vx6 -nYomiMSjuN3zkN0cyxX/PFVOZZOzTbmHUIPhIN3p5pXLhqA9tc3ePpifRATzU+Sn -ePPM++PVvSgf2PMFvTtPC/z/jKXHDB4C2QIDAQABo1MwUTAdBgNVHQ4EFgQUUa10 -hrJc8F/WBDC0rWVISN5o6C8wHwYDVR0jBBgwFoAUUa10hrJc8F/WBDC0rWVISN5o -6C8wDwYDVR0TAQH/BAUwAwEB/zANBgkqhkiG9w0BAQsFAAOCAQEAZOwIDGg+CzK3 -/wwIE3ttv/OeU1lHu8I87dR51ixG6kGfj6+iKyP9OhA4If+mRIlMRSmigZe/ENbw -2tVDcoIogu8zw3SLlpMzxSDiAE3Ro4O60x8IQ7+HNOvbfiVq5Hdhb39T9VvDkNv8 -k9mectnlqTNRmbw9oYDbg7zjY+5yGz264QeakF2UwJdtGlDUHVt2w83WJLY/rYAv -uuowVf4Tqt1evIr5lfsxVbRO9oVzBnbivYZPe5hjNxOBXTti17DfedIC+y6bLavm -VNlba18xxCDEPadyJnOSLFQlD0aoMoV7m5hZCJZEciw6X/JpX3SIpRF0MQm02RPi -wncx4+iqGA== ------END CERTIFICATE----- diff --git a/roles/nginx/files/localhost.key b/roles/nginx/files/localhost.key deleted file mode 100644 index 783da5b..0000000 --- a/roles/nginx/files/localhost.key +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDH8tSqzZnwZL3H -QpmuWt0v012yyTDlDwRgY0kPGp5udwwCQVthuLVmEfPiadXMsoWDqZDvJd2dTPkM -UKW0RBxAekhQs9xsvKPddcEDQd3jQdzz7uGCEnRSf20fjsnAx62eU1By+ZjZcl9D -4xX3amYiHurO+TKPUSCOQ1pN1/zvNiXrNic8mPIxTsrcoyKQ93yMQKHnOGyvD2Ka -Cvzpuq1YGM2RwDcX05q66LpSHI3f94Yhrvj6/HqdiiaIxKO43fOQ3RzLFf88VU5l -k7NNuYdQg+Eg3enmlcuGoD21zd4+mJ9EBPNT5Kd488z749W9KB/Y8wW9O08L/P+M -pccMHgLZAgMBAAECggEANoUiNAin5wKxNLoWSZKBKV9K90sgx/SWTuoDq9ioRpqz -bZIApt7Ep7ZRd/U/1PcArOv5lxwOF6w7ZH5BEKxZv8MYINlKS2QMkoBfRtIY/LSi -2OjUGLGLgks4qBg5LxXDY554G0GvyesDyvEKtlIO01L218TfYnDOnbwDzaINV/RC -W/nbyx8Z5teorU+vS5IlDaNMDSFkAMFOfQ8gNrwCaWxX2FJRUyyzM/54J4bNgGUi -+3APpt8w4N54CrMbI6FzyQhUbAY9MRFryaLgw22v0haiM1nAE9BWpU5m20Q8Ilx8 -f1e9PVDqwTXshxx01b0Z6RrHZViyi9+XOo6QU+4xYQKBgQDrYQZ8trvV3j+1E6Eu -rESMni+93ZbhRMbVVUDOhxU7BzfsFnvGodQms9sCaNQrexML0xH9DhWbssCDOvOm -MWSOnxUA1yivMiYvE4FzEM5iRRyFSjE3uS3+FZ0yY3iUr1vf9G9fJrtt/ag05AF5 -ZywhmvvtiA06F9+/qZzMW4jxfQKBgQDZdy/tYZQI9PlfznI6juy/Kx310vGNN9aW -Zzv3WRon40awiRMxUhGViiq9eD1IEzLDIXGXHdOI4E+DQUd+pn7Cr08QoWbOQk2n -BujCDY0mevc2kDi5NASa2SUFvUXo/vCqZdfP/EA7BudYwknZp3hCV+nZt6DcW+M2 -+WLYjxTVjQKBgGs/QTpv9HQFGRgDgqyGd5FuvigPoCCyOrqXZrjzmbvUlSlwMSOX -NtgPmRmm9A1/vXTkzkx0L2pK7yacJMoztTK6z1IbtwDko7tNcu0f2jmybcVZwcU3 -Dfq4lHCSHC37HKyVbm13c20xZ4P546YSWWxSdrmLBSPUHvHwcW43wtTtAoGBAMOb -yAqYiRX9dQrOokU2JpJWcF6cXhaOsYEcXv5AsZxLfVxyEEd+8L44R/Wh4E2ipziK -LqildY9bZWpFH9A2ZzMric0FwXmqfjrNpjRXCC4i0ZfM5pkAx1uaEwk0lVvdZhGA -Bj3ZQtVVgmd+a/tR/oR+m6Tw3csZBCqA7H6rRSxJAoGBAIFd0PRdKm5+mUc575GQ -sxVznovODCdRyOAeD9IKyCcpMo8zB9uiNDRPG/sUebnowC3v7EeCYUUHlUDtsSjc -BZyasg71mrZElWg2mDonw/J9fcrEPGrh59wmqk49MLvzB0An/eP+gGK3RFgbijkN -EZcByagGNGdICcaaxr+RhgcU ------END PRIVATE KEY----- diff --git a/roles/nginx/files/snippets/block-exploits.conf b/roles/nginx/files/snippets/block-exploits.conf new file mode 100644 index 0000000..093bda2 --- /dev/null +++ b/roles/nginx/files/snippets/block-exploits.conf 
@@ -0,0 +1,136 @@
+## Block SQL injections
+set $block_sql_injections 0;
+
+if ($query_string ~ "union.*select.*\(") {
+ set $block_sql_injections 1;
+}
+
+if ($query_string ~ "union.*all.*select.*") {
+ set $block_sql_injections 1;
+}
+
+if ($query_string ~ "concat.*\(") {
+ set $block_sql_injections 1;
+}
+
+if ($block_sql_injections = 1) {
+ return 403;
+}
+
+## Block file injections
+set $block_file_injections 0;
+
+if ($query_string ~ "[a-zA-Z0-9_]=http://") {
+ set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=(\.\.//?)+") {
+ set $block_file_injections 1;
+}
+
+if ($query_string ~ "[a-zA-Z0-9_]=/([a-z0-9_.]//?)+") {
+ set $block_file_injections 1;
+}
+
+if ($block_file_injections = 1) {
+ return 403;
+}
+
+## Block common exploits
+set $block_common_exploits 0;
+
+if ($query_string ~ "(<|%3C).*script.*(>|%3E)") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "GLOBALS(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "_REQUEST(=|\[|\%[0-9A-Z]{0,2})") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "proc/self/environ") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "mosConfig_[a-zA-Z_]{1,21}(=|\%3D)") {
+ set $block_common_exploits 1;
+}
+
+if ($query_string ~ "base64_(en|de)code\(.*\)") {
+ set $block_common_exploits 1;
+}
+
+if ($block_common_exploits = 1) {
+ return 403;
+}
+
+## Block spam
+set $block_spam 0;
+
+if ($query_string ~ "\b(ultram|unicauca|valium|viagra|vicodin|xanax|ypxaieo)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(erections|hoodia|huronriveracres|impotence|levitra|libido)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(ambien|blue\spill|cialis|cocaine|ejaculation|erectile)\b") {
+ set $block_spam 1;
+}
+
+if ($query_string ~ "\b(lipitor|phentermin|pro[sz]ac|sandyauer|tramadol|troyhamby)\b") {
+ set $block_spam 1;
+}
+
+if ($block_spam = 1) {
+ return 403;
+}
+
+## Block user agents
+set $block_user_agents 0;
+
+# Disable Akeeba Remote Control 2.5 and earlier
+if ($http_user_agent ~ "Indy Library") {
+ set $block_user_agents 1;
+}
+
+# Common bandwidth hoggers and hacking tools.
+if ($http_user_agent ~ "libwww-perl") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetRight") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GetWeb!") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go!Zilla") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Download Demon") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "Go-Ahead-Got-It") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "TurnitinBot") {
+ set $block_user_agents 1;
+}
+
+if ($http_user_agent ~ "GrabNet") {
+ set $block_user_agents 1;
+}
+
+if ($block_user_agents = 1) {
+ return 403;
+}
diff --git a/roles/nginx/files/snippets/cache-assets.conf b/roles/nginx/files/snippets/cache-assets.conf
new file mode 100644
index 0000000..07305fa
--- /dev/null
+++ b/roles/nginx/files/snippets/cache-assets.conf
@@ -0,0 +1,31 @@
+location ~* ^.*\.(css|js|jpe?g|gif|png|woff|eot|ttf|svg|ico|css\.map|js\.map)$ {
+ if_modified_since off;
+
+ # use the public cache
+ proxy_cache public-cache;
+ proxy_cache_key $host$request_uri;
+
+ # ignore these headers for media
+ proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires;
+
+ # cache 200s and also 404s (not ideal but there are a few 404 images for some reason)
+ proxy_cache_valid any 30m;
+ proxy_cache_valid 404 1m;
+
+ # strip this header to avoid If-Modified-Since requests
+ proxy_hide_header Last-Modified;
+ proxy_hide_header Cache-Control;
+ proxy_hide_header Vary;
+
+ proxy_cache_bypass 0;
+ proxy_no_cache 0;
+
+ proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504 http_404;
+ proxy_connect_timeout 5s;
+ proxy_read_timeout 45s;
+
+ expires @30m;
+ access_log off;
+
+ include conf.d/include/proxy.conf;
+}
\ No newline at end of file
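Review bot: Every `$query_string` rule uses the case-sensitive `~` operator, so the `union`/`select`/`script` patterns match only lowercase input; `~*` is almost certainly what was intended for all of them. `$query_string` is also matched in its raw, URL-encoded form, so each pattern covers a single encoding of its keyword, while patterns such as `concat.*\(` and the plain word list under `## Block spam` will reject legitimate requests (a search for `libido` or `cocaine` on a media site, for instance). The snippet is a coarse denylist rather than a WAF, and a header comment should say so before someone relies on it: `# Best-effort denylist: case-sensitive, raw (URL-encoded) query string only. Not a substitute for a WAF; expect false positives.`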
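Review bot: `include conf.d/include/proxy.conf;` on the last line points at a path this commit does not create: the new proxy.conf is added under roles/nginx/files/snippets/ and roles/nginx/tasks/main.yml mounts that directory at /etc/nginx/snippets, so unless conf.d/include/ exists outside this diff the line should read `include snippets/proxy.conf;`. Separately, the location matches any URI ending in one of those extensions, and `proxy_ignore_headers Set-Cookie Cache-Control Expires X-Accel-Expires` makes nginx cache responses the upstream marked private or attached a session cookie to, under a key of only `$host$request_uri`; for a genuinely static asset that is fine, but a per-user asset served under a matching path would be handed to other clients for 30m. A comment stating the assumption on the `proxy_ignore_headers` line would keep that explicit, e.g. `# assumes every response matching this location is public and identical for all users`.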
diff --git a/roles/nginx/files/snippets/force-ssl.conf b/roles/nginx/files/snippets/force-ssl.conf
new file mode 100644
index 0000000..23083a1
--- /dev/null
+++ b/roles/nginx/files/snippets/force-ssl.conf
@@ -0,0 +1,3 @@
+if ($scheme = "http") {
+ return 301 https://$host$request_uri;
+}
\ No newline at end of file
diff --git a/roles/nginx/files/snippets/letsencrypt-acme-challenge.conf b/roles/nginx/files/snippets/letsencrypt-acme-challenge.conf
new file mode 100644
index 0000000..2075713
--- /dev/null
+++ b/roles/nginx/files/snippets/letsencrypt-acme-challenge.conf
@@ -0,0 +1,29 @@
+# Rule for legitimate ACME Challenge requests (like /.well-known/acme-challenge/xxxxxxxxx)
+# We use ^~ here, so that we don't check other regexes (for speed-up). We actually MUST cancel
+# other regex checks, because in our other config files have regex rule that denies access to files with dotted names.
+location ^~ /.well-known/acme-challenge/ {
+ # Since this is for letsencrypt authentication of a domain and they do not give IP ranges of their infrastructure
+ # we need to open up access by turning off auth and IP ACL for this location.
+ auth_basic off;
+ allow all;
+
+ # Set correct content type. According to this:
+ # https://community.letsencrypt.org/t/using-the-webroot-domain-verification-method/1445/29
+ # Current specification requires "text/plain" or no content header at all.
+ # It seems that "text/plain" is a safe option.
+ default_type "text/plain";
+
+ # This directory must be the same as in /etc/letsencrypt/cli.ini
+ # as "webroot-path" parameter. Also don't forget to set "authenticator" parameter
+ # there to "webroot".
+ # Do NOT use alias, use root! Target directory is located here:
+ # /var/www/common/letsencrypt/.well-known/acme-challenge/
+ root /data/letsencrypt-acme-challenge;
+}
+
+# Hide /acme-challenge subdirectory and return 404 on all requests.
+# It is somewhat more secure than letting Nginx return 403.
+# Ending slash is important!
+location = /.well-known/acme-challenge/ {
+ return 404;
+}
\ No newline at end of file
diff --git a/roles/nginx/files/snippets/proxy.conf b/roles/nginx/files/snippets/proxy.conf
new file mode 100644
index 0000000..f086a73
--- /dev/null
+++ b/roles/nginx/files/snippets/proxy.conf
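Review bot: The comment directly above `root /data/letsencrypt-acme-challenge;` names a different directory (`/var/www/common/letsencrypt/.well-known/acme-challenge/`) than the directive, so one of the two is stale and the next person editing cli.ini's `webroot-path` will copy the wrong one; the comment should name the directory in use, e.g. `# Must match webroot-path in /etc/letsencrypt/cli.ini; challenges are served from /data/letsencrypt-acme-challenge/.well-known/acme-challenge/`. Note also that the container volumes added in roles/nginx/tasks/main.yml mount nothing at /data/letsencrypt-acme-challenge, so as far as this diff shows the challenge directory inside the container would be empty once ACME is enabled; with `self_signed: true` in group_vars nothing exercises this path yet, which is presumably why it has not surfaced.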
@@ -0,0 +1,7 @@
+add_header X-Served-By $host;
+proxy_set_header Host $host;
+proxy_set_header X-Forwarded-Scheme $scheme;
+proxy_set_header X-Forwarded-Proto $scheme;
+proxy_set_header X-Forwarded-For $remote_addr;
+proxy_set_header X-Real-IP $remote_addr;
+proxy_pass $forward_scheme://$server:$port;
\ No newline at end of file
diff --git a/roles/nginx/files/snippets/ssl-ciphers.conf b/roles/nginx/files/snippets/ssl-ciphers.conf
new file mode 100644
index 0000000..e9bae0c
--- /dev/null
+++ b/roles/nginx/files/snippets/ssl-ciphers.conf
@@ -0,0 +1,9 @@
+ssl_session_timeout 5m;
+ssl_session_cache shared:SSL:50m;
+
+# intermediate configuration. tweak to your needs.
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_ciphers 'EECDH+AESGCM:AES256+EECDH:AES256+EDH:EDH+AESGCM:ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-
+ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AE
+S128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES';
+ssl_prefer_server_ciphers on;
\ No newline at end of file
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 552df97..cc55864 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
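Review bot: `proxy_pass $forward_scheme://$server:$port;` depends on three variables that nothing in this snippet defines; nginx refuses to start with an unknown-variable error unless every including location has `set` them first, and that contract is not written down anywhere in the file. A header comment would make it explicit: `# Requires $forward_scheme, $server and $port to be set by the including location before this include.`. `X-Forwarded-For` is set to `$remote_addr` rather than `$proxy_add_x_forwarded_for`, which is a defensible choice at the edge (a client-supplied XFF chain is discarded rather than trusted) but deserves a one-line comment so it is not "fixed" later.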
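Review bot: The `ssl_ciphers` value is broken across three physical lines in the middle of cipher names (`ECDHE-` / `ECDSA-AES128-SHA` and `AE` / `S128-SHA256`), and the `+1,9` hunk count shows this is in the file rather than a rendering artifact; OpenSSL is unlikely to recognise the two names with embedded newlines, so the string should be put back on one line. The list also does not match the `# intermediate configuration` comment: it still admits static-RSA suites (`AES128-SHA`, `AES256-GCM-SHA384`, ...) and SHA-1 CBC suites, and ends in a bare `:AES`, which re-enables every AES suite regardless of what precedes it. If the Mozilla intermediate profile is the intent, use its list, `ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;` with `ssl_prefer_server_ciphers off;`, and name the profile version in the comment so it can be refreshed.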
@@ -1,11 +1,17 @@ +# If self_signed = true, in nginx/files: generate root CA (if regenereate_root_ca = true), +# and sign a wildcard certificate. Copy certificates to /etc/ssl/. - name: ensure directories exist file: path: "{{ item }}" state: directory mode: '0755' loop: - - "{{ nginx_confd_folder }}" -- name: generate and install self-signed certs + - "{{ data_folder }}/nginx" + - "{{ data_folder }}/nginx/conf.d" + - "{{ data_folder }}/nginx/sites-enabled" + - "{{ data_folder }}/nginx/sites-available" + - "{{ data_folder }}/nginx/snippets" +- name: generate self-signed certs import_tasks: self-signed.yml when: self_signed - name: create nginx bridge network @@ -14,6 +20,18 @@ attachable: true internal: true state: present +- name: copy nginx.conf + template: + src: nginx.conf.j2 + dest: "{{ data_folder }}/nginx/nginx.conf" + mode: '0755' +- name: copy snippets + template: + src: "{{ item }}" + dest: "{{ data_folder }}/nginx/snippets/{{ item | basename | regex_replace('.j2$', '') }}" + mode: '0755' + with_fileglob: + - "../templates/snippets/*.conf" - name: run container docker_container: name: 'nginx' @@ -22,10 +40,13 @@ - name: bridge - name: nginx-internal volumes: + - "{{ data_folder }}/nginx/conf.d:/etc/nginx/conf.d" - "{{ data_folder }}/nginx/nginx.conf:/etc/nginx/nginx.conf" - - "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/nginx/{{ base_domain }}.key" - - "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/nginx/{{ base_domain }}.crt" - - "{{ nginx_confd_folder }}:/etc/nginx/conf.d" + - "{{ data_folder }}/nginx/sites-available:/etc/nginx/sites-available" + - "{{ data_folder }}/nginx/sites-enabled:/etc/nginx/sites-enabled" + - "{{ data_folder }}/nginx/snippets:/etc/nginx/snippets" + - "{{ data_folder }}/nginx/{{ base_domain }}.key:/etc/ssl/{{ base_domain }}.key" + - "{{ data_folder }}/nginx/{{ base_domain }}.crt:/etc/ssl/{{ base_domain }}.crt" ports: - "80:80" - "443:443" 
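Review bot: The new header comment refers to a variable `regenereate_root_ca` that appears nowhere in this diff (and is misspelled); the switches the tasks actually evaluate, in roles/nginx/tasks/self-signed.yml, are `generate_cert.root` and `generate_cert.wildcard`. It also says the certificates are copied "to /etc/ssl/", whereas the tasks copy into `{{ data_folder }}/nginx` and /etc/ssl is only the mount point inside the container. Suggest `# If self_signed is true: generate a root CA (generate_cert.root) and a wildcard cert (generate_cert.wildcard)` followed by `# under roles/nginx/files, then copy the vaulted cert and key into {{ data_folder }}/nginx (mounted at /etc/ssl in the container).`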
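Review bot: The `copy snippets` task globs `../templates/snippets/*.conf`, but the only template this commit adds there is `self-signed.conf.j2`, which a `*.conf` glob does not match (the `regex_replace('.j2$', '')` on `dest` suggests `*.conf.j2` was meant), and the static snippets (proxy.conf, ssl-ciphers.conf, ...) are added under roles/nginx/files/snippets, which is not globbed at all; as far as this diff shows, nothing reaches `{{ data_folder }}/nginx/snippets` even though nginx.conf.j2 now includes `/etc/nginx/snippets/self-signed.conf`. Unless templates/snippets holds other `.conf` files outside this diff, change the glob to `- "../templates/snippets/*.conf.j2"` and add a `copy` task with `with_fileglob: - "snippets/*.conf"` for the static files (or move them under templates). Both new tasks also install configuration with `mode: '0755'`; these are data files read by nginx, so `mode: '0644'` is the right permission.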
diff --git a/roles/nginx/tasks/self-signed.yml b/roles/nginx/tasks/self-signed.yml
index 9192a96..65d08e1 100644
--- a/roles/nginx/tasks/self-signed.yml
+++ b/roles/nginx/tasks/self-signed.yml
@@ -4,34 +4,39 @@ -new \ -nodes \ -newkey rsa:2048 \ - -keyout "{{ data_folder }}/nginx/rootca.key" \ - -out "{{ data_folder }}/nginx/rootca.pem" \ + -keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key" \ + -out "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \ -sha256 \ -days 3650 \ -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}" + when: generate_cert.root - name: generate wildcard csr command: openssl req \ -new \ -nodes \ -newkey rsa:2048 \ - -keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \ - -out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \ + -keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key" \ + -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \ -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}" + when: generate_cert.wildcard - name: sign wildcard csr with root ca command: openssl x509 \ -req \ - -in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \ - -CA "{{ data_folder }}/nginx/rootca.pem" \ - -CAkey "{{ data_folder }}/nginx/rootca.key" \ + -in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \ + -CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \ + -CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key" \ -CAcreateserial \ - -out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \ + -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt" \ -days 3650 \ -sha256 -- name: install root ca - command: trust anchor "{{ data_folder }}/nginx/rootca.pem" - become: yes -- name: copy .conf file - template: - src: nginx.conf.j2 - dest: "{{ data_folder }}/nginx/nginx.conf" - mode: '0755' \ No newline at end of file + when: generate_cert.wildcard +- name: copy wildcard certificate and key from vault + copy: + content: "{{ item.content }}" + dest: "{{ data_folder }}/nginx/{{ item.name }}" + owner: root + group: root + mode: '0700' + with_items: + - "{{ certificates }}" + no_log: true \ No newline at end of file 
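Review bot: The new `-keyout` paths write rootca.key and the wildcard key in clear text into `{{ playbook_dir }}/roles/nginx/files/`, i.e. into the repository working tree, which is how a key like localhost.key ends up committed in the first place (and the localhost.key removed elsewhere in this diff remains recoverable from history, so it should be treated as exposed rather than reused). Either generate into a path outside the checkout or make sure `roles/nginx/files/*.key` and `*.pem` are git-ignored, and record that in a comment above the first openssl task. The wildcard CSR carries the name only as `CN=*.{{ base_domain }}`; current browsers ignore CN and require a subjectAltName, so add `-addext "subjectAltName=DNS:*.{{ base_domain }},DNS:{{ base_domain }}"` to the `openssl req` call and have the `openssl x509 -req` step carry the extension over (`-copy_extensions copy` on OpenSSL 3, or an `-extfile`). The `copy` task installs the certificate and key with `mode: '0700'` and `owner: root` but no `become`; `mode: '0600'` is the appropriate permission for a key file, and the ownership change will fail unless the play already runs as root. The task this hunk opens in the middle of (the root CA `openssl req` command) starts above the hunk.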
diff --git a/roles/nginx/templates/nginx.conf.j2 b/roles/nginx/templates/nginx.conf.j2 index dc3ffc0..255f97c 100644 --- a/roles/nginx/templates/nginx.conf.j2 +++ b/roles/nginx/templates/nginx.conf.j2 @@ -27,7 +27,8 @@ http { #gzip on; resolver 127.0.0.11 valid=30; - ssl_certificate /etc/nginx/{{ base_domain }}.crt; - ssl_certificate_key /etc/nginx/{{ base_domain }}.key; + {% if self_signed == true %} + include /etc/nginx/snippets/self-signed.conf; + {% endif %} include /etc/nginx/conf.d/*.conf; } \ No newline at end of file diff --git a/roles/nginx/templates/snippets/self-signed.conf.j2 b/roles/nginx/templates/snippets/self-signed.conf.j2 new file mode 100644 index 0000000..aa3a09c --- /dev/null +++ b/roles/nginx/templates/snippets/self-signed.conf.j2 @@ -0,0 +1,2 @@ +ssl_certificate /etc/ssl/{{ base_domain }}.crt; +ssl_certificate_key /etc/ssl/{{ base_domain }}.key; \ No newline at end of file diff --git a/vault/certs/dev.local.yml b/vault/certs/dev.local.yml new file mode 100644 index 0000000..510c9f7 --- /dev/null +++ b/vault/certs/dev.local.yml 
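Review bot: With the two `ssl_certificate` directives removed from the http block, a run with `self_signed: false` leaves nothing in nginx.conf supplying a certificate, so any `listen 443 ssl` server in conf.d fails the configuration check unless those files set `ssl_certificate` themselves — nothing in this diff does. A Jinja comment beside the `{% endif %}` should state where the certificate is expected to come from in that case, e.g. `{# when self_signed is false each conf.d server block must set ssl_certificate/ssl_certificate_key itself #}`. Minor: `{% if self_signed | bool %}` is more robust than `{% if self_signed == true %}` if the flag ever arrives as a string from `-e`.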
@@ -0,0 +1,169 @@ +$ANSIBLE_VAULT;1.1;AES256 +38336334376563396233646135353633346463616233373137313438653832636265333439316432 +6231626239633464333936613964306466336538346436650a343561633630356235663936616139 +38623538663762623861313531333163326631616263663536323834353763376436656332663439 +3532636463333538620a313565336133333139656563393932336134393036343935613366643664 +62636164316463616164393333313939653533303866313061666234363234663561353037306331 +30613865323764643966633030343732343137353765313831636235346236326534353961376133 +66353962383133666131323638336438393630313039383735363738386237356434373939303835 +62326533633633663339366165353539386133663438653961313063613966386565333866623866 +65626133626331666232363138613864616235383235383837396233313465363562613462393031 +35363238343838626163373066643037623532306132653562303034323138376139356361626338 +30333539323464306130393835343865336233613266346230333138666233666164303063363061 +62393234306337396539626338373532636237636663653635643031383566646338613963626134 +37666165383739323866633131643135633734383737613265383036643761633662336639336563 +38346465336166363837323436633264626634663064623562343863326234613937613766333037 +63303863616366366134663862653238323863323466313137353465613735393639393863616633 +35326161353739343064666665363435386437336633336366646537613831326235353261613937 +37636165313463616134663439353665373665313037323736383361323433613838633464633433 +34656238363265656161633433323832316434353232386337373030303637316531326236666334 +65396466386261376235396666383664313834636365623834626436343064373535363662613737 +64663762663935376639393039376531656435343261396539613334386131623732396366633766 +30393465666661326166663164343862643237666361616332643332653765316435646261663166 +66343361363761336530326334613066623032666165663063643662636337363439663237303365 +65393238356634643538313266396661626338633261373935343631346261633638373837313630 
+66336266376165393566376138346435303564613837346238653562353661643531353436303138 +33613036643062626135663933323266666539656265616565313432626262656437613038373236 +34636236303433333030313836636361366238333363363664613062663333623734626639643137 +38336166613733323038626536353234643133333130323037373435303264346164356534323633 +34663564643065656263343731643537303231333766313363396331336564373663656233323462 +36333836636132393761623638343635326630633665336161376363376231386536366232333163 +33633462306135333939663231343834616637336261663463646137313165326239623439386262 +39356136633265333539383636333437636539396164323932643865653137616330346163643365 +62303866643062376134336666613161653238383863346465643638313436316463353538303738 +36383164353938373439653136666436356439613031356332656161643664626263313864666635 +32623164313362643232323536663666323037636261313135653533343136333362613631623637 +39383366383166343139653132653863333865313733656330616232633133353238333434333338 +36396132343931303230303164333632336331336130326137313832653735666331363563373264 +36663562663461616237363863656337646239396539666533336466623962333765323864626432 +35613764326331623533353138626265656663366136373463646235623566643466373666383936 +39333463396537323831653865316435396262336666333362343363356238386564313638613337 +63613438353264383863643265616566333262323934646131613764326265653434613361346663 +39643734393162383261393030653061356330653738626666613932663061396665623138316538 +36343831303166303739643635333466623062396561653433623065616533346261666162636231 +39663865383638363430316236336266323238306366346638376266393939346536373236653662 +64636265336632336462653463346364373761373234333961376464386438333561646133363733 +32633830663532393131613262636361386163376539356439623966666665656265666539336639 +39646433626334663862393138613666393137303739313936353938613137653666636235643131 +61663632383862323632393361336263366235396239346566663761653735396661343663376435 
+62656534323463393531386637623366316466633433633933363564393435633361323437613036 +32363531303465373537353237313438346534626165363564353639666134396263393333313934 +63313463643834343633343231386537376566303539633536333235336161386631356531323866 +36643934643337363865386631643931303038353462333035363537356539646665383365333766 +63663139396366643834623232306365376633363332626336303661326237383736336365323763 +66316530343133636230636234616665353939663332316364613362343261393934626264383732 +32613363316632643332333065653766646464633066316433656430366330653365626466336230 +34356433623030383662663564306533646563306337346535353065666239336661343033356635 +64636231343636386432316662626538633066656261326465363438333064373534376637316333 +31396364336234663832303261366639313132343663666530343136363434333662383733336530 +66396563616166333633623363383963383432663630356431323132626336633630343066313735 +31666462386163636334386131616261616531366463366362663133633065633234306536343431 +31376630393035373034633463336463303132326563646330623830626564613433323866643362 +34323436356366643661323563333564353863373035336565613739636562363736636530653139 +31663931616230313436323230336461336637613539653165343664663165303364633464313939 +63333131613366626234656235393463343534343864363463616634633533623730306536343964 +34383030303535393737386163346531623333393162666161626162616137343832383835376262 +34663437353930393135306433663566396636333430363334306631646663326234373331376138 +34366661626635636330353835323430343635343833363037663139646233356165643265333466 +39633437393963626666653236656535316432613739336431653864353739313461663536636230 +34353034333831396235323365613036323537386662373435653362326538343262643637373164 +64323665373035383735613563623537653832643733393037653038626437636563326138653962 +64343734343630663837363239393836623565663634323437616233636438656662323932323465 +38613038636138656634346533393864613862623939633961623337623533643162613631353962 
+34633063346361653132343036636638323230383564393734386531313562383132633637656362 +31636162393337656533656538643437306136336436393634366562343637313465356634616164 +39333535373561653362366338656132623137343038646333363563343864653330316133306635 +32643263346136643766663236613132653465363461656331613237623765323961343966306633 +63323866623836663231373464643863326562636539313238646536636131626564366438646462 +66333139393062643434356366363565336564373865386163303737653336396434316663346364 +39656339336366663437393130373535626566303133316333363764346536333865393865346231 +61633939323537343863373731343539386237346332323932633837333762383864326163333164 +34373138663763313163303065353031653164316536653635376664346434643064633439663635 +32313464373532336263393565333236303833383533346566346565393730383636633063393566 +64396565323961653532616166383637323437373062663436333433346635363630313865633632 +33316462323433643235666166363538383964356462376663336165663035353938306134626665 +31313638363461393865396233613264366661616161653730616366353566393131616438316637 +39333362666666313964383730363230336565333938623931346664376631373133633862656565 +64316336643564396661333066356235336265613832316362613033616661366334613261313862 +63613031356561346334626666343966633633356464313465666464366332633134323731323336 +31386131373835326439643230343630386331346230383937653739613734323430343538653635 +62383563393334333331383032323138386632363164633236643562313239393034313033346331 +62643433363331653564346163623261616463633761366538393532393563386130636330396131 +36393231303937303332363135623230373164636165323637303561343366373930333465353939 +33643533323363333738663634336361393837396164353936306361313532383963326133316166 +64636337353234353632373835326165663162356461646133323832393130343966316139383338 +33363238636532376534303163653732366134343366616235313838363034356531303930633661 +65383337636532633165323961373234386237313764633839363962616135663437653764646230 
+66393739383135326332393038343561343538333735643932316361633936363338353066363537 +36336635343936346134636464323164643639313765383534643865663333383136666163383138 +62313738646538303338343132383536386436353265613735336663373366626566343636626562 +65373463396238616230396165356335633231623834633735623763316264613231323930363566 +38633833666661333535613461643035326131663862313335366231396666303861353739653039 +65306533343130316134346362386236363735363334376161313064343961623466356334323938 +63303738303831366463396165393062663633303031663461643563613364323463323561613930 +39633663326165333033326631326233333833646164333033386366343839376664613830623532 +30333733646432393763633563376135626535643961666362383962366464363132353564383735 +37393365396464646430343038656430363931663835393463326561666138303730383864666364 +35646339346630393761323839613131316464646465376635656335393361366365353064336133 +36326462633637393236323065383436383330653662623036346465333663626239313264373466 +64396262393565373738623233363665636264666330386337313732363466353766623562613864 +35393665383937656533643062373261633462363064656134663132373532373632623332383530 +65303739393834323266323062623663333034633132366439393862326134323630323563353935 +64396464633438643262653664323238366130643461376133646238656463373531333137323662 +38633532623766336431323331303135616432306362323937633535373031623265616139663133 +34313962353434343139656336643064333961383531353461303035616532623862643864323737 +61333866386165336537313065366661313439643430623164633361646666393337626436333564 +35393564653866333339376462316338333237303663616466643235366633376564323832643238 +64393735323131653131626235366438343032326461616137326634353731303162656135653162 +62313639346366326534313432353731396161383764616431313266643639666432363931353930 +35363834353361343566313631636439376265356231623637323063333265653236616330346662 +36346564626638643832623436356332663536623533366539656264363936646362323262323561 
+31386639636430623963663730663664626639303532653465636132663834383362633938353432 +65393062393933613963623864303339613638643261323033623364343266626231623566623734 +36373331333266356332616131376463613766623365393439613033616262306361366534356534 +31393366313263666564356330616566326336663730323262663463666238376538663037303663 +32623964373535663838656538306561376130343736623336316266393361343161643335303834 +37353338333265316632393263613032373164323064646632363664643335666530303465646237 +33666338306631313465323661656533363734633366383337396132646561663461356138356665 +34663735323132653139646633323766336566346164316331626637663532643266666630383837 +64343736633765383239656633633466336633333332626436373363353138393733623339356433 +66323031316663666134303464326264653762306634326638636135646636333734396362306239 +62303037323639616531343364336632396465346631616536366636363838313164316637656638 +62653834393636303766386636323131383039613436666131373163353463393665393338333366 +31323734633337343330313136356665326139356433343230386437636538386636663037633936 +61333466376564666364336563653334306665336634336363653962386135353961343030623865 +39346138386135656338326632373734333933666237343764303963363536323032653938303338 +37326132393036323532666163666235303635363936343265326333613561643938353061663035 +31356431343664383164363065316164643166653934386436633262323836303230303133636530 +37376437393364393435393535363563333936323866623434353161343965343630333363633564 +35656666316262636438323839613731356362623638323033306137633530326164643165303333 +34353537663830333538653438333365333332643039666433653961646339643365333566626235 +37313166313734353661326362306265396639326565326533323632633832353339613362626465 +65383539346566396261346166336436343939363339663462366262306434366266633664303264 +33383731313934353161333465643861663038313833663163336261626537623130653564336433 +63646131383464633937643838636364303165373361353738383736323035306666343766613866 
+33336663643634633266653337653761636231346338383938613534656361653963323861343161 +62623538643834383734326335653839306531353065393961303536363137303031356636626664 +32376163353662346539653064643265663236333031316430633930333066623837386235663164 +32366430383531366230393830393463396435373036383135643535376330643635373531366263 +33653934633066613838333864633762323364356461313465616664376532323338393432323763 +62306537376436363337666134626238323436333137616333633332653638356561316531353735 +39306534316138623363383566636439376233316635346230386337633565383639336164393137 +38623738656132336433303730326135643265333261363132363261303538353236623433326233 +30666632336261383930376536346530666662666237653136646138316566353532366433343338 +32303961316433396330336333363835313964383863646337333137343062303630326237653931 +38633862643431306638643535316632326432613763396437636661333664363733376532656239 +31353736646232633961383661303036336135323061386263383364306366616137646535316662 +31393036356132643337623964643734666662613632323437316565626237306630633765636436 +65303435363665643135343863626663613836313866363837393134306332373036323063623662 +37386138623262633133303334373037663539613462666436373031366165343261393835306465 +35313733633735653466633263333936383939663264386264613566646632643133393661633061 +31353634646366393236666230346262353633633233633231666638643131663862323061656338 +30346361633531656332303235383837643436386362623065323963353565653163346131616665 +35313232396230336333396361336533623738383035353963373264613132663861393062303732 +32633738616339343035306532313735343936313339396564353432346132353036653765646337 +64666663363663653631323061333735623063383639613531633464653635333630343031326535 +65353330356438656235346137353662323938636262363434336633336431633064316238396534 +35373439643764303361306164653934616632353339313633623866366436666161316231336262 +63383131383939326666613439323662663730313632336235363338643537313938313439326166 +66396638633235633062 
diff --git a/vault/certs/rootca.yml b/vault/certs/rootca.yml
new file mode 100644
index 0000000..715a9ff
--- /dev/null
+++ b/vault/certs/rootca.yml
@@ -0,0 +1,169 @@ +$ANSIBLE_VAULT;1.1;AES256 +34323366343164353236363233636338666233613462643461333533323138353263336535396562 +6561666233663865653236666634343532613164343734340a393138646130313638663037393163 +35623231636337393563373764363863313739306562336634633864323831393834626139396230 +6665393538376334300a326137643930376664643336623661363438613465383439313065333332 +37633063643537323431346363643063366366373336353966363561653862343739656265316632 +38323639613638356461343931323736643138346434353737323065613738613465323163346234 +62363062376532366134303634636632333663646563353362373565313038313030356265303739 +36643739386535376236643337643639373762323162336461363833353266356433643034636664 +61353634333930373039373965356664663438313461333363613739336139313461306637323865 +65343137636266653535626132326265383530393566376564613961336237363939343166336435 +64646164353831363262633964316136326439356666386232623937383265306232646663633930 +37643565396532356536666536613539393163303561356635393133376265363236643666666531 +35343363373036646132393135373265393739366563326533386435323064333731616666353762 +34623132353538653338633565653463343761333433363434653364386634633166326535666238 +30383035623862633164323133643266363039383962383937623964373131616536353135636436 +38313130393438616664666333363265343830626461663362616266656630376238623466366235 +65633164306234663037336639363264643235393866623266303039633862356466663161623162 +37363034396232306361626166306266313639663130666265653931616638356530653462663365 +34383763303035323838653366626265623861316430356330646533663561653663636265666431 +30383264623065326132313039306562343336636264333461323763316135326166383833653036 +39313565366136376666336263356565663235653535613933633866393737313835303231336164 +32373862356432653065626534396538393830643033366336366533643535663762303266353062 +64613733323662666634333839393066346566393037353463313166343436623464376236303732 
+38386438316431633535346431376632386532316263393638653466343032343935323232666364 +61343266363838303132356636643939383262633133633833393565323637373161616434613538 +30306664663137643538326162626562316462313338623861623030343339623564666138646332 +66363238396162383736333738323263626461623732376661653633643033366363396536623130 +30366362373134613134663839343731343338353564643130323833613433326237653065313739 +61313933616562323933303037363162316462316530336461636335626563336364646234623733 +65353733313138333235663735343534383831613264396162663166306530633031326662303836 +66666138363363323939616234313232653261323766666333393230313231663832383038366166 +37353065646337373761643332633731613532663736326234653731613266333963303539336431 +37613030326235653066653636666666393030633033633737333632346538363634363631613830 +38393463623533653835336533393732653533633232363062613438336639643063343533363732 +32323432303730636461323564343036353766616635643735393732376132646633393865383234 +61663535326563643966313536393237663832333562323065346362326433303731303962383634 +62396137633733313639373030383038643939393130613734333138633166376364353766376266 +38313130643435353230326238636566656661396438393333323364623338633739646364376261 +62613865393264636234326635376638613234613163613530386665346632366566313162373931 +34386135386434333935666636643365323337393931616231323938653233353138356335656533 +62643637306631613731373233616132613338333362633632663839373032303733303632393163 +35383034336132653636626162326638323662613961366262366432626165623063373738313835 +63386463356233353461346433643234306264313866356131303938326638313835313264323465 +30623162643632633032343932356531343838333435656238336139633836663639396566353937 +38663733393335393031373336373864323666326333633330343237393266346662303762663664 +32393931666236623633383236633661636266386430616130343530313831376131306130376339 +64656133366637366235386263616635303835666132373331643861663730336266343562303434 
+61306632323839383230313235616366383365383739343761653736636338323535373834366133 +37336539666562316362303931373630633564343565613361326366303131643235393565303833 +35616134373532383236316530663662393637326364663263646265356636316466343637313066 +35613230646638393338363262653936336365376565643238613665386531316565666539653065 +35336436666464333762336264363766303662343062313038613739653733613239336238613739 +36646439343666616161633431333532623833366639343430383761323137326136653734363236 +65613763303361306434393132653362333939386630643037643139323031306565373430316636 +39343635336135616335353534323531633561333539306566393765633034613864306262393333 +62376134336338386237653865656338393232613230303138366133636331663337646563616237 +39376465343738613638633237353666643538353761376164623031336637316436653336303864 +31326230333333363162653561643933383730303565336166333933616432656466363463636438 +66323030323631323936393938353030383266353364643730353261646461613362623733646638 +32396466396330386331303733363837366530343036303731313763653036323866636139356161 +31343462383539613766633261633662653135656337333538646637346431353366396339313032 +33376165623866396236386461323936653164663537303630623238353963633435613733316235 +63383563366637343037363361326661373236323231363061656534376434663833663164633938 +34326231393864363665613839663038653735313637653833643239663963303233363465643664 +37663361343765623735376538306538393061373530343032356637333834613966616236333639 +66636237313539643964653230353832373433656465343064666631616237353139653962663435 +31653966313235643438323135326435313664366238373537643665346535636534363661326561 +33613737306136663936613132656631643932383862356263616132373239356533366537396536 +38626462316664383631353262313735343163343435366164636535366163633561616664383737 +32663934343830613132633664613965663064383165313933343638626639663764393933333138 +31613962323035316133393265643936393933366233363431343766653732656636323334353539 
+36343465343362623734383337343366613539653465623834653833356464343235333734633136 +37363932343865623333626531663965396236616130656232306564323763636535353466393731 +32306563643566306566643936396230353933626136386634646430343533623932356632343538 +36313563663032363237643538313161313038396566313535663062353833393565303332613336 +61316461623139343664663833633662333463366266363635316434363434633362633230616539 +32613237306330326463353933393964373366346137633431353266346237623838316134326430 +62323039636334326261346137333138656366663666656664363537616639663039356433643166 +37633135353738303239653839393163643962656565393836386434393835643231333966366261 +38366265393238333934653736373530636663663961386339656164663865633337386262393963 +39376637316134623665636436393032613361316630656266303838626661376438633337626366 +65346235313432316665336331643033373061333734323538613433323566613162633835353434 +62316161306663656433326339316632643762616239336239656135343166633635353238636538 +33643035333534346439343637623764396361343565313833393865353537643539643161336530 +63343637633133653563353739656434323834613938323466313835616463393734313739333530 +30333736363432613139343734626564323838353932313830313536353534323538353465643730 +38343963373862336530326337366634353261363531393637356361623030366562313564386133 +34373735613337636664386534666537336338636233636461653330623464376630663437303631 +30623861363934353661363764313265363233356665653261313262356461353439333030393936 +62663039376562656161666663333461363330376333653631326539306633633330356338346232 +34353261376163613831633832613532366230363533643434326134373439653433643839386439 +34663962353433633532636239373136306435343461623936653661383037623236363265393264 +37366132343366326537393138636366303865316630663938333730373938636531303537323666 +34343833323631353131353763326265313363643661646632353261643636646666336631346163 +66303031663663643736623837373061363063626662343435333865313930663662616332333337 
+39303138353033366338343735346137613731373938343464363362613934663761356232643730 +64393434316131613630343431643933666433306335316335646131326664376264366562306530 +62393062303661633231663639383231353034303237633338333730316666353135383033623934 +34393135666438316232623537666335633933373766376363623736613037393034613538343539 +36356237396464636464323633623436636266366238386564633635386663666535623631666333 +32343464326237623862363833356135666562333061663931323064623762326463376266373266 +66356433613962646332653135363437616466633136303630623738316531373639376238366238 +61383966613134393366653663313435616232646164613737376664613433653761366534316338 +34623436613139393137346563343333313766343662653138663135633564633034323665653065 +62613636343138396236353936363763366631656661626536313338326534353237626537626135 +33643131303331353430393665376531343136656234326161333535373536396465616561363561 +35633266383962313030323966336530663865386263653538303661386163333336376534393565 +66386539373432616431393935643563653332663464306230366163376231636666313863663164 +35653230363836393834663839303961386561303535333964353631383966366263653136623634 +36643339633566663330363830353436303063366162393666663634643830613461336133373832 +38303061663131393162393066343837373130373631643062396466336635306336393631653762 +34363432383031353662343862333034393136616262333334373364376339613865633731393961 +65396566643535663666633836313935343439303335353731333639653135326264663935333133 +36363264653639353639313264353531303766383138353464313036613735656632343233663937 +38623962363566336661366566633766663938323366383865643637323961613935633636333165 +65323039353739343137336537633033383464346535623461653163353662383831323961393336 +66376463316265663164326531653261353038653665356339366465653262393963346361323634 +38303962313461613066393730323237626163666461326464326664656530316230633830336130 +31353632306432626361626437396236666361376666356439393862373033326635303332323030 
+38613762356137353737373136353563623038376430653338643030363533333263666233626536 +38616637376335663230396365633833653765366532356532353265366665393238663333303439 +65616161646566613161386438333736373061626234376632373534656638623535313064653436 +36623665323931396533643932303036613366613465633866346261363835306634306639333865 +32626466376131333132353661313265636237623534326166663034336136393566306332363964 +39626365306438383531326138663264363438366335333161373135646632333962626233616562 +61303464363131663963633433386331663433316638356138313836663165323230323364363666 +65386564326531393966656235666536376532376437643431393130313537633566386239383066 +61383631363436303664383134633530303331666666653439373530643330643438613336326639 +34666239373161396264643066333932643231663864373439343934613534306462363830353363 +34303832663130613262613736316665663234366438376233353663316565373833623062373839 +33643963666662313264616234643833333732353331623939343633643737313761626235363731 +32346561333931626630376165666135376434613333636337343336306564666565356538363938 +61313233643431623139313366383931343566323162333264653537393736336132643936656136 +30336563376531353065613638333237623664343331393765616665333139643735396265383334 +62613039386537373364643065323734663564393066646164363038313237313865396663363231 +34623833373937656138303337633438343531303366623838653465316330373362626234376532 +61663963393639323766376238633566326231666561366163663039326632623662363539326533 +34353161633236306663653066326534666631633332363237326635663132343333373332613035 +62313961323734323537353964633135616530613931333462323339626537346538363338343632 +38336666643634373434623833633863306534363831346161653835393638333436393034613963 +37343731663664373462633037396262643562623334396237393330356365353230366631323334 +62663435656362333136666432303766623931623464656133636633363165653933653165623435 +66303539383634346466373965353733623637663862393730363865636363303733613165623965 
+64663663376232656230326632306536623531343564663933343265303339313632623965383839 +32653236633332666166386437326336343731333335626430663763373833343036343961393764 +39646337356266613734323963366465316238636131633663326332613931633236386333666631 +66643138653235643833663664306533373066386136663862646634643934653562383530306565 +32613037313633646365366535303632363638363764336664306361333037313431393831333333 +34326635626233373737313064643834393734356265333535393830646535356235646266303463 +34656430316434346339333762666432393736653566346332303636313963646338326333343962 +66613563636363373164633666366332373735373533396233623165623965393432663534313835 +63393436343765383332316635643465383163623833343931363034393830646164346532333039 +64313136613133383762333961313234613431663933383565636237656636393939623765633735 +36333037313561393633346661356634353035623265326136356661653830343135323138616664 +39353563323736363062363233396461303337346131626333353863383638373337656634366662 +65336230336236313234626266366235663032386561646238343430613034646465393434643636 +32376464316162306134616639343232346638333734333464306432626138653436616134333163 +36366665653965393433663237343361363430396563363730626330653736316530326265366366 +65653733663663306137303632353336663437363834653231653166386533323762653136333664 +30626661353637613365643137643462346632306133353363393962376638353865383562633338 +36323833636431613837356331313336613065663162356266323964303635303464663630303730 +66303933633533376239336331326637656231646236656636613164333365326132306161396363 +38646136623762326537353664333139333661393230363363303231613864383337613635316561 +38623536633264383864636334333334353533653565646435396635306232353137656432656163 +31633264383731303437656131386236653137633735333362643938313461336530666235623230 +38623333653961383762623131613732366633353732323635306261623561353535343438303465 +36323833393261313766326161623930313335353237343632653736383435336264363238336262 +64666136393230323937
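Review bot: The path `vault/certs/rootca.yml` suggests this new vault file carries the root CA's private key, and a CA signing key should not live in the repository at all, even encrypted: an `$ANSIBLE_VAULT;1.1;AES256` blob is protected by a single password that anyone with read access to the repo history can attack offline, and the ciphertext cannot be un-published once pushed. Keep the root key offline or in a dedicated secret store and commit only the root certificate plus the wildcard leaf key nginx actually needs, or at minimum add a comment above the `vars_files` entry in the playbook stating the vault password policy and that this file must never be decrypted on a shared host. Nothing in this hunk shows where `rootca.yml` is loaded; if the playbook only pulls in `vault/certs/{{ base_domain }}.yml`, this is an unreferenced secret and should either be wired to the root-cert generation flag or dropped. If the key material encrypted here was ever committed in the clear, rotating it is the only real fix, since re-encrypting does not remove it from history.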