diff --git a/group_vars/wildcard-cert.yml b/group_vars/wildcard-cert.yml
new file mode 100644
index 0000000..abc2167
--- /dev/null
+++ b/group_vars/wildcard-cert.yml
@@ -0,0 +1,21 @@
+apache_ssl_certificate_data: >-
+ {{
+ query(
+ "kubernetes.core.k8s",
+ kind="Secret",
+ namespace="default",
+ resource_name="pyrocufflink-cert"
+ )[0].data["tls.crt"]
+ | b64decode
+ }}
+
+apache_ssl_certificate_key_data: >-
+ {{
+ query(
+ "kubernetes.core.k8s",
+ kind="Secret",
+ namespace="default",
+ resource_name="pyrocufflink-cert"
+ )[0].data["tls.key"]
+ | b64decode
+ }}
diff --git a/hosts b/hosts
index 3fa4958..e20569d 100644
--- a/hosts
+++ b/hosts
@@ -255,6 +255,13 @@ vps-04485add.vps.ovh.us
 [wheelhost]
 file0.pyrocufflink.blue
+[wildcard-cert]
+
+[wildcard-cert:children]
+file-servers
+gitea
+pxe
+
 [zezere]
 [zigbee2mqtt:children]
diff --git a/roles/apache/files/bw0.pyrocufflink.blue.cer b/roles/apache/files/bw0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/bw0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/bw0.pyrocufflink.blue.key b/roles/apache/files/bw0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/bw0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/file0.pyrocufflink.blue.cer b/roles/apache/files/file0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/file0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/file0.pyrocufflink.blue.key b/roles/apache/files/file0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/file0.pyrocufflink.blue.key
+++ /dev/null
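Review bot: `query("kubernetes.core.k8s", …)[0]` in both variables fails with an unhelpful list-index error when the Secret `pyrocufflink-cert` is absent from the `default` namespace or the controller has no usable kubeconfig, and because group vars are templated lazily that error surfaces only when a task first references the variable, not when the inventory loads. Both lookups fetch the same Secret, so every referencing host makes two API calls for one object; a comment should at least state this, and a single intermediate variable would make the shared source obvious. Since `apache_ssl_certificate_key_data` resolves to the decoded private key, any `debug`/`hostvars` dump for hosts in the `wildcard-cert` group prints it, which is worth a one-line warning in the file. A header comment is missing; suggested: `# Wildcard TLS certificate and key for hosts in the wildcard-cert group, read at play time by the controller from the Kubernetes Secret "pyrocufflink-cert" (namespace "default"); the key variable holds the plaintext private key.` The file also lacks a `---` document start that the rest of the repository's YAML may use.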
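Review bot: Only `file-servers`, `gitea` and `pxe` become children of `wildcard-cert`, yet the same commit deletes the per-host certificate and key symlinks for bw0, hass1, hass2, jenkins0, logs0, matrix0 and motion0; unless those hosts belong to one of the three child groups (their membership is not visible in this hunk), the new `when: … is defined` guards in roles/apache/tasks/main.yml skip their certificate tasks and no certificate is deployed to them any more. The empty `[wildcard-cert]` stanza is redundant next to `[wildcard-cert:children]`, since Ansible creates the group from the `:children` section; either drop it or mark the intent with `# members come only from the :children section below`. The hunk's blank context lines were lost in rendering, so exact spacing cannot be checked here.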
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/git0.pyrocufflink.blue.cer b/roles/apache/files/git0.pyrocufflink.blue.cer
deleted file mode 120000
index 901785b..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/git0.pyrocufflink.blue.cnf b/roles/apache/files/git0.pyrocufflink.blue.cnf
deleted file mode 100644
index 9a30579..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.cnf
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim: set ft=dosini :
-
-[req]
-prompt = no
-default_md = sha256
-distinguished_name = req_distinguished_name
-req_extensions = req_extensions
-
-[req_distinguished_name]
-countryName = US
-organizationName = Dustin C. Hatch
-commonName = git.pyrocufflink.blue
-
-[req_extensions]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.0 = git.pyrocufflink.blue
-DNS.1 = git.pyrocufflink.net
diff --git a/roles/apache/files/git0.pyrocufflink.blue.key b/roles/apache/files/git0.pyrocufflink.blue.key
deleted file mode 120000
index 44ddfa7..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/hass1.pyrocufflink.blue.cer b/roles/apache/files/hass1.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/hass1.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/hass1.pyrocufflink.blue.key b/roles/apache/files/hass1.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/hass1.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/hass2.pyrocufflink.blue.cer b/roles/apache/files/hass2.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/hass2.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/hass2.pyrocufflink.blue.key b/roles/apache/files/hass2.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/hass2.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/jenkins0.pyrocufflink.blue.cer b/roles/apache/files/jenkins0.pyrocufflink.blue.cer
deleted file mode 120000
index 62ab971..0000000
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.pem
\ No newline at end of file
diff --git a/roles/apache/files/jenkins0.pyrocufflink.blue.key b/roles/apache/files/jenkins0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/logs0.pyrocufflink.blue.cer b/roles/apache/files/logs0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/logs0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/logs0.pyrocufflink.blue.key b/roles/apache/files/logs0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/logs0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/matrix0.pyrocufflink.blue.cer b/roles/apache/files/matrix0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/matrix0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/matrix0.pyrocufflink.blue.key b/roles/apache/files/matrix0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/matrix0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/motion0.pyrocufflink.blue.cer b/roles/apache/files/motion0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/motion0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/motion0.pyrocufflink.blue.key b/roles/apache/files/motion0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/motion0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 781ea74..5d911a6 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -20,35 +20,40 @@ - name: ensure tls private key exists copy: - src={{ item }} - dest={{ apache_ssl_certificate_key }} - mode=0400 - setype=cert_t - with_fileglob: - - '{{ inventory_hostname }}.key' + content: >- + {{ apache_ssl_certificate_key_data }} + dest: >- + {{ apache_ssl_certificate_key }} + mode: u=r,go= + setype: cert_t + diff: false + when: apache_ssl_certificate_key_data is defined notify: reload httpd tags: - cert - name: ensure tls certificate exists copy: - src={{ item }} - dest={{ apache_ssl_certificate }} - mode=0644 - setype=cert_t - with_fileglob: - - '{{ inventory_hostname }}.cer' + content: >- + {{ apache_ssl_certificate_data }} + dest: >- + {{ apache_ssl_certificate }} + mode: u=rw,go=r + setype: cert_t + when: apache_ssl_certificate_data is defined tags: - cert notify: reload httpd - name: ensure tls ca certificate exists copy: - src={{ item }} - dest={{ apache_ssl_ca_certificate }} - mode=0644 - setype=cert_t - when: apache_ssl_ca_certificate is defined - with_fileglob: - - '{{ inventory_hostname }}-ca.crt' + content: >- + {{ apache_ssl_ca_certificate_data }} + dest: >- + {{ apache_ssl_ca_certificate }} + mode: u=rw,go=r + setype: cert_t + when: + apache_ssl_ca_certificate is defined and + apache_ssl_ca_certificate_data is defined notify: reload httpd tags: - cert
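Review bot: The "ensure tls private key exists" task passes the decoded private key as `content:` with `diff: false` but without `no_log: true`, so the key can still be printed in verbose output, check-mode results and by callback or logging plugins that record task arguments; add `no_log: true` directly beside `diff: false` (the certificate and CA tasks carry only public material and need neither setting). The `when: apache_ssl_certificate_key_data is defined` guard appears to force evaluation of the lazy `kubernetes.core.k8s` lookup for every host in the `wildcard-cert` group, so a missing Secret or kubeconfig fails the task instead of skipping it; if skipping is the intent, the lookup in group_vars/wildcard-cert.yml needs its `errors=` option set or the variable an explicit default. The mode change from `0400`/`0644` to `u=r,go=`/`u=rw,go=r` is equivalent and the symbolic form is the safer YAML, which is worth stating in a comment on the key task: `# key is controller-rendered content, never a file on disk in this repo; keep no_log/diff off and mode owner-read-only`. All three tasks are complete within this hunk.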