From 906819dd1c6f1944f04758a50c0b649e1042996c Mon Sep 17 00:00:00 2001 
From: "Dustin C. Hatch"
Date: Wed, 9 Jul 2025 11:59:17 -0500
Subject: [PATCH] r/apache: Use variables for HTTPS cert/key content

Using files for certificates and private keys is less than ideal. The only way to "share" a certificate between multiple hosts is with symbolic links, which means the configuration policy has to be prepared for each managed system. As we're moving toward a much more dynamic environment, this becomes problematic; the host-provisioner will never be able to copy a certificate to a new host that was just created. Further, I have never really liked the idea of storing certificates and private keys in Git anyway, even if it is in a submodule with limited access.
---
 group_vars/wildcard-cert.yml | 21 +++++++++
 hosts | 7 +++
 roles/apache/files/bw0.pyrocufflink.blue.cer | 1 -
 roles/apache/files/bw0.pyrocufflink.blue.key | 1 -
 .../apache/files/file0.pyrocufflink.blue.cer | 1 -
 .../apache/files/file0.pyrocufflink.blue.key | 1 -
 roles/apache/files/git0.pyrocufflink.blue.cer | 1 -
 roles/apache/files/git0.pyrocufflink.blue.cnf | 19 --------
 roles/apache/files/git0.pyrocufflink.blue.key | 1 -
 .../apache/files/hass1.pyrocufflink.blue.cer | 1 -
 .../apache/files/hass1.pyrocufflink.blue.key | 1 -
 .../apache/files/hass2.pyrocufflink.blue.cer | 1 -
 .../apache/files/hass2.pyrocufflink.blue.key | 1 -
 .../files/jenkins0.pyrocufflink.blue.cer | 1 -
 .../files/jenkins0.pyrocufflink.blue.key | 1 -
 .../apache/files/logs0.pyrocufflink.blue.cer | 1 -
 .../apache/files/logs0.pyrocufflink.blue.key | 1 -
 .../files/matrix0.pyrocufflink.blue.cer | 1 -
 .../files/matrix0.pyrocufflink.blue.key | 1 -
 .../files/motion0.pyrocufflink.blue.cer | 1 -
 .../files/motion0.pyrocufflink.blue.key | 1 -
 roles/apache/tasks/main.yml | 43 +++++++++++--------
 22 files changed, 52 insertions(+), 56 deletions(-)
 create mode 100644 group_vars/wildcard-cert.yml
 delete mode 120000 roles/apache/files/bw0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/bw0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/file0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/file0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/git0.pyrocufflink.blue.cer
 delete mode 100644 roles/apache/files/git0.pyrocufflink.blue.cnf
 delete mode 120000 roles/apache/files/git0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/hass1.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/hass1.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/hass2.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/hass2.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/jenkins0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/jenkins0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/logs0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/logs0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/matrix0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/matrix0.pyrocufflink.blue.key
 delete mode 120000 roles/apache/files/motion0.pyrocufflink.blue.cer
 delete mode 120000 roles/apache/files/motion0.pyrocufflink.blue.key

diff --git a/group_vars/wildcard-cert.yml b/group_vars/wildcard-cert.yml
new file mode 100644
index 0000000..abc2167
--- /dev/null
+++ b/group_vars/wildcard-cert.yml
@@ -0,0 +1,21 @@
+apache_ssl_certificate_data: >-
+ {{
+ query(
+ "kubernetes.core.k8s",
+ kind="Secret",
+ namespace="default",
+ resource_name="pyrocufflink-cert"
+ )[0].data["tls.crt"]
+ | b64decode
+ }}
+
+apache_ssl_certificate_key_data: >-
+ {{
+ query(
+ "kubernetes.core.k8s",
+ kind="Secret",
+ namespace="default",
+ resource_name="pyrocufflink-cert"
+ )[0].data["tls.key"]
+ | b64decode
+ }}
diff --git a/hosts b/hosts
index 3fa4958..e20569d 100644
--- a/hosts
+++ b/hosts
@@ -255,6 +255,13 @@ vps-04485add.vps.ovh.us
 [wheelhost]
 file0.pyrocufflink.blue
 
+[wildcard-cert]
+
+[wildcard-cert:children]
+file-servers
+gitea
+pxe
+
 [zezere]
 
 [zigbee2mqtt:children]
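Review bot: `apache_ssl_certificate_key_data` resolves to a decoded private key, yet the new file carries no comment on where the lookup runs or what it depends on; a header such as `# Evaluated lazily on the controller via kubernetes.core.k8s against its active kubeconfig context; tls.key is private-key material, so tasks that consume it should set no_log.` would record that for the next maintainer. The `pyrocufflink-cert` Secret is fetched twice for the same object; one lookup stored in an intermediate variable and indexed for `tls.crt` and `tls.key` would halve the API calls, assuming nothing outside this hunk relies on the two names being evaluated independently. If the Secret is absent, `query(...)` presumably returns an empty list and the `[0]` index fails at task time with a generic templating error rather than a message naming the missing Secret, so a short `assert` in the consuming play may be worth adding.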
diff --git a/roles/apache/files/bw0.pyrocufflink.blue.cer b/roles/apache/files/bw0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/bw0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/bw0.pyrocufflink.blue.key b/roles/apache/files/bw0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/bw0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/file0.pyrocufflink.blue.cer b/roles/apache/files/file0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/file0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/file0.pyrocufflink.blue.key b/roles/apache/files/file0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/file0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/git0.pyrocufflink.blue.cer b/roles/apache/files/git0.pyrocufflink.blue.cer
deleted file mode 120000
index 901785b..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/git0.pyrocufflink.blue.cnf b/roles/apache/files/git0.pyrocufflink.blue.cnf
deleted file mode 100644
index 9a30579..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.cnf
+++ /dev/null
@@ -1,19 +0,0 @@
-# vim: set ft=dosini :
-
-[req]
-prompt = no
-default_md = sha256
-distinguished_name = req_distinguished_name
-req_extensions = req_extensions
-
-[req_distinguished_name]
-countryName = US
-organizationName = Dustin C. Hatch
-commonName = git.pyrocufflink.blue
-
-[req_extensions]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.0 = git.pyrocufflink.blue
-DNS.1 = git.pyrocufflink.net
diff --git a/roles/apache/files/git0.pyrocufflink.blue.key b/roles/apache/files/git0.pyrocufflink.blue.key
deleted file mode 120000
index 44ddfa7..0000000
--- a/roles/apache/files/git0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/hass1.pyrocufflink.blue.cer b/roles/apache/files/hass1.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/hass1.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/hass1.pyrocufflink.blue.key b/roles/apache/files/hass1.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/hass1.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/hass2.pyrocufflink.blue.cer b/roles/apache/files/hass2.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/hass2.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/hass2.pyrocufflink.blue.key b/roles/apache/files/hass2.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/hass2.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/jenkins0.pyrocufflink.blue.cer b/roles/apache/files/jenkins0.pyrocufflink.blue.cer
deleted file mode 120000
index 62ab971..0000000
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.pem
\ No newline at end of file
diff --git a/roles/apache/files/jenkins0.pyrocufflink.blue.key b/roles/apache/files/jenkins0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/logs0.pyrocufflink.blue.cer b/roles/apache/files/logs0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/logs0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/logs0.pyrocufflink.blue.key b/roles/apache/files/logs0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/logs0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/matrix0.pyrocufflink.blue.cer b/roles/apache/files/matrix0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/matrix0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/matrix0.pyrocufflink.blue.key b/roles/apache/files/matrix0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/matrix0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/files/motion0.pyrocufflink.blue.cer b/roles/apache/files/motion0.pyrocufflink.blue.cer
deleted file mode 120000
index fa9cde3..0000000
--- a/roles/apache/files/motion0.pyrocufflink.blue.cer
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
\ No newline at end of file
diff --git a/roles/apache/files/motion0.pyrocufflink.blue.key b/roles/apache/files/motion0.pyrocufflink.blue.key
deleted file mode 120000
index 0345a4d..0000000
--- a/roles/apache/files/motion0.pyrocufflink.blue.key
+++ /dev/null
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
\ No newline at end of file
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 781ea74..5d911a6 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -20,35 +20,40 @@
 
 - name: ensure tls private key exists
 copy:
- src={{ item }}
- dest={{ apache_ssl_certificate_key }}
- mode=0400
- setype=cert_t
- with_fileglob:
- - '{{ inventory_hostname }}.key'
+ content: >-
+ {{ apache_ssl_certificate_key_data }}
+ dest: >-
+ {{ apache_ssl_certificate_key }}
+ mode: u=r,go=
+ setype: cert_t
+ diff: false
+ when: apache_ssl_certificate_key_data is defined
 notify: reload httpd
 tags:
 - cert
 - name: ensure tls certificate exists
 copy:
- src={{ item }}
- dest={{ apache_ssl_certificate }}
- mode=0644
- setype=cert_t
- with_fileglob:
- - '{{ inventory_hostname }}.cer'
+ content: >-
+ {{ apache_ssl_certificate_data }}
+ dest: >-
+ {{ apache_ssl_certificate }}
+ mode: u=rw,go=r
+ setype: cert_t
+ when: apache_ssl_certificate_data is defined
 tags:
 - cert
 notify: reload httpd
 - name: ensure tls ca certificate exists
 copy:
- src={{ item }}
- dest={{ apache_ssl_ca_certificate }}
- mode=0644
- setype=cert_t
- when: apache_ssl_ca_certificate is defined
- with_fileglob:
- - '{{ inventory_hostname }}-ca.crt'
+ content: >-
+ {{ apache_ssl_ca_certificate_data }}
+ dest: >-
+ {{ apache_ssl_ca_certificate }}
+ mode: u=rw,go=r
+ setype: cert_t
+ when:
+ apache_ssl_ca_certificate is defined and
+ apache_ssl_ca_certificate_data is defined
 notify: reload httpd
 tags:
 - cert
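Review bot: The private-key task sets `diff: false` but not `no_log: true`; the diff flag only hides the before/after text, while a failed or verbose run still prints the module invocation, so the decoded key held in `apache_ssl_certificate_key_data` can end up on the console and in whatever collects the controller's output. Adding `no_log: true` beside `diff: false` closes that gap; the two certificate tasks carry public material and can stay as written. The key task also differs from the CA task in not checking that its destination variable is defined, which is presumably fine if `apache_ssl_certificate_key` has a role default, but worth confirming since the defaults file is outside this hunk. The surrounding task list continues above the hunk.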