r/apache: Use variables for HTTPS cert/key content

Using files for certificates and private keys is less than ideal. The only way to "share" a certificate between multiple hosts is with symbolic links, which means the configuration policy has to be prepared for each managed system. As we're moving toward a much more dynamic environment, this becomes problematic; the host-provisioner will never be able to copy a certificate to a new host that was just created. Further, I have never really liked the idea of storing certificates and private keys in Git anyway, even if it is in a submodule with limited access.
2025-07-09 11:59:17 -05:00
parent f08f147931
commit 906819dd1c
22 changed files with 52 additions and 56 deletions
--- a/roles/apache/files/bw0.pyrocufflink.blue.cer
+++ b/roles/apache/files/bw0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/bw0.pyrocufflink.blue.key
+++ b/roles/apache/files/bw0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/file0.pyrocufflink.blue.cer
+++ b/roles/apache/files/file0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/file0.pyrocufflink.blue.key
+++ b/roles/apache/files/file0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/git0.pyrocufflink.blue.cer
+++ b/roles/apache/files/git0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.crt
--- a/roles/apache/files/git0.pyrocufflink.blue.cnf
+++ b/roles/apache/files/git0.pyrocufflink.blue.cnf
@@ -1,19 +0,0 @@
-# vim: set ft=dosini :
-
-[req]
-prompt = no
-default_md = sha256
-distinguished_name = req_distinguished_name
-req_extensions = req_extensions
-
-[req_distinguished_name]
-countryName = US
-organizationName = Dustin C. Hatch
-commonName = git.pyrocufflink.blue
-
-[req_extensions]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.0 = git.pyrocufflink.blue
-DNS.1 = git.pyrocufflink.net
--- a/roles/apache/files/git0.pyrocufflink.blue.key
+++ b/roles/apache/files/git0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.key
--- a/roles/apache/files/hass1.pyrocufflink.blue.cer
+++ b/roles/apache/files/hass1.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/hass1.pyrocufflink.blue.key
+++ b/roles/apache/files/hass1.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/hass2.pyrocufflink.blue.cer
+++ b/roles/apache/files/hass2.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/hass2.pyrocufflink.blue.key
+++ b/roles/apache/files/hass2.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.cer
+++ b/roles/apache/files/jenkins0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.pem
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.key
+++ b/roles/apache/files/jenkins0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/logs0.pyrocufflink.blue.cer
+++ b/roles/apache/files/logs0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/logs0.pyrocufflink.blue.key
+++ b/roles/apache/files/logs0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/matrix0.pyrocufflink.blue.cer
+++ b/roles/apache/files/matrix0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/matrix0.pyrocufflink.blue.key
+++ b/roles/apache/files/matrix0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/motion0.pyrocufflink.blue.cer
+++ b/roles/apache/files/motion0.pyrocufflink.blue.cer
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/motion0.pyrocufflink.blue.key
+++ b/roles/apache/files/motion0.pyrocufflink.blue.key
@@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -20,35 +20,40 @@

 - name: ensure tls private key exists
  copy:
-    src={{ item }}
-    dest={{ apache_ssl_certificate_key }}
-    mode=0400
-    setype=cert_t
-  with_fileglob:
-  - '{{ inventory_hostname }}.key'
+    content: >-
+      {{ apache_ssl_certificate_key_data }}
+    dest: >-
+      {{ apache_ssl_certificate_key }}
+    mode: u=r,go=
+    setype: cert_t
+  diff: false
+  when: apache_ssl_certificate_key_data is defined
  notify: reload httpd
  tags:
  - cert
 - name: ensure tls certificate exists
  copy:
-   src={{ item }}
-   dest={{ apache_ssl_certificate }}
-   mode=0644
-   setype=cert_t
-  with_fileglob:
-  - '{{ inventory_hostname }}.cer'
+    content: >-
+      {{ apache_ssl_certificate_data }}
+    dest: >-
+      {{ apache_ssl_certificate }}
+    mode: u=rw,go=r
+    setype: cert_t
+  when: apache_ssl_certificate_data is defined
  tags:
  - cert
  notify: reload httpd
 - name: ensure tls ca certificate exists
  copy:
-    src={{ item }}
-    dest={{ apache_ssl_ca_certificate }}
-    mode=0644
-    setype=cert_t
-  when: apache_ssl_ca_certificate is defined
-  with_fileglob:
-  - '{{ inventory_hostname }}-ca.crt'
+    content: >-
+      {{ apache_ssl_ca_certificate_data }}
+    dest: >-
+      {{ apache_ssl_ca_certificate }}
+    mode: u=rw,go=r
+    setype: cert_t
+  when:
+    apache_ssl_ca_certificate is defined and
+    apache_ssl_ca_certificate_data is defined
  notify: reload httpd
  tags:
  - cert
				`@@ -1 +0,0 @@`
				`../../../.certs/certificates/_.pyrocufflink.net.crt`