r/apache: Use variables for HTTPS cert/key content
Using files for certificates and private keys is less than ideal. The only way to "share" a certificate between multiple hosts is with symbolic links, which means the configuration policy has to be prepared for each managed system. As we're moving toward a much more dynamic environment, this becomes problematic; the host-provisioner will never be able to copy a certificate to a new host that was just created. Further, I have never really liked the idea of storing certificates and private keys in Git anyway, even if it is in a submodule with limited access.
unifi-restore
parent
f08f147931
commit
906819dd1c
|
@ -0,0 +1,21 @@
|
||||||
|
apache_ssl_certificate_data: >-
|
||||||
|
{{
|
||||||
|
query(
|
||||||
|
"kubernetes.core.k8s",
|
||||||
|
kind="Secret",
|
||||||
|
namespace="default",
|
||||||
|
resource_name="pyrocufflink-cert"
|
||||||
|
)[0].data["tls.crt"]
|
||||||
|
| b64decode
|
||||||
|
}}
|
||||||
|
|
||||||
|
apache_ssl_certificate_key_data: >-
|
||||||
|
{{
|
||||||
|
query(
|
||||||
|
"kubernetes.core.k8s",
|
||||||
|
kind="Secret",
|
||||||
|
namespace="default",
|
||||||
|
resource_name="pyrocufflink-cert"
|
||||||
|
)[0].data["tls.key"]
|
||||||
|
| b64decode
|
||||||
|
}}
|
7
hosts
7
hosts
|
@ -255,6 +255,13 @@ vps-04485add.vps.ovh.us
|
||||||
[wheelhost]
|
[wheelhost]
|
||||||
file0.pyrocufflink.blue
|
file0.pyrocufflink.blue
|
||||||
|
|
||||||
|
[wildcard-cert]
|
||||||
|
|
||||||
|
[wildcard-cert:children]
|
||||||
|
file-servers
|
||||||
|
gitea
|
||||||
|
pxe
|
||||||
|
|
||||||
[zezere]
|
[zezere]
|
||||||
|
|
||||||
[zigbee2mqtt:children]
|
[zigbee2mqtt:children]
|
||||||
|
|
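Review bot: Nothing in the hunk records what membership in the new `[wildcard-cert]` group implies, and the name alone does not tell a reader that every host under `[wildcard-cert:children]` (file-servers, gitea, pxe) will be handed the wildcard private key by the role. A one-line comment above the group, such as `# members receive the *.pyrocufflink.net certificate and private key via the apache_ssl_*_data variables`, would make that trust implication visible to whoever adds a child group later. This assumes the new 21-line vars file in the same commit is the group_vars for this group; the rendered page does not show that file's name.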
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../.certs/certificates/_.pyrocufflink.net.crt
|
|
|
@ -1,19 +0,0 @@
|
||||||
# vim: set ft=dosini :
|
|
||||||
|
|
||||||
[req]
|
|
||||||
prompt = no
|
|
||||||
default_md = sha256
|
|
||||||
distinguished_name = req_distinguished_name
|
|
||||||
req_extensions = req_extensions
|
|
||||||
|
|
||||||
[req_distinguished_name]
|
|
||||||
countryName = US
|
|
||||||
organizationName = Dustin C. Hatch
|
|
||||||
commonName = git.pyrocufflink.blue
|
|
||||||
|
|
||||||
[req_extensions]
|
|
||||||
subjectAltName = @alt_names
|
|
||||||
|
|
||||||
[alt_names]
|
|
||||||
DNS.0 = git.pyrocufflink.blue
|
|
||||||
DNS.1 = git.pyrocufflink.net
|
|
|
@ -1 +0,0 @@
|
||||||
../../../.certs/certificates/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.pem
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.crt
|
|
|
@ -1 +0,0 @@
|
||||||
../../../certs/lego/_.pyrocufflink.net.key
|
|
|
@ -20,35 +20,40 @@
|
||||||
|
|
||||||
- name: ensure tls private key exists
|
- name: ensure tls private key exists
|
||||||
copy:
|
copy:
|
||||||
src={{ item }}
|
content: >-
|
||||||
dest={{ apache_ssl_certificate_key }}
|
{{ apache_ssl_certificate_key_data }}
|
||||||
mode=0400
|
dest: >-
|
||||||
setype=cert_t
|
{{ apache_ssl_certificate_key }}
|
||||||
with_fileglob:
|
mode: u=r,go=
|
||||||
- '{{ inventory_hostname }}.key'
|
setype: cert_t
|
||||||
|
diff: false
|
||||||
|
when: apache_ssl_certificate_key_data is defined
|
||||||
notify: reload httpd
|
notify: reload httpd
|
||||||
tags:
|
tags:
|
||||||
- cert
|
- cert
|
||||||
- name: ensure tls certificate exists
|
- name: ensure tls certificate exists
|
||||||
copy:
|
copy:
|
||||||
src={{ item }}
|
content: >-
|
||||||
dest={{ apache_ssl_certificate }}
|
{{ apache_ssl_certificate_data }}
|
||||||
mode=0644
|
dest: >-
|
||||||
setype=cert_t
|
{{ apache_ssl_certificate }}
|
||||||
with_fileglob:
|
mode: u=rw,go=r
|
||||||
- '{{ inventory_hostname }}.cer'
|
setype: cert_t
|
||||||
|
when: apache_ssl_certificate_data is defined
|
||||||
tags:
|
tags:
|
||||||
- cert
|
- cert
|
||||||
notify: reload httpd
|
notify: reload httpd
|
||||||
- name: ensure tls ca certificate exists
|
- name: ensure tls ca certificate exists
|
||||||
copy:
|
copy:
|
||||||
src={{ item }}
|
content: >-
|
||||||
dest={{ apache_ssl_ca_certificate }}
|
{{ apache_ssl_ca_certificate_data }}
|
||||||
mode=0644
|
dest: >-
|
||||||
setype=cert_t
|
{{ apache_ssl_ca_certificate }}
|
||||||
when: apache_ssl_ca_certificate is defined
|
mode: u=rw,go=r
|
||||||
with_fileglob:
|
setype: cert_t
|
||||||
- '{{ inventory_hostname }}-ca.crt'
|
when:
|
||||||
|
apache_ssl_ca_certificate is defined and
|
||||||
|
apache_ssl_ca_certificate_data is defined
|
||||||
notify: reload httpd
|
notify: reload httpd
|
||||||
tags:
|
tags:
|
||||||
- cert
|
- cert
|
||||||
|
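Review bot: The private-key task (`- name: ensure tls private key exists`) gains `diff: false`, which hides the before/after diff, but it does not set `no_log: true`, so a failed or verbose run may still echo the task's arguments or the rendered value; `no_log: true` on that task is the conventional belt-and-braces for a task whose argument is a private key, and the two certificate tasks carry public material and do not need it. Separately, all three tasks are now skipped silently when their `*_data` variable is undefined (`when: apache_ssl_certificate_key_data is defined` and the two similar guards), so a host that is not in the cert group ends up with no key on disk and the problem only surfaces when httpd reloads; if that is not the intended contract, a preceding `assert` on the variables would fail at deploy time instead. A short comment above the first task, e.g. `# certificate material comes from apache_ssl_*_data (looked up on the controller), not from files shipped with the role`, would record why `with_fileglob` went away. The tasks list presumably continues past the end of the hunk.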
|