r/apache: Use variables for HTTPS cert/key content

Using files for certificates and private keys is less than ideal. The only way to "share" a certificate between multiple hosts is with symbolic links, which means the configuration policy has to be prepared for each managed system. As we're moving toward a much more dynamic environment, this becomes problematic; the host-provisioner will never be able to copy a certificate to a new host that was just created. Further, I have never really liked the idea of storing certificates and private keys in Git anyway, even if it is in a submodule with limited access.
2025-07-09 11:59:17 -05:00 · 2025-07-09 11:59:17 -05:00 · 906819dd1c
parent f08f147931
commit 906819dd1c
22 changed files with 52 additions and 56 deletions
--- a/group_vars/wildcard-cert.yml
+++ b/group_vars/wildcard-cert.yml
@ -0,0 +1,21 @@
+apache_ssl_certificate_data: >-
+  {{
+  query(
+    "kubernetes.core.k8s",
+    kind="Secret",
+    namespace="default",
+    resource_name="pyrocufflink-cert"
+  )[0].data["tls.crt"]
+  | b64decode
+  }}
+
+apache_ssl_certificate_key_data: >-
+  {{
+  query(
+    "kubernetes.core.k8s",
+    kind="Secret",
+    namespace="default",
+    resource_name="pyrocufflink-cert"
+  )[0].data["tls.key"]
+  | b64decode
+  }}
--- a/7
+++ b/7
@ -255,6 +255,13 @@ vps-04485add.vps.ovh.us
 [wheelhost]
 file0.pyrocufflink.blue

+[wildcard-cert]
+
+[wildcard-cert:children]
+file-servers
+gitea
+pxe
+
 [zezere]

 [zigbee2mqtt:children]
--- a/roles/apache/files/bw0.pyrocufflink.blue.cer
+++ b/roles/apache/files/bw0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/bw0.pyrocufflink.blue.key
+++ b/roles/apache/files/bw0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/file0.pyrocufflink.blue.cer
+++ b/roles/apache/files/file0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/file0.pyrocufflink.blue.key
+++ b/roles/apache/files/file0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/git0.pyrocufflink.blue.cer
+++ b/roles/apache/files/git0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.crt
--- a/roles/apache/files/git0.pyrocufflink.blue.cnf
+++ b/roles/apache/files/git0.pyrocufflink.blue.cnf
@ -1,19 +0,0 @@
-# vim: set ft=dosini :
-
-[req]
-prompt = no
-default_md = sha256
-distinguished_name = req_distinguished_name
-req_extensions = req_extensions
-
-[req_distinguished_name]
-countryName = US
-organizationName = Dustin C. Hatch
-commonName = git.pyrocufflink.blue
-
-[req_extensions]
-subjectAltName = @alt_names
-
-[alt_names]
-DNS.0 = git.pyrocufflink.blue
-DNS.1 = git.pyrocufflink.net
--- a/roles/apache/files/git0.pyrocufflink.blue.key
+++ b/roles/apache/files/git0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../.certs/certificates/_.pyrocufflink.net.key
--- a/roles/apache/files/hass1.pyrocufflink.blue.cer
+++ b/roles/apache/files/hass1.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/hass1.pyrocufflink.blue.key
+++ b/roles/apache/files/hass1.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/hass2.pyrocufflink.blue.cer
+++ b/roles/apache/files/hass2.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/hass2.pyrocufflink.blue.key
+++ b/roles/apache/files/hass2.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.cer
+++ b/roles/apache/files/jenkins0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.pem
--- a/roles/apache/files/jenkins0.pyrocufflink.blue.key
+++ b/roles/apache/files/jenkins0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/logs0.pyrocufflink.blue.cer
+++ b/roles/apache/files/logs0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/logs0.pyrocufflink.blue.key
+++ b/roles/apache/files/logs0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/matrix0.pyrocufflink.blue.cer
+++ b/roles/apache/files/matrix0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/matrix0.pyrocufflink.blue.key
+++ b/roles/apache/files/matrix0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/files/motion0.pyrocufflink.blue.cer
+++ b/roles/apache/files/motion0.pyrocufflink.blue.cer
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.crt
--- a/roles/apache/files/motion0.pyrocufflink.blue.key
+++ b/roles/apache/files/motion0.pyrocufflink.blue.key
@ -1 +0,0 @@
-../../../certs/lego/_.pyrocufflink.net.key
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@ -20,35 +20,40 @@

 - name: ensure tls private key exists
  copy:
-    src={{ item }}
-    dest={{ apache_ssl_certificate_key }}
-    mode=0400
-    setype=cert_t
-  with_fileglob:
-  - '{{ inventory_hostname }}.key'
+    content: >-
+      {{ apache_ssl_certificate_key_data }}
+    dest: >-
+      {{ apache_ssl_certificate_key }}
+    mode: u=r,go=
+    setype: cert_t
+  diff: false
+  when: apache_ssl_certificate_key_data is defined
  notify: reload httpd
  tags:
  - cert
 - name: ensure tls certificate exists
  copy:
-   src={{ item }}
-   dest={{ apache_ssl_certificate }}
-   mode=0644
-   setype=cert_t
-  with_fileglob:
-  - '{{ inventory_hostname }}.cer'
+    content: >-
+      {{ apache_ssl_certificate_data }}
+    dest: >-
+      {{ apache_ssl_certificate }}
+    mode: u=rw,go=r
+    setype: cert_t
+  when: apache_ssl_certificate_data is defined
  tags:
  - cert
  notify: reload httpd
 - name: ensure tls ca certificate exists
  copy:
-    src={{ item }}
-    dest={{ apache_ssl_ca_certificate }}
-    mode=0644
-    setype=cert_t
-  when: apache_ssl_ca_certificate is defined
-  with_fileglob:
-  - '{{ inventory_hostname }}-ca.crt'
+    content: >-
+      {{ apache_ssl_ca_certificate_data }}
+    dest: >-
+      {{ apache_ssl_ca_certificate }}
+    mode: u=rw,go=r
+    setype: cert_t
+  when:
+    apache_ssl_ca_certificate is defined and
+    apache_ssl_ca_certificate_data is defined
  notify: reload httpd
  tags:
  - cert
				`@ -1 +0,0 @@`
				`../../../.certs/certificates/_.pyrocufflink.net.crt`