authorMatthieu Saulnier <fantom@fedoraproject.org>2018-12-25 20:23:03 +0100
committerMatthieu Saulnier <fantom@fedoraproject.org>2018-12-25 20:23:03 +0100
commit0695eeca0ddca7ddbf13b6b2ea2045aa6490d2e4 (patch)
treea87135c27eba7f85ad61d434bc1c121adef6617f
parent2fd2b7edb1b153820f8e6592a2e428c36976a291 (diff)
Replace ssl certificate names with variables and add links for compatibility
-rw-r--r--roles/mtaserver/templates/main.cf.j24
-rw-r--r--roles/proxy/defaults/main.yml1
-rw-r--r--roles/proxy/tasks/config.yml55
-rw-r--r--roles/proxy/templates/squid.conf.j28
4 files changed, 57 insertions, 11 deletions
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index 90850f6..379dc47 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -741,8 +741,8 @@ readme_directory = /usr/share/doc/postfix/README_FILES
{% if mtadomain is defined %}
smtpd_tls_auth_only = yes
-smtpd_tls_key_file = /etc/pki/tls/private/casperlefantom.{{ crtversion }}.key
-smtpd_tls_cert_file = /etc/pki/tls/certs/casperlefantom.{{ crtversion }}.crt
+smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
smtpd_tls_security_level = may
smtpd_tls_ciphers = high
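Review bot: The key and certificate paths are now built from `mtadomain.0`, while the proxy role in this same commit names the installed files after a new `maindomain` variable; if those two values differ on a host, postfix is pointed at a file the proxy role never installs (whether the mtaserver role has its own copy task is not visible here). A one-line comment above `smtpd_tls_key_file`, such as `{# key/cert are expected under {{ mtadomain.0 }}.{{ crtversion }} — installed by <role> #}`, or switching both roles to the same `maindomain` variable, would make that dependency explicit. The `{% if mtadomain is defined %}` block continues past the hunk.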
diff --git a/roles/proxy/defaults/main.yml b/roles/proxy/defaults/main.yml
index b30fbfe..7b73d68 100644
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -3,6 +3,7 @@ fwdport: 8200
revport: 80
revports: 443
crtversion: 1
+maindomain: casperlefantom.net
peers:
- [ '9090', 'cockpit', 'vhost_cockpit', 'localhost', '127.0.0.1' ]
- [ '8101', 'casper-site-dev', 'vhost_casper-site', 'casperdev.home.casperlefantom.net', '127.0.0.1' ]
diff --git a/roles/proxy/tasks/config.yml b/roles/proxy/tasks/config.yml
index 32590bc..38096b5 100644
--- a/roles/proxy/tasks/config.yml
+++ b/roles/proxy/tasks/config.yml
@@ -22,19 +22,64 @@
# aux services impactés (get file non-fatal)
- name: Installation des fichiers certificat
copy:
- src: "certs/{{ item }}"
+ src: "certs/{{ maindomain }}.{{ crtversion }}.crt"
dest: /etc/pki/tls/certs/
owner: root
group: root
mode: 0644
- with_items:
- - "casperlefantom.{{ crtversion }}.crt"
- - dhparam-4096.pem
+ register: crtupdate
+
+- name: Installation du fichier dhparam
+ copy:
+ src: "certs/dhparam-4096.{{ crtversion }}.pem"
+ dest: /etc/pki/tls/certs/
+ owner: root
+ group: root
+ mode: 0644
+ register: dhupdate
- name: Installation des fichiers clé
copy:
- src: "certs/casperlefantom.{{ crtversion }}.key"
+ src: "certs/{{ maindomain }}.{{ crtversion }}.key"
dest: /etc/pki/tls/private/
owner: 0990
group: root
mode: 0440
+ register: keyupdate
+
+# Assurer la compabilité avec les anciens services
+- name: Suppression ancien certificat
+ file:
+ path: /etc/pki/tls/certs/casperlefantom.1.crt
+ state: absent
+ when: crtupdate is changed
+
+- name: Lien avec les anciens noms de certificat
+ file:
+ src: "/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/casperlefantom.1.crt
+ state: link
+
+- name: Suppression ancien dhparam
+ file:
+ path: /etc/pki/tls/certs/dhparam-4096.pem
+ state: absent
+ when: dhupdate is changed
+
+- name: Lien avec les anciens noms de dhparam
+ file:
+ src: "/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem"
+ dest: /etc/pki/tls/certs/dhparam-4096.pem
+ state: link
+
+- name: Suppression ancienne clé
+ file:
+ path: /etc/pki/tls/private/casperlefantom.1.key
+ state: absent
+ when: keyupdate is changed
+
+- name: Lien avec les anciens noms de clé
+ file:
+ src: "/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/casperlefantom.1.key
+ state: link
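Review bot: The three `state: link` tasks will fail with Ansible's "refusing to convert from file to symlink" error whenever the legacy regular file (`casperlefantom.1.crt`, `dhparam-4096.pem`, `casperlefantom.1.key`) is still present, because the removals before them run only `when: crtupdate is changed` (and `dhupdate`/`keyupdate`) — a run that aborted between the copy task and the cleanup, or a host where the new-named file already existed, leaves the old file in place and the cleanup skipped on the next run. Adding `force: true` to each of the three link tasks covers that case and makes the conditional removals unnecessary, which also shortens the window in which a service reload would find neither the old file nor the link at the legacy path. The new `mode: 0644` on the dhparam task relies on YAML octal parsing of the leading zero; `mode: "0644"` is the form yamllint and the Ansible docs recommend. The hunk starts mid-file, so whether anything restarts squid after these tasks is not visible here.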
diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2
index d8591a5..7c293a9 100644
--- a/roles/proxy/templates/squid.conf.j2
+++ b/roles/proxy/templates/squid.conf.j2
@@ -15,8 +15,8 @@ http_port [::1]:{{ item }} accel ignore-cc
{% for item in iface %}
http_port {{ item }}:{{ revport }} accel ignore-cc
https_port {{ item }}:{{ revports }} accel ignore-cc \
- cert=/etc/pki/tls/certs/casperlefantom.{{ crtversion }}.crt \
- key=/etc/pki/tls/private/casperlefantom.{{ crtversion }}.key \
+ cert=/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt \
+ key=/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key \
tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.pem \
crlfile=/etc/pki/tls/certs/crt-crl.pem \
cipher=HIGH:!aNULL:!MD5:!RC4 \
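Review bot: `tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.pem`, on the line right after the new `key=` line, still points at the un-versioned legacy path, so squid now depends on the compatibility symlink created in roles/proxy/tasks/config.yml rather than on the versioned file the copy task installs. Since the neighbouring lines were just switched to the `{{ maindomain }}.{{ crtversion }}` scheme, applying the same change here — `tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \` — keeps the template consistent and independent of the link. The `https_port` directive continues past the hunk.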
@@ -86,9 +86,9 @@ debug_options ALL,2
# infos admin
cache_mgr {{ email }}
{% if ansible_default_ipv4.network == localnet %}
-visible_hostname {{ ansible_hostname }}.home.casperlefantom.net
+visible_hostname {{ ansible_hostname }}.home.{{ maindomain }}
{% else %}
-visible_hostname {{ ansible_hostname }}.casperlefantom.net
+visible_hostname {{ ansible_hostname }}.{{ maindomain }}
{% endif %}
httpd_suppress_version_string on