From 0695eeca0ddca7ddbf13b6b2ea2045aa6490d2e4 Mon Sep 17 00:00:00 2001
From: Matthieu Saulnier
Date: Tue, 25 Dec 2018 20:23:03 +0100
Subject: Replace ssl certificate names with variables and add links for compatibilty
---
 roles/mtaserver/templates/main.cf.j2 | 4 +--
 roles/proxy/defaults/main.yml | 1 +
 roles/proxy/tasks/config.yml | 55 ++++++++++++++++++++++++++++++++----
 roles/proxy/templates/squid.conf.j2 | 8 +++---
 4 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/roles/mtaserver/templates/main.cf.j2 b/roles/mtaserver/templates/main.cf.j2
index 90850f6..379dc47 100644
--- a/roles/mtaserver/templates/main.cf.j2
+++ b/roles/mtaserver/templates/main.cf.j2
@@ -741,8 +741,8 @@ readme_directory = /usr/share/doc/postfix/README_FILES
 {% if mtadomain is defined %}
 smtpd_tls_auth_only = yes
-smtpd_tls_key_file = /etc/pki/tls/private/casperlefantom.{{ crtversion }}.key
-smtpd_tls_cert_file = /etc/pki/tls/certs/casperlefantom.{{ crtversion }}.crt
+smtpd_tls_key_file = /etc/pki/tls/private/{{ mtadomain.0 }}.{{ crtversion }}.key
+smtpd_tls_cert_file = /etc/pki/tls/certs/{{ mtadomain.0 }}.{{ crtversion }}.crt
 smtpd_tls_security_level = may
 smtpd_tls_ciphers = high
diff --git a/roles/proxy/defaults/main.yml b/roles/proxy/defaults/main.yml
index b30fbfe..7b73d68 100644
--- a/roles/proxy/defaults/main.yml
+++ b/roles/proxy/defaults/main.yml
@@ -3,6 +3,7 @@ fwdport: 8200
 revport: 80
 revports: 443
 crtversion: 1
+maindomain: casperlefantom.net
 peers:
 - [ '9090', 'cockpit', 'vhost_cockpit', 'localhost', '127.0.0.1' ]
 - [ '8101', 'casper-site-dev', 'vhost_casper-site', 'casperdev.home.casperlefantom.net', '127.0.0.1' ]
diff --git a/roles/proxy/tasks/config.yml b/roles/proxy/tasks/config.yml
index 32590bc..38096b5 100644
--- a/roles/proxy/tasks/config.yml
+++ b/roles/proxy/tasks/config.yml
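Review bot: The MTA template now derives the certificate file name from `mtadomain.0`, while the proxy role in this same patch (the defaults hunk below, config.yml and squid.conf.j2) keys the same files on the new `maindomain` variable; whenever `mtadomain.0` differs from `maindomain` (with the shipped default the proxy installs `casperlefantom.net.1.crt`), Postfix points at `/etc/pki/tls/private/<mtadomain.0>.<crtversion>.key`, which nothing in this patch installs, and the compatibility symlinks are created only by the proxy role. Unless the MTA host also runs the proxy role and the two values coincide, using one variable for the name, e.g. `{{ maindomain | default(mtadomain.0) }}`, or stating in roles/proxy/defaults/main.yml that `maindomain` must match the MTA's domain, would keep the roles from drifting. The `{% if mtadomain is defined %}` block closes outside the hunk. The defaults/main.yml hunk is only a new default and needs nothing on its own.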
@@ -22,19 +22,64 @@
 # aux services impactés (get file non-fatal)
 - name: Installation des fichiers certificat
 copy:
- src: "certs/{{ item }}"
+ src: "certs/{{ maindomain }}.{{ crtversion }}.crt"
 dest: /etc/pki/tls/certs/
 owner: root
 group: root
 mode: 0644
- with_items:
- - "casperlefantom.{{ crtversion }}.crt"
- - dhparam-4096.pem
+ register: crtupdate
+
+- name: Installation du fichier dhparam
+ copy:
+ src: "certs/dhparam-4096.{{ crtversion }}.pem"
+ dest: /etc/pki/tls/certs/
+ owner: root
+ group: root
+ mode: 0644
+ register: dhupdate
 - name: Installation des fichiers clé
 copy:
- src: "certs/casperlefantom.{{ crtversion }}.key"
+ src: "certs/{{ maindomain }}.{{ crtversion }}.key"
 dest: /etc/pki/tls/private/
 owner: 0990
 group: root
 mode: 0440
+ register: keyupdate
+
+# Assurer la compabilité avec les anciens services
+- name: Suppression ancien certificat
+ file:
+ path: /etc/pki/tls/certs/casperlefantom.1.crt
+ state: absent
+ when: crtupdate is changed
+
+- name: Lien avec les anciens noms de certificat
+ file:
+ src: "/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt"
+ dest: /etc/pki/tls/certs/casperlefantom.1.crt
+ state: link
+
+- name: Suppression ancien dhparam
+ file:
+ path: /etc/pki/tls/certs/dhparam-4096.pem
+ state: absent
+ when: dhupdate is changed
+
+- name: Lien avec les anciens noms de dhparam
+ file:
+ src: "/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem"
+ dest: /etc/pki/tls/certs/dhparam-4096.pem
+ state: link
+
+- name: Suppression ancienne clé
+ file:
+ path: /etc/pki/tls/private/casperlefantom.1.key
+ state: absent
+ when: keyupdate is changed
+
+- name: Lien avec les anciens noms de clé
+ file:
+ src: "/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key"
+ dest: /etc/pki/tls/private/casperlefantom.1.key
+ state: link
diff --git a/roles/proxy/templates/squid.conf.j2 b/roles/proxy/templates/squid.conf.j2
index d8591a5..7c293a9 100644
--- a/roles/proxy/templates/squid.conf.j2
+++ b/roles/proxy/templates/squid.conf.j2
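Review bot: The three `state: link` tasks carry no `force: true`, yet the `state: absent` tasks that clear the legacy paths run only `when: <register> is changed`; on any run where the copy reports unchanged but a regular file is still present at `casperlefantom.1.crt`, `dhparam-4096.pem` or `casperlefantom.1.key` (a previous run that failed between the copy and the link, or a host that already had the new-name file), the `file` module refuses to replace a regular file with a symlink and the play stops. Adding `force: true` to each of the three link tasks makes the conversion unconditional and lets the deletion tasks go; if they stay, dropping their `when:` makes them idempotent on their own. Separately, `Installation des fichiers clé` copies a private key and now registers its result; with `--diff` the copy module prints file contents, so `no_log: true` (and `diff: false`) on that task keeps the key material out of job output. Note also that `dhparam-4096.{{ crtversion }}.pem` ties the DH parameter file to the certificate version, so each renewal that bumps `crtversion` presumably also requires renaming the dhparam file in the role's `certs/` files directory.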
@@ -15,8 +15,8 @@ http_port [::1]:{{ item }} accel ignore-cc
 {% for item in iface %}
 http_port {{ item }}:{{ revport }} accel ignore-cc
 https_port {{ item }}:{{ revports }} accel ignore-cc \
- cert=/etc/pki/tls/certs/casperlefantom.{{ crtversion }}.crt \
- key=/etc/pki/tls/private/casperlefantom.{{ crtversion }}.key \
+ cert=/etc/pki/tls/certs/{{ maindomain }}.{{ crtversion }}.crt \
+ key=/etc/pki/tls/private/{{ maindomain }}.{{ crtversion }}.key \
 tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.pem \
 crlfile=/etc/pki/tls/certs/crt-crl.pem \
 cipher=HIGH:!aNULL:!MD5:!RC4 \
@@ -86,9 +86,9 @@ debug_options ALL,2
 # infos admin
 cache_mgr {{ email }}
 {% if ansible_default_ipv4.network == localnet %}
-visible_hostname {{ ansible_hostname }}.home.casperlefantom.net
+visible_hostname {{ ansible_hostname }}.home.{{ maindomain }}
 {% else %}
-visible_hostname {{ ansible_hostname }}.casperlefantom.net
+visible_hostname {{ ansible_hostname }}.{{ maindomain }}
 {% endif %}
 httpd_suppress_version_string on
-- cgit
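Review bot: The `https_port` line moves `cert=` and `key=` to the versioned `{{ maindomain }}.{{ crtversion }}` names but leaves `tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.pem` on the legacy name, which after this patch exists only as the compatibility symlink created in roles/proxy/tasks/config.yml; since the template is being edited anyway, `tls-dh=secp256k1:/etc/pki/tls/certs/dhparam-4096.{{ crtversion }}.pem \` would let the links be retired later without touching squid again. Unrelated to this change but on the same line: `secp256k1` is not among the named groups TLS 1.3 permits, so ECDHE with current clients presumably does not use it and the 4096-bit DHE parameters carry the load; `prime256v1` or `X25519` is the usual choice, worth confirming against the Squid version deployed. The `{% for item in iface %}` loop and the `https_port` continuation run past the hunk. The second hunk (`visible_hostname`) only substitutes `maindomain` and needs nothing.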