final touches

2019-01-31 14:29:02 -05:00 · 2019-01-31 14:29:02 -05:00 · 79007dcf4b
parent 8d7c7f0c23
commit 79007dcf4b
5 changed files with 35 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -4,6 +4,8 @@ The current provisioning setup uses [Ansible](https://www.ansible.com/resources/

 ## Pre-requisites 
 Before attempting to deploy, ensure you have done the following:
+1. git checkout https://github.com/EbookFoundation/regluit-provisioning
+1. create `certs` and `decrypted` directories in `private`
 1. Install `ansible` on your local machine
 1. Obtain the `ansible-vault` password and save it to a file
 1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
@ -17,7 +19,7 @@ Before attempting to deploy, ensure you have done the following:

 ## Deploy
 Deploying is as simple as running the `setup-prod` ansible playbook.  
-Navigate to the `provisioning/` directory and run the following:  
+Navigate to the `regluit-provisioning/` directory and run the following:  
 ```
 $ ansible-playbook -i hosts setup-prod.yml
 ```   
@ -27,7 +29,7 @@ If you successfully completed all the pre-requisite steps, the playbook should b
 ## Additional Configuration

 ### Variables and Secrets
-The necessary variables are pulled from `provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.  
+The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.  
 The variables are split into two files to still allow for searching references in playbook tasks.
 To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**.   This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.   

--- a/group_vars/batterup/vars.yml
+++ b/group_vars/batterup/vars.yml
@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "production"
+le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory

 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
--- a/group_vars/ondeck/vars.yml
+++ b/group_vars/ondeck/vars.yml
@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "master"
+le_endpoint: https://acme-v02.api.letsencrypt.org/directory
+#le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
+

 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "production"
+le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory

 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
--- a/roles/regluit_prod/tasks/certs.yml
+++ b/roles/regluit_prod/tasks/certs.yml
@ -8,10 +8,22 @@
 #
 # create a code signing request by hand on ansible host with (for example)
 # openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
+# 
+# make sure you have private/decrypted/ and private/certs/
+
+
+- name: Decrypt files
+  copy:
+    src: private/{{ item }}
+    dest:  private/decrypted/{{ item }}
+  with_items:
+    - 'letsencrypt_account.key'
+    - '{{ server_name }}.csr'    
+  delegate_to: 127.0.0.1

 - name: Make sure account exists and has given contacts. We agree to TOS.
  acme_account:
-    account_key_src: private/letsencrypt_account.key
+    account_key_src: private/decrypted/letsencrypt_account.key
    acme_directory: "{{ le_endpoint }}"
    acme_version: 2
    state: present
@ -35,12 +47,12 @@

 - name: Create a challenge for server_name using a account key file.
  acme_certificate:
-    account_key_src: private/letsencrypt_account.key
+    account_key_src: private/decrypted/letsencrypt_account.key
    acme_directory: "{{ le_endpoint }}"
    acme_version: 2
    remaining_days: 45
    select_crypto_backend: openssl
-    csr: "csrs/{{ server_name }}.csr"
+    csr: "private/decrypted/{{ server_name }}.csr"
    dest: private/certs/{{ server_name }}.crt
    fullchain_dest: private/certs/{{ server_name }}.ca-bundle
  delegate_to: 127.0.0.1
@ -72,12 +84,12 @@

 - name: Create a challenge for server_name using a account key file.
  acme_certificate:
-    account_key_src: private/letsencrypt_account.key
+    account_key_src: private/decrypted/letsencrypt_account.key
    acme_directory: "{{ le_endpoint }}"
    acme_version: 2
    remaining_days: 45
    select_crypto_backend: openssl
-    csr: "csrs/{{ server_name }}.csr"
+    csr: "private/decrypted/{{ server_name }}.csr"
    dest: private/certs/{{ server_name }}.crt
    fullchain_dest: private/certs/{{ server_name }}.ca-bundle
    data: "{{ acme_challenge }}"
@ -111,3 +123,12 @@
    - restart apache
  tags:
    - certs
+
+- name:  delete decrypted files
+  file:
+    path: private/decrypted/{{ item }}
+    state: absent
+  with_items:
+    - 'letsencrypt_account.key'
+    - '{{ server_name }}.csr'    
+  delegate_to: 127.0.0.1