From 79007dcf4be0740724f678b40c28428b7b29393e Mon Sep 17 00:00:00 2001
From: eric
Date: Thu, 31 Jan 2019 14:29:02 -0500
Subject: [PATCH] final touches
---
 README.md | 6 ++++--
 group_vars/batterup/vars.yml | 1 +
 group_vars/ondeck/vars.yml | 3 +++
 group_vars/production/vars.yml | 1 +
 roles/regluit_prod/tasks/certs.yml | 31 +++++++++++++++++++++++++-----
 5 files changed, 35 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 72aff03..9ebd4ad 100644
--- a/README.md
+++ b/README.md
@@ -4,6 +4,8 @@ The current provisioning setup uses [Ansible](https://www.ansible.com/resources/
 
 ## Pre-requisites
 Before attempting to deploy, ensure you have done the following:
+1. git checkout https://github.com/EbookFoundation/regluit-provisioning
+1. create `certs` and `decrypted` directories in `private`
 1. Install `ansible` on your local machine
 1. Obtain the `ansible-vault` password and save it to a file
 1. Set the path to the `ansible-vault` file via environment variable e.g. `export NSIBLE_VAULT_PASSWORD_FILE=[path]`
@@ -17,7 +19,7 @@ Before attempting to deploy, ensure you have done the following:
 
 ## Deploy
 Deploying is as simple as running the `setup-prod` ansible playbook.
-Navigate to the `provisioning/` directory and run the following:
+Navigate to the `regluit-provisioning/` directory and run the following:
 ```
 $ ansible-playbook -i hosts setup-prod.yml
 ```
@@ -27,7 +29,7 @@ If you successfully completed all the pre-requisite steps, the playbook should b
 ## Additional Configuration
 ### Variables and Secrets
-The necessary variables are pulled from `provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
+The necessary variables are pulled from `regluit-provisioning/group_vars/production/vars.yml` which in turn pulls certain secret values from `vault.yml`.
 The variables are split into two files to still allow for searching references in playbook tasks. To add or view secret values, you must decrypt the file first: `$ ansible-vault decrypt vault.yml` however **always remember to encrypt secret files before pushing to git**. This is done in a similar manner: `$ ansible-vault encrypt vault.yml`.
diff --git a/group_vars/batterup/vars.yml b/group_vars/batterup/vars.yml
index 058ccf6..d512e67 100644
--- a/group_vars/batterup/vars.yml
+++ b/group_vars/batterup/vars.yml
@@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "production"
+le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
 
 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
diff --git a/group_vars/ondeck/vars.yml b/group_vars/ondeck/vars.yml
index 47ef8d1..058d334 100644
--- a/group_vars/ondeck/vars.yml
+++ b/group_vars/ondeck/vars.yml
@@ -12,6 +12,9 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "master"
+le_endpoint: https://acme-v02.api.letsencrypt.org/directory
+#le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
+
 
 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
diff --git a/group_vars/production/vars.yml b/group_vars/production/vars.yml
index 058ccf6..d512e67 100644
--- a/group_vars/production/vars.yml
+++ b/group_vars/production/vars.yml
@@ -12,6 +12,7 @@ wsgi_home: "/opt/regluit/venv"
 wsgi_python_path: "/opt/regluit/venv/bin/python"
 git_repo: "https://github.com/Gluejar/regluit.git"
 git_branch: "production"
+le_endpoint: https://acme-staging-v02.api.letsencrypt.org/directory
 
 ### Variables in settings.prod.py ###
 mysql_db_name: "{{ vault_mysql_db_name }}"
diff --git a/roles/regluit_prod/tasks/certs.yml b/roles/regluit_prod/tasks/certs.yml
index 26f8964..f5c471f 100644
--- a/roles/regluit_prod/tasks/certs.yml
+++ b/roles/regluit_prod/tasks/certs.yml
@@ -8,10 +8,22 @@
 #
 # create a code signing request by hand on ansible host with (for example)
 # openssl req -new -sha256 -key private/{{ server_name }}.key -out {{ server_name }}.csr -subj /CN=m.unglue.it
+#
+# make sure you have private/decrypted/ and private/certs/
+ + - name: Decrypt files copy: src: private/{{ item }} dest: private/decrypted/{{ item }} with_items: - 'letsencrypt_account.key' - '{{ server_name }}.csr' delegate_to: 127.0.0.1
 
 - name: Make sure account exists and has given contacts. We agree to TOS.
 acme_account:
- account_key_src: private/letsencrypt_account.key
+ account_key_src: private/decrypted/letsencrypt_account.key
 acme_directory: "{{ le_endpoint }}"
 acme_version: 2
 state: present
@@ -35,12 +47,12 @@
 
 - name: Create a challenge for server_name using a account key file.
 acme_certificate:
- account_key_src: private/letsencrypt_account.key
+ account_key_src: private/decrypted/letsencrypt_account.key
 acme_directory: "{{ le_endpoint }}"
 acme_version: 2
 remaining_days: 45
 select_crypto_backend: openssl
- csr: "csrs/{{ server_name }}.csr"
+ csr: "private/decrypted/{{ server_name }}.csr"
 dest: private/certs/{{ server_name }}.crt
 fullchain_dest: private/certs/{{ server_name }}.ca-bundle
 delegate_to: 127.0.0.1
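Review bot: `le_endpoint` for the `production` group points at the Let's Encrypt staging directory, whose certificates chain to an untrusted test CA, so whatever `certs.yml` issues and installs on production hosts with this value will be rejected by browsers. The `ondeck` group in this same commit uses `https://acme-v02.api.letsencrypt.org/directory`, while the `batterup` and `production` files carry identical blob ids (`058ccf6..d512e67`), so the two groups are byte-for-byte the same config; whether production is meant to stay on staging for a dry run I can't tell from here. Unless it is, change this line to `le_endpoint: https://acme-v02.api.letsencrypt.org/directory` and keep the staging URL on a commented line as ondeck does, since the production directory is rate-limited and a misconfigured issuance loop there burns real quota.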
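Review bot: The `Decrypt files` task writes the plaintext ACME account key to `private/decrypted/` on the control host without setting a mode, so it gets umask-default permissions (usually world-readable) for the duration of the play. Add `mode: '0600'` to the `copy` task; the CSR is public data, but the same mode is harmless there. Presumably `private/letsencrypt_account.key` is ansible-vault encrypted and `copy`'s default `decrypt: yes` is what does the decrypting here — if so, a comment above the task such as `# copy auto-decrypts vault-encrypted src files; plaintext lands in private/decrypted/` would spare the next reader a trip to the module docs, and `private/decrypted/` needs to be gitignored, which this diff does not show. The `acme_account` task at the bottom of the hunk continues past it.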
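Review bot: `private/decrypted/letsencrypt_account.key` and `private/decrypted/{{ server_name }}.csr` are now spelled out as literals in this task, in the `acme_account` task above it, in the second `acme_certificate` task below, and in the decrypt/delete `with_items` lists, so moving the scratch directory later means editing five places that have to agree. Define them once in the role's vars or defaults, e.g. `le_account_key: private/decrypted/letsencrypt_account.key` and `le_csr: "private/decrypted/{{ server_name }}.csr"`, and reference `account_key_src: "{{ le_account_key }}"` / `csr: "{{ le_csr }}"` here. The two `acme_certificate` tasks are otherwise near-duplicates, which is the usual two-pass challenge/finalize pattern, but it makes the shared-path drift more likely.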
@@ -72,12 +84,12 @@
 
 - name: Create a challenge for server_name using a account key file.
 acme_certificate:
- account_key_src: private/letsencrypt_account.key
+ account_key_src: private/decrypted/letsencrypt_account.key
 acme_directory: "{{ le_endpoint }}"
 acme_version: 2
 remaining_days: 45
 select_crypto_backend: openssl
- csr: "csrs/{{ server_name }}.csr"
+ csr: "private/decrypted/{{ server_name }}.csr"
 dest: private/certs/{{ server_name }}.crt
 fullchain_dest: private/certs/{{ server_name }}.ca-bundle
 data: "{{ acme_challenge }}"
@@ -111,3 +123,12 @@
 - restart apache
 tags:
 - certs
+
+- name: delete decrypted files
+ file:
+ path: private/decrypted/{{ item }}
+ state: absent
+ with_items:
+ - 'letsencrypt_account.key'
+ - '{{ server_name }}.csr'
+ delegate_to: 127.0.0.1
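Review bot: The `delete decrypted files` task only runs if every task before it succeeded, so a failed ACME challenge leaves the plaintext account key sitting in `private/decrypted/` on the control host. The task it follows is tagged `certs` (visible in the context lines) and this one is not, so a `--tags certs` run that decrypts and issues would likewise skip the cleanup. Wrap the decrypt, ACME and install tasks in a `block:` and move this task into its `always:` section, and give it the same `tags: - certs` as its neighbours; the decrypt task it pairs with is at the top of the file, outside this hunk. Note also that `state: absent` only unlinks the file, which is fine for a scratch directory but worth a comment such as `# plaintext key/CSR exist only for the duration of the play` so nobody later treats private/decrypted/ as a cache.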