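---
# Provision the "hollyhock" host: Cockpit web console, a dummy NetworkManager
# connection, a private CA with a single mTLS client certificate, and the nginx
# site that fronts Cockpit.
#
# Trust-boundary caveat: the CA private key AND the client private key are
# generated on the managed host itself. The mTLS boundary is therefore only as
# strong as root on that host — anyone with root there can mint further client
# certificates. Keys never leave the host except inside the PKCS#12 bundle.
#
# Variables expected from inventory/vars: mtls.ca.dir, mtls.ca.cn, mtls.ca.days,
# mtls.client.cn, mtls.client.days, mtls_p12_password (keep it in Ansible Vault
# or a lookup, never plain in vars), tmp_dir, nginx_user, nginx_group.
- name: DevOps setup
  hosts: hollyhock
  become: true
  tasks:
    - name: Install cockpit
      ansible.builtin.apt:
        name: cockpit
        # Pull cockpit from the release's backports suite rather than stable.
        default_release: "{{ ansible_facts['distribution_release'] }}-backports"
        state: present
        update_cache: true

    - name: Enable cockpit
      # NOTE(review): cockpit is normally socket-activated (cockpit.socket). If
      # enabling the service unit is rejected or a no-op on this distribution,
      # target the socket unit instead — confirm on the host.
      ansible.builtin.systemd:
        name: cockpit
        state: started
        enabled: true

    - name: Copy network configuration
      ansible.builtin.copy:
        src: cockpit/network-config.conf
        dest: /etc/NetworkManager/conf.d/10-globally-managed-devices.conf
        mode: "0644"
      # A changed conf.d file only takes effect once NetworkManager restarts;
      # without this notify an updated file would sit unapplied whenever the
      # nmcli task below is already in its desired state.
      notify: Restart network

    - name: Create dummy network connection
      # NOTE(review): 1.2.3.0/24 is publicly routed address space, and a gw4 on
      # a dummy device installs a route via an interface that forwards nothing.
      # Consider an RFC 5737 documentation range (e.g. 192.0.2.0/24) and verify
      # that the resulting route metric cannot shadow the real default route.
      community.general.nmcli:
        conn_name: fake
        type: dummy
        ifname: fake0
        ip4: 1.2.3.4/24
        gw4: 1.2.3.1
        state: present
      notify: Restart network

    # --- Private CA -----------------------------------------------------------
    # Directory is root-only; the CA key below is additionally 0600.
    - name: Ensure mtls directory exists on server
      ansible.builtin.file:
        path: "{{ mtls.ca.dir }}"
        state: directory
        owner: root
        group: root
        mode: "0700"

    - name: Generate ca private key
      community.crypto.openssl_privatekey:
        path: "{{ mtls.ca.dir }}/ca.key"
        size: 4096
        mode: "0600"

    - name: Generate ca csr
      community.crypto.openssl_csr:
        path: "{{ mtls.ca.dir }}/ca.csr"
        privatekey_path: "{{ mtls.ca.dir }}/ca.key"
        common_name: "{{ mtls.ca.cn }}"
        # Marked critical so a verifier that does not understand the extension
        # must reject the certificate rather than silently accept it.
        basic_constraints:
          - "CA:TRUE"
        basic_constraints_critical: true
        # Restrict the CA key to signing certificates and CRLs only.
        key_usage:
          - keyCertSign
          - cRLSign
        key_usage_critical: true

    - name: Generate self-signed ca certificate
      # NOTE(review): x509_certificate ignores validity timestamps for its
      # idempotency check by default, so an EXPIRED CA certificate is not
      # regenerated by a re-run. Rotation needs force: true (and re-signing the
      # client certificate below); a relative "+Nd" with ignore_timestamps:
      # false would instead regenerate on every run.
      community.crypto.x509_certificate:
        path: "{{ mtls.ca.dir }}/ca.crt"
        privatekey_path: "{{ mtls.ca.dir }}/ca.key"
        csr_path: "{{ mtls.ca.dir }}/ca.csr"
        provider: selfsigned
        selfsigned_not_after: "+{{ mtls.ca.days }}d"
        mode: "0644"

    # --- Client certificate ---------------------------------------------------
    - name: Generate client private key
      community.crypto.openssl_privatekey:
        path: "{{ mtls.ca.dir }}/client.key"
        size: 2048
        mode: "0600"

    - name: Generate client csr
      community.crypto.openssl_csr:
        path: "{{ mtls.ca.dir }}/client.csr"
        privatekey_path: "{{ mtls.ca.dir }}/client.key"
        common_name: "{{ mtls.client.cn }}"
        # clientAuth only: this certificate cannot be presented as a server cert.
        extended_key_usage:
          - clientAuth

    - name: Sign client certificate with ca
      # Same renewal caveat as the CA certificate: an expired client cert is
      # not re-issued automatically.
      community.crypto.x509_certificate:
        path: "{{ mtls.ca.dir }}/client.crt"
        csr_path: "{{ mtls.ca.dir }}/client.csr"
        provider: ownca
        ownca_path: "{{ mtls.ca.dir }}/ca.crt"
        ownca_privatekey_path: "{{ mtls.ca.dir }}/ca.key"
        ownca_not_after: "+{{ mtls.client.days }}d"
        mode: "0600"

    - name: Bundle client cert + key into pkcs#12
      community.crypto.openssl_pkcs12:
        action: export
        path: "{{ mtls.ca.dir }}/client.p12"
        friendly_name: "{{ mtls.client.cn }}"
        privatekey_path: "{{ mtls.ca.dir }}/client.key"
        certificate_path: "{{ mtls.ca.dir }}/client.crt"
        # Ship the CA alongside so the importer can build the chain.
        other_certificates:
          - "{{ mtls.ca.dir }}/ca.crt"
        # The passphrase is the only protection on the bundle once it leaves
        # the host; source it from Vault or a lookup.
        passphrase: "{{ mtls_p12_password }}"
        # Non-legacy (AES/PBKDF2-based) PKCS#12 encryption parameters instead of
        # the old RC2/3DES defaults; see the module docs for the exact profile.
        encryption_level: compatibility2022
        mode: "0600"

    - name: Fetch client bundle to local machine
      ansible.builtin.fetch:
        src: "{{ mtls.ca.dir }}/client.p12"
        dest: "{{ tmp_dir }}/hollyhock.p12"
        flat: true

    - name: Restrict permissions of the fetched client bundle
      # fetch has no mode parameter, so the local copy is created with the
      # controller's umask; tighten it to the invoking user only. become is
      # disabled because the play-level become would otherwise sudo locally.
      ansible.builtin.file:
        path: "{{ tmp_dir }}/hollyhock.p12"
        mode: "0600"
      delegate_to: localhost
      become: false

    - name: Save ca cert in tmp/
      ansible.builtin.fetch:
        src: "{{ mtls.ca.dir }}/ca.crt"
        dest: "{{ tmp_dir }}/hollyhock_ca.crt"
        flat: true

    # --- nginx front-end ------------------------------------------------------
    - name: Copy nginx config
      ansible.builtin.template:
        src: nginx/hollyhock.conf.j2
        dest: "/etc/nginx/sites-available/hollyhock"
        mode: "0644"
      # A changed template must reach the running nginx even when the
      # sites-enabled symlink below already exists and reports no change.
      notify:
        - Test and restart nginx

    - name: Disable http and https nginx sites
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - /etc/nginx/sites-enabled/hollyhock-http
        - /etc/nginx/sites-enabled/hollyhock-https
      # Removing a site only stops serving it after nginx reloads.
      notify:
        - Test and restart nginx

    - name: Enable nginx config
      # NOTE(review): the owner/group here are applied to the symlink, and
      # nginx configuration is conventionally root-owned; handing it to the
      # worker user would let a compromised worker alter its own config if the
      # target were ever chowned. Confirm the intent before relying on this.
      ansible.builtin.file:
        src: /etc/nginx/sites-available/hollyhock
        dest: /etc/nginx/sites-enabled/hollyhock
        state: link
        owner: "{{ nginx_user }}"
        group: "{{ nginx_group }}"
      notify:
        - Test and restart nginx

  handlers:
    # Validates the configuration before restarting so a bad template cannot
    # take the site down (tasks file lives outside this playbook).
    - name: Test and restart nginx
      ansible.builtin.include_tasks: tasks/test_and_restart_nginx.yaml

    # NOTE(review): restarting NetworkManager can drop the SSH session if the
    # management interface is NM-managed; run with a reconnect-tolerant setup.
    - name: Restart network
      ansible.builtin.systemd:
        name: NetworkManager
        state: restarted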