viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

ri keyserver ansible [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2025-11-29 19:22:26 +00:00
parent 5d979ed5d2
commit 4f73aa3d6f
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
1 changed files with 0 additions and 155 deletions
Download patch file Download diff file Expand all files Collapse all files

155
modules/kubernetes/keyserver/deploy_keyserver.yaml
View file

@ -1,155 +0,0 @@
# @nocommit: job to periodically update the certs
---
- name: Deploy Nginx-based key server for TrueNAS unlock
hosts: keyserver
become: true
vars:
server_name: "keyserver.viktorbarzin.me"
key_filename: "truenas.key"
htpasswd_user: "truenas"
htpasswd_password: "EcDZgBnUtGM09qiUXts81HjHybM" # replace with vault
ssl_cert_path: "/etc/ssl/certs/keyserver.crt"
ssl_key_path: "/etc/ssl/private/keyserver.key"
local_ssl_cert: "../../../secrets/fullchain.pem" # LOCAL path
local_ssl_key: "../../../secrets/privkey.pem" # LOCAL path
tasks:
- name: Install packages
apt:
name:
- nginx
- apache2-utils
- python3-passlib
state: present
update_cache: yes
- name: Create basic-auth file
community.general.htpasswd:
path: /etc/nginx/.htpasswd
name: "{{ htpasswd_user }}"
password: "{{ htpasswd_password }}"
crypt_scheme: bcrypt
- name: Create key directory
file:
path: /srv/keys
state: directory
owner: root
group: root
mode: '0755'
- name: Create key file if it doesn't exist
command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"
args:
creates: "/srv/keys/{{ key_filename }}"
- name: Set key file permissions
file:
path: "/srv/keys/{{ key_filename }}"
owner: www-data
group: www-data
mode: '0640'
- name: Enable info logging in nginx.conf
lineinfile:
path: /etc/nginx/nginx.conf
regexp: '^(\s*)error_log'
line: ' error_log /var/log/nginx/error.log info;'
insertafter: 'http {'
notify: reload nginx
- name: Ensure rate limit config exists
copy:
dest: /etc/nginx/conf.d/ratelimit.conf
content: |
limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m;
notify: reload nginx
- name: Deploy keyserver nginx site
copy:
dest: /etc/nginx/sites-available/keyserver.conf
content: |
server {
listen 443 ssl;
server_name {{ server_name }};
ssl_certificate {{ ssl_cert_path }};
ssl_certificate_key {{ ssl_key_path }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
limit_req zone=authfail burst=2 nodelay;
location /keys/ {
alias /srv/keys/;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
autoindex off;
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
}
}
notify: reload nginx
- name: Enable keyserver site
file:
src: /etc/nginx/sites-available/keyserver.conf
dest: /etc/nginx/sites-enabled/keyserver.conf
state: link
notify: reload nginx
- name: Remove default site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx
- name: Copy SSL certificate to server
copy:
src: "{{ local_ssl_cert }}"
dest: "{{ ssl_cert_path }}"
owner: root
group: root
mode: '0644'
notify: reload nginx
- name: Copy SSL private key to server
copy:
src: "{{ local_ssl_key }}"
dest: "{{ ssl_key_path }}"
owner: root
group: root
mode: '0644'
notify: reload nginx
# - name: Create self-signed SSL certificate if missing
# command: >
# openssl req -x509 -newkey rsa:2048 -nodes
# -keyout {{ ssl_key_path }}
# -out {{ ssl_cert_path }}
# -days 365
# -subj "/CN={{ server_name }}"
# args:
# creates: "{{ ssl_cert_path }}"
notify: reload nginx
- name: Test nginx config
command: nginx -t
register: nginx_test
failed_when: "'successful' not in nginx_test.stderr"
- name: Ensure nginx is running
service:
name: nginx
state: started
enabled: true
handlers:
- name: reload nginx
service:
name: nginx
state: reloaded