diff --git a/modules/kubernetes/keyserver/deploy_keyserver.yaml b/modules/kubernetes/keyserver/deploy_keyserver.yaml
deleted file mode 100644
index fe721bc0..00000000
--- a/modules/kubernetes/keyserver/deploy_keyserver.yaml
+++ /dev/null
@@ -1,155 +0,0 @@ -# @nocommit: job to periodically update the certs ---- -- name: Deploy Nginx-based key server for TrueNAS unlock - hosts: keyserver - become: true - vars: - server_name: "keyserver.viktorbarzin.me" - key_filename: "truenas.key" - htpasswd_user: "truenas" - htpasswd_password: "EcDZgBnUtGM09qiUXts81HjHybM" # replace with vault - ssl_cert_path: "/etc/ssl/certs/keyserver.crt" - ssl_key_path: "/etc/ssl/private/keyserver.key" - local_ssl_cert: "../../../secrets/fullchain.pem" # LOCAL path - local_ssl_key: "../../../secrets/privkey.pem" # LOCAL path - - tasks: - - - name: Install packages - apt: - name: - - nginx - - apache2-utils - - python3-passlib - state: present - update_cache: yes - - - name: Create basic-auth file - community.general.htpasswd: - path: /etc/nginx/.htpasswd - name: "{{ htpasswd_user }}" - password: "{{ htpasswd_password }}" - crypt_scheme: bcrypt - - - name: Create key directory - file: - path: /srv/keys - state: directory - owner: root - group: root - mode: '0755' - - - name: Create key file if it doesn't exist - command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}" - args: - creates: "/srv/keys/{{ key_filename }}" - - - name: Set key file permissions - file: - path: "/srv/keys/{{ key_filename }}" - owner: www-data - group: www-data - mode: '0640' - - - name: Enable info logging in nginx.conf - lineinfile: - path: /etc/nginx/nginx.conf - regexp: '^(\s*)error_log' - line: ' error_log /var/log/nginx/error.log info;' - insertafter: 'http {' - notify: reload nginx - - - name: Ensure rate limit config exists - copy: - dest: /etc/nginx/conf.d/ratelimit.conf - content: | - limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m; - notify: reload nginx - - - name: Deploy keyserver nginx site - copy: - dest: /etc/nginx/sites-available/keyserver.conf - content: | - server { - listen 443 ssl; - server_name {{ server_name }}; - - ssl_certificate {{ ssl_cert_path }}; - ssl_certificate_key {{ ssl_key_path }}; - - 
ssl_protocols TLSv1.2 TLSv1.3; - ssl_prefer_server_ciphers on; - - limit_req zone=authfail burst=2 nodelay; - - location /keys/ { - alias /srv/keys/; - - auth_basic "Restricted"; - auth_basic_user_file /etc/nginx/.htpasswd; - - autoindex off; - - add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; - } - } - notify: reload nginx - - - name: Enable keyserver site - file: - src: /etc/nginx/sites-available/keyserver.conf - dest: /etc/nginx/sites-enabled/keyserver.conf - state: link - notify: reload nginx - - - name: Remove default site - file: - path: /etc/nginx/sites-enabled/default - state: absent - notify: reload nginx - - - name: Copy SSL certificate to server - copy: - src: "{{ local_ssl_cert }}" - dest: "{{ ssl_cert_path }}" - owner: root - group: root - mode: '0644' - notify: reload nginx - - - name: Copy SSL private key to server - copy: - src: "{{ local_ssl_key }}" - dest: "{{ ssl_key_path }}" - owner: root - group: root - mode: '0644' - notify: reload nginx - - # - name: Create self-signed SSL certificate if missing - # command: > - # openssl req -x509 -newkey rsa:2048 -nodes - # -keyout {{ ssl_key_path }} - # -out {{ ssl_cert_path }} - # -days 365 - # -subj "/CN={{ server_name }}" - # args: - # creates: "{{ ssl_cert_path }}" - notify: reload nginx - - - name: Test nginx config - command: nginx -t - register: nginx_test - failed_when: "'successful' not in nginx_test.stderr" - - - name: Ensure nginx is running - service: - name: nginx - state: started - enabled: true - - handlers: - - name: reload nginx - service: - name: nginx - state: reloaded