firstval
4/12/2016 - 2:34 AM

Deploying SSL keys securely with Ansible (code)

---
# Consumed by the nginx tasks: one TLS server block is rendered and enabled
# per entry (template src nginx-ssl-vhost.conf, dest .../{{hostname}}_ssl).
ssl_virtual_hosts:
  - hostname: secure.example.com
    # local backend the vhost proxies to on 127.0.0.1
    port: 3000
    certificate: /etc/ssl/certs/secure.example.com.pem
    # NOTE(review): presumably the passphrase-less key written by the
    # "strip ssl keys" task (ssl_certificates[].key_stripped); the file name
    # used there in this listing differs ("secure_example.com.key") — confirm
    key: /etc/ssl/private/secure.example.com.key
---
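# Tasks for the https role: create the ssl-cert group, lay down the
# certificate and the passphrase-protected key, then derive a passphrase-less
# copy that nginx can load without an interactive prompt.
#
# Consumes: ssl_certificates — list of certificate_src / certificate_dest /
# key_src / key_dest / key_stripped / key_password.
# Notifies: "restart nginx" (handler not shown in this listing).
- name: ssl-certs group
  group:
    name: ssl-cert
    state: present
  become: true
  tags: ssl

- name: Make sure nginx user is in ssl-cert
  user:
    name: nginx
    # without append: true the user module replaces the supplementary
    # groups with exactly this list
    groups: www-data,ssl-cert
  become: true
  tags: nginx

- name: ssl certs dir
  file:
    path: /etc/ssl/certs
    state: directory
    owner: root
    # octal modes are quoted with a leading zero so no YAML/Ansible
    # conversion can misread them
    mode: "0755"
  become: true
  tags: ssl

- name: ssl private dir
  file:
    path: /etc/ssl/private
    state: directory
    owner: root
    mode: "0700"
  become: true
  tags: ssl

- name: copy the certificate
  copy:
    src: "{{ item.certificate_src }}"
    dest: "{{ item.certificate_dest }}"
    group: ssl-cert
    mode: "0644"
  with_items: "{{ ssl_certificates }}"
  become: true
  tags: ssl
  notify: restart nginx

- name: copy the key
  copy:
    src: "{{ item.key_src }}"
    dest: "{{ item.key_dest }}"
    group: ssl-cert
    # group-readable only; the ssl-cert group is the access boundary
    mode: "0640"
  with_items: "{{ ssl_certificates }}"
  become: true
  tags: ssl

- name: strip ssl keys
  # The passphrase travels on the openssl command line, so it is visible in
  # the process list for the duration of the call and would otherwise be
  # printed in task output; no_log keeps it out of playbook output and logs
  # (at the cost of hiding diagnostics when this task fails).
  command: >-
    openssl rsa -in {{ item.key_dest }} -out {{ item.key_stripped }}
    -passin pass:{{ item.key_password }}
  args:
    creates: "{{ item.key_stripped }}"
  no_log: true
  become: true
  with_items: "{{ ssl_certificates }}"
  tags: ssl
  notify: restart nginx

- name: restrict stripped key permissions
  # openssl writes the passphrase-less key with the process umask; give it
  # the same owner group and mode as the protected key copied above.
  file:
    path: "{{ item.key_stripped }}"
    group: ssl-cert
    mode: "0640"
  become: true
  with_items: "{{ ssl_certificates }}"
  tags: ssl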
---
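# Play that applies the https role to the webservers group. The SSL
# passphrase is requested at run time so it is never stored in the
# repository; the role reads it as ssl_passphrase
# (see ssl_certificates[].key_password).
- hosts: webservers
  remote_user: "{{ user }}"
  roles:
    - role: https
  vars_prompt:
    - name: ssl_passphrase
      prompt: "Enter SSL Certificate Passphrase"
      # private: true hides the typed passphrase. The original used
      # private: false, which echoes the passphrase to the terminal and to
      # any session recording or CI log capturing it.
      private: true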
---
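# nginx role tasks: render one TLS server block per entry of
# ssl_virtual_hosts into sites-available and enable it by symlinking into
# sites-enabled. Both tasks notify "restart nginx" (handler not shown here).
- name: Add SSL virtual hosts
  template:
    src: nginx-ssl-vhost.conf
    dest: "/etc/nginx/sites-available/{{ item.hostname }}_ssl"
  with_items: "{{ ssl_virtual_hosts }}"
  become: true
  notify: restart nginx
  tags: nginx

- name: Enable SSL virtual hosts
  file:
    state: link
    src: "/etc/nginx/sites-available/{{ item.hostname }}_ssl"
    path: "/etc/nginx/sites-enabled/{{ item.hostname }}_ssl"
    owner: nginx
  with_items: "{{ ssl_virtual_hosts }}"
  become: true
  notify: restart nginx
  tags: nginx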
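# nginx-ssl-vhost.conf: rendered by Ansible once per ssl_virtual_hosts entry.
# Terminates TLS on 443 and proxies plain HTTP to the local backend port.
server {
  # "ssl" on the listen line replaces the deprecated "ssl on;" directive,
  # which newer nginx releases reject outright.
  listen 443 ssl;
  server_name {{item.hostname}};

  # item.key must be the passphrase-less key; with an encrypted key nginx
  # prompts for the passphrase on every start and restart.
  ssl_certificate {{item.certificate}};
  ssl_certificate_key {{item.key}};

  # No ssl_protocols / ssl_ciphers are set here, so the compiled-in nginx
  # defaults apply; check them against current guidance for the deployed
  # version.

  location / {
    proxy_pass http://127.0.0.1:{{item.port}};
    proxy_set_header X-Real-IP $remote_addr;
  }
}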
---
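# Input for the https role. *_src files are looked up on the control host
# (copy module src); *_dest and key_stripped are paths on the target.
# key_password is filled from the ssl_passphrase vars_prompt, so the
# passphrase itself never lives in this file.
ssl_certificates:
  - certificate_src: secure.example.com.pem
    certificate_dest: /etc/ssl/certs/secure.example.com.pem
    key_src: secure.example.com.protected.key
    key_dest: /etc/ssl/private/secure.example.com.protected.key
    # Must match the key path in ssl_virtual_hosts; the original listing
    # wrote "secure_example.com.key" here, so nginx would have pointed at a
    # file the strip task never creates.
    key_stripped: /etc/ssl/private/secure.example.com.key
    key_password: "{{ ssl_passphrase }}"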