From 5cf883cc14f272a688eba507a1cc8aa05fe288f9 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 15:23:41 +0200 Subject: [PATCH 001/108] added ansible boilerplate --- ansible.cfg | 6 ++++++ inventory.ini | 7 +++++++ 2 files changed, 13 insertions(+) create mode 100644 ansible.cfg create mode 100644 inventory.ini diff --git a/ansible.cfg b/ansible.cfg new file mode 100644 index 0000000..a66fde3 --- /dev/null +++ b/ansible.cfg @@ -0,0 +1,6 @@ +[defaults] +roles_path = /home/vagrant/roles +inventory = /home/vagrant/inventory.ini +forks = 10 +remote_user = vagrant +become = False diff --git a/inventory.ini b/inventory.ini new file mode 100644 index 0000000..e79d277 --- /dev/null +++ b/inventory.ini @@ -0,0 +1,7 @@ +[haproxy] +192.168.0.2 +192.168.0.3 + +[webserver] +192.168.0.4 +192.168.0.5 \ No newline at end of file From 81a9803a3a85b3c6e013d54f087d06c6dbcc23bc Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 13:26:54 +0000 Subject: [PATCH 002/108] feat(haproxy): added haproxy role --- roles/haproxy/.travis.yml | 29 ++++++++++++++++++ roles/haproxy/README.md | 38 ++++++++++++++++++++++++ roles/haproxy/defaults/main.yml | 2 ++ roles/haproxy/handlers/main.yml | 2 ++ roles/haproxy/meta/main.yml | 52 +++++++++++++++++++++++++++++++++ roles/haproxy/tasks/main.yml | 2 ++ roles/haproxy/tests/inventory | 2 ++ roles/haproxy/tests/test.yml | 5 ++++ roles/haproxy/vars/main.yml | 2 ++ 9 files changed, 134 insertions(+) create mode 100644 roles/haproxy/.travis.yml create mode 100644 roles/haproxy/README.md create mode 100644 roles/haproxy/defaults/main.yml create mode 100644 roles/haproxy/handlers/main.yml create mode 100644 roles/haproxy/meta/main.yml create mode 100644 roles/haproxy/tasks/main.yml create mode 100644 roles/haproxy/tests/inventory create mode 100644 roles/haproxy/tests/test.yml create mode 100644 roles/haproxy/vars/main.yml diff --git a/roles/haproxy/.travis.yml b/roles/haproxy/.travis.yml new file mode 100644 index 0000000..36bbf62 
--- /dev/null +++ b/roles/haproxy/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/haproxy/README.md b/roles/haproxy/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/haproxy/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml new file mode 100644 index 0000000..0b165ce --- /dev/null +++ b/roles/haproxy/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for haproxy diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml new file mode 100644 index 0000000..5ba1b00 --- /dev/null +++ b/roles/haproxy/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for haproxy diff --git a/roles/haproxy/meta/main.yml b/roles/haproxy/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/haproxy/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml new file mode 100644 index 0000000..d7e38d3 --- /dev/null +++ b/roles/haproxy/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for haproxy diff --git a/roles/haproxy/tests/inventory b/roles/haproxy/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null 
+++ b/roles/haproxy/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/haproxy/tests/test.yml b/roles/haproxy/tests/test.yml new file mode 100644 index 0000000..ede91ec --- /dev/null +++ b/roles/haproxy/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - haproxy diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml new file mode 100644 index 0000000..9cf5464 --- /dev/null +++ b/roles/haproxy/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for haproxy From f89d381811a5ad4fd06107b37e8c2a2f32b753fd Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 15:44:22 +0200 Subject: [PATCH 003/108] bla --- .gitignore | 1 + playbook.yml | 9 ++++++ roles/haproxy/handlers/main.yml | 5 +++- roles/haproxy/tasks/main.yml | 16 ++++++++++- roles/haproxy/templates/haproxy.conf.j2 | 37 +++++++++++++++++++++++++ 5 files changed, 66 insertions(+), 2 deletions(-) create mode 100644 .gitignore create mode 100644 playbook.yml create mode 100644 roles/haproxy/templates/haproxy.conf.j2 diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..a3062be --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.vscode/* diff --git a/playbook.yml b/playbook.yml new file mode 100644 index 0000000..1d215de --- /dev/null +++ b/playbook.yml @@ -0,0 +1,9 @@ +- name: Configure Task + hosts: all + become: true + gather_facts: true + tasks: + - name: Import haproxy Role + import_role: + name: "haproxy" + when: "'webservers' in group_names" \ No newline at end of file diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml index 5ba1b00..074b38d 100644 --- a/roles/haproxy/handlers/main.yml +++ b/roles/haproxy/handlers/main.yml @@ -1,2 +1,5 @@ --- -# handlers file for haproxy +- name: Restat HAProxy + service: + name: haproxy + state: restarted \ No newline at end of file diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index d7e38d3..f411c1f 100644 
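Review bot: The `when: "'webservers' in group_names"` on the `import_role` task in playbook.yml is applied to every task the role imports rather than to the import itself, so on each non-matching host Ansible evaluates and reports a skip for every haproxy task. Since the role is only meant for the load balancers, targeting them directly is simpler and drops the per-task condition: `hosts: haproxy` in place of `hosts: all`, with the `when:` removed. If a condition is still wanted, `include_role` skips the whole role in one step instead.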
--- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -1,2 +1,16 @@ --- -# tasks file for haproxy +- name: Ensure HAProxy is installed. + dnf: + name: haproxy + state: present + +- name: Call Certificate Role + include_role: + name: "certificates" + +- name: Generate HAProxy configuration + template: + src: haproxy.conf.j2 + dest: /etc/haproxy/haproxy.conf + notify: + - Restat HAProxy \ No newline at end of file diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 new file mode 100644 index 0000000..d404562 --- /dev/null +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -0,0 +1,37 @@ +global + log 127.0.0.1 local2 + user haproxy + group haproxy + daemon + maxconn 4000 + ca-base /etc/ssl/certs + +defaults + log global + mode http + option httplog + option dontlognull + timeout connect 5000 + timeout client 50000 + timeout server 50000 + +frontend ha-front-ssl + bind *:443 ssl crt /etc/ssl/private/server.pem + mode http + option forwardfor + default_backend be_roundrobin + {% for server in group['webservers'] %} + use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } + {% endfor %} + +# Backend Configuration +backend be_roundrobin + balance roundrobin + {% for server in group['webservers'] %} + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt + {% endfor %} + +{% for server in group['webservers'] %} +backend be_{{ hostvars[server].ansible_nodename }} + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt +{% endfor %} \ No newline at end of file From 713637b2814ea0c1c4258665fa4de051053f66a2 Mon Sep 17 00:00:00 2001 
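Review bot: The rendered configuration is written to `dest: /etc/haproxy/haproxy.conf`, but the haproxy package installed by the `dnf` task above ships a unit that reads `/etc/haproxy/haproxy.cfg` unless overridden, so the `Restat HAProxy` handler would restart the service on the stock config and the template is never loaded; `dest: /etc/haproxy/haproxy.cfg` keeps it on the path the service uses. The same path is carried through the later tasks/main.yml hunks (PATCH 005, 009 and 010), so fixing it here covers those too.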
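Review bot: In the frontend loop, `use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn }` leaves the hostvars lookup outside `{{ }}`, so the literal text `hostvars[server].ansible_fqdn` becomes the ACL pattern and no real Host header will ever match; it should read `if { req.hdr(host) -i {{ hostvars[server].ansible_fqdn }} }`. The line is carried unchanged through the PATCH 006 and 007 hunks of this template. Separately, the `global` section sets no TLS floor for `bind *:443 ssl`, so `ssl-default-bind-options ssl-min-ver TLSv1.2` is worth adding there, and the backend `server ... check ssl verify required ca-file ca.crt` lines validate the chain only — without `verifyhost` or `sni` the peer certificate's name is presumably not checked against anything.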
From: yoav-katz Date: Wed, 13 Nov 2024 16:18:56 +0200 Subject: [PATCH 004/108] feat(keepalived): added keepalived functionality --- inventory.ini | 4 +-- roles/haproxy/defaults/main.yml | 2 ++ roles/haproxy/handlers/main.yml | 5 ++++ roles/haproxy/tasks/keepalived.yml | 11 ++++++++ roles/haproxy/tasks/main.yml | 6 +++- roles/haproxy/templates/keepalived.conf.j2 | 32 ++++++++++++++++++++++ 6 files changed, 57 insertions(+), 3 deletions(-) create mode 100644 roles/haproxy/tasks/keepalived.yml create mode 100644 roles/haproxy/templates/keepalived.conf.j2 diff --git a/inventory.ini b/inventory.ini index e79d277..7b0a7ae 100644 --- a/inventory.ini +++ b/inventory.ini @@ -1,6 +1,6 @@ [haproxy] -192.168.0.2 -192.168.0.3 +192.168.0.2 keepalived_state=MASTER keepalived_priority=101 +192.168.0.3 keepalived_state=BACKUP keepalived_priority=99 [webserver] 192.168.0.4 diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 0b165ce..b762fc5 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -1,2 +1,4 @@ --- # defaults file for haproxy +keepalived_ip: 192.168.0.6 +keepalived_subnet: 29 \ No newline at end of file diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml index 074b38d..f3ccf96 100644 --- a/roles/haproxy/handlers/main.yml +++ b/roles/haproxy/handlers/main.yml @@ -2,4 +2,9 @@ - name: Restat HAProxy service: name: haproxy + state: restarted + +- name: Retart keepalived + service: + name: keepalived state: restarted \ No newline at end of file diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml new file mode 100644 index 0000000..8fe6105 --- /dev/null +++ b/roles/haproxy/tasks/keepalived.yml 
@@ -0,0 +1,11 @@ +- name: Ensure HAProxy is installed. + dnf: + name: keepalived + state: present + +- name: Generate HAProxy configuration + template: + src: keepalived.conf.j2 + dest: /etc/keepalived/keepalived.conf + notify: + - Restat keepalived \ No newline at end of file diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index f411c1f..29ca269 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -13,4 +13,8 @@ src: haproxy.conf.j2 dest: /etc/haproxy/haproxy.conf notify: - - Restat HAProxy \ No newline at end of file + - Restat HAProxy + +- name: Generate keepalived + import_tasks: + name: "keepalived" \ No newline at end of file diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 new file mode 100644 index 0000000..78df543 --- /dev/null +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -0,0 +1,32 @@ +vrrp_script chk_haproxy { + script "killall -0 haproxy" + interval 2 # check every 2 seconds + weight 2 # add 2 points of prio if OK +} + +vrrp_instance VI_1 { + state {{ keepalived_state }} + interface eth1 + virtual_router_id 51 + priority {{ keepalived_priority }} + authentication { + auth_type PASS + auth_pass 1111 + } + virtual_ipaddress { + {{ keepalived_ip }}/{{ keepalived_subnet }} + } + unicast_src_ip {{ inventory_hostname }} # this node IP + + unicast_peer { + {% for server in group['webservers'] %} + {% if hostvars[server].inventory_hostname != inventory_hostname %} + {{ hostvars[server].inventory_hostname }} + {% endif %} + {% endfor %} + } + + track_script { + chk_haproxy + } +} \ No newline at end of file From 13fb643dddf3e6e2d30e6d0f78e1fda23294df3d Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 14:26:10 +0000 Subject: [PATCH 005/108] fixes --- ansible.cfg | 4 ++-- playbook.yml | 2 +- roles/haproxy/tasks/main.yml | 6 +----- 3 files changed, 4 insertions(+), 8 deletions(-) 
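Review bot: Both task names in keepalived.yml are copied from the haproxy tasks — `Ensure HAProxy is installed.` installs keepalived and `Generate HAProxy configuration` renders keepalived.conf — which makes play output misleading; rename them `Ensure keepalived is installed.` and `Generate keepalived configuration`. The rendered `/etc/keepalived/keepalived.conf` carries the VRRP `auth_pass`, so the `template` task should also pin `owner: root`, `group: root` and `mode: "0600"` rather than relying on the default mode.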
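Review bot: `auth_pass 1111` in keepalived.conf.j2 is a hard-coded shared secret committed to the repository; make it a variable (`auth_pass {{ keepalived_auth_pass }}`) with the value kept out of VCS, for example in an Ansible Vault file, alongside `keepalived_state`/`keepalived_priority` which are already parameterised from the inventory. Note that VRRP `auth_type PASS` sends the password in clear text on the segment, so it provides little protection on its own and the `unicast_peer` list is the more meaningful control. `interface eth1` is likewise hard-coded; a role default such as `keepalived_interface: eth1` next to `keepalived_ip` would let it be overridden per host.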
diff --git a/ansible.cfg b/ansible.cfg
index a66fde3..520b772 100644
--- a/ansible.cfg
+++ b/ansible.cfg
@@ -1,6 +1,6 @@
 [defaults]
-roles_path = /home/vagrant/roles
-inventory = /home/vagrant/inventory.ini
+roles_path = $HOME/ITtoolsTask/roles
+inventory = $HOME/ITtoolsTask/inventory.ini
 forks = 10
 remote_user = vagrant
 become = False
diff --git a/playbook.yml b/playbook.yml
index 1d215de..28ac04c 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,4 +6,4 @@
 - name: Import haproxy Role
 import_role:
 name: "haproxy"
- when: "'webservers' in group_names"
\ No newline at end of file
+ when: "'webserver' in group_names"
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 29ca269..54502e7 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -4,10 +4,6 @@
 name: haproxy
 state: present

-- name: Call Certificate Role
- include_role:
- name: "certificates"
-
 - name: Generate HAProxy configuration
 template:
 src: haproxy.conf.j2
@@ -17,4 +13,4 @@

 - name: Generate keepalived
 import_tasks:
- name: "keepalived"
\ No newline at end of file
+ file: keepalived.yml
From 9eb9b4b4a55a1eb22ffc7c4e63eb59d14201792f Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Wed, 13 Nov 2024 16:26:50 +0200
Subject: [PATCH 006/108] fix
---
 roles/haproxy/templates/haproxy.conf.j2 | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index d404562..5411ec9 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
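Review bot: `roles_path = $HOME/ITtoolsTask/roles` and `inventory = $HOME/ITtoolsTask/inventory.ini` tie the configuration to one checkout directory name under the invoking user's home, so any clone elsewhere (or a CI runner) will not find the roles or the inventory. Since ansible.cfg sits in the project root and is picked up from the working directory, relative paths are portable: `roles_path = ./roles` and `inventory = ./inventory.ini`.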
@@ -20,18 +20,18 @@ frontend ha-front-ssl mode http option forwardfor default_backend be_roundrobin - {% for server in group['webservers'] %} + {% for server in groups['webserver'] %} use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } {% endfor %} # Backend Configuration backend be_roundrobin balance roundrobin - {% for server in group['webservers'] %} + {% for server in groups['webserver'] %} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt {% endfor %} -{% for server in group['webservers'] %} +{% for server in groups['webserver'] %} backend be_{{ hostvars[server].ansible_nodename }} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt {% endfor %} \ No newline at end of file From 634c62c93eaee520aa67e8cb166c91968c3e7c21 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 16:28:44 +0200 Subject: [PATCH 007/108] bla --- playbook.yml | 2 +- roles/haproxy/templates/haproxy.conf.j2 | 6 +++--- roles/haproxy/templates/keepalived.conf.j2 | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) diff --git a/playbook.yml b/playbook.yml index 28ac04c..9d7bcf9 100644 --- a/playbook.yml +++ b/playbook.yml @@ -6,4 +6,4 @@ - name: Import haproxy Role import_role: name: "haproxy" - when: "'webserver' in group_names" + when: "'haproxy' in group_names" diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 5411ec9..eef63a5 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 
@@ -20,18 +20,18 @@ frontend ha-front-ssl mode http option forwardfor default_backend be_roundrobin - {% for server in groups['webserver'] %} + {% for server in groups['haproxy'] %} use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } {% endfor %} # Backend Configuration backend be_roundrobin balance roundrobin - {% for server in groups['webserver'] %} + {% for server in groups['haproxy'] %} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt {% endfor %} -{% for server in groups['webserver'] %} +{% for server in groups['haproxy'] %} backend be_{{ hostvars[server].ansible_nodename }} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt {% endfor %} \ No newline at end of file diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 78df543..4963b82 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -19,7 +19,7 @@ vrrp_instance VI_1 { unicast_src_ip {{ inventory_hostname }} # this node IP unicast_peer { - {% for server in group['webservers'] %} + {% for server in group['haproxy'] %} {% if hostvars[server].inventory_hostname != inventory_hostname %} {{ hostvars[server].inventory_hostname }} {% endif %} From 9cf9aa5fa0887b4bca83a14bc750675bb61f7185 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 16:29:52 +0200 Subject: [PATCH 008/108] bla --- roles/haproxy/templates/keepalived.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 4963b82..f2ec96e 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 
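Review bot: Switching the three loops in haproxy.conf.j2 to `groups['haproxy']` makes the HAProxy hosts themselves the backend pool — per inventory.ini that is 192.168.0.2/.3, the load balancers, not the `[webserver]` hosts 192.168.0.4/.5 — so each proxy would forward :443 traffic to itself or its peer instead of to Apache. The playbook `when` and the keepalived `unicast_peer` change to the haproxy group look right, since those concern where the role runs and who the VRRP peers are, but the backend `server` lines and `use_backend` rules should presumably stay on `groups['webserver']`.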
@@ -19,7 +19,7 @@ vrrp_instance VI_1 {
 unicast_src_ip {{ inventory_hostname }} # this node IP

 unicast_peer {
- {% for server in group['haproxy'] %}
+ {% for server in groups['haproxy'] %}
 {% if hostvars[server].inventory_hostname != inventory_hostname %}
 {{ hostvars[server].inventory_hostname }}
 {% endif %}
From 9b0b878978965dbdf237ccdb3f451057f93a91cc Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Wed, 13 Nov 2024 16:30:50 +0200
Subject: [PATCH 009/108] bla
---
 roles/haproxy/handlers/main.yml | 4 ++--
 roles/haproxy/tasks/keepalived.yml | 2 +-
 roles/haproxy/tasks/main.yml | 2 +-
 3 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml
index f3ccf96..367a88d 100644
--- a/roles/haproxy/handlers/main.yml
+++ b/roles/haproxy/handlers/main.yml
@@ -1,10 +1,10 @@
 ---
-- name: Restat HAProxy
+- name: Restart HAProxy
 service:
 name: haproxy
 state: restarted

-- name: Retart keepalived
+- name: Restart keepalived
 service:
 name: keepalived
 state: restarted
\ No newline at end of file
diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml
index 8fe6105..3591548 100644
--- a/roles/haproxy/tasks/keepalived.yml
+++ b/roles/haproxy/tasks/keepalived.yml
@@ -8,4 +8,4 @@
 src: keepalived.conf.j2
 dest: /etc/keepalived/keepalived.conf
 notify:
- - Restat keepalived
\ No newline at end of file
+ - Restart HAProxy
\ No newline at end of file
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 54502e7..bfb08cc 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -9,7 +9,7 @@
 src: haproxy.conf.j2
 dest: /etc/haproxy/haproxy.conf
 notify:
- - Restat HAProxy
+ - Restart HAProxy

 - name: Generate keepalived
 import_tasks:
From 7151433ba9ca44cebcd735b4af94ecd0e12c599b Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Wed, 13 Nov 2024 16:41:23 +0200
Subject: [PATCH 010/108] fixed
---
 roles/haproxy/tasks/main.yml | 1 +
 1 file changed, 1 insertion(+)
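Review bot: The notify in keepalived.yml is changed to `- Restart HAProxy`, so a change to keepalived.conf now restarts HAProxy and leaves keepalived running its old configuration, while the newly renamed `Restart keepalived` handler in handlers/main.yml is never notified by anything. It should be `- Restart keepalived`.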
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index bfb08cc..d52756a 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -8,6 +8,7 @@
 template:
 src: haproxy.conf.j2
 dest: /etc/haproxy/haproxy.conf
+ validate: haproxy -c -f /etc/haproxy/haproxy.conf
 notify:
 - Restart HAProxy

From 21c3df544f3773bcaf38aeeed9bf338399beb378 Mon Sep 17 00:00:00 2001
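Review bot: Ansible's `template` module runs `validate` against a temporary copy of the rendered file and requires the `%s` placeholder in the command; `validate: haproxy -c -f /etc/haproxy/haproxy.conf` lacks it, so the module rejects the validate string and the task fails before anything is written, and even if it ran it would check the currently installed file rather than the new content. Use `validate: haproxy -c -f %s`.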
From: yoav-katz Date: Wed, 13 Nov 2024 14:42:27 +0000 Subject: [PATCH 011/108] added boilerplate --- roles/apache/.travis.yml | 29 ++++++++++++++++ roles/apache/README.md | 38 ++++++++++++++++++++ roles/apache/defaults/main.yml | 2 ++ roles/apache/handlers/main.yml | 2 ++ roles/apache/meta/main.yml | 52 ++++++++++++++++++++++++++++ roles/apache/tasks/main.yml | 2 ++ roles/apache/tests/inventory | 2 ++ roles/apache/tests/test.yml | 5 +++ roles/apache/vars/main.yml | 2 ++ roles/certificates/.travis.yml | 29 ++++++++++++++++ roles/certificates/README.md | 38 ++++++++++++++++++++ roles/certificates/defaults/main.yml | 2 ++ roles/certificates/handlers/main.yml | 2 ++ roles/certificates/meta/main.yml | 52 ++++++++++++++++++++++++++++ roles/certificates/tasks/main.yml | 2 ++ roles/certificates/tests/inventory | 2 ++ roles/certificates/tests/test.yml | 5 +++ roles/certificates/vars/main.yml | 2 ++ 18 files changed, 268 insertions(+) create mode 100644 roles/apache/.travis.yml create mode 100644 roles/apache/README.md create mode 100644 roles/apache/defaults/main.yml create mode 100644 roles/apache/handlers/main.yml create mode 100644 roles/apache/meta/main.yml create mode 100644 roles/apache/tasks/main.yml create mode 100644 roles/apache/tests/inventory create mode 100644 roles/apache/tests/test.yml create mode 100644 roles/apache/vars/main.yml create mode 100644 roles/certificates/.travis.yml create mode 100644 roles/certificates/README.md create mode 100644 roles/certificates/defaults/main.yml create mode 100644 roles/certificates/handlers/main.yml create mode 100644 roles/certificates/meta/main.yml create mode 100644 roles/certificates/tasks/main.yml create mode 100644 roles/certificates/tests/inventory create mode 100644 roles/certificates/tests/test.yml create mode 100644 roles/certificates/vars/main.yml diff --git a/roles/apache/.travis.yml b/roles/apache/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/apache/.travis.yml 
@@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/apache/README.md b/roles/apache/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/apache/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml new file mode 100644 index 0000000..f5299ef --- /dev/null +++ b/roles/apache/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for apache diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml new file mode 100644 index 0000000..f41c6b0 --- /dev/null +++ b/roles/apache/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for apache diff --git a/roles/apache/meta/main.yml b/roles/apache/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null +++ b/roles/apache/meta/main.yml 
@@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml new file mode 100644 index 0000000..b6d4b1b --- /dev/null +++ b/roles/apache/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for apache diff --git a/roles/apache/tests/inventory b/roles/apache/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null 
+++ b/roles/apache/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/apache/tests/test.yml b/roles/apache/tests/test.yml new file mode 100644 index 0000000..191e731 --- /dev/null +++ b/roles/apache/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - apache diff --git a/roles/apache/vars/main.yml b/roles/apache/vars/main.yml new file mode 100644 index 0000000..2aa5032 --- /dev/null +++ b/roles/apache/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for apache diff --git a/roles/certificates/.travis.yml b/roles/certificates/.travis.yml new file mode 100644 index 0000000..36bbf62 --- /dev/null +++ b/roles/certificates/.travis.yml @@ -0,0 +1,29 @@ +--- +language: python +python: "2.7" + +# Use the new container infrastructure +sudo: false + +# Install ansible +addons: + apt: + packages: + - python-pip + +install: + # Install ansible + - pip install ansible + + # Check ansible version + - ansible --version + + # Create ansible.cfg with correct roles_path + - printf '[defaults]\nroles_path=../' >ansible.cfg + +script: + # Basic role syntax check + - ansible-playbook tests/test.yml -i tests/inventory --syntax-check + +notifications: + webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/certificates/README.md b/roles/certificates/README.md new file mode 100644 index 0000000..225dd44 --- /dev/null +++ b/roles/certificates/README.md 
@@ -0,0 +1,38 @@ +Role Name +========= + +A brief description of the role goes here. + +Requirements +------------ + +Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. + +Role Variables +-------------- + +A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. + +Dependencies +------------ + +A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. + +Example Playbook +---------------- + +Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: + + - hosts: servers + roles: + - { role: username.rolename, x: 42 } + +License +------- + +BSD + +Author Information +------------------ + +An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml new file mode 100644 index 0000000..fb71ddc --- /dev/null +++ b/roles/certificates/defaults/main.yml @@ -0,0 +1,2 @@ +--- +# defaults file for certificates diff --git a/roles/certificates/handlers/main.yml b/roles/certificates/handlers/main.yml new file mode 100644 index 0000000..df5e99f --- /dev/null +++ b/roles/certificates/handlers/main.yml @@ -0,0 +1,2 @@ +--- +# handlers file for certificates diff --git a/roles/certificates/meta/main.yml b/roles/certificates/meta/main.yml new file mode 100644 index 0000000..c572acc --- /dev/null 
+++ b/roles/certificates/meta/main.yml @@ -0,0 +1,52 @@ +galaxy_info: + author: your name + description: your role description + company: your company (optional) + + # If the issue tracker for your role is not on github, uncomment the + # next line and provide a value + # issue_tracker_url: http://example.com/issue/tracker + + # Choose a valid license ID from https://spdx.org - some suggested licenses: + # - BSD-3-Clause (default) + # - MIT + # - GPL-2.0-or-later + # - GPL-3.0-only + # - Apache-2.0 + # - CC-BY-4.0 + license: license (GPL-2.0-or-later, MIT, etc) + + min_ansible_version: 2.1 + + # If this a Container Enabled role, provide the minimum Ansible Container version. + # min_ansible_container_version: + + # + # Provide a list of supported platforms, and for each platform a list of versions. + # If you don't wish to enumerate all versions for a particular platform, use 'all'. + # To view available platforms and versions (or releases), visit: + # https://galaxy.ansible.com/api/v1/platforms/ + # + # platforms: + # - name: Fedora + # versions: + # - all + # - 25 + # - name: SomePlatform + # versions: + # - all + # - 1.0 + # - 7 + # - 99.99 + + galaxy_tags: [] + # List tags for your role here, one per line. A tag is a keyword that describes + # and categorizes the role. Users find roles by searching for tags. Be sure to + # remove the '[]' above, if you add tags to this list. + # + # NOTE: A tag is limited to a single word comprised of alphanumeric characters. + # Maximum 20 tags per role. + +dependencies: [] + # List your role dependencies here, one per line. Be sure to remove the '[]' above, + # if you add dependencies to this list. diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml new file mode 100644 index 0000000..9173425 --- /dev/null +++ b/roles/certificates/tasks/main.yml @@ -0,0 +1,2 @@ +--- +# tasks file for certificates 
diff --git a/roles/certificates/tests/inventory b/roles/certificates/tests/inventory new file mode 100644 index 0000000..878877b --- /dev/null +++ b/roles/certificates/tests/inventory @@ -0,0 +1,2 @@ +localhost + diff --git a/roles/certificates/tests/test.yml b/roles/certificates/tests/test.yml new file mode 100644 index 0000000..f24402c --- /dev/null +++ b/roles/certificates/tests/test.yml @@ -0,0 +1,5 @@ +--- +- hosts: localhost + remote_user: root + roles: + - certificates diff --git a/roles/certificates/vars/main.yml b/roles/certificates/vars/main.yml new file mode 100644 index 0000000..ba85bf4 --- /dev/null +++ b/roles/certificates/vars/main.yml @@ -0,0 +1,2 @@ +--- +# vars file for certificates From df4b400f90dfdce8d72cf15cff90ad1341f804a3 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:13:34 +0200 Subject: [PATCH 012/108] fixed --- roles/certificates/tasks/main.yml | 30 +++++++++++++++++++++++++++++- roles/haproxy/tasks/main.yml | 4 ++++ 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 9173425..f09a564 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml 
@@ -1,2 +1,30 @@ --- -# tasks file for certificates +- name: Generate private key + community.crypto.openssl_privatekey_pipe: + passphrase: "{{ host_passphrase }}" + register: host_private_key + +- name: Generate CSR + community.crypto.openssl_csr_pipe: + privatekey_passphrase: "{{ host_passphrase }}" + privatekey_content: "{{ host_private_key.privatekey }}" + common_name: "{{ ansible_fqdn }}" + organization_name: "My Organization" + locality_name: "Tel Aviv" + country_name: "IL" + register: host_csr + +- name: Sign the CSR using the CA + community.crypto.x509_certificate_pipe: + csr_content: "{{ host_csr.csr }}" + ownca_path: /etc/ca/ca.crt + ownca_privatekey_path: /etc/ca/private/ca.key + ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}" + provider: ownca + delegate_to: localhost + register: host_crt + +- name: Copy the CRT to the servers + copy: + content: "{{ host_crt.certificate }}" + dest: /etc/ssl/certs/server.crt \ No newline at end of file diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index d52756a..6a5ee33 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -1,4 +1,8 @@ --- +- name: Call Certificate Role + include_role: + name: "certificates" + - name: Ensure HAProxy is installed. dnf: name: haproxy From 609bfc5b966ef5a2314b23fa950066ee016a9a11 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:14:53 +0200 Subject: [PATCH 013/108] fixe --- roles/certificates/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index f09a564..50c2bda 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml 
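Review bot: None of the three tasks that handle key material carries `no_log: true`, so the private key that `openssl_privatekey_pipe` returns into `host_private_key`, the `host_passphrase` passed to it and to `openssl_csr_pipe`, and the `secret_ca_passphrase` given to `x509_certificate_pipe` are all printed in clear text on a failed task or a verbose run; add `no_log: true` to each of them. The final task writes only `host_crt.certificate` to `/etc/ssl/certs/server.crt`, so at this point the host receives a certificate but never its private key, which exists only in the registered variable. The later edits of these same tasks on L26, L28 and L32 inherit the missing `no_log`.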
@@ -1,12 +1,12 @@ --- - name: Generate private key community.crypto.openssl_privatekey_pipe: - passphrase: "{{ host_passphrase }}" + passphrase: "" register: host_private_key - name: Generate CSR community.crypto.openssl_csr_pipe: - privatekey_passphrase: "{{ host_passphrase }}" + privatekey_passphrase: "" privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" organization_name: "My Organization" @@ -19,7 +19,7 @@ csr_content: "{{ host_csr.csr }}" ownca_path: /etc/ca/ca.crt ownca_privatekey_path: /etc/ca/private/ca.key - ownca_privatekey_passphrase: "{{ secret_ca_passphrase }}" + ownca_privatekey_passphrase: "" provider: ownca delegate_to: localhost register: host_crt From 4814336fed5c8d5bbb98dbf4968bb0220470cca2 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:31:52 +0200 Subject: [PATCH 014/108] fix --- roles/apache/handlers/main.yml | 4 ++ roles/apache/tasks/main.yml | 17 +++++- roles/apache/templates/httpd.conf.j2 | 79 ++++++++++++++++++++++++++++ roles/haproxy/tasks/main.yml | 2 +- 4 files changed, 100 insertions(+), 2 deletions(-) create mode 100644 roles/apache/templates/httpd.conf.j2 diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml index f41c6b0..3c912cb 100644 --- a/roles/apache/handlers/main.yml +++ b/roles/apache/handlers/main.yml @@ -1,2 +1,6 @@ --- # handlers file for apache +- name: Restart Httpd + service: + name: httpd + state: restarted \ No newline at end of file diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index b6d4b1b..ef08ccb 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml 
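Review bot: Replacing `{{ host_passphrase }}` and `{{ secret_ca_passphrase }}` with `""` hard-codes empty passphrases instead of supplying the values; if `/etc/ca/private/ca.key` is encrypted the ownca signing will fail, and if it is not, `ownca_privatekey_passphrase` should simply be omitted rather than set to an empty string. The same holds for `passphrase` and `privatekey_passphrase` on the host key: an unencrypted service key is a defensible choice, but then drop both lines rather than passing `""`. If passphrases are wanted, they should come from an `ansible-vault` encrypted variable, never from an inline literal.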
@@ -1,2 +1,17 @@ --- -# tasks file for apache +- name: Call Certificate Role + include_role: + name: "certificates" + +- name: Ensure httpd is installed. + dnf: + name: httpd + state: present + +- name: Generate httpd configuration + template: + src: httpd.conf.j2 + dest: /etc/httpd/conf/httpd.conf + validate: httpd -t -f %s + notify: + - Restart Httpd diff --git a/roles/apache/templates/httpd.conf.j2 b/roles/apache/templates/httpd.conf.j2 new file mode 100644 index 0000000..08e934d --- /dev/null +++ b/roles/apache/templates/httpd.conf.j2 @@ -0,0 +1,79 @@ +ServerRoot "/etc/httpd" +ServerName {{ ansible_fqdn }} +Listen 443 + +Include conf.modules.d/*.conf + +User apache +Group apache + + + AllowOverride none + Require all denied + + +DocumentRoot "/var/www/html" + +#Further relax access to the default document root: + + Options Indexes FollowSymLinks + AllowOverride None + Require all granted + + + + SSLEngine on + SSLCertificateKeyFile /etc/ssl/private/server.pem + SSLCertificateFile /etc/ssl/private/server.pem + SSLProtocol all -SSLv2 -SSLv3 + + + + DirectoryIndex index.html + + + + Require all denied + + +ErrorLog "logs/error_log" + +LogLevel warn + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined + LogFormat "%h %l %u %t \"%r\" %>s %b" common + + + LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\" %I %O" combinedio + + + CustomLog "logs/access_log" combined + + + + ScriptAlias /cgi-bin/ "/var/www/cgi-bin/" + + + + AllowOverride None + Options None + Require all granted + + + + TypesConfig /etc/mime.types + AddType application/x-compress .Z + AddType application/x-gzip .gz .tgz + AddType text/html .shtml + AddOutputFilter INCLUDES .shtml + + +AddDefaultCharset UTF-8 + + + MIMEMagicFile conf/magic + + +EnableSendfile on +IncludeOptional conf.d/*.conf \ No newline at end of file diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 6a5ee33..0352742 100644 
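Review bot: The template points `SSLCertificateKeyFile` and `SSLCertificateFile` at `/etc/ssl/private/server.pem`, but in this commit the certificates role it includes writes only `/etc/ssl/certs/server.crt` and never writes the private key to the host, so the `validate: httpd -t -f %s` step in the preceding hunk will most likely fail on a fresh host because mod_ssl cannot find the file. `SSLProtocol all -SSLv2 -SSLv3` still permits TLS 1.0 and 1.1; prefer an allow-list such as `SSLProtocol -all +TLSv1.2 +TLSv1.3`. The directive blocks appear to have lost their `<Directory>`/`<VirtualHost>` container lines in this rendering, so the file should be checked in the repository rather than from this view.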
--- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -12,7 +12,7 @@ template: src: haproxy.conf.j2 dest: /etc/haproxy/haproxy.conf - validate: haproxy -c -f /etc/haproxy/haproxy.conf + validate: haproxy -c -f %s notify: - Restart HAProxy From 063dea8f717391495996a434480f6b4857dec759 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:34:40 +0200 Subject: [PATCH 015/108] bl --- inventory.ini | 8 ++++---- roles/certificates/tasks/main.yml | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/inventory.ini b/inventory.ini index 7b0a7ae..960458c 100644 --- a/inventory.ini +++ b/inventory.ini @@ -1,7 +1,7 @@ [haproxy] -192.168.0.2 keepalived_state=MASTER keepalived_priority=101 -192.168.0.3 keepalived_state=BACKUP keepalived_priority=99 +192.168.0.2 host_passphrase="ammonia unrigged crafty versus" keepalived_state=MASTER keepalived_priority=101 +192.168.0.3 host_passphrase="erratic latrine awoke pushchair" keepalived_state=BACKUP keepalived_priority=99 [webserver] -192.168.0.4 -192.168.0.5 \ No newline at end of file +192.168.0.4 host_passphrase="level stoplight frantic unsliced" +192.168.0.5 host_passphrase="conducive imagines numerate upstart" \ No newline at end of file diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 50c2bda..2639407 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,12 +1,12 @@ --- - name: Generate private key community.crypto.openssl_privatekey_pipe: - passphrase: "" + passphrase: "{{ host_passphrase }}" register: host_private_key - name: Generate CSR community.crypto.openssl_csr_pipe: - privatekey_passphrase: "" + privatekey_passphrase: "{{ host_passphrase }}" privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" organization_name: "My Organization" From 36bbdd1472c13b0f97f9059b92559173b2774906 Mon Sep 17 00:00:00 2001 
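Review bot: The four `host_passphrase` values are committed in clear text as inline inventory variables, which places per-host secrets in the repository history; even though the next commit (L26) removes them again, they remain recoverable from git history and should be treated as disclosed and rotated if they were ever used. Per-host secrets belong in `host_vars/<host>.yml` encrypted with `ansible-vault`, or in an external secret store, with the inventory carrying only non-sensitive data such as `keepalived_state` and `keepalived_priority`.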
From: yoav-katz Date: Wed, 13 Nov 2024 17:37:11 +0200 Subject: [PATCH 016/108] bl --- inventory.ini | 8 ++++---- roles/certificates/tasks/main.yml | 2 -- 2 files changed, 4 insertions(+), 6 deletions(-) diff --git a/inventory.ini b/inventory.ini index 960458c..7b0a7ae 100644 --- a/inventory.ini +++ b/inventory.ini @@ -1,7 +1,7 @@ [haproxy] -192.168.0.2 host_passphrase="ammonia unrigged crafty versus" keepalived_state=MASTER keepalived_priority=101 -192.168.0.3 host_passphrase="erratic latrine awoke pushchair" keepalived_state=BACKUP keepalived_priority=99 +192.168.0.2 keepalived_state=MASTER keepalived_priority=101 +192.168.0.3 keepalived_state=BACKUP keepalived_priority=99 [webserver] -192.168.0.4 host_passphrase="level stoplight frantic unsliced" -192.168.0.5 host_passphrase="conducive imagines numerate upstart" \ No newline at end of file +192.168.0.4 +192.168.0.5 \ No newline at end of file diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 2639407..f75fbc0 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,12 +1,10 @@ --- - name: Generate private key community.crypto.openssl_privatekey_pipe: - passphrase: "{{ host_passphrase }}" register: host_private_key - name: Generate CSR community.crypto.openssl_csr_pipe: - privatekey_passphrase: "{{ host_passphrase }}" privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" organization_name: "My Organization" From 1ede2e9f16be22fbca39ee6098fe057a67c7cb52 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:39:02 +0200 Subject: [PATCH 017/108] bla --- roles/certificates/tasks/main.yml | 3 +++ 1 file changed, 3 insertions(+) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index f75fbc0..e7e24ac 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml 
@@ -1,4 +1,7 @@ --- +- name: Ensure Required Packages Installed + pip: + name: cryptography - name: Generate private key community.crypto.openssl_privatekey_pipe: register: host_private_key From 3f277f0c3482167dd801cc40a0f1234d361325f3 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:40:28 +0200 Subject: [PATCH 018/108] b --- roles/certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index e7e24ac..514b6fc 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Ensure Required Packages Installed pip: - name: cryptography + name: cryptography>=1.2.3 - name: Generate private key community.crypto.openssl_privatekey_pipe: register: host_private_key From 8d5d7c6f736674c30cb2e6501a7a4e25dd294f01 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:41:04 +0200 Subject: [PATCH 019/108] b --- roles/certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 514b6fc..3be3040 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,7 +1,7 @@ --- - name: Ensure Required Packages Installed pip: - name: cryptography>=1.2.3 + name: cryptography>=1.6 - name: Generate private key community.crypto.openssl_privatekey_pipe: register: host_private_key From 84a57e85f654fd77fbcd88e64343021556681ca2 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:42:57 +0200 Subject: [PATCH 020/108] bl --- ansible.cfg | 1 + 1 file changed, 1 insertion(+) diff --git a/ansible.cfg b/ansible.cfg index 520b772..be6c458 100644 --- a/ansible.cfg +++ b/ansible.cfg @@ -4,3 +4,4 @@ inventory = $HOME/ITtoolsTask/inventory.ini forks = 10 remote_user = vagrant become = False +ansible_python_interpreter = /usr/bin/python3.8 \ No newline at end of file 
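Review bot: `ansible_python_interpreter` is an inventory/host variable, not an `ansible.cfg` `[defaults]` key, so the added line is most likely ignored by the config loader; the equivalent config setting is `interpreter_python = /usr/bin/python3.8` under `[defaults]`, or set `ansible_python_interpreter` in the inventory or `group_vars`. In the pip hunks on this line, `cryptography>=1.6` is a very old floor; if a minimum is needed it should be the version the `community.crypto` modules actually require, and installing from PyPI on managed hosts at play time deserves an exact pin so the dependency is reproducible.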
From efd8fae9575cde07ac5199c619b6e78a07579434 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:44:08 +0200 Subject: [PATCH 021/108] bla --- roles/certificates/tasks/main.yml | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 3be3040..193cd25 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,7 +1,8 @@ --- -- name: Ensure Required Packages Installed +- name: Ensure cryptography Packages Installed pip: name: cryptography>=1.6 + state: present - name: Generate private key community.crypto.openssl_privatekey_pipe: register: host_private_key From 92f3c253e18e20c2984f8b1de09107cf28063a76 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:49:26 +0200 Subject: [PATCH 022/108] br --- roles/certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 193cd25..2081eb3 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -3,6 +3,7 @@ pip: name: cryptography>=1.6 state: present + - name: Generate private key community.crypto.openssl_privatekey_pipe: register: host_private_key @@ -21,7 +22,6 @@ csr_content: "{{ host_csr.csr }}" ownca_path: /etc/ca/ca.crt ownca_privatekey_path: /etc/ca/private/ca.key - ownca_privatekey_passphrase: "" provider: ownca delegate_to: localhost register: host_crt From 9b7f066f0ca797b2d3249c64541c8610c928f979 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:51:06 +0200 Subject: [PATCH 023/108] bla --- playbook.yml | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/playbook.yml b/playbook.yml index 9d7bcf9..ad6362f 100644 --- a/playbook.yml +++ b/playbook.yml 
@@ -3,7 +3,11 @@ become: true gather_facts: true tasks: + - name: Import apache Role + import_role: + name: "apache" + when: "'haproxy' in group_names" - name: Import haproxy Role import_role: name: "haproxy" - when: "'haproxy' in group_names" + when: "'haproxy' in group_names" \ No newline at end of file From 8c3eaac35c09645eb0226e032ff3707d792a6c1e Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 17:58:26 +0200 Subject: [PATCH 024/108] bl --- roles/certificates/tasks/main.yml | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 2081eb3..e3d93cc 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -26,7 +26,7 @@ delegate_to: localhost register: host_crt -- name: Copy the CRT to the servers +- name: Assemble private key and certificate into PEM file copy: - content: "{{ host_crt.certificate }}" - dest: /etc/ssl/certs/server.crt \ No newline at end of file + content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" + dest: /etc/ssl/certs/private/server.pem \ No newline at end of file From 77bce733b6f3063e500ae81e7e0a03c75bdcc833 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 18:01:08 +0200 Subject: [PATCH 025/108] s --- roles/certificates/tasks/main.yml | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index e3d93cc..b51c9a8 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml 
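Review bot: The 'Assemble private key and certificate into PEM file' task writes the private key to `/etc/ssl/certs/private/server.pem` with no `mode`, `owner` or `group`, so the file is created with the `copy` module's umask-derived default and will typically be readable by every local user; add `mode: '0600'`, an explicit root `owner`/`group`, and `no_log: true` since `content` is key material. The destination directory `/etc/ssl/certs/private` is also not created by any task visible in this role at this point, so the copy will fail on a host where it does not already exist.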
@@ -26,7 +26,13 @@ delegate_to: localhost register: host_crt +- name: Ensure /etc/ssl/private/server.pem directory exists + file: /etc/ssl/private/ + state: directory + mode: '0755' + + - name: Assemble private key and certificate into PEM file copy: content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" - dest: /etc/ssl/certs/private/server.pem \ No newline at end of file + dest: /etc/ssl/private/server.pem \ No newline at end of file From d7fc486a512829dcb942370940a2bd95b4a6b546 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 18:27:46 +0200 Subject: [PATCH 026/108] bla --- roles/certificates/tasks/main.yml | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index b51c9a8..76fe231 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -27,9 +27,10 @@ register: host_crt - name: Ensure /etc/ssl/private/server.pem directory exists - file: /etc/ssl/private/ - state: directory - mode: '0755' + file: + path: /etc/ssl/private/ + state: directory + mode: '0755' - name: Assemble private key and certificate into PEM file From a5dfd3eaa5d2358f7a03dec62a64517bb74da977 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 18:35:22 +0200 Subject: [PATCH 027/108] b --- roles/apache/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index ef08ccb..4a2d01d 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -12,6 +12,5 @@ template: src: httpd.conf.j2 dest: /etc/httpd/conf/httpd.conf - validate: httpd -t -f %s notify: - Restart Httpd From 332fa1133154674feb229f0aefea63122a5e77d5 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 18:45:35 +0200 Subject: [PATCH 028/108] bl --- playbook.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/playbook.yml b/playbook.yml index ad6362f..c3a5706 100644 
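Review bot: `/etc/ssl/private/` is created with `mode: '0755'`, which gives every local user traverse access to a directory intended to hold the server's private key; use `mode: '0700'` with an explicit `owner: root` / `group: root` — httpd and haproxy normally read their certificates as root at startup before dropping privileges, so this should not break them, but confirm for the reload path. The PEM copy that follows in the same hunk still sets no `mode`, so the key file itself remains at the umask default.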
--- a/playbook.yml +++ b/playbook.yml @@ -6,7 +6,7 @@ - name: Import apache Role import_role: name: "apache" - when: "'haproxy' in group_names" + when: "'webservers' in group_names" - name: Import haproxy Role import_role: name: "haproxy" From bd8394356c8ad93f0d7ade840f942870e9a542aa Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 18:48:22 +0200 Subject: [PATCH 029/108] bls --- playbook.yml | 2 +- roles/apache/tasks/main.yml | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/playbook.yml b/playbook.yml index c3a5706..c491f0d 100644 --- a/playbook.yml +++ b/playbook.yml @@ -6,7 +6,7 @@ - name: Import apache Role import_role: name: "apache" - when: "'webservers' in group_names" + when: "'webserver' in group_names" - name: Import haproxy Role import_role: name: "haproxy" diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 4a2d01d..ef08ccb 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -12,5 +12,6 @@ template: src: httpd.conf.j2 dest: /etc/httpd/conf/httpd.conf + validate: httpd -t -f %s notify: - Restart Httpd From 3bba01f1cf931d79960e68b8358fb71dedc7913d Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 19:17:43 +0200 Subject: [PATCH 030/108] b --- roles/certificates/tasks/main.yml | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 76fe231..57e8be9 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -26,7 +26,7 @@ delegate_to: localhost register: host_crt -- name: Ensure /etc/ssl/private/server.pem directory exists +- name: Ensure /etc/ssl/private directory exists file: path: /etc/ssl/private/ state: directory 
@@ -36,4 +36,13 @@ - name: Assemble private key and certificate into PEM file copy: content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" - dest: /etc/ssl/private/server.pem \ No newline at end of file + dest: /etc/ssl/private/server.pem + +- name: Copy certificate to trusted anchors directory + copy: + content: "{{ host_crt.certificate }}" + dest: /etc/pki/ca-trust/source/anchors/server.crt + mode: '0644' + +- name: Update CA trust on the host + command: update-ca-trust \ No newline at end of file From 100cf3e0f1f159afeb149e59ade8e3376e8ea58f Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 19:23:47 +0200 Subject: [PATCH 031/108] d --- roles/certificates/tasks/main.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 57e8be9..4036a4c 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -40,9 +40,8 @@ - name: Copy certificate to trusted anchors directory copy: - content: "{{ host_crt.certificate }}" - dest: /etc/pki/ca-trust/source/anchors/server.crt - mode: '0644' + src: /etc/ssl/private/server.pem + dest: /etc/pki/ca-trust/source/anchors/server.pem - name: Update CA trust on the host command: update-ca-trust \ No newline at end of file From 8ce39c8145dbd19c982da9d36f100902dc0627a6 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Wed, 13 Nov 2024 19:26:21 +0200 Subject: [PATCH 032/108] b --- roles/certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 4036a4c..5972da1 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -40,7 +40,7 @@ - name: Copy certificate to trusted anchors directory copy: - src: /etc/ssl/private/server.pem + remote_src: /etc/ssl/private/server.pem dest: /etc/pki/ca-trust/source/anchors/server.pem - name: Update CA trust on the host 
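Review bot: After the last hunk on this line the anchor copy has `remote_src: /etc/ssl/private/server.pem` and no `src`, but `remote_src` is a boolean flag, so the task will fail for lack of `src`/`content`; the intended form is `src: /etc/ssl/private/server.pem` together with `remote_src: true`. More importantly, since the middle hunk the file being copied is the combined PEM that contains the private key, so it would land in `/etc/pki/ca-trust/source/anchors/`, a directory that is normally readable by all local users — copy only `host_crt.certificate` as the first hunk did, or, presumably the real intent, install the CA certificate (`/etc/ca/ca.crt`) as the trust anchor instead of each host's own leaf certificate. The `command: update-ca-trust` task also runs and reports changed on every play; make it a handler notified by the anchor copy, or add `changed_when: false`.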
From be79ce5ab8ca02af41c81d8f7ed35e2668e260c3 Mon Sep 17 00:00:00 2001 
From: yoav-katz Date: Thu, 14 Nov 2024 09:40:51 +0200 Subject: [PATCH 033/108] adsadf --- playbook.yml | 2 +- roles/apache/.travis.yml | 29 -------------- roles/apache/README.md | 38 ------------------- roles/apache/defaults/main.yml | 2 - roles/apache/handlers/main.yml | 2 +- roles/apache/meta/main.yml | 55 +++++---------------------- roles/apache/tasks/main.yml | 18 ++++++++- roles/apache/templates/index.html.j2 | 7 ++++ roles/apache/tests/inventory | 2 - roles/apache/tests/test.yml | 5 --- roles/apache/vars/main.yml | 2 - roles/certificates/.travis.yml | 29 -------------- roles/certificates/README.md | 38 ------------------- roles/certificates/defaults/main.yml | 7 +++- roles/certificates/handlers/main.yml | 2 - roles/certificates/meta/main.yml | 54 ++++----------------------- roles/certificates/tasks/main.yml | 24 ++++++------ roles/certificates/tests/inventory | 2 - roles/certificates/tests/test.yml | 5 --- roles/certificates/vars/main.yml | 2 - roles/haproxy/.travis.yml | 29 -------------- roles/haproxy/README.md | 38 ------------------- roles/haproxy/defaults/main.yml | 2 +- roles/haproxy/handlers/main.yml | 4 +- roles/haproxy/meta/main.yml | 56 +++++----------------------- roles/haproxy/tasks/keepalived.yml | 19 +++++++--- roles/haproxy/tasks/main.yml | 15 ++++++-- roles/haproxy/tests/inventory | 2 - roles/haproxy/tests/test.yml | 5 --- roles/haproxy/vars/main.yml | 2 - 30 files changed, 99 insertions(+), 398 deletions(-) delete mode 100644 roles/apache/.travis.yml delete mode 100644 roles/apache/README.md delete mode 100644 roles/apache/defaults/main.yml create mode 100644 roles/apache/templates/index.html.j2 delete mode 100644 roles/apache/tests/inventory delete mode 100644 roles/apache/tests/test.yml delete mode 100644 roles/apache/vars/main.yml delete mode 100644 roles/certificates/.travis.yml delete mode 100644 roles/certificates/README.md delete mode 100644 roles/certificates/handlers/main.yml delete mode 100644 roles/certificates/tests/inventory 
delete mode 100644 roles/certificates/tests/test.yml delete mode 100644 roles/certificates/vars/main.yml delete mode 100644 roles/haproxy/.travis.yml delete mode 100644 roles/haproxy/README.md delete mode 100644 roles/haproxy/tests/inventory delete mode 100644 roles/haproxy/tests/test.yml delete mode 100644 roles/haproxy/vars/main.yml diff --git a/playbook.yml b/playbook.yml index c491f0d..deaa737 100644 --- a/playbook.yml +++ b/playbook.yml @@ -10,4 +10,4 @@ - name: Import haproxy Role import_role: name: "haproxy" - when: "'haproxy' in group_names" \ No newline at end of file + when: "'haproxy' in group_names" diff --git a/roles/apache/.travis.yml b/roles/apache/.travis.yml deleted file mode 100644 index 36bbf62..0000000 --- a/roles/apache/.travis.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/apache/README.md b/roles/apache/README.md deleted file mode 100644 index 225dd44..0000000 --- a/roles/apache/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/apache/defaults/main.yml b/roles/apache/defaults/main.yml deleted file mode 100644 index f5299ef..0000000 --- a/roles/apache/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# defaults file for apache diff --git a/roles/apache/handlers/main.yml b/roles/apache/handlers/main.yml index 3c912cb..68db532 100644 --- a/roles/apache/handlers/main.yml +++ b/roles/apache/handlers/main.yml @@ -3,4 +3,4 @@ - name: Restart Httpd service: name: httpd - state: restarted \ No newline at end of file + state: restarted diff --git a/roles/apache/meta/main.yml b/roles/apache/meta/main.yml index c572acc..3db7c05 100644 
--- a/roles/apache/meta/main.yml +++ b/roles/apache/meta/main.yml @@ -1,52 +1,15 @@ galaxy_info: - author: your name - description: your role description - company: your company (optional) + role_name: apache + author: Yoav Katz + description: Creating httpd configuration with default index.html inside it + platforms: + - name: Centos8 + versions: + - all - # If the issue tracker for your role is not on github, uncomment the - # next line and provide a value - # issue_tracker_url: http://example.com/issue/tracker - - # Choose a valid license ID from https://spdx.org - some suggested licenses: - # - BSD-3-Clause (default) - # - MIT - # - GPL-2.0-or-later - # - GPL-3.0-only - # - Apache-2.0 - # - CC-BY-4.0 - license: license (GPL-2.0-or-later, MIT, etc) + license: MIT min_ansible_version: 2.1 - # If this a Container Enabled role, provide the minimum Ansible Container version. - # min_ansible_container_version: - - # - # Provide a list of supported platforms, and for each platform a list of versions. - # If you don't wish to enumerate all versions for a particular platform, use 'all'. - # To view available platforms and versions (or releases), visit: - # https://galaxy.ansible.com/api/v1/platforms/ - # - # platforms: - # - name: Fedora - # versions: - # - all - # - 25 - # - name: SomePlatform - # versions: - # - all - # - 1.0 - # - 7 - # - 99.99 - - galaxy_tags: [] - # List tags for your role here, one per line. A tag is a keyword that describes - # and categorizes the role. Users find roles by searching for tags. Be sure to - # remove the '[]' above, if you add tags to this list. - # - # NOTE: A tag is limited to a single word comprised of alphanumeric characters. - # Maximum 20 tags per role. +dependencies: ['certificates'] -dependencies: [] - # List your role dependencies here, one per line. Be sure to remove the '[]' above, - # if you add dependencies to this list. diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index ef08ccb..c574849 100644 
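Review bot: `dependencies: ['certificates']` makes Ansible run the certificates role before apache, yet apache's tasks/main.yml still begins with `include_role: name: "certificates"` (visible as context in the next hunk on L38), so the role now executes twice per host, and because the `*_pipe` modules generate a fresh key and CSR on every call, the second run silently replaces the key and certificate written by the first. Keep one mechanism — the meta dependency or the include — and remove the other. `platforms: - name: Centos8` is probably not a Galaxy platform name (Galaxy lists distributions such as `EL` with a version of `8`); worth confirming against the platform list if the role is to be published.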
--- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -4,7 +4,7 @@ name: "certificates" - name: Ensure httpd is installed. - dnf: + dnf: name: httpd state: present @@ -13,5 +13,21 @@ src: httpd.conf.j2 dest: /etc/httpd/conf/httpd.conf validate: httpd -t -f %s + mode: 0644 + owner: apache + group: apache notify: - Restart Httpd + +- name: Generate apache html + template: + src: index.html.j2 + dest: /var/www/html/index.html + mode: 0644 + owner: apache + group: apache + +- name: Ensure httpd is enabled + service: + name: httpd + enabled: true diff --git a/roles/apache/templates/index.html.j2 b/roles/apache/templates/index.html.j2 new file mode 100644 index 0000000..0cbc021 --- /dev/null +++ b/roles/apache/templates/index.html.j2 @@ -0,0 +1,7 @@ + + + + +
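Review bot: `httpd.conf` is installed with `owner: apache` and `group: apache`, which lets the unprivileged worker account rewrite the server's own configuration if it is ever compromised; configuration should remain `owner: root` / `group: root` with `mode: '0644'`, since the daemon only needs read access, and the same applies to the index.html template below it. The 'Ensure httpd is enabled' task sets `enabled: true` but no `state: started`, so on a fresh host the service does not run until the restart handler fires or the host reboots — add `state: started`. Writing the modes quoted (`mode: '0644'`) is also the form ansible-lint expects and avoids the octal-versus-decimal ambiguity of a bare `0644`.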

{{ ansible_nodename }}

+ + \ No newline at end of file diff --git a/roles/apache/tests/inventory b/roles/apache/tests/inventory deleted file mode 100644 index 878877b..0000000 --- a/roles/apache/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/roles/apache/tests/test.yml b/roles/apache/tests/test.yml deleted file mode 100644 index 191e731..0000000 --- a/roles/apache/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - apache diff --git a/roles/apache/vars/main.yml b/roles/apache/vars/main.yml deleted file mode 100644 index 2aa5032..0000000 --- a/roles/apache/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for apache diff --git a/roles/certificates/.travis.yml b/roles/certificates/.travis.yml deleted file mode 100644 index 36bbf62..0000000 --- a/roles/certificates/.travis.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/certificates/README.md b/roles/certificates/README.md deleted file mode 100644 index 225dd44..0000000 --- a/roles/certificates/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml index fb71ddc..c09e299 100644 --- a/roles/certificates/defaults/main.yml +++ b/roles/certificates/defaults/main.yml @@ -1,2 +1,7 @@ --- -# defaults file for certificates +ca_content: "" +ca_privatekey_content: "" +organization_details: + name: "My Organization" + locality: "Tel Aviv" + country: "IL" diff --git a/roles/certificates/handlers/main.yml b/roles/certificates/handlers/main.yml deleted file mode 100644 index df5e99f..0000000 --- a/roles/certificates/handlers/main.yml +++ /dev/null 
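Review bot: `ca_content: ""` and `ca_privatekey_content: ""` default the CA material to empty strings, so a caller that omits them fails only deep inside the signing step with an OpenSSL error rather than a clear message; add an `assert` at the start of the role, e.g. `that: ca_content | length > 0 and ca_privatekey_content | length > 0`. The CA private key is now an ordinary role variable, so it must come from an `ansible-vault` encrypted var file or a secret-store lookup, and every task that receives it needs `no_log: true` or it is printed on failure. The tasks hunk that consumes these defaults begins after the end of this chunk.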
@@ -1,2 +0,0 @@ ---- -# handlers file for certificates diff --git a/roles/certificates/meta/main.yml b/roles/certificates/meta/main.yml index c572acc..0dcc0ce 100644 --- a/roles/certificates/meta/main.yml +++ b/roles/certificates/meta/main.yml 
@@ -1,52 +1,14 @@
 galaxy_info:
- author: your name
- description: your role description
- company: your company (optional)
+ role_name: certificates
+ author: Yoav Katz
+ description: Creating certificates to using a CA given as a variable
+ platforms:
+ - name: Centos8
+ versions:
+ - all
 
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Choose a valid license ID from https://spdx.org - some suggested licenses:
- # - BSD-3-Clause (default)
- # - MIT
- # - GPL-2.0-or-later
- # - GPL-3.0-only
- # - Apache-2.0
- # - CC-BY-4.0
- license: license (GPL-2.0-or-later, MIT, etc)
+ license: MIT
 
 min_ansible_version: 2.1
 
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- #
- # Provide a list of supported platforms, and for each platform a list of versions.
- # If you don't wish to enumerate all versions for a particular platform, use 'all'.
- # To view available platforms and versions (or releases), visit:
- # https://galaxy.ansible.com/api/v1/platforms/
- #
- # platforms:
- # - name: Fedora
- # versions:
- # - all
- # - 25
- # - name: SomePlatform
- # versions:
- # - all
- # - 1.0
- # - 7
- # - 99.99
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
 dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 5972da1..b1ea769 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -12,36 +12,38 @@ community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" - organization_name: "My Organization" - locality_name: "Tel Aviv" - country_name: "IL" + organization_name: "{{ organization_details.name }}" + locality_name: "{{ organization_details.locality }}" + country_name: "{{ organization_details.country }}" register: host_csr - name: Sign the CSR using the CA community.crypto.x509_certificate_pipe: csr_content: "{{ host_csr.csr }}" - ownca_path: /etc/ca/ca.crt - ownca_privatekey_path: /etc/ca/private/ca.key + ownca_content: "{{ ca_content }}" + ownca_privatekey_content: "{{ ca_privatekey_content }}" provider: ownca - delegate_to: localhost register: host_crt - name: Ensure /etc/ssl/private directory exists - file: + file: path: /etc/ssl/private/ state: directory - mode: '0755' + mode: 0700 - name: Assemble private key and certificate into PEM file copy: content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" dest: /etc/ssl/private/server.pem + mode: 0600 - name: Copy certificate to trusted anchors directory copy: - remote_src: /etc/ssl/private/server.pem - dest: /etc/pki/ca-trust/source/anchors/server.pem + content: "{{ ca_content }}" + dest: /etc/pki/ca-trust/source/anchors/root-CA.cert + mode: 0644 - name: Update CA trust on the host - command: update-ca-trust \ No newline at end of file + command: update-ca-trust + creates: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt diff --git a/roles/certificates/tests/inventory b/roles/certificates/tests/inventory deleted file mode 100644 index 878877b..0000000 --- a/roles/certificates/tests/inventory +++ /dev/null @@ -1,2 +0,0 @@ -localhost - diff --git a/roles/certificates/tests/test.yml b/roles/certificates/tests/test.yml deleted file mode 100644 index f24402c..0000000 --- a/roles/certificates/tests/test.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: localhost - remote_user: root - roles: - - certificates 
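Review bot: Dropping `delegate_to: localhost` and switching to `ownca_privatekey_content: "{{ ca_privatekey_content }}"` moves CSR signing onto each managed host, so the CA private key is now sent to every web and HAProxy node as a module argument, and because the task has no `no_log` it is printed in task output under `-v` or on failure. Signing on the controller (keeping `delegate_to: localhost`) confines the key to one place; whichever is kept, add `no_log: true` to this task and to "Assemble private key and certificate into PEM file", whose `content:` carries the host private key. The new `mode: 0700`, `mode: 0600` and `mode: 0644` values are unquoted, which YAML 1.1 loaders read as octal integers; that happens to yield the right bits here but breaks for any mode written without a leading zero, so write them as strings, `mode: "0700"`. The CSR task at the top of the hunk begins before file line 12, outside the hunk.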
diff --git a/roles/certificates/vars/main.yml b/roles/certificates/vars/main.yml deleted file mode 100644 index ba85bf4..0000000 --- a/roles/certificates/vars/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -# vars file for certificates diff --git a/roles/haproxy/.travis.yml b/roles/haproxy/.travis.yml deleted file mode 100644 index 36bbf62..0000000 --- a/roles/haproxy/.travis.yml +++ /dev/null @@ -1,29 +0,0 @@ ---- -language: python -python: "2.7" - -# Use the new container infrastructure -sudo: false - -# Install ansible -addons: - apt: - packages: - - python-pip - -install: - # Install ansible - - pip install ansible - - # Check ansible version - - ansible --version - - # Create ansible.cfg with correct roles_path - - printf '[defaults]\nroles_path=../' >ansible.cfg - -script: - # Basic role syntax check - - ansible-playbook tests/test.yml -i tests/inventory --syntax-check - -notifications: - webhooks: https://galaxy.ansible.com/api/v1/notifications/ \ No newline at end of file diff --git a/roles/haproxy/README.md b/roles/haproxy/README.md deleted file mode 100644 index 225dd44..0000000 --- a/roles/haproxy/README.md +++ /dev/null 
@@ -1,38 +0,0 @@ -Role Name -========= - -A brief description of the role goes here. - -Requirements ------------- - -Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required. - -Role Variables --------------- - -A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well. - -Dependencies ------------- - -A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles. - -Example Playbook ----------------- - -Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too: - - - hosts: servers - roles: - - { role: username.rolename, x: 42 } - -License -------- - -BSD - -Author Information ------------------- - -An optional section for the role authors to include contact information, or a website (HTML is not allowed). diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index b762fc5..1820658 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -1,4 +1,4 @@ --- # defaults file for haproxy keepalived_ip: 192.168.0.6 -keepalived_subnet: 29 \ No newline at end of file +keepalived_subnet: 29 diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml index 367a88d..99a7025 100644 --- a/roles/haproxy/handlers/main.yml +++ b/roles/haproxy/handlers/main.yml 
@@ -4,7 +4,7 @@ name: haproxy state: restarted -- name: Restart keepalived +- name: Restart Keepalived service: name: keepalived - state: restarted \ No newline at end of file + state: restarted diff --git a/roles/haproxy/meta/main.yml b/roles/haproxy/meta/main.yml index c572acc..671bee9 100644 --- a/roles/haproxy/meta/main.yml +++ b/roles/haproxy/meta/main.yml 
@@ -1,52 +1,14 @@
 galaxy_info:
- author: your name
- description: your role description
- company: your company (optional)
+ role_name: haproxy
+ author: Yoav Katz
+ description: Creating haproxy with keepalived configuration that passes requests to webserver host group
+ platforms:
+ - name: Centos8
+ versions:
+ - all
 
- # If the issue tracker for your role is not on github, uncomment the
- # next line and provide a value
- # issue_tracker_url: http://example.com/issue/tracker
-
- # Choose a valid license ID from https://spdx.org - some suggested licenses:
- # - BSD-3-Clause (default)
- # - MIT
- # - GPL-2.0-or-later
- # - GPL-3.0-only
- # - Apache-2.0
- # - CC-BY-4.0
- license: license (GPL-2.0-or-later, MIT, etc)
+ license: MIT
 
 min_ansible_version: 2.1
 
- # If this a Container Enabled role, provide the minimum Ansible Container version.
- # min_ansible_container_version:
-
- #
- # Provide a list of supported platforms, and for each platform a list of versions.
- # If you don't wish to enumerate all versions for a particular platform, use 'all'.
- # To view available platforms and versions (or releases), visit:
- # https://galaxy.ansible.com/api/v1/platforms/
- #
- # platforms:
- # - name: Fedora
- # versions:
- # - all
- # - 25
- # - name: SomePlatform
- # versions:
- # - all
- # - 1.0
- # - 7
- # - 99.99
-
- galaxy_tags: []
- # List tags for your role here, one per line. A tag is a keyword that describes
- # and categorizes the role. Users find roles by searching for tags. Be sure to
- # remove the '[]' above, if you add tags to this list.
- #
- # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
- # Maximum 20 tags per role.
-
-dependencies: []
- # List your role dependencies here, one per line. Be sure to remove the '[]' above,
- # if you add dependencies to this list.
+dependencies: ['certificates']
diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml
index 3591548..a4c27a9 100644
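Review bot: `dependencies: ['certificates']` makes Ansible run the certificates role before haproxy, yet roles/haproxy/tasks/main.yml in this same commit still carries `name: "certificates"` as a context line at file line 4, which looks like an explicit `import_role`/`include_role` of the same role. If that is what it is, the certificate tasks run twice per host, and since the `*_pipe` modules are not file-idempotent the second pass regenerates the CSR and the server PEM. Keep one mechanism, the meta dependency or the explicit import, and remove the other.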
--- a/roles/haproxy/tasks/keepalived.yml
+++ b/roles/haproxy/tasks/keepalived.yml
@@ -1,11 +1,20 @@
-- name: Ensure HAProxy is installed.
- dnf:
+- name: Ensure Keepalived is installed.
+ dnf:
 name: keepalived
 state: present
 
-- name: Generate HAProxy configuration
+
+- name: Generate Keepalived configuration
 template:
 src: keepalived.conf.j2
 dest: /etc/keepalived/keepalived.conf
- notify:
- - Restart HAProxy
\ No newline at end of file
+ validate: keepalived -t -f %s
+ mode: 0644
+ owner: haproxy
+ group: haproxy
+ notify: Restart Keepalived
+
+- name: Ensure Keepalive service is enabled
+ service:
+ name: keepalived
+ enabled: true
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 0352742..6168483 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -4,8 +4,8 @@
 name: "certificates"
 
- name: Ensure HAProxy is installed.
- dnf:
- name: haproxy
+ dnf:
+ name: haproxy
 state: present
 
- name: Generate HAProxy configuration
@@ -13,8 +13,15 @@
 src: haproxy.conf.j2
 dest: /etc/haproxy/haproxy.conf
 validate: haproxy -c -f %s
- notify:
- - Restart HAProxy
+ mode: 0644
+ owner: haproxy
+ group: haproxy
+ notify: Restart HAProxy
+
+- name: Ensure HAProxy service is enabled
+ service:
+ name: haproxy
+ enabled: true
 
- name: Generate keepalived
 import_tasks:
diff --git a/roles/haproxy/tests/inventory b/roles/haproxy/tests/inventory
deleted file mode 100644
index 878877b..0000000
--- a/roles/haproxy/tests/inventory
+++ /dev/null
@@ -1,2 +0,0 @@
-localhost
-
diff --git a/roles/haproxy/tests/test.yml b/roles/haproxy/tests/test.yml
deleted file mode 100644
index ede91ec..0000000
--- a/roles/haproxy/tests/test.yml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-- hosts: localhost
- remote_user: root
- roles:
- - haproxy
diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml
deleted file mode 100644
index 9cf5464..0000000
--- a/roles/haproxy/vars/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-# vars file for haproxy
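Review bot: `mode: 0644` with `owner: haproxy` / `group: haproxy` on the keepalived.conf template makes the file world-readable, and that file carries the VRRP `auth_pass` (a later patch in this series templates it from `keepalived_auth_pass`), so every local account on the node can read the VRRP secret. keepalived runs as root and does not need the haproxy user to own its configuration; `owner: root`, `group: root` and `mode: "0600"` keep the secret to root, and the quoted form also avoids the unquoted-octal trap. The haproxy.conf template task in tasks/main.yml in this commit receives the same `mode: 0644` and haproxy ownership and deserves the same treatment if haproxy.conf contains any credentials (for example a stats auth line), which cannot be confirmed from the hunk.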
From 2f80391585f13fa930a18dc7e8bf59c038c7a2a6 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 09:42:10 +0200 Subject: [PATCH 034/108] fix --- roles/certificates/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index b1ea769..26265ab 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -46,4 +46,3 @@ - name: Update CA trust on the host command: update-ca-trust - creates: /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt From 5ad0ff86d52188aa19d5c01b2adfa6ceac64659c Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 11:13:18 +0200 Subject: [PATCH 035/108] bfaads --- roles/apache/meta/main.yml | 1 - roles/apache/tasks/main.yml | 3 +- roles/haproxy/defaults/main.yml | 1 + roles/haproxy/tasks/keepalived.yml | 9 +- roles/haproxy/tasks/main.yml | 1 + roles/haproxy/templates/keepalived.conf.j2 | 2 +- vault | 162 +++++++++++++++++++++ 7 files changed, 175 insertions(+), 4 deletions(-) create mode 100644 vault diff --git a/roles/apache/meta/main.yml b/roles/apache/meta/main.yml index 3db7c05..bd77fbc 100644 --- a/roles/apache/meta/main.yml +++ b/roles/apache/meta/main.yml @@ -12,4 +12,3 @@ galaxy_info: min_ansible_version: 2.1 dependencies: ['certificates'] - diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index c574849..e2d01c6 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -27,7 +27,8 @@ owner: apache group: apache -- name: Ensure httpd is enabled +- name: Ensure httpd service is enabled service: name: httpd + state: started enabled: true diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml index 1820658..2b16fab 100644 --- a/roles/haproxy/defaults/main.yml +++ b/roles/haproxy/defaults/main.yml @@ -2,3 +2,4 @@ # defaults file for haproxy keepalived_ip: 192.168.0.6 keepalived_subnet: 29 +keepalived_auth_pass: "1111" 
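Review bot: `keepalived_auth_pass: "1111"` in roles/haproxy/defaults/main.yml gives the VRRP password a working default, so any play that fails to load the vaulted value silently falls back to a password stored in clear text in the repository. VRRP `auth_type PASS` transmits the password unencrypted and keepalived honours only its first 8 characters, so it should be treated as a shared secret that is always supplied explicitly: remove the default and add `- keepalived_auth_pass is defined` to the assert task this commit introduces in tasks/keepalived.yml. The neighbouring `keepalived_ip: 192.168.0.6` context line is fine unquoted, as it matches no YAML implicit type.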
diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml index a4c27a9..d60e6ce 100644 --- a/roles/haproxy/tasks/keepalived.yml +++ b/roles/haproxy/tasks/keepalived.yml @@ -1,9 +1,15 @@ +- name: Validate all keepalived host vars exists + assert: + that: + - keepalived_state in ['MASTER', 'BACKUP'] + - keepalived_priority is number + fail_msg: "to configure Keepalived all hosts hosting it needs: keepalived_state and keepalived_priority" + - name: Ensure Keepalived is installed. dnf: name: keepalived state: present - - name: Generate Keepalived configuration template: src: keepalived.conf.j2 @@ -17,4 +23,5 @@ - name: Ensure Keepalive service is enabled service: name: keepalived + state: started enabled: true diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index 6168483..cd6f7df 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -21,6 +21,7 @@ - name: Ensure HAProxy service is enabled service: name: haproxy + state: started enabled: true - name: Generate keepalived diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index f2ec96e..8c963df 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -11,7 +11,7 @@ vrrp_instance VI_1 { priority {{ keepalived_priority }} authentication { auth_type PASS - auth_pass 1111 + auth_pass {{ keepalived_auth_pass }} } virtual_ipaddress { {{ keepalived_ip }}/{{ keepalived_subnet }} diff --git a/vault b/vault new file mode 100644 index 0000000..9e90d58 --- /dev/null +++ b/vault 
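Review bot: The new assert in tasks/keepalived.yml checks `keepalived_state in ['MASTER', 'BACKUP']` and `keepalived_priority is number`, but when either variable is missing Jinja raises an undefined-variable error before the condition is evaluated, so the operator never sees `fail_msg`. Put definedness first in the `that:` list, `- keepalived_state is defined` and `- keepalived_priority is defined`, and since the keepalived.conf.j2 hunk in this commit now reads `keepalived_auth_pass`, assert that one as well. The `state: started` additions to both service tasks are fine; the `@@ -17,4 +23,5 @@` hunk's task begins outside the hunk.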
@@ -0,0 +1,162 @@ +$ANSIBLE_VAULT;1.1;AES256 +66326562323765346266353762396266653338343339383131373262373534356535633930303833 +3138346536636432363035613733336336316339313665660a313935653561613062616533643735 +30653833396165663131386232306235626461626330656339643234363165663663613337623163 +3830333938646361330a363535326263616436623961656130396437643632666537313066393038 +33626438663335396562663362616230383164383038323531316330626166326665353331643663 +37636138623033623533626164386535393330613165323538653437623837633536393366633638 +62326238633730313866663665376561376332366538343937653137303539323939353631383937 +36383133306331323065333463376432383333626230313936653365643434633930643639363531 +35336438383461386664346265663762633664316664336539316533373165393439346139623066 +32666237643138376563666364393966366266653865373237343766313437386230646662663961 +35333534346339353637343630383465626533613036376536316264306436636131366661346631 +65643930323633393761343165643331313133343632643937363136383134343466343337373030 +38323237353637653238376162613537646566396432343131343731663436613632663462613666 +62613866363339643862623266396139653034363735396136663538633439633365646135383632 +38313230323337383934383562636439643436373835363938663766626366333231636337316339 +65616563643162396464313734323539343231393032616230323863303831643563336363633134 +38313231393935363462316131623031656661646536626536396331376661343735633234666231 +31313963376536316263663130653830613466636464653664353961366332616362393362616164 +37663434393863353661353766363736373937646335356434323636333265636432313339643634 +39633431386438396537623833346361313634326464323833333262373062393530643935626362 +33633539626264373438353939623231306664326138306464393462353363373338303035646362 +31656436663865373236313465386337356232393534326230396533396661376366383531323134 +39343163313465623032393462653365336331306462326565323238393362633166316366383862 
+64333233613035313265623961663261613662353632643866373438353039396262653863303830 +61393738636163623033333833626534643738656265353233316630356233363163633637643165 +34663631313137376564363532353632313665333534653830633133303231636665323135323531 +63333566313034366465613163323936303233313062336638373934393733656264336161383934 +61626261343339383831643266646130353963396364336635636333646330316263626665656235 +32613238356436636636323033633733633336333362346662666464316533613436343538356462 +39316533306261636538313166393139353736356665333063643363666664623237363231306138 +30666530343630316637633061386461303434666635663062323632353232373065623737343935 +38373539303730376264333232353736373966333737366462656165306239636631343430316632 +37376166373561333533373036336336306164363331613732373930336332616136643963656231 +37643432316466376432373062306635383836623364626530313231313538623461333538363363 +61323137643632623131363331646134346561383135656232636539643030636566626161336539 +33313337366230343532353064376533393033653533343265663339353165376237353438336630 +33643862363437373165333363643839303764366166346662623033623031663739323562313161 +39613261373730663435383963353137623836363933303832356336303933656236363239643431 +38656561656535336261623237653634653062383966323161646664353239663635363563666363 +61656661396639656662663938353166616366353462306634373830666661303431343434373264 +36653231386439653535613437633936653538656166303735643163623138636335343865623530 +61646663623339616564386338633165346264623439303861323465343665313630343331613338 +66646230626562393833303438363665626135383861643939336537656565393233623839653964 +35303936393461663933636365623266636363393561366135616632396533373833306330653333 +35333562363562646663396265303862386630363161316264613036393263326433383031626661 +63363537323232346339373830393433393965336163623064666437393939653331313762643464 +63383064616234363937613237646263666439343063383430383663376562363039633139343865 
+32396262663330393338333762653865373062313133343063613466653030643165303462666633 +33626630386363353765623561326239626365626433653466386262306638356161616164666665 +31303033366131373036646637633462333336656434303031643232363566643330346233326339 +33336163663164613866333632343631643631313531323366373465653063333166306664613363 +33353633633539653366636332333135316565623438306530636563393337356362313837303835 +31363732613864386538306562333861643666633263353763363063623965663031653838346134 +61383533376361326139323933333865353162313661623465363630336237313862363535313632 +32346132313631656232366437613633376639353033393234393465666534623633656238643837 +31363162303039663661396235333061666462366436666566323738313961663434653730663139 +32303637393333626533333866613463353334613536663132646362363836356531323063396664 +34646130386365346330346130383936626265663132303561333565383731653137643665633235 +65373266313734626666666332626361613537316439623832643361623431623836346362323961 +64626234623865326562333430656466636235373932653033303464643565363432343965356238 +66383135663363616133326463396464363534316439356235303536316562386136656165353336 +31326665376236333633393131633433653431346534323635333263373038326137346432373063 +35343463393235636437643661396230653866323563393061303763373530623633636465636662 +31343932666135656265393135343264316639623035386363306336323539333961616164306536 +64396234633337313634376263643565373238313362666233616164313035623534346364663336 +37343234663565326263306531336337653861323339623331643739303733383337366338633161 +63656537626364633864343535343534366432346434396230356338313835326635623337663737 +33393762316539363639316461613735656131336232626563373433663338336661386234656464 +34613833303635353562613131303030656339323533653436643032633864313934386166393037 +65663032373664666563616637386438633363343062373866316666303933623730646661323862 +61643530316563636635393761313532353734633062323665623366383530303333363836393338 
+34633564633830656635356265633363613437363035383534663235373261383062353435313733 +38663337643936613231323837343862313165626531356565636265393461633062376661393362 +33333661383335653437316135656433626532393566636366386437316562666162383265343938 +31326562373232353635363334643131383537376133373430333832386336373261646231643564 +36643663383833366361653439343061323139363631633861623338653238346661663333663564 +34326632323139396138326534643230383265646463323634626462623431633733323664633234 +31666338653564653634326235323065393766353030653634303230353337393932323134633065 +31343531346631333535393634613439636439366334633065336266386138303165326261303263 +31373838613466316365656436393339373661303238303231393636353663626239316665353261 +39336139343066383430393737373331366533303432376436613462316664643330626364643163 +36633930323332666636393363643033373834363533626535626432303539383239396634346135 +63633738633037386637653665363633643164666266663138306464656132666265396539393864 +64386532353035343734653962303134613935636637376236363538353836363533626263353732 +32353035326436646232613438316162326263346439616631666533356130383361623839366363 +39313063323866623936646634613561356262356436653730666463383636396137303833313930 +36383665636462366438336266333566636538373232366139633732623138643538623062323139 +36363365303633303131623232653062643436656563373862653861373438653335376333393965 +37653637313839646134623862316637666333383632366330303837656436633334383432633464 +61613562646536343265646335666631666137316637666439666232343565656431623639353337 +65323232333232373061643065303162346462313532356233646466303966653939346533633733 +34653064333261343237613863356434636463316636316636306539623438376462353562623033 +32383063383162303138326535613735303633356463306264646435663565616464643466323537 +66656538353765336365383031623337393665363062326631353764643366353438353033643065 +35353131646466303731366130616539366363636238616433393230656534646232336233316530 
+63333933633264396465363338336264633437343432346239363362323362663436313431623233 +30646164326636336639633963646231643430643037636532333837323462636434653936616462 +30393465366263396462383933326261333562346631306332326663363039643433633035326666 +36313433323831383566306435393961636366333636336438353634373939663363626432333631 +33303630626431323762633534376339303930613431636136633064393065346337303336313432 +38363138353331656134356163346262333530643438333366373232346138313562666132303361 +38316430343634653135613233636166633835326235343265353662333762303933643261326236 +34643535313061643430653936353031393731383066336633616564353764386461613262313832 +35333565346238663831303335346637653738623866336438346136393234666362383730343865 +31306536333630323766333866376464383061373139336139643339316630313236356139366330 +35633931313364353236393663313636376435633336336232663934653563376132326238663531 +36313138376134383263623333343662616133346264646166323765353430343931666231353133 +36613039326363383865393337383837356436663561353639653435646661613738343865656461 +64636237616465663135316130633839386332643766323032303662383035376361326164613766 +32653337626162373465656663346632656664336364393062366236343365356439616637613366 +33343365383265323835303730383731323632623536623165653236643539343963626630323866 +66353361343638366632366330336432336264356264323763646630623031383531623262343666 +36346636383633343064646338613461626230373864663337613961363462663235346234616263 +31326438626161323562386234343464616630643231363533353062396332333339366164643364 +32343538346262663064333431666239633632376430313833633564303331303638363063633562 +36386234313165346339336233316538336561306162343334616630646431346339663966616137 +39326534633661623039393235366632306233326336336336363966323631636139313733316135 +39643062643331386534646435396437346633626432613930373963373937633065623139303635 +32613262326438613139643663386331393737313266666232616137323333353365353765396163 
+65653930613931396564623865323664393961396239356362653533316264653033376137303063 +39663132643764366335303466346466626261353331366338373238303565626139343466643439 +34626662353664353733646561666261643062326235303966326465306264376331393136393763 +64383032646263363439393137343538313161393864313836663836613862653839366462343335 +31343262346536613737306633326531633662643039373336343362393532356634643238626138 +62313834383234633933396633376533356431323061333437383937663366326433393139396437 +64386639303537336263653638336531336331656230373433373165656433353764306339316662 +36363836663361333730336333333664613462663536386237343231343064623162643835653131 +65636566396564316537633033663363323466333638383761343033646566346561346536376563 +66353331623565633735663635626363623636343132303932386336373839626362386664653864 +63396334323962336461666133303835383534393631353333343634313533643664626135643637 +30336632626639396463343838383462333730313632366634363962393766663363616435663338 +31363462346132366635333738653063643166663366323934643432666137316562343437643962 +36326336616135373366303164393235363932613362656166306363326466636463376563313432 +32346661336364626164313761633733353736616132356137316130396232623333363535663966 +35616564363132643234343461373961393735383333303533303533393434323432376135653166 +63316637616431306564366464323239303137663931616430633633613830326336623130303734 +65373434616631366638656135373461306262666266623566363335356539383966626333376264 +65323965626434363435626466353430633932363535346631623539396335646530353438643262 +63373831303932396666643861353162663664643761613531363139633262393261366162373538 +33656164373937336437666564383765653364666435623465666366643937653534333332333132 +35636563653030316465623265393663323035623936643031643830376139313133633965323930 +34346238326136383333313562316162666364323637646635613339393064316534363562343233 +61383333303264323731646238353665373161316338653036323230643763346565616662313333 
+36313730353833346333613633333239343766663432636263393961393735653961333134336662 +66343233653834633330303639303434313737313030366362346239393330326431313261346332 +65363530663431626563613033626364613463303763663365356566373165356463306465626537 +65646133653934636631653139633039366533346531656436316537343132336430313061643338 +35393166323266653038636138623038643436346565343766353831363134643366333237613863 +63626530626333653234373865653764383031396363656434663962656463643061646237336332 +37666162623061636263633061663366303637383637396631376531353232353734636163643066 +36643834636365373939373037323234386535303130366663336133373631623030323963363333 +66656138353737396532396534633232623736326262333539386137336631343936396438653732 +39323731643364363230623736626335323436326166633064613737343962316333623233343536 +31393432313532663938343562356231363465313765636330613435373465656463326435366236 +34333965376433623263613366373136633131356435366636323930353361323430613461626630 +66373732366665656437633265353835366430643463656564663063643834303565363038626164 +35316137326130393265336535616162393166653837326461633632306334303333366661323733 +30333631363730353734303437626164666231336161636363316662643437353034303536643831 +31613238333531653038386539303461356338333339653661633961346431303231666537333033 +32643663613463366430376635396338653164373037626437366435353462663537336336633961 +6438 From c0e2f087a66fd42b11d781d7ffad1f9dcaa79c84 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 11:19:17 +0200 Subject: [PATCH 036/108] asdfasddfsadf --- playbook.yml | 2 ++ vault => vault.yml | 0 2 files changed, 2 insertions(+) rename vault => vault.yml (100%) diff --git a/playbook.yml b/playbook.yml index deaa737..119d73f 100644 --- a/playbook.yml +++ b/playbook.yml @@ -2,6 +2,8 @@ hosts: all become: true gather_facts: true + vars_files: + - vault.yml tasks: - name: Import apache Role import_role: 
diff --git a/vault b/vault.yml similarity index 100% rename from vault rename to vault.yml From 3238ff9e8343829c4e1e3331a61731ccb1af20a0 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 11:22:22 +0200 Subject: [PATCH 037/108] dfgdfg --- playbook.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbook.yml b/playbook.yml index 119d73f..1e45b95 100644 --- a/playbook.yml +++ b/playbook.yml @@ -2,8 +2,8 @@ hosts: all become: true gather_facts: true - vars_files: - - vault.yml + vars_files: + - vault.yml tasks: - name: Import apache Role import_role: From 00f93be5cc75edc90c0a358deea1363ef993dbc7 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 11:24:56 +0200 Subject: [PATCH 038/108] sfdasddf --- roles/certificates/tasks/main.yml | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 26265ab..9c27def 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -17,6 +17,14 @@ country_name: "{{ organization_details.country }}" register: host_csr +- name: Ca_content + debug: + msg: "{{ ca_content }}" + +- name: Ca_key + debug: + msg: "{{ ca_privatekey_content }}" + - name: Sign the CSR using the CA community.crypto.x509_certificate_pipe: csr_content: "{{ host_csr.csr }}" From 6af5ced7d94fde25857a76b8169fc4bbf3741ebf Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 11:36:20 +0200 Subject: [PATCH 039/108] adfasdf --- roles/certificates/defaults/main.yml | 2 - roles/certificates/tasks/main.yml | 17 +-- vault.yml | 166 +-------------------------- 3 files changed, 10 insertions(+), 175 deletions(-) diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml index c09e299..abb70c2 100644 --- a/roles/certificates/defaults/main.yml +++ b/roles/certificates/defaults/main.yml 
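Review bot: The two `debug:` tasks added to roles/certificates/tasks/main.yml print `ca_content` and, far worse, `ca_privatekey_content` to the play output, so the CA private key lands in terminal scrollback, CI logs and any configured callback or `log_path` sink for every host in the play. Debug output of secret material should not be committed even for troubleshooting; if a sanity check is wanted, test the value without echoing it, e.g. `- assert: { that: ca_privatekey_content is defined and ca_privatekey_content | length > 0 }`. A key that has already been printed by a run of this commit should be treated as exposed. The following patch in this series removes the two tasks again.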
@@ -1,6 +1,4 @@ --- -ca_content: "" -ca_privatekey_content: "" organization_details: name: "My Organization" locality: "Tel Aviv" diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 9c27def..dc69df6 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -17,21 +17,14 @@ country_name: "{{ organization_details.country }}" register: host_csr -- name: Ca_content - debug: - msg: "{{ ca_content }}" - -- name: Ca_key - debug: - msg: "{{ ca_privatekey_content }}" - - name: Sign the CSR using the CA community.crypto.x509_certificate_pipe: csr_content: "{{ host_csr.csr }}" - ownca_content: "{{ ca_content }}" - ownca_privatekey_content: "{{ ca_privatekey_content }}" + ownca_path: /etc/ca/ca.crt + ownca_privatekey_path: /etc/ca/private/ca.key provider: ownca register: host_crt + delegate_to: localhost - name: Ensure /etc/ssl/private directory exists file: @@ -48,8 +41,8 @@ - name: Copy certificate to trusted anchors directory copy: - content: "{{ ca_content }}" - dest: /etc/pki/ca-trust/source/anchors/root-CA.cert + src: /etc/ca/ca.crt + dest: /etc/pki/ca-trust/source/anchors/root-CA.crt mode: 0644 - name: Update CA trust on the host diff --git a/vault.yml b/vault.yml index 9e90d58..58e3cc2 100644 --- a/vault.yml +++ b/vault.yml 
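Review bot: Signing now reads `ownca_path: /etc/ca/ca.crt` and `ownca_privatekey_path: /etc/ca/private/ca.key` on the controller through `delegate_to: localhost`, which rightly keeps the CA key off the managed hosts, but both paths are hard-coded in the task rather than exposed as role variables, and the play's `become: true` (visible in the playbook.yml hunks of the preceding patches) presumably applies to the delegated task too, so it will try to escalate on the controller to read the key; whether that is intended cannot be told from the hunk. Suggest `ownca_path: "{{ ca_cert_path }}"` and `ownca_privatekey_path: "{{ ca_key_path }}"` with the two paths declared in defaults/main.yml (variable names are a proposal), and `become: false` on this task when the controller key is readable by the Ansible user. The `copy:` task that ships /etc/ca/ca.crt to the anchors directory reads the same controller path and could reuse the same variable. The CSR task above file line 17 lies outside the hunk.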
@@ -1,162 +1,6 @@ $ANSIBLE_VAULT;1.1;AES256 -66326562323765346266353762396266653338343339383131373262373534356535633930303833 -3138346536636432363035613733336336316339313665660a313935653561613062616533643735 -30653833396165663131386232306235626461626330656339643234363165663663613337623163 -3830333938646361330a363535326263616436623961656130396437643632666537313066393038 -33626438663335396562663362616230383164383038323531316330626166326665353331643663 -37636138623033623533626164386535393330613165323538653437623837633536393366633638 -62326238633730313866663665376561376332366538343937653137303539323939353631383937 -36383133306331323065333463376432383333626230313936653365643434633930643639363531 -35336438383461386664346265663762633664316664336539316533373165393439346139623066 -32666237643138376563666364393966366266653865373237343766313437386230646662663961 -35333534346339353637343630383465626533613036376536316264306436636131366661346631 -65643930323633393761343165643331313133343632643937363136383134343466343337373030 -38323237353637653238376162613537646566396432343131343731663436613632663462613666 -62613866363339643862623266396139653034363735396136663538633439633365646135383632 -38313230323337383934383562636439643436373835363938663766626366333231636337316339 -65616563643162396464313734323539343231393032616230323863303831643563336363633134 -38313231393935363462316131623031656661646536626536396331376661343735633234666231 -31313963376536316263663130653830613466636464653664353961366332616362393362616164 -37663434393863353661353766363736373937646335356434323636333265636432313339643634 -39633431386438396537623833346361313634326464323833333262373062393530643935626362 -33633539626264373438353939623231306664326138306464393462353363373338303035646362 -31656436663865373236313465386337356232393534326230396533396661376366383531323134 -39343163313465623032393462653365336331306462326565323238393362633166316366383862 
-64333233613035313265623961663261613662353632643866373438353039396262653863303830 -61393738636163623033333833626534643738656265353233316630356233363163633637643165 -34663631313137376564363532353632313665333534653830633133303231636665323135323531 -63333566313034366465613163323936303233313062336638373934393733656264336161383934 -61626261343339383831643266646130353963396364336635636333646330316263626665656235 -32613238356436636636323033633733633336333362346662666464316533613436343538356462 -39316533306261636538313166393139353736356665333063643363666664623237363231306138 -30666530343630316637633061386461303434666635663062323632353232373065623737343935 -38373539303730376264333232353736373966333737366462656165306239636631343430316632 -37376166373561333533373036336336306164363331613732373930336332616136643963656231 -37643432316466376432373062306635383836623364626530313231313538623461333538363363 -61323137643632623131363331646134346561383135656232636539643030636566626161336539 -33313337366230343532353064376533393033653533343265663339353165376237353438336630 -33643862363437373165333363643839303764366166346662623033623031663739323562313161 -39613261373730663435383963353137623836363933303832356336303933656236363239643431 -38656561656535336261623237653634653062383966323161646664353239663635363563666363 -61656661396639656662663938353166616366353462306634373830666661303431343434373264 -36653231386439653535613437633936653538656166303735643163623138636335343865623530 -61646663623339616564386338633165346264623439303861323465343665313630343331613338 -66646230626562393833303438363665626135383861643939336537656565393233623839653964 -35303936393461663933636365623266636363393561366135616632396533373833306330653333 -35333562363562646663396265303862386630363161316264613036393263326433383031626661 -63363537323232346339373830393433393965336163623064666437393939653331313762643464 -63383064616234363937613237646263666439343063383430383663376562363039633139343865 
-32396262663330393338333762653865373062313133343063613466653030643165303462666633 -33626630386363353765623561326239626365626433653466386262306638356161616164666665 -31303033366131373036646637633462333336656434303031643232363566643330346233326339 -33336163663164613866333632343631643631313531323366373465653063333166306664613363 -33353633633539653366636332333135316565623438306530636563393337356362313837303835 -31363732613864386538306562333861643666633263353763363063623965663031653838346134 -61383533376361326139323933333865353162313661623465363630336237313862363535313632 -32346132313631656232366437613633376639353033393234393465666534623633656238643837 -31363162303039663661396235333061666462366436666566323738313961663434653730663139 -32303637393333626533333866613463353334613536663132646362363836356531323063396664 -34646130386365346330346130383936626265663132303561333565383731653137643665633235 -65373266313734626666666332626361613537316439623832643361623431623836346362323961 -64626234623865326562333430656466636235373932653033303464643565363432343965356238 -66383135663363616133326463396464363534316439356235303536316562386136656165353336 -31326665376236333633393131633433653431346534323635333263373038326137346432373063 -35343463393235636437643661396230653866323563393061303763373530623633636465636662 -31343932666135656265393135343264316639623035386363306336323539333961616164306536 -64396234633337313634376263643565373238313362666233616164313035623534346364663336 -37343234663565326263306531336337653861323339623331643739303733383337366338633161 -63656537626364633864343535343534366432346434396230356338313835326635623337663737 -33393762316539363639316461613735656131336232626563373433663338336661386234656464 -34613833303635353562613131303030656339323533653436643032633864313934386166393037 -65663032373664666563616637386438633363343062373866316666303933623730646661323862 -61643530316563636635393761313532353734633062323665623366383530303333363836393338 
-34633564633830656635356265633363613437363035383534663235373261383062353435313733 -38663337643936613231323837343862313165626531356565636265393461633062376661393362 -33333661383335653437316135656433626532393566636366386437316562666162383265343938 -31326562373232353635363334643131383537376133373430333832386336373261646231643564 -36643663383833366361653439343061323139363631633861623338653238346661663333663564 -34326632323139396138326534643230383265646463323634626462623431633733323664633234 -31666338653564653634326235323065393766353030653634303230353337393932323134633065 -31343531346631333535393634613439636439366334633065336266386138303165326261303263 -31373838613466316365656436393339373661303238303231393636353663626239316665353261 -39336139343066383430393737373331366533303432376436613462316664643330626364643163 -36633930323332666636393363643033373834363533626535626432303539383239396634346135 -63633738633037386637653665363633643164666266663138306464656132666265396539393864 -64386532353035343734653962303134613935636637376236363538353836363533626263353732 -32353035326436646232613438316162326263346439616631666533356130383361623839366363 -39313063323866623936646634613561356262356436653730666463383636396137303833313930 -36383665636462366438336266333566636538373232366139633732623138643538623062323139 -36363365303633303131623232653062643436656563373862653861373438653335376333393965 -37653637313839646134623862316637666333383632366330303837656436633334383432633464 -61613562646536343265646335666631666137316637666439666232343565656431623639353337 -65323232333232373061643065303162346462313532356233646466303966653939346533633733 -34653064333261343237613863356434636463316636316636306539623438376462353562623033 -32383063383162303138326535613735303633356463306264646435663565616464643466323537 -66656538353765336365383031623337393665363062326631353764643366353438353033643065 -35353131646466303731366130616539366363636238616433393230656534646232336233316530 
-63333933633264396465363338336264633437343432346239363362323362663436313431623233 -30646164326636336639633963646231643430643037636532333837323462636434653936616462 -30393465366263396462383933326261333562346631306332326663363039643433633035326666 -36313433323831383566306435393961636366333636336438353634373939663363626432333631 -33303630626431323762633534376339303930613431636136633064393065346337303336313432 -38363138353331656134356163346262333530643438333366373232346138313562666132303361 -38316430343634653135613233636166633835326235343265353662333762303933643261326236 -34643535313061643430653936353031393731383066336633616564353764386461613262313832 -35333565346238663831303335346637653738623866336438346136393234666362383730343865 -31306536333630323766333866376464383061373139336139643339316630313236356139366330 -35633931313364353236393663313636376435633336336232663934653563376132326238663531 -36313138376134383263623333343662616133346264646166323765353430343931666231353133 -36613039326363383865393337383837356436663561353639653435646661613738343865656461 -64636237616465663135316130633839386332643766323032303662383035376361326164613766 -32653337626162373465656663346632656664336364393062366236343365356439616637613366 -33343365383265323835303730383731323632623536623165653236643539343963626630323866 -66353361343638366632366330336432336264356264323763646630623031383531623262343666 -36346636383633343064646338613461626230373864663337613961363462663235346234616263 -31326438626161323562386234343464616630643231363533353062396332333339366164643364 -32343538346262663064333431666239633632376430313833633564303331303638363063633562 -36386234313165346339336233316538336561306162343334616630646431346339663966616137 -39326534633661623039393235366632306233326336336336363966323631636139313733316135 -39643062643331386534646435396437346633626432613930373963373937633065623139303635 -32613262326438613139643663386331393737313266666232616137323333353365353765396163 
-65653930613931396564623865323664393961396239356362653533316264653033376137303063 -39663132643764366335303466346466626261353331366338373238303565626139343466643439 -34626662353664353733646561666261643062326235303966326465306264376331393136393763 -64383032646263363439393137343538313161393864313836663836613862653839366462343335 -31343262346536613737306633326531633662643039373336343362393532356634643238626138 -62313834383234633933396633376533356431323061333437383937663366326433393139396437 -64386639303537336263653638336531336331656230373433373165656433353764306339316662 -36363836663361333730336333333664613462663536386237343231343064623162643835653131 -65636566396564316537633033663363323466333638383761343033646566346561346536376563 -66353331623565633735663635626363623636343132303932386336373839626362386664653864 -63396334323962336461666133303835383534393631353333343634313533643664626135643637 -30336632626639396463343838383462333730313632366634363962393766663363616435663338 -31363462346132366635333738653063643166663366323934643432666137316562343437643962 -36326336616135373366303164393235363932613362656166306363326466636463376563313432 -32346661336364626164313761633733353736616132356137316130396232623333363535663966 -35616564363132643234343461373961393735383333303533303533393434323432376135653166 -63316637616431306564366464323239303137663931616430633633613830326336623130303734 -65373434616631366638656135373461306262666266623566363335356539383966626333376264 -65323965626434363435626466353430633932363535346631623539396335646530353438643262 -63373831303932396666643861353162663664643761613531363139633262393261366162373538 -33656164373937336437666564383765653364666435623465666366643937653534333332333132 -35636563653030316465623265393663323035623936643031643830376139313133633965323930 -34346238326136383333313562316162666364323637646635613339393064316534363562343233 -61383333303264323731646238353665373161316338653036323230643763346565616662313333 
-36313730353833346333613633333239343766663432636263393961393735653961333134336662 -66343233653834633330303639303434313737313030366362346239393330326431313261346332 -65363530663431626563613033626364613463303763663365356566373165356463306465626537 -65646133653934636631653139633039366533346531656436316537343132336430313061643338 -35393166323266653038636138623038643436346565343766353831363134643366333237613863 -63626530626333653234373865653764383031396363656434663962656463643061646237336332 -37666162623061636263633061663366303637383637396631376531353232353734636163643066 -36643834636365373939373037323234386535303130366663336133373631623030323963363333 -66656138353737396532396534633232623736326262333539386137336631343936396438653732 -39323731643364363230623736626335323436326166633064613737343962316333623233343536 -31393432313532663938343562356231363465313765636330613435373465656463326435366236 -34333965376433623263613366373136633131356435366636323930353361323430613461626630 -66373732366665656437633265353835366430643463656564663063643834303565363038626164 -35316137326130393265336535616162393166653837326461633632306334303333366661323733 -30333631363730353734303437626164666231336161636363316662643437353034303536643831 -31613238333531653038386539303461356338333339653661633961346431303231666537333033 -32643663613463366430376635396338653164373037626437366435353462663537336336633961 -6438 +34646630653761303437653365353538343835623064363866343661616534613362653833613438 +3237373839613736356265376461353962656132396561620a323161376536316632656235623438 +39643030376464633262366636333861633931656536396633386665373233353330663865336335 +3365333632633230380a366534343634643235383437373732383933333761313565376332656164 +38643561336566393133626631393532333461656236613836626335373133386339 From e2d0fbb0a7fec8feb724241f523560a5600916ea Mon Sep 17 00:00:00 2001 
From: yoav-katz
Date: Thu, 14 Nov 2024 11:41:35 +0200
Subject: [PATCH 040/108] asgdsadg
---
roles/haproxy/tasks/keepalived.yml | 1 +
1 file changed, 1 insertion(+)
diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml
index d60e6ce..b006bd5 100644
--- a/roles/haproxy/tasks/keepalived.yml
+++ b/roles/haproxy/tasks/keepalived.yml
@@ -4,6 +4,7 @@
 - keepalived_state in ['MASTER', 'BACKUP']
 - keepalived_priority is number
 fail_msg: "to configure Keepalived all hosts hosting it needs: keepalived_state and keepalived_priority"
+ quiet: yes

 - name: Ensure Keepalived is installed.
 dnf:
From 7d43e15d7b7180c8ca797815851f27ad1813436b Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Thu, 14 Nov 2024 14:56:11 +0200
Subject: [PATCH 041/108] blasfasdsdfg
---
playbook.yml | 6 ++++++
roles/apache/vars/main.yml | 1 +
roles/certificates/defaults/main.yml | 1 +
roles/certificates/tasks/main.yml | 3 +++
roles/haproxy/tasks/keepalived.yml | 1 -
roles/haproxy/vars/main.yml | 1 +
6 files changed, 12 insertions(+), 1 deletion(-)
create mode 100644 roles/apache/vars/main.yml
create mode 100644 roles/haproxy/vars/main.yml
diff --git a/playbook.yml b/playbook.yml
index 1e45b95..d30b494 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -5,10 +5,16 @@
 vars_files:
 - vault.yml
 tasks:
+ - name: Set subjet_critical_alt_name
+ set_fact:
+ subjet_critical_alt_name: "{{ groups['webservers'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}"
+ when: "'haproxy' in group_names"
+
 - name: Import apache Role
 import_role:
 name: "apache"
 when: "'webserver' in group_names"
+
 - name: Import haproxy Role
 import_role:
 name: "haproxy"
diff --git a/roles/apache/vars/main.yml b/roles/apache/vars/main.yml
new file mode 100644
index 0000000..79a0247
--- /dev/null
+++ b/roles/apache/vars/main.yml
@@ -0,0 +1 @@
+handler_to_notify: 'Restart Httpd'
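Review bot: The new fact is named `subjet_critical_alt_name`; `subjet` is a typo for `subject` that the consuming task in `roles/certificates/tasks/main.yml` (next hunk section) must now reproduce exactly, and PATCH 046 renames it to `subjet_alt_names` while keeping the typo. Rename it to `subject_alt_names` in both places before more templates depend on the misspelling. The expression also pulls `ansible_fqdn` out of `hostvars` for every `webserver` host, so it most likely fails with an undefined variable when a webserver's facts were not gathered in the same run (e.g. under `--limit`); `| select('defined')` on the extracted list, or a fact cache, would make that explicit. A short comment above the task, `# SAN list for the HAProxy front-end certificate: one DNS entry per backend FQDN`, would help the next reader; `groups['webservers']` is already corrected to `groups['webserver']` by PATCH 042.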
diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml index abb70c2..81defa4 100644 --- a/roles/certificates/defaults/main.yml +++ b/roles/certificates/defaults/main.yml @@ -1,4 +1,5 @@ --- +handler_to_notify: "" organization_details: name: "My Organization" locality: "Tel Aviv" diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index dc69df6..108cb19 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -12,6 +12,8 @@ community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" + subject_alt_name: "IP:{{ inventory_hostname }}" + subject_alt_name_critical: "{{ subjet_critical_alt_name }}" organization_name: "{{ organization_details.name }}" locality_name: "{{ organization_details.locality }}" country_name: "{{ organization_details.country }}" @@ -38,6 +40,7 @@ content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" dest: /etc/ssl/private/server.pem mode: 0600 + notify: "{{ handler_to_notify }}" - name: Copy certificate to trusted anchors directory copy: diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml index b006bd5..d60e6ce 100644 --- a/roles/haproxy/tasks/keepalived.yml +++ b/roles/haproxy/tasks/keepalived.yml @@ -4,7 +4,6 @@ - keepalived_state in ['MASTER', 'BACKUP'] - keepalived_priority is number fail_msg: "to configure Keepalived all hosts hosting it needs: keepalived_state and keepalived_priority" - quiet: yes - name: Ensure Keepalived is installed. dnf: diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml new file mode 100644 index 0000000..4b87240 --- /dev/null +++ b/roles/haproxy/vars/main.yml @@ -0,0 +1 @@ +handler_to_notify: 'Restart HAProxy,Restart Keepalived' From f64c51570daba69715ff6ae67aa359ed5ab97c93 Mon Sep 17 00:00:00 2001 
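Review bot: `subject_alt_name: "IP:{{ inventory_hostname }}"` assumes every inventory hostname is a literal IP address; that holds for the `192.168.0.x` entries in `inventory.ini` today, but the moment a host is listed by name the CSR module is handed `IP:<name>` and fails. Take the address from a gathered fact such as `ansible_default_ipv4.address` (confirm that is the interface clients reach) or from a dedicated variable, or at minimum document the assumption with `# inventory_hostname must be the host's IP address (inventory.ini lists addresses)`. The same task passes the host private key as `privatekey_content`, and the `Generate private key` task registers it (both context here); neither carries `no_log: true`, so a `-vvv` run or a verbose callback writes the key into the log, and `no_log: true` on the key-generating, CSR and pem-writing tasks would close that. PATCH 044, 046 and 048 keep extending this `subject_alt_name` string and inherit the assumption.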
From: yoav-katz
Date: Thu, 14 Nov 2024 14:58:54 +0200
Subject: [PATCH 042/108] asdfasdf
---
playbook.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/playbook.yml b/playbook.yml
index d30b494..15c69b9 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -7,7 +7,7 @@
 tasks:
 - name: Set subjet_critical_alt_name
 set_fact:
- subjet_critical_alt_name: "{{ groups['webservers'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}"
+ subjet_critical_alt_name: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}"
 when: "'haproxy' in group_names"

 - name: Import apache Role
From 8dd6b912293bb6d0b6d3ee20583413572d84fe21 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Thu, 14 Nov 2024 15:01:27 +0200
Subject: [PATCH 043/108] sadfasdfdasg
---
roles/certificates/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 108cb19..50531cd 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -13,7 +13,7 @@
 privatekey_content: "{{ host_private_key.privatekey }}"
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: "IP:{{ inventory_hostname }}"
- subject_alt_name_critical: "{{ subjet_critical_alt_name }}"
+ subject_alt_name_critical: "{{ subjet_critical_alt_name | default('') }}"
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
 country_name: "{{ organization_details.country }}"
From 097f6d75b91c1a9be31123f0954f31e6b61c4060 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Thu, 14 Nov 2024 15:10:29 +0200
Subject: [PATCH 044/108] afdasdf
---
roles/certificates/tasks/main.yml | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 50531cd..f204ebc 100644
--- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -12,8 +12,8 @@ community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" - subject_alt_name: "IP:{{ inventory_hostname }}" - subject_alt_name_critical: "{{ subjet_critical_alt_name | default('') }}" + subject_alt_name: "IP:{{ inventory_hostname }},{{ subjet_critical_alt_name | default('') }}" + subject_alt_name_critical: true organization_name: "{{ organization_details.name }}" locality_name: "{{ organization_details.locality }}" country_name: "{{ organization_details.country }}" From 36627947032e442f9816d68638ec651f0aee71b7 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 15:16:20 +0200 Subject: [PATCH 045/108] sdgasfd --- roles/certificates/defaults/main.yml | 1 - roles/certificates/tasks/main.yml | 4 ++++ roles/haproxy/vars/main.yml | 4 +++- 3 files changed, 7 insertions(+), 2 deletions(-) diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml index 81defa4..abb70c2 100644 --- a/roles/certificates/defaults/main.yml +++ b/roles/certificates/defaults/main.yml @@ -1,5 +1,4 @@ --- -handler_to_notify: "" organization_details: name: "My Organization" locality: "Tel Aviv" diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index f204ebc..ade6d65 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -8,6 +8,10 @@ community.crypto.openssl_privatekey_pipe: register: host_private_key +- name: debug + debug: + msg: "IP:{{ inventory_hostname }},{{ subjet_critical_alt_name | default('') }}" + - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml index 4b87240..6c3e2ff 100644 --- a/roles/haproxy/vars/main.yml +++ b/roles/haproxy/vars/main.yml 
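Review bot: Removing `handler_to_notify: ""` from the defaults leaves `notify: "{{ handler_to_notify }}"` in `roles/certificates/tasks/main.yml` (added by PATCH 041, not in this hunk) with no fallback, so any consumer that includes the `certificates` role without defining the variable now fails with an undefined-variable error instead of simply notifying nothing. The apache and haproxy roles both set it in their `vars/main.yml`, so the current playbook is unaffected, but the role's contract has become implicit. Either keep a list-typed default (`handler_to_notify: []`) and write the notify as `notify: "{{ handler_to_notify | default([]) }}"`, which should notify nothing when empty, or document the variable as required in the role README. The `debug` task added in the tasks hunk prints the SAN string and is harmless, but reads as a troubleshooting aid rather than part of the role.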
@@ -1 +1,3 @@ -handler_to_notify: 'Restart HAProxy,Restart Keepalived' +handler_to_notify: + - "Restart HAProxy" + - "Restart Keepalived" From f9a344dfcaaa81a0097755a977fa03c39ca76c0a Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Thu, 14 Nov 2024 15:21:04 +0200 Subject: [PATCH 046/108] adsfasdfa --- playbook.yml | 4 ++-- roles/certificates/tasks/main.yml | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/playbook.yml b/playbook.yml index 15c69b9..5aa567d 100644 --- a/playbook.yml +++ b/playbook.yml @@ -5,9 +5,9 @@ vars_files: - vault.yml tasks: - - name: Set subjet_critical_alt_name + - name: Set subjet_alt_names set_fact: - subjet_critical_alt_name: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}" + subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}" when: "'haproxy' in group_names" - name: Import apache Role diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index ade6d65..e5ffce8 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -10,13 +10,13 @@ - name: debug debug: - msg: "IP:{{ inventory_hostname }},{{ subjet_critical_alt_name | default('') }}" + msg: "IP:{{ inventory_hostname }},{{ subjet_alt_names | default('') }}" - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" - subject_alt_name: "IP:{{ inventory_hostname }},{{ subjet_critical_alt_name | default('') }}" + subject_alt_name: "IP:{{ inventory_hostname }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" subject_alt_name_critical: true organization_name: "{{ organization_details.name }}" locality_name: "{{ organization_details.locality }}" From 68871ac719a409307c7e73502226c07e7c3dca7a Mon Sep 17 00:00:00 2001 
From: yoav-katz
Date: Thu, 14 Nov 2024 15:22:11 +0200
Subject: [PATCH 047/108] adfasdfasf
---
roles/certificates/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index e5ffce8..5257641 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -10,7 +10,7 @@

 - name: debug
 debug:
- msg: "IP:{{ inventory_hostname }},{{ subjet_alt_names | default('') }}"
+ msg: "IP:{{ inventory_hostname }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}"

 - name: Generate CSR
 community.crypto.openssl_csr_pipe:
From b66b7a5f7d5b05ab55eec7f894533d253297395e Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Thu, 14 Nov 2024 15:26:52 +0200
Subject: [PATCH 048/108] ASDFasdf
---
roles/certificates/tasks/main.yml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 5257641..9af2291 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -16,7 +16,7 @@
 community.crypto.openssl_csr_pipe:
 privatekey_content: "{{ host_private_key.privatekey }}"
 common_name: "{{ ansible_fqdn }}"
- subject_alt_name: "IP:{{ inventory_hostname }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}"
+ subject_alt_name: "IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From b197d98a43d813bc54e7843317f8310ade00cfda Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Thu, 14 Nov 2024 15:30:17 +0200
Subject: [PATCH 049/108] sadfasdffsddfs
---
playbook.yml | 4 +++-
roles/certificates/tasks/main.yml | 4 ----
2 files changed, 3 insertions(+), 5 deletions(-)
diff --git a/playbook.yml b/playbook.yml index 5aa567d..f7a2cf8 100644 --- a/playbook.yml +++ b/playbook.yml @@ -4,10 +4,12 @@ gather_facts: true vars_files: - vault.yml + vars: + keepalived_ip: 192.168.0.6 tasks: - name: Set subjet_alt_names set_fact: - subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }}" + subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" when: "'haproxy' in group_names" - name: Import apache Role diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 9af2291..be9f211 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -8,10 +8,6 @@ community.crypto.openssl_privatekey_pipe: register: host_private_key -- name: debug - debug: - msg: "IP:{{ inventory_hostname }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" - - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" From 350cc9ef678bb194be13a9a885c743da0d952282 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 13:23:03 +0200 Subject: [PATCH 050/108] asdfdass --- roles/certificates/tasks/main.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index be9f211..79c4fa4 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -1,7 +1,9 @@ --- -- name: Ensure cryptography Packages Installed +- name: Ensure cryptography Package Installed pip: - name: cryptography>=1.6 + name: + - setuptools_rust + - cryptography>=1.6 state: present - name: Generate private key From 00ae3f35d3268e0b4c174f540cf60280ea81f96b Mon Sep 17 00:00:00 2001 
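Review bot: The SAN string now hard-codes `DNS:keepalived.com` next to the parameterised `IP:{{ keepalived_ip }}`; the name the VIP is reached under belongs in a play variable beside `keepalived_ip` (say `keepalived_fqdn`, a proposed name) rather than inside the Jinja expression, both so it can differ per environment and because issuing a certificate for a name the deployment may not own is a mistake that gets copied. `keepalived_ip: 192.168.0.6` presumably has to match the VIP in `keepalived.conf.j2`, which is not in this hunk; if the template reads a different variable the two will drift silently, so a comment such as `# VIP advertised by keepalived; keep in sync with roles/haproxy/templates/keepalived.conf.j2` is worth adding. The `set_fact` task is now long enough that a `vars:` block with the DNS list and the VIP entries built separately would read better than one string concatenation.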
From: yoav-katz
Date: Mon, 18 Nov 2024 13:24:55 +0200
Subject: [PATCH 051/108] asdfda
---
roles/certificates/tasks/main.yml | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 79c4fa4..74af796 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -1,9 +1,12 @@
 ---
+- name: Ensure setuptools_rust is installed
+ pip:
+ name: setuptools_rust
+ state: present
+
 - name: Ensure cryptography Package Installed
 pip:
- name:
- - setuptools_rust
- - cryptography>=1.6
+ name: cryptography>=1.6
 state: present

 - name: Generate private key
From 45eae36c429d3949adb08bcc03ede7f41d1d7847 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 13:37:24 +0200
Subject: [PATCH 052/108] asdfasdf
---
roles/certificates/tasks/main.yml | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 74af796..d5b5522 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -1,13 +1,9 @@
 ---
-- name: Ensure setuptools_rust is installed
- pip:
- name: setuptools_rust
- state: present
-
 - name: Ensure cryptography Package Installed
 pip:
 name: cryptography>=1.6
 state: present
+ executable: /usr/bin/python3.8 -m pip

 - name: Generate private key
From 7a379a7b4273cdd1bdb98b9e5b9872bf7430b1f6 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 13:53:49 +0200
Subject: [PATCH 053/108] asdfda
---
roles/apache/tasks/main.yml | 7 +++++--
roles/certificates/tasks/main.yml | 2 +-
2 files changed, 6 insertions(+), 3 deletions(-)
diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index e2d01c6..0a95b7a 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -3,9 +3,12 @@ include_role: name: "certificates" -- name: Ensure httpd is installed. +- name: Ensure httpd and his required packages ares installed. dnf: - name: httpd + name: + - httpd + - mod_ssl + - openssh state: present - name: Generate httpd configuration diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index d5b5522..5a67f20 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -3,7 +3,7 @@ pip: name: cryptography>=1.6 state: present - executable: /usr/bin/python3.8 -m pip + extra_args: "--only-binary :all:" - name: Generate private key community.crypto.openssl_privatekey_pipe: From a1d3ae1a4c2349f0699df726deaec60a4419de89 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 14:01:14 +0200 Subject: [PATCH 054/108] asdfsaf --- roles/apache/templates/httpd.conf.j2 | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/apache/templates/httpd.conf.j2 b/roles/apache/templates/httpd.conf.j2 index 08e934d..d09937a 100644 --- a/roles/apache/templates/httpd.conf.j2 +++ b/roles/apache/templates/httpd.conf.j2 @@ -1,6 +1,5 @@ ServerRoot "/etc/httpd" ServerName {{ ansible_fqdn }} -Listen 443 Include conf.modules.d/*.conf From 91246945d4614bb937b56b1fd6e921da825c062d Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 14:35:34 +0200 Subject: [PATCH 055/108] safafasdf --- roles/apache/templates/httpd.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/apache/templates/httpd.conf.j2 b/roles/apache/templates/httpd.conf.j2 index d09937a..08e934d 100644 --- a/roles/apache/templates/httpd.conf.j2 +++ b/roles/apache/templates/httpd.conf.j2 @@ -1,5 +1,6 @@ ServerRoot "/etc/httpd" ServerName {{ ansible_fqdn }} +Listen 443 Include conf.modules.d/*.conf From 715f5ec70f9c5281c70ea52148508ced6d1ddddb Mon Sep 17 00:00:00 2001 
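Review bot: The package list adds `openssh` to the httpd role, which looks unrelated to serving TLS with `mod_ssl`; if the TLS toolchain was meant, the package is `openssl`, so please confirm and drop `openssh` if it is not actually needed, since every extra package on a web-facing host widens the patch surface. The task name `Ensure httpd and his required packages ares installed.` has two typos; `Ensure httpd and its required packages are installed` reads better. In the certificates hunk, `pip` with `extra_args: "--only-binary :all:"` now pulls `cryptography` wheels from PyPI on every managed host at play time; these hosts already use `dnf`, so `python3-cryptography` from the distro repository would remove a runtime dependency on PyPI reachability and keep the library on the same update channel as the rest of the system, provided the distro version satisfies `>=1.6` (any current release should, but verify).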
From: yoav-katz Date: Mon, 18 Nov 2024 14:46:40 +0200 Subject: [PATCH 056/108] asdfasfd --- roles/apache/tasks/main.yml | 1 + roles/apache/templates/httpd.conf.j2 | 1 - 2 files changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 0a95b7a..6b6a6ee 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -26,6 +26,7 @@ template: src: index.html.j2 dest: /var/www/html/index.html + validate: httpd -t -f %s mode: 0644 owner: apache group: apache diff --git a/roles/apache/templates/httpd.conf.j2 b/roles/apache/templates/httpd.conf.j2 index 08e934d..d09937a 100644 --- a/roles/apache/templates/httpd.conf.j2 +++ b/roles/apache/templates/httpd.conf.j2 @@ -1,6 +1,5 @@ ServerRoot "/etc/httpd" ServerName {{ ansible_fqdn }} -Listen 443 Include conf.modules.d/*.conf From e804c8cc0f321058f45d51c35c6184af3a0f9fff Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:13:30 +0200 Subject: [PATCH 057/108] asdfdsaf --- roles/haproxy/tasks/keepalived.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml index d60e6ce..3e35668 100644 --- a/roles/haproxy/tasks/keepalived.yml +++ b/roles/haproxy/tasks/keepalived.yml @@ -14,7 +14,7 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf - validate: keepalived -t -f %s + mode: 0644 owner: haproxy group: haproxy From 57b35aef27e945dfddd20b17932dbc3608705f05 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:15:53 +0200 Subject: [PATCH 058/108] asdf --- roles/haproxy/tasks/keepalived.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml index 3e35668..27d408b 100644 --- a/roles/haproxy/tasks/keepalived.yml +++ b/roles/haproxy/tasks/keepalived.yml 
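Review bot: `validate: httpd -t -f %s` is attached to the task that renders `index.html.j2` into `/var/www/html/index.html`, so the validator parses an HTML page as an httpd configuration file; it will reject the page, or if it ever passed it would prove nothing about it. `httpd -t -f %s` belongs on the task that templates `httpd.conf` (outside this hunk); for the HTML page drop the `validate` line. The second hunk removes `Listen 443` from `httpd.conf.j2` for the second time in this series (PATCH 054 removed it, PATCH 055 restored it); with `mod_ssl` installed the stock `ssl.conf` usually carries its own `Listen 443`, so a comment in the template stating where the port is bound would stop the flip-flop.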
@@ -14,7 +14,6 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf - mode: 0644 owner: haproxy group: haproxy From 9291d2bf57c020c0388885294a273e0ff8dbdcca Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:21:21 +0200 Subject: [PATCH 059/108] asdffasfd --- roles/haproxy/tasks/keepalived.yml | 1 + roles/haproxy/templates/keepalived.conf.j2 | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/haproxy/tasks/keepalived.yml b/roles/haproxy/tasks/keepalived.yml index 27d408b..d60e6ce 100644 --- a/roles/haproxy/tasks/keepalived.yml +++ b/roles/haproxy/tasks/keepalived.yml @@ -14,6 +14,7 @@ template: src: keepalived.conf.j2 dest: /etc/keepalived/keepalived.conf + validate: keepalived -t -f %s mode: 0644 owner: haproxy group: haproxy diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 8c963df..9d548ca 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -1,5 +1,5 @@ vrrp_script chk_haproxy { - script "killall -0 haproxy" + script "pidof haproxy" interval 2 # check every 2 seconds weight 2 # add 2 points of prio if OK } From e3fe16d4882fd82788001a72fb5deb19a9a09020 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:23:39 +0200 Subject: [PATCH 060/108] asdf --- roles/haproxy/templates/keepalived.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 9d548ca..3417061 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -1,5 +1,6 @@ vrrp_script chk_haproxy { script "pidof haproxy" + script_security 1 interval 2 # check every 2 seconds weight 2 # add 2 points of prio if OK } From a52bd62ccbd138a00b77047bdbc129673b6c5474 Mon Sep 17 00:00:00 2001 
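Review bot: `script_security 1` is not a `vrrp_script` keyword; keepalived's script hardening is the global `enable_script_security` setting (the next commit moves it to `global_defs`), and the per-script counterpart is `user <name>` inside the vrrp_script block, which is what actually keeps `pidof haproxy` from running as root. As written keepalived will reject or warn on the unknown keyword depending on version. The vrrp_script block is complete within the hunk.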
From: yoav-katz Date: Mon, 18 Nov 2024 15:28:18 +0200 Subject: [PATCH 061/108] adfasdf --- roles/haproxy/templates/keepalived.conf.j2 | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 3417061..c6a07a5 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -1,6 +1,9 @@ +global_defs { + enable_script_security +} + vrrp_script chk_haproxy { script "pidof haproxy" - script_security 1 interval 2 # check every 2 seconds weight 2 # add 2 points of prio if OK } From cbb896fcaf272b3cd25ec7fa6296bd684b8abc2b Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:35:46 +0200 Subject: [PATCH 062/108] asfdsa --- roles/haproxy/templates/keepalived.conf.j2 | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index c6a07a5..085c7e8 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 @@ -1,10 +1,5 @@ -global_defs { - enable_script_security -} - -vrrp_script chk_haproxy { - script "pidof haproxy" - interval 2 # check every 2 seconds +vrrp_track_process track_haproxy { + process haproxy weight 2 # add 2 points of prio if OK } @@ -31,6 +26,6 @@ vrrp_instance VI_1 { } track_script { - chk_haproxy + track_haproxy } } \ No newline at end of file From cf5d50778818436924e93ea7a67e3608a4685033 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 15:38:37 +0200 Subject: [PATCH 063/108] asdfd --- roles/haproxy/templates/keepalived.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/keepalived.conf.j2 b/roles/haproxy/templates/keepalived.conf.j2 index 085c7e8..c6d15e2 100644 --- a/roles/haproxy/templates/keepalived.conf.j2 +++ b/roles/haproxy/templates/keepalived.conf.j2 
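Review bot: With `enable_script_security` set and no `script_user` in `global_defs`, keepalived uses the `keepalived_script` account if it exists and otherwise runs `pidof haproxy` as root, as far as I recall; adding `script_user <unprivileged account>` next to it makes the intent explicit. `pidof` also has no absolute path; under script security keepalived checks the ownership of the resolved script file, so an absolute path such as `/usr/sbin/pidof` (verify on the target distro) avoids PATH ambiguity. The vrrp_script block is complete within the hunk.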
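Review bot: The new `vrrp_track_process track_haproxy` block is still referenced from `track_script { track_haproxy }` in the second hunk; a process tracker is attached with `track_process { }`, so keepalived will not accept this config until the next commit changes the keyword. A `quorum` line stating how many haproxy processes count as healthy would make the tracker explicit; the default is one matching process, if I remember correctly. The vrrp_instance block continues outside the hunk.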
@@ -25,7 +25,7 @@ vrrp_instance VI_1 { {% endfor %} } - track_script { + track_process { track_haproxy } } \ No newline at end of file From 782f5f89c48f1ffa26b14ae06a56710849193bdb Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 16:05:28 +0200 Subject: [PATCH 064/108] adfsa --- roles/certificates/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 5a67f20..cd50d3e 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -9,6 +9,10 @@ community.crypto.openssl_privatekey_pipe: register: host_private_key +- name: Debug + debug: + msg: "IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" + - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" From 7602e8e825ecf3fc0f168e0186461018dcffd2f4 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 16:55:49 +0200 Subject: [PATCH 065/108] asdfsadf --- roles/apache/tasks/main.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml index 6b6a6ee..0a95b7a 100644 --- a/roles/apache/tasks/main.yml +++ b/roles/apache/tasks/main.yml @@ -26,7 +26,6 @@ template: src: index.html.j2 dest: /var/www/html/index.html - validate: httpd -t -f %s mode: 0644 owner: apache group: apache From 684ade67adbaa7dd970715adbae6529e935be98d Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 17:41:48 +0200 Subject: [PATCH 066/108] sadffafdsa --- roles/haproxy/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index cd6f7df..f8164e0 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml 
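Review bot: The new `Debug` task prints on every run and has no `verbosity` gate; `verbosity: 1` keeps it quiet unless the playbook runs with `-v`, or drop it once the SAN string is confirmed (commit 070 removes it and commit 081 adds it back). The variable is spelled `subjet_alt_names` here and in the CSR task below, so the typo is at least consistent, but a `set_fact` computing the SAN string once and used by both the debug and the `openssl_csr_pipe` task would stop the duplicated expression from drifting. The task list continues outside the hunk.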
@@ -11,7 +11,7 @@ - name: Generate HAProxy configuration template: src: haproxy.conf.j2 - dest: /etc/haproxy/haproxy.conf + dest: /etc/haproxy/haproxy.cnf validate: haproxy -c -f %s mode: 0644 owner: haproxy From c28e25cd3ab04961f0c67bb2e1530f1671f6628a Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 17:44:05 +0200 Subject: [PATCH 067/108] asdfsadF --- roles/haproxy/tasks/main.yml | 2 +- roles/haproxy/templates/haproxy.conf.j2 | 5 ++--- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml index f8164e0..94e768c 100644 --- a/roles/haproxy/tasks/main.yml +++ b/roles/haproxy/tasks/main.yml @@ -11,7 +11,7 @@ - name: Generate HAProxy configuration template: src: haproxy.conf.j2 - dest: /etc/haproxy/haproxy.cnf + dest: /etc/haproxy/haproxy.cfg validate: haproxy -c -f %s mode: 0644 owner: haproxy diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index eef63a5..5d37eff 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -4,7 +4,6 @@ global group haproxy daemon maxconn 4000 - ca-base /etc/ssl/certs defaults log global 
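Review bot: `/etc/haproxy/haproxy.cfg` is the path the stock haproxy unit reads, so this corrects the `.cnf` dest from the previous commit; the context lines still set `owner: haproxy` with `mode: 0644`. HAProxy's master process reads the config as root before dropping to the `haproxy` user, so the file does not need to be owned by the service account; root-owned with `mode: "0644"` (quoted) keeps the service account from altering what the root process loads on the next reload. The `validate: haproxy -c -f %s` line is a good safeguard and worth keeping.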
@@ -28,10 +27,10 @@ frontend ha-front-ssl backend be_roundrobin balance roundrobin {% for server in groups['haproxy'] %} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem {% endfor %} {% for server in groups['haproxy'] %} backend be_{{ hostvars[server].ansible_nodename }} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file ca.crt + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem {% endfor %} \ No newline at end of file From 3aa49eff9435e426a64fa47bc32fa82881570c79 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 20:21:13 +0200 Subject: [PATCH 068/108] asdfsafd --- roles/certificates/tasks/main.yml | 4 ++-- roles/haproxy/templates/haproxy.conf.j2 | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index cd50d3e..b8019ac 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -37,14 +37,14 @@ file: path: /etc/ssl/private/ state: directory - mode: 0700 + mode: 0744 - name: Assemble private key and certificate into PEM file copy: content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}" dest: /etc/ssl/private/server.pem - mode: 0600 + mode: 0644 notify: "{{ handler_to_notify }}" - name: Copy certificate to trusted anchors directory diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 5d37eff..8d1009b 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 
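Review bot: `ca-file /etc/ssl/private/server.pem` points backend verification at the proxy's own key-plus-certificate bundle rather than at the issuing CA; `verify required` then only succeeds if every backend presents exactly that certificate, and a file holding a private key should not be handed to HAProxy as a trust anchor at all. The CA certificate that signed the backend certificates is the right `ca-file` (commit 073 switches to `/etc/pki/ca-trust/source/anchors/root-CA.crt`). The server loops also iterate `groups['haproxy']`, so each proxy lists the proxies as backends; the webserver group is presumably the intended target (commit 072 changes it). The backend block begins outside the hunk.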
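Review bot: `server.pem` is assembled from `host_private_key.privatekey` plus the certificate, so `mode: 0644` makes the TLS private key readable by every local account, and `0744` on `/etc/ssl/private/` lets any user traverse into it; the previous `0700`/`0600` was the correct posture for a key file. If the change is meant to let the `haproxy` or `apache` service read the key, grant that with `group: <service group>` and `mode: "0640"` (quoted, to avoid the YAML octal ambiguity) rather than world-read; HAProxy in particular loads the `crt` as root before dropping privileges, so it does not need the wider mode at all. The file task's `- name:` line is outside the hunk.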
@@ -20,14 +20,14 @@ frontend ha-front-ssl option forwardfor default_backend be_roundrobin {% for server in groups['haproxy'] %} - use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } + use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } {% endfor %} # Backend Configuration backend be_roundrobin balance roundrobin {% for server in groups['haproxy'] %} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem {% endfor %} {% for server in groups['haproxy'] %} From f7bb6523237c8133bd05a9bce61b316139ff73c3 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 20:25:55 +0200 Subject: [PATCH 069/108] a --- roles/haproxy/templates/haproxy.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 8d1009b..348b863 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -4,6 +4,7 @@ global group haproxy daemon maxconn 4000 + tune.ssl.default-dh-param 1024 defaults log global From 6105c24208bc32cfe808e754597df020ed54cd4b Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 20:28:38 +0200 Subject: [PATCH 070/108] asdf --- roles/certificates/tasks/main.yml | 4 ---- 1 file changed, 4 deletions(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index b8019ac..512acda 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml 
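Review bot: `tune.ssl.default-dh-param 1024` configures 1024-bit DHE parameters, which current guidance treats as too weak; 2048 is the floor (commit 075 raises it to that). The parameter only matters when DHE ciphers are negotiated, so pairing it with `ssl-default-bind-ciphers` / `ssl-default-bind-options` lines that prefer ECDHE and disable pre-TLS1.2 protocols would make the global section's TLS posture explicit instead of relying on the HAProxy build defaults. The `global` section continues outside the hunk.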
@@ -9,10 +9,6 @@ community.crypto.openssl_privatekey_pipe: register: host_private_key -- name: Debug - debug: - msg: "IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" - - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" From 70207df83328b29e2a3d2d41f2d628b59c40cf98 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 20:53:05 +0200 Subject: [PATCH 071/108] asdfasdf --- roles/haproxy/templates/haproxy.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 348b863..5496d82 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -21,7 +21,7 @@ frontend ha-front-ssl option forwardfor default_backend be_roundrobin {% for server in groups['haproxy'] %} - use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) hostvars[server].ansible_fqdn } + use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) {{ hostvars[server].ansible_fqdn }} } {% endfor %} # Backend Configuration From b28dd710bd3965e4be0034b5dbed9d0f7f60a427 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 21:20:29 +0200 Subject: [PATCH 072/108] asdfsaf --- roles/haproxy/templates/haproxy.conf.j2 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 5496d82..aedf28e 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 
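Review bot: `{ req.hdr(host) {{ hostvars[server].ansible_fqdn }} }` performs an exact, case-sensitive string match on the Host header, so `Example.COM` or a `host:port` form never selects the backend; `hdr(host) -i ...` or `req.hdr(host),lower,field(1,:)` against the expected name is the usual form (commit 074 adds `-i`). Adding the missing `{{ }}` around the fqdn is the real fix here and is correct. The frontend block continues outside the hunk.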
@@ -20,18 +20,18 @@ frontend ha-front-ssl mode http option forwardfor default_backend be_roundrobin - {% for server in groups['haproxy'] %} + {% for server in groups['webserver'] %} use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) {{ hostvars[server].ansible_fqdn }} } {% endfor %} # Backend Configuration backend be_roundrobin balance roundrobin - {% for server in groups['haproxy'] %} + {% for server in groups['webserver'] %} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem {% endfor %} -{% for server in groups['haproxy'] %} +{% for server in groups['webserver'] %} backend be_{{ hostvars[server].ansible_nodename }} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem {% endfor %} \ No newline at end of file From 5e7c989460543b93e04201e572854438597924c5 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 21:28:30 +0200 Subject: [PATCH 073/108] d --- roles/haproxy/templates/haproxy.conf.j2 | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index aedf28e..df0d712 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 
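Review bot: `{{ hostvars[server].inventory_hostname }}` is used as the server address, which works only while inventory entries are IP addresses; `{{ hostvars[server].ansible_host | default(server) }}` keeps the template working if a host is ever listed by name. The three loops now agree on `groups['webserver']`, which is right, but the `server ... ssl verify required ca-file ...` line is repeated verbatim in two loops; a `{% set server_opts = "..." %}` near the top would keep the two from drifting. The frontend block starts outside the hunk.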
@@ -28,10 +28,10 @@ frontend ha-front-ssl backend be_roundrobin balance roundrobin {% for server in groups['webserver'] %} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt {% endfor %} {% for server in groups['webserver'] %} backend be_{{ hostvars[server].ansible_nodename }} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/ssl/private/server.pem + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt {% endfor %} \ No newline at end of file From 948016901dd04bf2ea7dd7a11b01fee35a660361 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 21:42:21 +0200 Subject: [PATCH 074/108] adgadsf --- roles/haproxy/templates/haproxy.conf.j2 | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index df0d712..5a90c48 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -19,9 +19,10 @@ frontend ha-front-ssl bind *:443 ssl crt /etc/ssl/private/server.pem mode http option forwardfor + option http-tunnel default_backend be_roundrobin {% for server in groups['webserver'] %} - use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) {{ hostvars[server].ansible_fqdn }} } + use_backend be_{{ hostvars[server].ansible_nodename }} if { hdr(host) -i {{ hostvars[server].ansible_fqdn }} } {% endfor %} # Backend Configuration From 007ce92228e1e639215325cffa957c52ac0e0744 Mon Sep 17 00:00:00 2001 
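Review bot: `verify required ca-file .../root-CA.crt` now checks the backend chain against the CA, but without `sni` or `verifyhost` on the `server` line HAProxy does not check that the presented certificate names the backend it is talking to, so any host holding a certificate from the same CA passes, as far as I recall; `sni str({{ hostvars[server].ansible_fqdn }}) verifyhost {{ hostvars[server].ansible_fqdn }}` ties the check to the named peer, and the certificates role puts each host's fqdn in its SAN. The same applies to the per-server backend line in this hunk. The backend block begins outside the hunk.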
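Review bot: `option http-tunnel` makes HAProxy stop analysing the connection after the first request, so the per-request `use_backend ... hdr(host)` routing on the following lines only applies to the first request of each keep-alive connection; later requests on that connection follow the first one's backend. The option was deprecated in the 1.x line and removed in 2.1, if I remember correctly, so the config would not load on a current release; drop it (commit 076 does). The frontend block starts outside the hunk.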
From: yoav-katz Date: Mon, 18 Nov 2024 21:48:11 +0200 Subject: [PATCH 075/108] asdfsdf --- roles/haproxy/templates/haproxy.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 5a90c48..744ff06 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -4,7 +4,7 @@ global group haproxy daemon maxconn 4000 - tune.ssl.default-dh-param 1024 + tune.ssl.default-dh-param 2048 defaults log global From 44d188de928448502f8fd4dd7131498d431c8780 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:11:04 +0200 Subject: [PATCH 076/108] AFDsdf --- roles/haproxy/templates/haproxy.conf.j2 | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 744ff06..e8b6753 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -8,9 +8,7 @@ global defaults log global - mode http - option httplog - option dontlognull + mode tcp timeout connect 5000 timeout client 50000 timeout server 50000 
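Review bot: Setting `mode tcp` in `defaults` while the frontend keeps `mode http` (second hunk of this commit) makes every backend that does not state its own mode a TCP backend behind an HTTP frontend, which HAProxy reports as incompatible modes at config-check time, as far as I recall. Removing `option httplog` and `option dontlognull` also drops request-level logging (method, path, status, chosen backend) to connection-level TCP logging, a loss for troubleshooting and for any detection built on proxy logs; if the goal is SNI passthrough, keep `httplog` in a separate `defaults` section for the HTTP listeners. The defaults block continues outside the hunk.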
@@ -19,20 +17,19 @@ frontend ha-front-ssl bind *:443 ssl crt /etc/ssl/private/server.pem mode http option forwardfor - option http-tunnel default_backend be_roundrobin {% for server in groups['webserver'] %} - use_backend be_{{ hostvars[server].ansible_nodename }} if { hdr(host) -i {{ hostvars[server].ansible_fqdn }} } + use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} } {% endfor %} # Backend Configuration backend be_roundrobin balance roundrobin {% for server in groups['webserver'] %} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check {% endfor %} {% for server in groups['webserver'] %} backend be_{{ hostvars[server].ansible_nodename }} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 check ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt + server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check {% endfor %} \ No newline at end of file From a8849abfa6d5bab4e10ea8381aedb86719691ec1 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:14:23 +0200 Subject: [PATCH 077/108] adf --- roles/haproxy/templates/haproxy.conf.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index e8b6753..aa61362 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -8,7 +8,7 @@ global defaults log global - mode tcp + mode http timeout connect 5000 timeout client 50000 timeout server 50000 
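Review bot: `req.ssl_sni` reads the SNI from an unencrypted ClientHello during TCP content inspection; on a `bind *:443 ssl` frontend HAProxy has already terminated TLS, so `req.ssl_sni` is never populated, every `use_backend` rule here fails, and all traffic lands on `default_backend be_roundrobin`. For a terminated listener the SNI is exposed as `ssl_fc_sni`, so `if { ssl_fc_sni -i {{ hostvars[server].ansible_fqdn }} }` is the matching form; alternatively keep matching the Host header. Moving `check` to the end of the `server` lines is cosmetic. The frontend line is only in the hunk header.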
From 9637e1aef974f6f1c9d9a0be297b9f603686a8e0 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:34:15 +0200 Subject: [PATCH 078/108] adgadffsf --- playbook.yml | 4 ++-- roles/certificates/tasks/main.yml | 2 +- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/playbook.yml b/playbook.yml index f7a2cf8..1f26396 100644 --- a/playbook.yml +++ b/playbook.yml @@ -7,9 +7,9 @@ vars: keepalived_ip: 192.168.0.6 tasks: - - name: Set subjet_alt_names + - name: Set subjet_alt_name set_fact: - subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" + subjet_alt_name: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" when: "'haproxy' in group_names" - name: Import apache Role diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index 512acda..dc6b203 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -13,7 +13,7 @@ community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" - subject_alt_name: "IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" + subject_alt_name: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" subject_alt_name_critical: true organization_name: "{{ organization_details.name }}" locality_name: "{{ organization_details.locality }}" From b996ee3c7f1888a8e3406dbf77334c883c1786d0 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:38:13 +0200 Subject: [PATCH 079/108] adsadf --- playbook.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
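Review bot: Renaming the fact to `subjet_alt_name` in `playbook.yml` while the certificates task in the second hunk still reads `subjet_alt_names` means the haproxy hosts' extra SANs silently fall back to `default('')`, so the VIP certificate no longer covers the webserver names or `keepalived_ip`; producer and consumer must use one spelling (the series settles on `subject_alt_names` in commit 082). `DNS:keepalived.com` is a public domain name the project presumably does not control; a name under a domain you own, or a reserved one such as `keepalived.test`, avoids issuing a certificate for someone else's name. `DNS:localhost` on every host's certificate is harmless for local health checks but widens what each certificate vouches for, so a comment naming the client that needs it would help.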
diff --git a/playbook.yml b/playbook.yml index 1f26396..95d20db 100644 --- a/playbook.yml +++ b/playbook.yml @@ -9,7 +9,7 @@ tasks: - name: Set subjet_alt_name set_fact: - subjet_alt_name: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" + subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" when: "'haproxy' in group_names" - name: Import apache Role From b5d7f772b9fc5cb7620dc52aa8ebdcb16d448afd Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:38:38 +0200 Subject: [PATCH 080/108] Asfd --- roles/certificates/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index dc6b203..ea39384 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -13,7 +13,7 @@ community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" common_name: "{{ ansible_fqdn }}" - subject_alt_name: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subjet_alt_names is defined }}{{ subjet_alt_names | default('') }}" + subject_alt_name: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}" subject_alt_name_critical: true organization_name: "{{ organization_details.name }}" locality_name: "{{ organization_details.locality }}" From 0d6e5b7e96c1c3bde9d382746865a79cd188c703 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 22:43:36 +0200 Subject: [PATCH 081/108] asdfsf --- roles/certificates/tasks/main.yml | 4 ++++ 1 file changed, 4 insertions(+) 
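Review bot: This hunk reads `subject_alt_names`, but the playbook hunk just before it (commit 079) sets `subjet_alt_names`, so the extra SANs for the haproxy hosts are dropped again until commit 082 aligns the playbook; landing the producer and consumer rename in one commit avoids the certificate being regenerated with a truncated SAN in between. `subject_alt_name_critical: true` in the context is a sound choice given the CN is also listed in the SAN. The CSR task's `- name:` line is outside the hunk.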
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml index ea39384..047f029 100644 --- a/roles/certificates/tasks/main.yml +++ b/roles/certificates/tasks/main.yml @@ -9,6 +9,10 @@ community.crypto.openssl_privatekey_pipe: register: host_private_key +- name: debug + debug: + msg: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}" + - name: Generate CSR community.crypto.openssl_csr_pipe: privatekey_content: "{{ host_private_key.privatekey }}" From e493053e001a4b8ed87a2def6834eea19e18dc35 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 23:00:42 +0200 Subject: [PATCH 082/108] adsasdf --- playbook.yml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/playbook.yml b/playbook.yml index 95d20db..0fef617 100644 --- a/playbook.yml +++ b/playbook.yml @@ -7,9 +7,9 @@ vars: keepalived_ip: 192.168.0.6 tasks: - - name: Set subjet_alt_name + - name: Set subject_alt_names set_fact: - subjet_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" + subject_alt_names: "{{ groups['webserver'] | map('extract', hostvars, 'ansible_fqdn') | map('regex_replace', '^(.*)$', 'DNS:\\1') | join(',') }},DNS:keepalived.com,IP:{{ keepalived_ip }}" when: "'haproxy' in group_names" - name: Import apache Role From 8a92679ce98c76d91d38afa9069f6f2356f051a6 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 23:08:52 +0200 Subject: [PATCH 083/108] asdfsF --- roles/haproxy/templates/haproxy.conf.j2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index aa61362..8031058 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 
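Review bot: The re-added `debug` task repeats the full SAN expression from the `openssl_csr_pipe` task below it; a `set_fact: host_subject_alt_name: "..."` computed once, then `msg: "{{ host_subject_alt_name }}"` and `subject_alt_name: "{{ host_subject_alt_name }}"`, keeps the two from drifting and makes the debug output exactly what gets signed. Give the task `verbosity: 1` so normal runs stay quiet. The task list continues outside the hunk.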
@@ -15,8 +15,7 @@ defaults frontend ha-front-ssl bind *:443 ssl crt /etc/ssl/private/server.pem - mode http - option forwardfor + mode tcp default_backend be_roundrobin {% for server in groups['webserver'] %} use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} } From e591ee598cbd5f39a413398c564fee0d17e61092 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 23:13:37 +0200 Subject: [PATCH 084/108] asdfs --- roles/haproxy/templates/haproxy.conf.j2 | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 8031058..166da03 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -16,9 +16,11 @@ defaults frontend ha-front-ssl bind *:443 ssl crt /etc/ssl/private/server.pem mode tcp + option ssl-hello-chk default_backend be_roundrobin + tcp-request inspect-delay 5s # Allow time to inspect the SNI during the handshake {% for server in groups['webserver'] %} - use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} } + tcp-request content accept if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn}} } {% endfor %} # Backend Configuration From 91a4971577f9d69de5ed66a5239b5a9c0847df22 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 23:16:10 +0200 Subject: [PATCH 085/108] asdfsaf --- roles/haproxy/templates/haproxy.conf.j2 | 9 ++------- 1 file changed, 2 insertions(+), 7 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 166da03..7e372f0 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -1,5 +1,5 @@ global - log 127.0.0.1 local2 + log /dev/log local0 debug user haproxy group haproxy daemon 
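Review bot: `tcp-request content accept if { req.ssl_sni -i ... }` only decides whether a connection is accepted; it does not select a backend, so after this change every accepted connection goes to `default_backend be_roundrobin`, and connections whose SNI matches nothing still proceed once the 5s `inspect-delay` expires because no reject rule follows. `req.ssl_sni` is also still unusable here: `bind *:443 ssl` terminates TLS, so content inspection never sees the ClientHello (drop `ssl` for true passthrough, or use `ssl_fc_sni`). `option ssl-hello-chk` is a backend health-check option with no effect in a frontend, and `{{ hostvars[server].ansible_fqdn}}` lost the space before `}}`. The frontend block continues outside the hunk.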
@@ -28,9 +28,4 @@ backend be_roundrobin balance roundrobin {% for server in groups['webserver'] %} server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check - {% endfor %} - -{% for server in groups['webserver'] %} -backend be_{{ hostvars[server].ansible_nodename }} - server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check -{% endfor %} \ No newline at end of file + {% endfor %} \ No newline at end of file From cd2a057d988a21060fb3761a9a7fd9e174f30fd2 Mon Sep 17 00:00:00 2001 From: yoav-katz Date: Mon, 18 Nov 2024 23:17:42 +0200 Subject: [PATCH 086/108] ASdfasf --- roles/haproxy/templates/haproxy.conf.j2 | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2 index 7e372f0..aa61362 100644 --- a/roles/haproxy/templates/haproxy.conf.j2 +++ b/roles/haproxy/templates/haproxy.conf.j2 @@ -1,5 +1,5 @@ global - log /dev/log local0 debug + log 127.0.0.1 local2 user haproxy group haproxy daemon @@ -15,12 +15,11 @@ defaults frontend ha-front-ssl bind *:443 ssl crt /etc/ssl/private/server.pem - mode tcp - option ssl-hello-chk + mode http + option forwardfor default_backend be_roundrobin - tcp-request inspect-delay 5s # Allow time to inspect the SNI during the handshake {% for server in groups['webserver'] %} - tcp-request content accept if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn}} } + use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} } {% endfor %} # Backend Configuration 
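Review bot: `log 127.0.0.1 local2` sends syslog over UDP to the loopback, which only works if a syslog daemon listens on 127.0.0.1:514 on the proxy hosts; nothing in the roles shown configures that, so this likely drops logs silently, whereas the `/dev/log` target it replaces works with the default journald/rsyslog socket. Keep `/dev/log` (at `info`, not `debug`) unless a task sets up the UDP listener. The restored `use_backend ... req.ssl_sni` lines have the problem noted on commit 076: the fetch is empty after TLS termination, and `ssl_fc_sni` is the terminated-listener equivalent. The frontend block continues outside the hunk.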
@@ -28,4 +27,9 @@ backend be_roundrobin
 balance roundrobin
 {% for server in groups['webserver'] %}
 server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
- {% endfor %}
\ No newline at end of file
+ {% endfor %}
+
+{% for server in groups['webserver'] %}
+backend be_{{ hostvars[server].ansible_nodename }}
+ server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
+{% endfor %}
\ No newline at end of file
From 00bb34799102aae967a623461bb59088da257763 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 23:21:59 +0200
Subject: [PATCH 087/108] sadfasdfsFD

---
 roles/haproxy/templates/haproxy.conf.j2 | 8 --------
 1 file changed, 8 deletions(-)

diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index aa61362..2d2300d 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -17,18 +17,10 @@ frontend ha-front-ssl
 bind *:443 ssl crt /etc/ssl/private/server.pem
 mode http
 option forwardfor
- default_backend be_roundrobin
 {% for server in groups['webserver'] %}
 use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} }
 {% endfor %}
-# Backend Configuration
-backend be_roundrobin
- balance roundrobin
- {% for server in groups['webserver'] %}
- server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
- {% endfor %}
-
 {% for server in groups['webserver'] %}
 backend be_{{ hostvars[server].ansible_nodename }}
 server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
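Review bot: With `default_backend be_roundrobin` gone, a request whose name matches none of the `use_backend` ACLs is now answered by HAProxy with a 503 instead of being pooled, which may be intended but deserves a comment such as `# no default_backend: unknown hosts are rejected with 503`. In this `mode http` frontend, though, `req.ssl_sni` is evaluated after `bind … ssl` has already terminated TLS and never sees a ClientHello, so the ACLs cannot match and, with no default left, every request is refused. Match on `ssl_fc_sni` (the name negotiated on the terminated connection) or on the HTTP `Host` header via `req.hdr(host)` instead. The `frontend ha-front-ssl` header sits above the hunk.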
From 5645e80802ff9e4531afad7de3d3bfc2d5d3ad0f Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 23:28:43 +0200
Subject: [PATCH 088/108] Asdfsaf

---
 roles/haproxy/templates/haproxy.conf.j2 | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 2d2300d..4e1d61b 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -1,5 +1,6 @@
 global
- log 127.0.0.1 local2
+ log 127.0.0.1 local0
+ log /dev/log local0 info
 user haproxy
 group haproxy
 daemon
@@ -8,6 +9,8 @@ global
 defaults
 log global
+ option httplog
+ option dontlognull
 mode http
 timeout connect 5000
 timeout client 50000
From 6b916d0b856d21a452d423200f9af7efdb441a0a Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 23:30:34 +0200
Subject: [PATCH 089/108] Asdfasfd

---
 roles/apache/tasks/main.yml | 4 ----
 roles/haproxy/tasks/main.yml | 3 ---
 2 files changed, 7 deletions(-)

diff --git a/roles/apache/tasks/main.yml b/roles/apache/tasks/main.yml
index 0a95b7a..4f6698c 100644
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@@ -1,8 +1,4 @@
 ---
-- name: Call Certificate Role
- include_role:
- name: "certificates"
-
 - name: Ensure httpd and his required packages ares installed.
 dnf:
 name:
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 94e768c..61244a3 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,7 +1,4 @@
 ---
-- name: Call Certificate Role
- include_role:
- name: "certificates"
 - name: Ensure HAProxy is installed.
 dnf:
From de4bfbc0c4fd9dbcbac1d95dcbd939686eabb7f8 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 23:46:55 +0200
Subject: [PATCH 090/108] Adfsaf

---
 roles/haproxy/templates/haproxy.conf.j2 | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)
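Review bot: Removing `include_role: certificates` from `roles/haproxy/tasks/main.yml` leaves nothing in this role that provisions `/etc/ssl/private/server.pem` or the `ca-file` the template references, yet the template task's `validate: haproxy -c -f %s` still needs both files present or the role fails. If the certificates role is now applied from the playbook (not visible here), record that as `dependencies: [certificates]` in `roles/haproxy/meta/main.yml`, and likewise for apache, so each role stays usable on its own and the ordering is explicit rather than implicit. The `- name: Ensure HAProxy is installed.` task continues past the end of the hunk.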
diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 4e1d61b..1cc5408 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -1,6 +1,5 @@
 global
- log 127.0.0.1 local0
- log /dev/log local0 info
+ log 127.0.0.1 local0 info
 user haproxy
 group haproxy
 daemon
@@ -21,7 +20,7 @@ frontend ha-front-ssl
 mode http
 option forwardfor
 {% for server in groups['webserver'] %}
- use_backend be_{{ hostvars[server].ansible_nodename }} if { req.ssl_sni -i {{ hostvars[server].ansible_fqdn }} }
+ use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) -i {{ hostvars[server].ansible_fqdn }} }
 {% endfor %}
 {% for server in groups['webserver'] %}
From 97184ff518d8a869764812045a501a909dff8884 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Mon, 18 Nov 2024 23:56:20 +0200
Subject: [PATCH 091/108] asdfsfd

---
 roles/haproxy/templates/haproxy.conf.j2 | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 1cc5408..5a7d3b9 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -1,5 +1,5 @@
 global
- log 127.0.0.1 local0 info
+ log /dev/log local0 info
 user haproxy
 group haproxy
 daemon
@@ -8,7 +8,6 @@ global
 defaults
 log global
- option httplog
 option dontlognull
 mode http
 timeout connect 5000
@@ -17,10 +16,10 @@ defaults
 frontend ha-front-ssl
 bind *:443 ssl crt /etc/ssl/private/server.pem
- mode http
- option forwardfor
+ mode tcp
+ option tcplog
 {% for server in groups['webserver'] %}
- use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) -i {{ hostvars[server].ansible_fqdn }} }
+ use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(hosgt) -i {{ hostvars[server].ansible_fqdn }} }
 {% endfor %}
 {% for server in groups['webserver'] %}
From abd94e01d14b5cb1c2e49958a11331262f87adf7 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 00:01:13 +0200
Subject: [PATCH 092/108] asdfasfd

---
 roles/haproxy/templates/haproxy.conf.j2 | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 5a7d3b9..36e3e3c 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -19,7 +19,7 @@ frontend ha-front-ssl
 mode tcp
 option tcplog
 {% for server in groups['webserver'] %}
- use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(hosgt) -i {{ hostvars[server].ansible_fqdn }} }
+ use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) -i {{ hostvars[server].ansible_fqdn }} }
 {% endfor %}
 {% for server in groups['webserver'] %}
From 346653ba9ac28b001635d51709c35403fe130734 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 00:05:29 +0200
Subject: [PATCH 093/108] asdfsadf

---
 roles/haproxy/tasks/main.yml | 1 -
 roles/haproxy/templates/haproxy.conf.j2 | 4 ++--
 2 files changed, 2 insertions(+), 3 deletions(-)

diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 61244a3..02788c0 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -1,5 +1,4 @@
 ---
-
 - name: Ensure HAProxy is installed.
 dnf:
 name: haproxy
diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 36e3e3c..08cb672 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -19,10 +19,10 @@ frontend ha-front-ssl
 mode tcp
 option tcplog
 {% for server in groups['webserver'] %}
- use_backend be_{{ hostvars[server].ansible_nodename }} if { req.hdr(host) -i {{ hostvars[server].ansible_fqdn }} }
+ use_backend %[req.hdr(host),lower]
 {% endfor %}
 {% for server in groups['webserver'] %}
-backend be_{{ hostvars[server].ansible_nodename }}
+backend {{ hostvars[server].ansible_fqdn }}
 server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
 {% endfor %}
\ No newline at end of file
From 3794860950cc23ff2d3250b6f214d5395f55e6f8 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 00:28:26 +0200
Subject: [PATCH 094/108] adsfsfd

---
 roles/haproxy/templates/haproxy.conf.j2 | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.conf.j2
index 08cb672..b031b6b 100644
--- a/roles/haproxy/templates/haproxy.conf.j2
+++ b/roles/haproxy/templates/haproxy.conf.j2
@@ -18,11 +18,15 @@ frontend ha-front-ssl
 bind *:443 ssl crt /etc/ssl/private/server.pem
 mode tcp
 option tcplog
+ http-request set-header X-Forwarded-For %[src]
+ http-request add-header X-Forwarded-Proto https
+ option http-server-close
 {% for server in groups['webserver'] %}
- use_backend %[req.hdr(host),lower]
+ acl url_{{ hostvars[server].ansible_nodename }} hdr(host) -i {{ hostvars[server].ansible_fqdn }}
+ use_backend be_{{ hostvars[server].ansible_nodename }} if url_{{ hostvars[server].ansible_nodename }}
 {% endfor %}
 {% for server in groups['webserver'] %}
-backend {{ hostvars[server].ansible_fqdn }}
+backend be_{{ hostvars[server].ansible_nodename }}
 server {{ hostvars[server].ansible_nodename }} {{ hostvars[server].inventory_hostname }}:443 ssl verify required ca-file /etc/pki/ca-trust/source/anchors/root-CA.crt check
 {% endfor %}
\ No newline at end of file
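Review bot: The frontend is still `mode tcp`, so the `http-request set-header` lines, `option http-server-close` and the `hdr(host)` ACLs added here are layer-7 rules that HAProxy warns are ignored in a TCP frontend and never applies; host-based routing needs `mode http` on the frontend (the `defaults` section already has it), whose `frontend ha-front-ssl` header sits above the hunk. `http-request add-header X-Forwarded-Proto https` appends rather than replaces, so a client-supplied `X-Forwarded-Proto` still reaches the backend alongside it; use `http-request set-header X-Forwarded-Proto https`, as is already done for `X-Forwarded-For`. The backend `server … ssl verify required ca-file …` lines verify the chain but not the name, so any certificate issued by the internal CA, including another webserver's, is accepted for any backend; add `verifyhost {{ hostvars[server].ansible_fqdn }}` (or `sni str({{ hostvars[server].ansible_fqdn }})`) to each server line to pin it.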
From 1014e82da4c363170fda772158e5a63ff9264606 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 19:58:03 +0200
Subject: [PATCH 095/108] asdfsafd

---
 roles/haproxy/defaults/main.yml | 2 +-
 roles/haproxy/templates/{haproxy.conf.j2 => haproxy.cfg.j2} | 0
 2 files changed, 1 insertion(+), 1 deletion(-)
 rename roles/haproxy/templates/{haproxy.conf.j2 => haproxy.cfg.j2} (100%)

diff --git a/roles/haproxy/defaults/main.yml b/roles/haproxy/defaults/main.yml
index 2b16fab..ce37408 100644
--- a/roles/haproxy/defaults/main.yml
+++ b/roles/haproxy/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 # defaults file for haproxy
 keepalived_ip: 192.168.0.6
-keepalived_subnet: 29
+keepalived_subnet: 28
 keepalived_auth_pass: "1111"
diff --git a/roles/haproxy/templates/haproxy.conf.j2 b/roles/haproxy/templates/haproxy.cfg.j2
similarity index 100%
rename from roles/haproxy/templates/haproxy.conf.j2
rename to roles/haproxy/templates/haproxy.cfg.j2
From abe0f36be54d5aa86beeb40ff99d128beb1d5010 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 20:08:25 +0200
Subject: [PATCH 096/108] SAdfsaf

---
 roles/haproxy/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 02788c0..adbb481 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
@@ -6,7 +6,7 @@
 - name: Generate HAProxy configuration
 template:
- src: haproxy.conf.j2
+ src: haproxy.cfg.j2
 dest: /etc/haproxy/haproxy.cfg
 validate: haproxy -c -f %s
 mode: 0644
From 3e382d3e33be72dab52499d5014c09a36e18e42a Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:03:41 +0200
Subject: [PATCH 097/108] ASdfsadf

---
 roles/certificates/defaults/main.yml | 2 +-
 roles/certificates/tasks/main.yml | 33 ++++++++++------------------
 2 files changed, 13 insertions(+), 22 deletions(-)

diff --git a/roles/certificates/defaults/main.yml b/roles/certificates/defaults/main.yml
index abb70c2..9b12cf3 100644
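Review bot: `keepalived_auth_pass: "1111"` ships a VRRP secret as a plain role default committed to the repository; only the subnet changes in this hunk, but the new side still carries it. Keep the default out of the role (fail with an `assert` when it is undefined) or supply it from an Ansible Vault file, and note in the README that VRRP `auth_pass` travels in clear text on the LAN, so it only prevents accidental cluster cross-talk, not a deliberate takeover of the VIP. A short comment on `keepalived_subnet: 28` such as `# prefix length of the VIP's network` would also stop the next edit from moving the VIP by mistake.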
--- a/roles/certificates/defaults/main.yml
+++ b/roles/certificates/defaults/main.yml
@@ -1,5 +1,5 @@
 ---
 organization_details:
- name: "My Organization"
+ name: "Katz"
 locality: "Tel Aviv"
 country: "IL"
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 047f029..daf215b 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -6,18 +6,17 @@
 extra_args: "--only-binary :all:"
 - name: Generate private key
- community.crypto.openssl_privatekey_pipe:
+ community.crypto.openssl_privatekey:
+ path: /etc/ssl/private/server.key
+ size: 2048
 register: host_private_key
-- name: debug
- debug:
- msg: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
-
-- name: Generate CSR
+- name: Create certificate signing request (CSR) for new certificate
 community.crypto.openssl_csr_pipe:
- privatekey_content: "{{ host_private_key.privatekey }}"
+ privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
- subject_alt_name: "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
+ subject_alt_name: >-
+ "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
@@ -27,9 +26,11 @@
 - name: Sign the CSR using the CA
 community.crypto.x509_certificate_pipe:
 csr_content: "{{ host_csr.csr }}"
- ownca_path: /etc/ca/ca.crt
- ownca_privatekey_path: /etc/ca/private/ca.key
 provider: ownca
+ ownca_path: /etc/ca/ca.pem
+ ownca_privatekey_path: /etc/ca/private/ca.key
+ ownca_not_before: "-1d"
+ ownca_not_after: +365d
 register: host_crt
 delegate_to: localhost
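Review bot: `subject_alt_name: >-` followed by a line wrapped in double quotes makes the quote characters part of the folded scalar, so `openssl_csr_pipe` receives `"IP:…,DNS:…"` with literal quotes around the first and last entries and rejects them; drop the quotes or express the SANs as a YAML list. The new `community.crypto.openssl_privatekey` task writes `/etc/ssl/private/server.key` with no `mode` or `owner`, so its permissions depend on the module's default rather than on this role; set `mode: "0600"` and `owner: root` explicitly. The CSR task now reads the key from disk on the target while the signing task below is `delegate_to: localhost`, so it is worth a comment on the signing task that only the CSR, never the key, crosses to the controller.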
@@ -39,19 +40,9 @@
 state: directory
 mode: 0744
-
 - name: Assemble private key and certificate into PEM file
 copy:
- content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}"
+ content: "{{ host_crt.certificate }}"
 dest: /etc/ssl/private/server.pem
 mode: 0644
 notify: "{{ handler_to_notify }}"
-
-- name: Copy certificate to trusted anchors directory
- copy:
- src: /etc/ca/ca.crt
- dest: /etc/pki/ca-trust/source/anchors/root-CA.crt
- mode: 0644
-
-- name: Update CA trust on the host
- command: update-ca-trust
From 258d14be736f12b854ef4ef2d4a41a1cdcbe0e79 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:07:10 +0200
Subject: [PATCH 098/108] sdfsf

---
 roles/certificates/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index daf215b..793fdb3 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -16,7 +16,7 @@
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >-
- "IP:{{ inventory_hostname }},DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
+ "DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From a5e7d9eac26bb9541e443a257e5554ad64f398c8 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:08:08 +0200
Subject: [PATCH 099/108] afdsdf

---
 roles/certificates/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 793fdb3..94d21ea 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
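Review bot: `server.pem` now holds only `host_crt.certificate`, while the haproxy template still points `bind *:443 ssl crt /etc/ssl/private/server.pem` at it; HAProxy needs the private key in that file (or a matching `.key` beside it), so the config validation will fail until the key is included again. The deleted tasks were the only thing copying `/etc/ca/ca.crt` to `/etc/pki/ca-trust/source/anchors/root-CA.crt`, which the backend `ca-file` in the haproxy template still references, so either keep that copy (it is a public certificate) or change the template. The `state: directory` / `mode: 0744` task at the top of the hunk, whose `path` is outside the hunk, presumably creates `/etc/ssl/private`; for a key directory `mode: "0700"` is the norm, and quoting the octal keeps YAML from retyping it.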
@@ -16,7 +16,7 @@
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >-
- "DNS:localhost,DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
+ "DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From 19c4affae7ed93218ec8d45f310595a667e3c2c8 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:29:34 +0200
Subject: [PATCH 100/108] asdfsAF

---
 roles/certificates/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 94d21ea..d156de5 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -16,7 +16,7 @@
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >-
- "DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
+ "DNS:localhost,IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From f22dc91fe9b44f5fed62320a0b367b1559a2817a Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:34:28 +0200
Subject: [PATCH 101/108] SADFasf

---
 roles/certificates/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index d156de5..2b66461 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -15,8 +15,8 @@
 community.crypto.openssl_csr_pipe:
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
- subject_alt_name: >-
- "DNS:localhost,IP:{{ inventory_hostname }},DNS:{{ ansible_fqdn }}{{ ',' if subject_alt_names is defined }}{{ subject_alt_names | default('') }}"
+ subject_alt_name:
+ - "DNS:{{ ansible_fqdn }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From 4c060c2d9da306762bfc3a9bda838887aec908e7 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:37:23 +0200
Subject: [PATCH 102/108] AfdasDF

---
 roles/certificates/tasks/main.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 2b66461..5ced0d3 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -15,7 +15,9 @@
 community.crypto.openssl_csr_pipe:
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
- subject_alt_name:
+ subject_alt_name:
+ - "DNS:localhost"
+ - "IP:{{ inventory_hostname }}"
 - "DNS:{{ ansible_fqdn }}"
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
From 59b6bfcedb2bbb66b34fb3b8aaf5b90ad0682f8c Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:39:55 +0200
Subject: [PATCH 103/108] SadfasF

---
 roles/certificates/tasks/main.yml | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 5ced0d3..9b0fd72 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -15,10 +15,14 @@
 community.crypto.openssl_csr_pipe:
 privatekey_path: /etc/ssl/private/server.key
 common_name: "{{ ansible_fqdn }}"
- subject_alt_name:
+ subject_alt_name: >
+ {% if subject_alt_names is defined %}
+ {{ subject_alt_names.split(',') + ['DNS:localhost', 'IP:{{ inventory_hostname }}', 'DNS:{{ ansible_fqdn }}'] }}
+ {% else %}
 - "DNS:localhost"
 - "IP:{{ inventory_hostname }}"
 - "DNS:{{ ansible_fqdn }}"
+ {% endif %}
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From 76eb18ef0613f42a0a12cbd243ca92fb998569ea Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:47:06 +0200
Subject: [PATCH 104/108] ASDFasDF

---
 roles/certificates/tasks/main.yml | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 9b0fd72..d6f8b38 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -6,14 +6,13 @@
 extra_args: "--only-binary :all:"
 - name: Generate private key
- community.crypto.openssl_privatekey:
- path: /etc/ssl/private/server.key
+ community.crypto.openssl_privatekey_pipe:
 size: 2048
 register: host_private_key
 - name: Create certificate signing request (CSR) for new certificate
 community.crypto.openssl_csr_pipe:
- privatekey_path: /etc/ssl/private/server.key
+ privatekey_content: "{{ host_private_key.privatekey }}"
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >
 {% if subject_alt_names is defined %}
@@ -33,7 +32,7 @@
 community.crypto.x509_certificate_pipe:
 csr_content: "{{ host_csr.csr }}"
 provider: ownca
- ownca_path: /etc/ca/ca.pem
+ ownca_path: /etc/ca/ca.crt
 ownca_privatekey_path: /etc/ca/private/ca.key
 ownca_not_before: "-1d"
 ownca_not_after: +365d
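Review bot: `community.crypto.openssl_privatekey_pipe` returns the key in `host_private_key.privatekey`, and neither this task nor the CSR task that receives it via `privatekey_content` has `no_log: true`, so the private key is printed at `-v` and kept by whatever callback or log aggregation the controller uses; add `no_log: true` to both tasks. Without a `content` argument the `_pipe` module appears to generate a fresh 2048-bit key on every run, so each play rotates the key and certificate, which is fine if intended but should be stated in a comment on the task. The `- name: Generate private key` task's preceding `extra_args` line belongs to a task that starts above the hunk.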
@@ -48,7 +47,7 @@
 - name: Assemble private key and certificate into PEM file
 copy:
- content: "{{ host_crt.certificate }}"
+ content: "{{ host_private_key.privatekey }}{{ host_crt.certificate }}"
 dest: /etc/ssl/private/server.pem
 mode: 0644
 notify: "{{ handler_to_notify }}"
From e2c1e81fd4cb65d1f92a952d1caff9f662045981 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:48:16 +0200
Subject: [PATCH 105/108] ASdfasFD

---
 roles/certificates/tasks/main.yml | 11 ++++-------
 1 file changed, 4 insertions(+), 7 deletions(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index d6f8b38..0c13965 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -15,13 +15,10 @@
 privatekey_content: "{{ host_private_key.privatekey }}"
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >
- {% if subject_alt_names is defined %}
- {{ subject_alt_names.split(',') + ['DNS:localhost', 'IP:{{ inventory_hostname }}', 'DNS:{{ ansible_fqdn }}'] }}
- {% else %}
- - "DNS:localhost"
- - "IP:{{ inventory_hostname }}"
- - "DNS:{{ ansible_fqdn }}"
- {% endif %}
+ {{
+ (subject_alt_names | default('') | split(',') | list) +
+ ['DNS:localhost', 'IP:' + inventory_hostname, 'DNS:' + ansible_fqdn]
+ }}
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
 locality_name: "{{ organization_details.locality }}"
From 62c62d40b4a048804dc7148faa8175dc68346844 Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 22:54:12 +0200
Subject: [PATCH 106/108] sadfasdf

---
 roles/certificates/tasks/main.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 0c13965..5462841 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
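Review bot: `server.pem` now carries the private key again but is still written with `mode: 0644`, which leaves the key readable by every local user on the host; use `mode: "0600"` and set `owner`/`group` to the account that reads the file (the `haproxy` user on the proxies, whatever serves TLS on the webservers), quoting the octal so YAML does not retype it. Add `no_log: true` to this task as well, since `content` now includes the key and would otherwise be echoed in verbose output and diff mode.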
@@ -16,7 +16,7 @@
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >
 {{
- (subject_alt_names | default('') | split(',') | list) +
+ (subject_alt_names | default([]) | split(',')) +
 ['DNS:localhost', 'IP:' + inventory_hostname, 'DNS:' + ansible_fqdn]
 }}
 subject_alt_name_critical: true
From 64578e80714b4bb83a49303d58023555eb9488fb Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 23:12:18 +0200
Subject: [PATCH 107/108] sadfasF

---
 roles/certificates/tasks/main.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 5462841..74ce19c 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -16,8 +16,8 @@
 common_name: "{{ ansible_fqdn }}"
 subject_alt_name: >
 {{
- (subject_alt_names | default([]) | split(',')) +
- ['DNS:localhost', 'IP:' + inventory_hostname, 'DNS:' + ansible_fqdn]
+ [ 'DNS:localhost', 'IP:' + inventory_hostname, 'DNS:' + ansible_fqdn ] +
+ ( subject_alt_names | default('') | split(',') | select('match', '.+') )
 }}
 subject_alt_name_critical: true
 organization_name: "{{ organization_details.name }}"
From 555f47bed43310b823fa3c4a5bb60ee2564d97fe Mon Sep 17 00:00:00 2001
From: yoav-katz
Date: Tue, 19 Nov 2024 23:32:26 +0200
Subject: [PATCH 108/108] The Choosen One

---
 playbook.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/playbook.yml b/playbook.yml
index 0fef617..7de9a16 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -17,7 +17,7 @@
 name: "apache"
 when: "'webserver' in group_names"
- - name: Import haproxy Role
+ - name: Import haproxy Role
 import_role:
 name: "haproxy"
 when: "'haproxy' in group_names"
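Review bot: `split(',')` keeps surrounding whitespace, so a caller passing `subject_alt_names: "DNS:a.example, DNS:b.example"` yields ` DNS:b.example`, which `openssl_csr_pipe` rejects as a malformed SAN; insert `| map('trim')` before the `select('match', '.+')`. The variable is also only accepted as a comma-joined string, since a list value would fail on `split`, so either document that next to its default or branch on `subject_alt_names is string`. The `openssl_csr_pipe` task this expression belongs to begins above the hunk.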