author | Micah Anderson <micah@riseup.net> | 2022-06-14 11:14:27 -0400 |
---|---|---|
committer | Micah Anderson <micah@riseup.net> | 2022-06-14 11:14:27 -0400 |
commit | 6d579242df315671252c38a183bce44551ee4cb5 (patch) | |
tree | 6288f4da4ebab1e9d5ffd3f199cadf6809db6592 | |
parent | bed631a538c5d41285f006b9d9b75e7098934865 (diff) |
Move menshen to be authenticated by the API CA.
-rw-r--r-- | config/roles/menshen-frontend/handlers/main.yml | 5 | ||||
-rw-r--r-- | config/roles/menshen-frontend/tasks/main.yml | 38 | ||||
-rw-r--r-- | config/roles/menshen-frontend/templates/menshen.conf.j2 | 26 | ||||
-rw-r--r-- | config/services.openvpn.yml | 2 | ||||
-rw-r--r-- | site.yml | 2 |
5 files changed, 72 insertions, 1 deletions
diff --git a/config/roles/menshen-frontend/handlers/main.yml b/config/roles/menshen-frontend/handlers/main.yml
new file mode 100644
index 0000000..fd02663
--- /dev/null
+++ b/config/roles/menshen-frontend/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- listen: reload NGINX
+ systemd:
+ name: nginx.service
+ state: restarted
diff --git a/config/roles/menshen-frontend/tasks/main.yml b/config/roles/menshen-frontend/tasks/main.yml
new file mode 100644
index 0000000..2010203
--- /dev/null
+++ b/config/roles/menshen-frontend/tasks/main.yml
@@ -0,0 +1,38 @@
+# use the sspki plugin to create a cert that is signed by the internal CA to
+authenticate menshen
+
+- include_role:
+ name: sspki
+ vars:
+ sspki:
+ name: menshen
+ SANs:
+ - "menshen.{{ domain_public[0] }}"
+ ca: "{{ credentials_dir }}/common/api_ca.crt"
+ ca_key: "{{ credentials_dir }}/common/api_ca.key"
+
+- name: Restart nginx because certificate has changed
+ systemd:
+ name: nginx.service
+ state: restarted
+ when: sspki_sign.changed
+
+- name: Add the nginx user to the menshen-sspki group
+ user:
+ name: nginx
+ groups: menshen-sspki
+ append: yes
+
+- name: Install menshen nginx configuration
+ template:
+ src: menshen.conf.j2
+ dest: /etc/nginx/sites-available/menshen.conf
+ notify: reload NGINX
+
+- name: Enable menshen nginx configuration
+ file:
+ dest: /etc/nginx/sites-enabled/menshen.conf
+ src: ../sites-available/menshen.conf
+ state: link
+ notify: reload NGINX
+
diff --git a/config/roles/menshen-frontend/templates/menshen.conf.j2 b/config/roles/menshen-frontend/templates/menshen.conf.j2
new file mode 100644
index 0000000..6627b36
--- /dev/null
+++ b/config/roles/menshen-frontend/templates/menshen.conf.j2
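Review bot: The handler is named `reload NGINX` but performs `state: restarted`, so every notify from tasks/main.yml causes a full service restart (in-flight connections are dropped) rather than the configuration reload the name promises. If a reload is intended, the change is `state: reloaded`; if a restart is really wanted (it is also what the explicit certificate-change task in tasks/main.yml does), rename the handler so callers say what they do. Either way the name and the action should agree.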
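Review bot: `when: sspki_sign.changed` on the `Restart nginx because certificate has changed` task dereferences a variable this role never sets itself; it presumably comes from a `register` inside the included sspki role, and if that role skips or does not register it on some path (for example when the certificate is already current) the task aborts with an undefined-variable error instead of being skipped. A defensive guard is `when: sspki_sign is defined and sspki_sign.changed`, or let the sspki role notify the `reload NGINX` handler so the nginx restart logic lives in one place. Separately, adding nginx to `menshen-sspki` via `groups: menshen-sspki` relies on the sspki role leaving `/etc/credentials/sspki/menshen/private.key` readable by that group only and never world-readable; that mode is set outside this commit, so please confirm it. Minor: `append: yes` should be `append: true` (yamllint truthy), and this file lacks the `---` document start that handlers/main.yml has.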
@@ -0,0 +1,26 @@
+upstream be_menshen {
+ server menshen.{{ domain }}:{{ services['menshen'].public_endpoints[0].port }};
+}
+
+server {
+ listen [::]:443 ssl http2;
+
+ server_name menshen.{{ domain_public[0] }};
+ include /etc/nginx/snippets/site-common.conf;
+
+ ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+ ssl_ciphers HIGH:!aNULL:!MD5;
+ ssl_prefer_server_ciphers on;
+ ssl_session_cache shared:SSL:10m;
+ ssl_session_timeout 5m;
+ ssl_dhparam /etc/nginx/dhparam;
+ ssl_certificate /etc/credentials/sspki/menshen/fullchain.crt;
+ ssl_certificate_key /etc/credentials/sspki/menshen/private.key;
+
+ location / {
+ include /etc/nginx/snippets/block.conf;
+ include /etc/nginx/snippets/proxy.conf;
+ proxy_pass http://be_menshen;
+ proxy_cache global;
+ }
+}
diff --git a/config/services.openvpn.yml b/config/services.openvpn.yml
index 495b3c4..f8fcdf8 100644
--- a/config/services.openvpn.yml
+++ b/config/services.openvpn.yml
@@ -20,6 +20,8 @@ menshen: - name: menshen port: 9001 scheme: http + autoconfig: false + skip_acme: true openvpn: scheduling_group: openvpn
@@ -13,4 +13,4 @@ - menshen - hosts: frontend - roles: [vpnweb-frontend] + roles: [vpnweb-frontend, menshen-frontend] |
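Review bot: `ssl_protocols TLSv1 TLSv1.1 TLSv1.2;` enables TLS 1.0 and 1.1, which are deprecated (RFC 8996) and buy nothing here: since the commit message has clients validating this endpoint against the API CA, they are presumably the project's own applications, not legacy browsers, and `ssl_ciphers HIGH:!aNULL:!MD5;` likewise admits non-forward-secret RSA key exchange and other legacy suites. Suggested replacement: `ssl_protocols TLSv1.2 TLSv1.3;` (TLS 1.3 requires nginx 1.13.0+ built against OpenSSL 1.1.1; drop it if the frontend hosts are older) and `ssl_ciphers ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5;`. Note that `/etc/nginx/snippets/site-common.conf` is included in the same `server` block and is not visible in this commit; if it already sets any of these directives nginx normally rejects the duplicate, so check the snippet before changing them here. `listen [::]:443 ssl http2;` has no IPv4 counterpart; that may mirror how the other frontends listen, but it is worth confirming IPv4 clients can still reach the endpoint.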