remove certificate generation and add ipv4/ipv6 aliases for nodes
This commit is contained in:
parent
c853aa97e0
commit
31c8d3f3ab
@ -1,5 +0,0 @@
|
||||
[defaults]
|
||||
inventory=inventory.yml
|
||||
#strategy_plugins = /opt/mitogen-0.2.9/ansible_mitogen/plugins
|
||||
#strategy = mitogen_linear
|
||||
|
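--- a/certs.json
+++ b/certs.json
@@ -1,16 +0,0 @@
-[
-{
-"cert_name": "collector-dn42",
-"names": [
-"collector.dn42",
-"*.collector.dn42"
-]
-},
-{
-"cert_name": "burble-dn42",
-"names": [
-"burble.dn42",
-"*.burble.dn42"
-]
-}
-]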
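--- a/deploy.yml
+++ b/deploy.yml
@@ -1,15 +0,0 @@
----
-###########################################################################
-# Deploy certs
-###########################################################################
-
-- hosts: rprox
-roles:
-- { role: rprox, tags: rprox }
-
-- hosts: docker
-roles:
-- { role: docker, tags: docker }
-
-###########################################################################
-# end of file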
@ -94,11 +94,13 @@ nodes.forEach(function(n) {
|
||||
// ipv4
|
||||
if (n[1] != 'undefined') {
|
||||
D_EXTEND(domain,A(n[0], n[1]));
|
||||
D_EXTEND(domain,A('ipv4.' + n[0], n[1]));
|
||||
}
|
||||
|
||||
// ipv6
|
||||
if (n[2] != 'undefined') {
|
||||
D_EXTEND(domain,AAAA(n[0], n[2]));
|
||||
D_EXTEND(domain,AAAA('ipv6.' + n[0], n[2]));
|
||||
}
|
||||
|
||||
// DN42 public node
|
||||
|
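Review bot: The two new alias records, `D_EXTEND(domain,A('ipv4.' + n[0], n[1]));` and `D_EXTEND(domain,AAAA('ipv6.' + n[0], n[2]));`, sit inside guards that compare the address to the string literal `'undefined'` (`n[1] != 'undefined'`, `n[2] != 'undefined'`); unless the nodes table deliberately uses that string as a placeholder, a row that simply omits an address still passes the check and both the bare record and the new alias are emitted with an undefined value. If the string placeholder is not intentional, `if (n[1] !== undefined)` and `if (n[2] !== undefined)` (or `typeof n[1] !== 'undefined'`) would express the check directly and protect the new records as well as the existing ones. A one-line comment on why the aliases exist would also help the next reader, e.g. `// ipv4.<node> / ipv6.<node>: single-family names so a node can be addressed over one protocol explicitly` — that intent is inferred from the commit title, not visible in the hunk. The enclosing `nodes.forEach` callback starts before this hunk and continues past it.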
@ -1,10 +0,0 @@
|
||||
---
|
||||
###########################################################################
|
||||
|
||||
# common connection vars
|
||||
ansible_user: sol
|
||||
ansible_become: yes
|
||||
ansible_python_interpreter: /usr/bin/python3
|
||||
|
||||
###########################################################################
|
||||
# end of file
|
@ -1,23 +0,0 @@
|
||||
###########################################################################
|
||||
|
||||
all:
|
||||
children:
|
||||
|
||||
rprox:
|
||||
hosts:
|
||||
de-fra1.burble.com:
|
||||
ca-bhs2.burble.com:
|
||||
fr-rbx1.burble.com:
|
||||
us-lax1.burble.com:
|
||||
|
||||
docker:
|
||||
hosts:
|
||||
fr-rbx1.burble.com:
|
||||
fr-par1.burble.com:
|
||||
fr-par2.burble.com:
|
||||
ca-bhs2.burble.com:
|
||||
de-fra1.burble.com:
|
||||
ch-zur1.burble.com:
|
||||
|
||||
###########################################################################
|
||||
# end of file
|
@ -1,10 +0,0 @@
|
||||
---
|
||||
########################################################################
|
||||
|
||||
- name: update traefik
|
||||
file:
|
||||
path: '{{ tpath }}/dynamic_conf/burble-dn42.yml'
|
||||
state: touch
|
||||
|
||||
########################################################################
|
||||
# end of file
|
@ -1,22 +0,0 @@
|
||||
---
|
||||
########################################################################
|
||||
|
||||
# upload the certs
|
||||
|
||||
- copy:
|
||||
src: 'certificates/{{ d }}/{{ f }}'
|
||||
dest: '{{ tpath }}/certs/{{ f }}'
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0400
|
||||
vars:
|
||||
d: '{{ item.d }}'
|
||||
f: '{{ item.d }}.{{ item.s }}'
|
||||
loop:
|
||||
- { d: 'burble-dn42', s: 'crt' }
|
||||
- { d: 'burble-dn42', s: 'key' }
|
||||
notify: update traefik
|
||||
|
||||
########################################################################
|
||||
# end of file
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
########################################################################
|
||||
|
||||
tpath: '/export/apps/docker/config/traefik'
|
||||
|
||||
########################################################################
|
||||
# end of file
|
@ -1,23 +0,0 @@
|
||||
---
|
||||
########################################################################
|
||||
|
||||
# upload the certs
|
||||
|
||||
- copy:
|
||||
src: 'certificates/{{ d }}/{{ f }}'
|
||||
dest: '{{ npath }}/certs/{{ f }}'
|
||||
owner: '81001'
|
||||
group: '81001'
|
||||
mode: 0400
|
||||
vars:
|
||||
d: '{{ item.d }}'
|
||||
f: '{{ item.d }}.{{ item.s }}'
|
||||
loop:
|
||||
- { d: 'burble-dn42', s: 'crt' }
|
||||
- { d: 'burble-dn42', s: 'key' }
|
||||
- { d: 'collector-dn42', s: 'crt' }
|
||||
- { d: 'collector-dn42', s: 'key' }
|
||||
|
||||
########################################################################
|
||||
# end of file
|
||||
|
@ -1,7 +0,0 @@
|
||||
---
|
||||
########################################################################
|
||||
|
||||
npath: '/export/apps/nginx'
|
||||
|
||||
########################################################################
|
||||
# end of file
|
@ -1,99 +0,0 @@
|
||||
#!/bin/bash
|
||||
########################################################################
|
||||
|
||||
certs=(
|
||||
'burble-dn42'
|
||||
'collector-dn42'
|
||||
)
|
||||
|
||||
# hosts to push
|
||||
hosts=(
|
||||
'rsync.tier2.fr-rbx1.burble.dn42'
|
||||
'rsync.tier2.de-fra1.burble.dn42'
|
||||
'rsync.tier2.ca-bhs2.burble.dn42'
|
||||
)
|
||||
|
||||
dst="apps/nginx/certs"
|
||||
|
||||
########################################################################
|
||||
|
||||
# where am I ?
|
||||
SCRIPTPATH="$(cd "$(dirname "$0")" ; pwd -P)"
|
||||
CERTPATH="$(cd "${SCRIPTPATH}/../certificates/"; pwd -P)"
|
||||
echo "Certs are here: $CERTPATH"
|
||||
pushd "$CERTPATH"
|
||||
|
||||
# create a temp directory
|
||||
export TMPDIR="$XDG_RUNTIME_DIR"
|
||||
tmp=$(mktemp -d)
|
||||
if [ $? -ne 0 -o -z "$tmp"]
|
||||
then
|
||||
echo "Failed to create tmp directory"
|
||||
exit 1
|
||||
fi
|
||||
echo "Created tmp directory: $tmp"
|
||||
|
||||
function cleanup {
|
||||
if [ -d "$tmp" ]
|
||||
then
|
||||
echo "Cleaning tmp directory"
|
||||
rm -rf "$tmp" > /dev/null 2>&1
|
||||
fi
|
||||
}
|
||||
trap cleanup EXIT
|
||||
|
||||
export VAULT_ADDR='https://vault.burble.dn42'
|
||||
|
||||
########################################################################
|
||||
# generate one time key for deployment access
|
||||
|
||||
echo "Generating temporary rsync key"
|
||||
|
||||
sshkey="${tmp}/rsync_key"
|
||||
ssh-keygen -t ed25519 -a 100 -N '' -f "$sshkey"
|
||||
|
||||
vault write \
|
||||
-field=signed_key \
|
||||
burble.dn42/ssh/user/sign/rsync \
|
||||
public_key="@${sshkey}.pub" \
|
||||
> "${sshkey}-cert.pub"
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo "Failed to generate temporary rsync key"
|
||||
exit 1
|
||||
fi
|
||||
echo "Key is signed"
|
||||
|
||||
# fixup perms
|
||||
chmod 0600 "${tmp}"/*
|
||||
|
||||
########################################################################
|
||||
# create a list of files to push
|
||||
|
||||
declare -a flist
|
||||
|
||||
echo "Files to copy:"
|
||||
for cert in ${certs[@]}
|
||||
do
|
||||
crt="${cert}/${cert}.crt"
|
||||
key="${cert}/${cert}.key"
|
||||
echo " - $crt"
|
||||
echo " - $key"
|
||||
|
||||
flist+=( "$crt" "$key" )
|
||||
done
|
||||
|
||||
# and push to hosts
|
||||
|
||||
for host in ${hosts[@]}
|
||||
do
|
||||
echo "Syncing host: $host"
|
||||
rsync -avogp --delete -e "ssh -i '${sshkey}'" \
|
||||
--chown 81001:81001 --chmod=D2700,F600 \
|
||||
"${flist[@]}" \
|
||||
"root@${host}:${dst}/"
|
||||
done
|
||||
|
||||
popd
|
||||
########################################################################
|
||||
# end of file
|
@ -1,7 +0,0 @@
|
||||
#!/bin/bash
|
||||
|
||||
dnscontrol get-certs \
|
||||
--acme https://acme-v2.acme.dn42/directory \
|
||||
--agreeTOS \
|
||||
--email "dn42@burble.com" \
|
||||
--renew 30
|