
add new ssh and ssl CA

python3
Andrea Cimbalo 7 years ago
parent
commit
14ddc33402
10 changed files with 18 additions and 49 deletions
  1. +1
    -1
      SETUP.md
  2. +1
    -1
      doc/source/ssh_server.rst
  3. +0
    -1
      files/test_ssh_ca.pub
  4. +0
    -31
      files/test_ssl_ca.crt
  5. +1
    -0
      hosts
  6. +3
    -3
      roles/dovecot/tasks/main.yaml
  7. +3
    -3
      roles/exim4/tasks/main.yaml
  8. +3
    -3
      roles/roundcube/tasks/main.yaml
  9. +5
    -5
      roles/ssh_server/tasks/main.yaml
  10. +1
    -1
      tasks/ca-dialog.yaml

+ 1
- 1
SETUP.md View File

@ -3,4 +3,4 @@ SETUP
1. Copy `group_vars/all.yaml.example` to `group_vars/all.yaml`
2. Fill `group_vars/all.yaml` with the gateway hostname, the content of the `user_ca_key`, the public ip you are using and the domain you use
3. Add to the *inventory* the `gateway`, `reverse_proxy`, `ca` and `ca_request` entry. Follow the `inventory.example` format. These are the minimum entry that you neeed to make everything work in this playbook.
3. Add to the *inventory* the `gateway`, `reverse_proxy`, `authorities` and `authorities_request` entry. Follow the `inventory.example` format. These are the minimum entry that you neeed to make everything work in this playbook.

+ 1
- 1
doc/source/ssh_server.rst View File

@ -25,7 +25,7 @@ This is accomplished using ssh as a mean of transport, the specific task for a s
- name: start sign request
raw: "{{ cert_request | to_json }}"
delegate_to: ca_request
delegate_to: authorities_request
register: request_result
failed_when: "( request_result.stdout | from_json ).failed"


+ 0
- 1
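--- a/files/test_ssh_ca.pub
+++ b/files/test_ssh_ca.pub
@@ -1 +0,0 @@
-AAAAB3NzaC1yc2EAAAADAQABAAABAQDaL3nANYZgrEaMf5mfeuX+iblmjScUNQb7DRf+4PRlNZ5wjgW4omuErDy0khtD8d9ct/Ttj+jD16V3cK182q+Y8SENOonoOFDyv5YKjeC5Ot6x6yduBTWcvr9EI61AvjhBpOHrP0pKo1btRstGv3RDDQyGyaxgR90DsS1H896xjzttJecs/+JUiE7hKx5tOSqDGp/XU5bhZY2Ico3Y0faaD/HbJPq7OsuY9NkVYMaSUCWENCgZgLEZ5oPNmhdUaDnSZGmnFl/++jIfTXwO187PFw2//eqebpSwaGSbskVuADybGapb5DCLfwy/kXTowUaD/NXthxmNdY5Nwzj/Jb1n root@ca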
+ 0
- 31
files/test_ssl_ca.crt View File

@ -1,31 +0,0 @@
-----BEGIN CERTIFICATE-----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-----END CERTIFICATE-----

+ 1
- 0
hosts View File

@ -6,6 +6,7 @@ emmett ansible_host=10.150.40.5 ansible_user=root
bakulilik ansible_host=10.150.40.6 ansible_user=root
mcfly ansible_host=10.150.40.7 ansible_user=root
authorities ansible_host=10.150.40.8 ansible_user=root
authorities_request ansible_host=10.150.40.8 ansible_user=request
ca ansible_host=10.150.42.11 ansible_user=root
ca_request ansible_host=10.150.42.11 ansible_user=request


+ 3
- 3
roles/dovecot/tasks/main.yaml View File

@ -119,7 +119,7 @@
- name: lookup ssl ca key
set_fact:
ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"
- name: Update ssl CA key
copy:
@ -152,7 +152,7 @@
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: ca_request
var: authorities_request
verbosity: 2
- name: start sign request
@ -175,7 +175,7 @@
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
var: authorities_request
verbosity: 2
- debug:
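Review bot: The new `ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"` in the first hunk reads a file that is not among the ten files this commit changes, while the old `test_ssl_ca.crt` and `test_ssh_ca.pub` it replaces are deleted; unless `lilik_ca_w1.pub` (and the `lilik_ca_s1.pub` used by roles/ssh_server) was already committed under files/, the `set_fact` errors out on the first run. The same lookup is introduced in roles/exim4/tasks/main.yaml, and roles/roundcube/tasks/main.yaml uses the file as a copy source. If the new CA material is intentionally kept out of the repository, a comment above the task such as `# lilik_ca_w1.pub is the production CA certificate and is provisioned out of band` would tell the next reader why the lookup may fail. The `Update ssl CA key` copy task that follows continues past the hunk, so its destination cannot be checked here.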


+ 3
- 3
roles/exim4/tasks/main.yaml View File

@ -92,7 +92,7 @@
- name: lookup ssl ca key
set_fact:
ssl_ca_key: "{{ lookup('file', 'test_ssl_ca.crt') }}"
ssl_ca_key: "{{ lookup('file', 'lilik_ca_w1.pub') }}"
- name: Update ssl CA key
copy:
@ -125,7 +125,7 @@
keyData: "{{ pub_key.content| b64decode}}"
- debug:
var: ca_request
var: authorities_request
verbosity: 2
- name: start sign request
@ -148,7 +148,7 @@
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
var: authorities_request
verbosity: 2
- debug:


+ 3
- 3
roles/roundcube/tasks/main.yaml View File

@ -27,10 +27,10 @@
owner: root
group: www-data
- name: copy test_ssl_ca.crt
- name: copy lilik_ca_w1.pub
copy:
src: "test_ssl_ca.crt"
dest: "/usr/local/share/ca-certificates/test_ssl_ca.crt"
src: "lilik_ca_w1.pub"
dest: "/usr/local/share/ca-certificates/lilik_ca_w1.pub"
mode: 0444
notify: update-ca-certificates
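Review bot: The new `dest: "/usr/local/share/ca-certificates/lilik_ca_w1.pub"` will not take effect, because `update-ca-certificates` only includes files with a `.crt` extension from that directory, so the handler notified on the last line silently skips this certificate; keeping the `.pub` source name but writing `dest: "/usr/local/share/ca-certificates/lilik_ca_w1.crt"` fixes that. Separately, the previously installed `test_ssl_ca.crt` is never removed from the target, so hosts provisioned before this change keep trusting the test CA until someone deletes it by hand; a `file` task with `state: absent` that notifies the same handler closes that gap. The adjusted task and the removal task are below.
```yaml
- name: copy lilik_ca_w1.pub
  copy:
    src: "lilik_ca_w1.pub"
    dest: "/usr/local/share/ca-certificates/lilik_ca_w1.crt"  # only *.crt is picked up
    # … unchanged: mode …
  notify: update-ca-certificates

# Drop the test CA that earlier runs installed so it is no longer trusted.
- name: remove superseded test CA certificate
  file:
    path: "/usr/local/share/ca-certificates/test_ssl_ca.crt"
    state: absent
  notify: update-ca-certificates
```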


+ 5
- 5
roles/ssh_server/tasks/main.yaml View File

@ -8,11 +8,11 @@
- name: lookup user ca key
set_fact:
user_ca_key: "{{ lookup('file', 'test_ssh_ca.pub') }}"
user_ca_key: "{{ lookup('file', 'lilik_ca_s1.pub') }}"
- name: Update container user CA key
copy:
content: "ssh-rsa {{ user_ca_key }}"
content: "{{ user_ca_key }}"
dest: "/etc/ssh/user_ca.pub"
notify: restart ssh
@ -44,11 +44,11 @@
type: 'sign_request'
request:
keyType: 'ssh_host'
hostName: '{{ ansible_docker_extra_args | default(inventory_hostname) }}.lilik.it'
hostName: '{{ ansible_docker_extra_args or inventory_hostname }}.lilik.it'
keyData: "{{ vm_public_key['content'] | b64decode | replace('\n', '')}}"
- debug:
var: ca_request | to_json
var: authorities_request | to_json
verbosity: 2
- name: start sign request
@ -74,7 +74,7 @@
requestID: '{{ request_output.requestID }}'
- debug:
var: ca_request
var: authorities_request
verbosity: 2
- debug:
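Review bot: The new `hostName: '{{ ansible_docker_extra_args or inventory_hostname }}.lilik.it'` in the second hunk drops the `default()` filter, and on a host where `ansible_docker_extra_args` is not defined at all Ansible's strict undefined handling raises an undefined-variable error rather than falling back to `inventory_hostname`; the plain entries in the `hosts` inventory in this same commit do not set that variable, so this looks like a regression for them. If the intent was to also treat an empty value as unset, `hostName: '{{ ansible_docker_extra_args | default(inventory_hostname, true) }}.lilik.it'` handles both the undefined and the empty case. The `request:` mapping this line belongs to starts before the hunk.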


+ 1
- 1
tasks/ca-dialog.yaml View File

@ -1,5 +1,5 @@
- raw: "{{ ca_request | to_json }}"
delegate_to: ca_request
delegate_to: authorities_request
delegate_facts: True
register: request_result
failed_when: "( request_result.stdout | from_json ).failed"
