authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/prosody_letsencrypt_proxy
downloadselfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz
selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip
initial commit
Diffstat (limited to 'roles/prosody_letsencrypt_proxy')
-rw-r--r--roles/prosody_letsencrypt_proxy/defaults/main.yml2
-rw-r--r--roles/prosody_letsencrypt_proxy/handlers/main.yml4
-rw-r--r--roles/prosody_letsencrypt_proxy/tasks/main.yml1
-rw-r--r--roles/prosody_letsencrypt_proxy/tasks/master.yml47
-rw-r--r--roles/prosody_letsencrypt_proxy/tasks/slave.yml32
-rw-r--r--roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf7
-rw-r--r--roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j251
-rw-r--r--roles/prosody_letsencrypt_proxy/vars/main.yml9
8 files changed, 153 insertions, 0 deletions
diff --git a/roles/prosody_letsencrypt_proxy/defaults/main.yml b/roles/prosody_letsencrypt_proxy/defaults/main.yml
new file mode 100644
index 0000000..a59fa35
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/defaults/main.yml
@@ -0,0 +1,2 @@
+prosody_le_role: slave
+prosody_le_domains: '{{ prosody_vhosts }}'
diff --git a/roles/prosody_letsencrypt_proxy/handlers/main.yml b/roles/prosody_letsencrypt_proxy/handlers/main.yml
new file mode 100644
index 0000000..18c505e
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+ systemd:
+ name: sshd
+ state: restarted
diff --git a/roles/prosody_letsencrypt_proxy/tasks/main.yml b/roles/prosody_letsencrypt_proxy/tasks/main.yml
new file mode 100644
index 0000000..95b108b
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/main.yml
@@ -0,0 +1 @@
+- import_tasks: '{{ prosody_le_role }}.yml'
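Review bot: `prosody_le_role` is spliced straight into the file name on the import_tasks line with no validation, so a typo or an unexpected value fails at parse time with an opaque "file not found" rather than a message naming the variable. A guard placed before the import, `- assert: { that: prosody_le_role in ['master', 'slave'] }`, makes the accepted values explicit. Note also that `import_tasks` is resolved when the play is parsed; if the role value is set per host (inventory or host_vars) rather than at play level, `include_tasks` may be the form that actually works — confirm against how the playbook sets it.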
diff --git a/roles/prosody_letsencrypt_proxy/tasks/master.yml b/roles/prosody_letsencrypt_proxy/tasks/master.yml
new file mode 100644
index 0000000..ab84669
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/master.yml
@@ -0,0 +1,47 @@
+- name: create user
+ user:
+ name: '{{ prosody_le_user }}'
+ home: '{{ prosody_le_home }}'
+ system: yes
+ create_home: no
+ shell: /sbin/nologin
+
+- name: create home directory
+ file:
+ path: '{{ prosody_le_home }}'
+ owner: root
+ group: '{{ prosody_le_user }}'
+ mode: 0750
+ state: directory
+
+- name: create ssh authorized_keys directory
+ file:
+ path: '{{ prosody_le_authorized_keys_dir }}'
+ mode: 0755
+ state: directory
+
+- name: copy ssh public key
+ copy:
+ content: '{{ prosody_le_ssh_pubkey }}'
+ dest: '{{ prosody_le_authorized_keys_dir }}/{{ prosody_le_user }}'
+ mode: 0640
+ owner: root
+ group: '{{ prosody_le_user }}'
+
+- name: generate sshd configuration
+ template:
+ src: etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
+ dest: /etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
+ notify: restart sshd
+
+- name: retrieve certificates
+ include_role:
+ name: certbot
+ vars:
+ certificate_sans: ['{{ item }}']
+ certificate_path: '{{ prosody_le_home }}/{{ item }}.crt'
+ certificate_key_path: '{{ prosody_le_home }}/{{ item }}.key'
+ certificate_owner: 'root:{{ prosody_le_user }}'
+ certificate_mode: 0640
+ certificate_use_apache: yes
+ loop: '{{ prosody_le_domains }}'
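Review bot: The file modes on the `mode:` lines (0750, 0755, 0640 and `certificate_mode: 0640`) are unquoted octal literals, which Ansible accepts only because of the leading zero; `mode: '0750'` is the form the file-module documentation recommends and avoids the YAML 1.1 octal ambiguity entirely. The same applies to the `yes`/`no` values on `system:`, `create_home:` and `certificate_use_apache:`, where `true`/`false` is the unambiguous spelling. The root-owned, 0750 home directory created by the `create home directory` task is not incidental: the sshd template uses it as `ChrootDirectory`, and OpenSSH refuses a chroot target that is not root-owned and non-writable by others, so a short comment on that task (`# must stay root-owned and non-writable: sshd ChrootDirectory target`) would stop a future change from loosening it.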
diff --git a/roles/prosody_letsencrypt_proxy/tasks/slave.yml b/roles/prosody_letsencrypt_proxy/tasks/slave.yml
new file mode 100644
index 0000000..1bcf67a
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/slave.yml
@@ -0,0 +1,32 @@
+- name: install packages
+ dnf:
+ name: '{{ prosody_le_slave_packages }}'
+ state: present
+
+- name: copy ssh privkey
+ copy:
+ content: '{{ prosody_le_ssh_privkey }}'
+ dest: '{{ prosody_le_ssh_privkey_path }}'
+ mode: 0600
+
+- name: generate script
+ template:
+ src: usr/local/sbin/prosody-letsencrypt-proxy.j2
+ dest: /usr/local/sbin/prosody-letsencrypt-proxy
+ mode: 0555
+
+- name: create systemd timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: prosody-letsencrypt-proxy
+ timer_description: Check for updated prosody certificates
+ timer_after: network.target
+ timer_on_calendar: daily
+ timer_exec: /usr/local/sbin/prosody-letsencrypt-proxy
+
+- name: retrieve certificates
+ systemd:
+ name: prosody-letsencrypt-proxy.service
+ state: started
+ changed_when: no
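Review bot: The `copy ssh privkey` task writes `prosody_le_ssh_privkey` through `content:` without `no_log: true`, so the private key appears in the task result, in `--diff` output and in any callback or logging plugin that records results. Add `no_log: true` to that task; the public-key copy in master.yml does not need it. As in master.yml, `mode: 0600` and `mode: 0555` are unquoted octal literals and `changed_when: no` is a 1.1 truthy value — `'0600'`, `'0555'` and `false` are the recommended spellings.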
diff --git a/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf b/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
new file mode 100644
index 0000000..7d6b9a2
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
@@ -0,0 +1,7 @@
+Match user {{ prosody_le_user }}
+ AuthorizedKeysFile {{ prosody_le_authorized_keys_dir }}/%u
+ ChrootDirectory %h
+ ForceCommand internal-sftp -R
+ AllowTcpForwarding no
+ X11Forwarding no
+ AuthenticationMethods publickey
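Review bot: The Match block forces read-only sftp and disables TCP and X11 forwarding, but leaves agent forwarding and tunnelling at the server default; adding `AllowAgentForwarding no` and `PermitTunnel no` after the `X11Forwarding no` line closes those for this account as well. `Match user` works because sshd keywords are case-insensitive, but `Match User` is the documented spelling and is what people grep for. A one-line comment at the top of the template noting that the `%h` chroot target must be root-owned and non-writable (which the master tasks arrange) would document the coupling between this file and master.yml.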
diff --git a/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2 b/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2
new file mode 100644
index 0000000..601bef8
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright (c) 2023 stonewall@sacredheartsc.com
+# MIT License https://opensource.org/licenses/MIT
+#
+# Pulls certificate files from another host over sftp, and restarts prosody
+# if any certificate files were modified.
+
+set -Eeu -o pipefail
+
+shopt -s nullglob
+
+SSH_KEY={{ prosody_le_ssh_privkey_path | quote }}
+LETSENCRYPT_PROXY_USER={{ prosody_le_user | quote }}
+LETSENCRYPT_PROXY_HOST={{ prosody_le_proxy_host | quote }}
+CERT_DIR=/etc/prosody/certs
+
+CHECKSUM_FILE=certs.md5
+
+cd "${CERT_DIR}"
+
+if [ -f "$CHECKSUM_FILE" ]; then
+ md5_orig=$(<"$CHECKSUM_FILE")
+else
+ md5_orig=''
+fi
+
+sftp -i "$SSH_KEY" "${LETSENCRYPT_PROXY_USER}@${LETSENCRYPT_PROXY_HOST}" <<EOT
+get *.crt
+get *.key
+quit
+EOT
+
+chgrp prosody "${CERT_DIR}"/*.{crt,key}
+chmod 640 "${CERT_DIR}"/*.{crt,key}
+
+> "$CHECKSUM_FILE"
+for file in *.{crt,key} ; do
+ md5sum "$file" >> "$CHECKSUM_FILE"
+done
+
+md5_new=$(<"$CHECKSUM_FILE")
+
+if [ "$md5_orig" != "$md5_new" ]; then
+ echo 'found new certificates, reloading prosody.'
+ if systemctl is-active prosody > /dev/null; then
+ systemctl reload prosody
+ fi
+else
+ echo 'certificates unchanged.'
+fi
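Review bot: The `sftp` invocation relies on whatever host-key state root already has for `$LETSENCRYPT_PROXY_HOST`; nothing in this role provisions a known_hosts entry, so the first run from the non-interactive timer will fail on host-key verification, and the tempting workaround (`StrictHostKeyChecking=no`) would let any host answering that name supply the certificates and keys prosody then loads. Pin the proxy host's key explicitly, e.g. `sftp -i "$SSH_KEY" -o StrictHostKeyChecking=yes -o UserKnownHostsFile=<KNOWN_HOSTS_PATH> "${LETSENCRYPT_PROXY_USER}@${LETSENCRYPT_PROXY_HOST}"`, and have slave.yml populate that file (Ansible's `known_hosts` module does this) — unless the playbook already does so elsewhere. One smaller point: with `nullglob` set, `chgrp prosody "${CERT_DIR}"/*.{crt,key}` and the following `chmod` expand to no operands when the download returned nothing, which under `set -e` aborts the script with a missing-operand error rather than a message saying the fetch was empty; a guard on the glob before those lines would make that failure explicit.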
diff --git a/roles/prosody_letsencrypt_proxy/vars/main.yml b/roles/prosody_letsencrypt_proxy/vars/main.yml
new file mode 100644
index 0000000..a04092d
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/vars/main.yml
@@ -0,0 +1,9 @@
+prosody_le_user: prosody-le-proxy
+prosody_le_home: /var/spool/prosody
+prosody_le_authorized_keys_dir: /etc/ssh/authorized_keys
+prosody_le_cert_dir: '{{ prosody_le_home }}/certs'
+
+prosody_le_slave_packages:
+ - prosody
+
+prosody_le_ssh_privkey_path: /etc/prosody/id_prosody_le_proxy
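Review bot: `prosody_le_cert_dir` is defined on the fourth line but not referenced by any file in this diff — master.yml writes certificates directly into `prosody_le_home`, and the slave script hard-codes `CERT_DIR=/etc/prosody/certs` — so it is either dead or meant for one of those two places. If it is kept, a comment stating which side it applies to would avoid the master/slave confusion; if the script should honour it, `CERT_DIR={{ prosody_le_cert_dir | quote }}` in the template would wire it up, assuming nothing outside the role consumes the variable.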