From 0261e875679f1bf63c8d689da7fc7e014597885d Mon Sep 17 00:00:00 2001
From: Stonewall Jackson
Date: Sat, 4 Feb 2023 01:23:43 -0500
Subject: initial commit

---
 roles/prosody_letsencrypt_proxy/defaults/main.yml | 2 +
 roles/prosody_letsencrypt_proxy/handlers/main.yml | 4 ++
 roles/prosody_letsencrypt_proxy/tasks/main.yml | 1 +
 roles/prosody_letsencrypt_proxy/tasks/master.yml | 47 ++++++++++++++++++++
 roles/prosody_letsencrypt_proxy/tasks/slave.yml | 32 ++++++++++++++
 .../etc/ssh/sshd_config.d/99-prosody-le-proxy.conf | 7 +++
 .../usr/local/sbin/prosody-letsencrypt-proxy.j2 | 51 ++++++++++++++++++++++
 roles/prosody_letsencrypt_proxy/vars/main.yml | 9 ++++
 8 files changed, 153 insertions(+)
 create mode 100644 roles/prosody_letsencrypt_proxy/defaults/main.yml
 create mode 100644 roles/prosody_letsencrypt_proxy/handlers/main.yml
 create mode 100644 roles/prosody_letsencrypt_proxy/tasks/main.yml
 create mode 100644 roles/prosody_letsencrypt_proxy/tasks/master.yml
 create mode 100644 roles/prosody_letsencrypt_proxy/tasks/slave.yml
 create mode 100644 roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
 create mode 100644 roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2
 create mode 100644 roles/prosody_letsencrypt_proxy/vars/main.yml

(limited to 'roles/prosody_letsencrypt_proxy')

diff --git a/roles/prosody_letsencrypt_proxy/defaults/main.yml b/roles/prosody_letsencrypt_proxy/defaults/main.yml
new file mode 100644
index 0000000..a59fa35
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/defaults/main.yml
@@ -0,0 +1,2 @@
+prosody_le_role: slave
+prosody_le_domains: '{{ prosody_vhosts }}'
diff --git a/roles/prosody_letsencrypt_proxy/handlers/main.yml b/roles/prosody_letsencrypt_proxy/handlers/main.yml
new file mode 100644
index 0000000..18c505e
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: restart sshd
+  systemd:
+    name: sshd
+    state: restarted
diff --git a/roles/prosody_letsencrypt_proxy/tasks/main.yml b/roles/prosody_letsencrypt_proxy/tasks/main.yml
new file mode 100644
index 0000000..95b108b
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/main.yml
@@ -0,0 +1 @@
+- import_tasks: '{{ prosody_le_role }}.yml'
diff --git a/roles/prosody_letsencrypt_proxy/tasks/master.yml b/roles/prosody_letsencrypt_proxy/tasks/master.yml
new file mode 100644
index 0000000..ab84669
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/master.yml
@@ -0,0 +1,47 @@
+- name: create user
+  user:
+    name: '{{ prosody_le_user }}'
+    home: '{{ prosody_le_home }}'
+    system: yes
+    create_home: no
+    shell: /sbin/nologin
+
+- name: create home directory
+  file:
+    path: '{{ prosody_le_home }}'
+    owner: root
+    group: '{{ prosody_le_user }}'
+    mode: 0750
+    state: directory
+
+- name: create ssh authorized_keys directory
+  file:
+    path: '{{ prosody_le_authorized_keys_dir }}'
+    mode: 0755
+    state: directory
+
+- name: copy ssh public key
+  copy:
+    content: '{{ prosody_le_ssh_pubkey }}'
+    dest: '{{ prosody_le_authorized_keys_dir }}/{{ prosody_le_user }}'
+    mode: 0640
+    owner: root
+    group: '{{ prosody_le_user }}'
+
+- name: generate sshd configuration
+  template:
+    src: etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
+    dest: /etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
+  notify: restart sshd
+
+- name: retrieve certificates
+  include_role:
+    name: certbot
+  vars:
+    certificate_sans: ['{{ item }}']
+    certificate_path: '{{ prosody_le_home }}/{{ item }}.crt'
+    certificate_key_path: '{{ prosody_le_home }}/{{ item }}.key'
+    certificate_owner: 'root:{{ prosody_le_user }}'
+    certificate_mode: 0640
+    certificate_use_apache: yes
+  loop: '{{ prosody_le_domains }}'
diff --git a/roles/prosody_letsencrypt_proxy/tasks/slave.yml b/roles/prosody_letsencrypt_proxy/tasks/slave.yml
new file mode 100644
index 0000000..1bcf67a
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/tasks/slave.yml
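Review bot: The `generate sshd configuration` task drops a Match block into sshd_config.d and notifies a full `restart sshd` without validating the rendered file, so a templating mistake (an empty `prosody_le_user`, for instance) would take sshd down on the host Ansible manages it through; add `validate: '/usr/sbin/sshd -t -f %s'` to the `template` task, and consider `state: reloaded` in the handler since sshd re-reads its configuration on SIGHUP. The drop-in only takes effect if the main sshd_config includes `sshd_config.d/*.conf`, which this hunk assumes rather than checks. Style: the octal modes and `yes`/`no` values (`mode: '0750'`, `system: true`, `create_home: false`, `certificate_use_apache: true`) are better quoted or written as canonical booleans so a YAML 1.1 loader does not retype them.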
@@ -0,0 +1,32 @@
+- name: install packages
+  dnf:
+    name: '{{ prosody_le_slave_packages }}'
+    state: present
+
+- name: copy ssh privkey
+  copy:
+    content: '{{ prosody_le_ssh_privkey }}'
+    dest: '{{ prosody_le_ssh_privkey_path }}'
+    mode: 0600
+
+- name: generate script
+  template:
+    src: usr/local/sbin/prosody-letsencrypt-proxy.j2
+    dest: /usr/local/sbin/prosody-letsencrypt-proxy
+    mode: 0555
+
+- name: create systemd timer
+  include_role:
+    name: systemd_timer
+  vars:
+    timer_name: prosody-letsencrypt-proxy
+    timer_description: Check for updated prosody certificates
+    timer_after: network.target
+    timer_on_calendar: daily
+    timer_exec: /usr/local/sbin/prosody-letsencrypt-proxy
+
+- name: retrieve certificates
+  systemd:
+    name: prosody-letsencrypt-proxy.service
+    state: started
+  changed_when: no
diff --git a/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf b/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
new file mode 100644
index 0000000..7d6b9a2
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/templates/etc/ssh/sshd_config.d/99-prosody-le-proxy.conf
@@ -0,0 +1,7 @@
+Match user {{ prosody_le_user }}
+  AuthorizedKeysFile {{ prosody_le_authorized_keys_dir }}/%u
+  ChrootDirectory %h
+  ForceCommand internal-sftp -R
+  AllowTcpForwarding no
+  X11Forwarding no
+  AuthenticationMethods publickey
diff --git a/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2 b/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2
new file mode 100644
index 0000000..601bef8
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/templates/usr/local/sbin/prosody-letsencrypt-proxy.j2
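Review bot: The `copy ssh privkey` task writes `prosody_le_ssh_privkey` without `no_log: true`, so the private key material shows up in `--diff` output and in the task's failure message; add `no_log: true` to that task. The same key is the only credential the slave has, yet nothing here installs a known_hosts entry for `prosody_le_proxy_host`, so the first unattended run of the script from the `.j2` hunk has nothing to check the master's host key against (and the `sftp` call there passes no `-o StrictHostKeyChecking=yes`); add an `ansible.builtin.known_hosts` task, or a managed file referenced via `UserKnownHostsFile`, before the `retrieve certificates` task. Style: `mode: 0600`/`0555` and `changed_when: no` are better written as `'0600'`, `'0555'` and `changed_when: false`.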
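Review bot: The Match block confines the proxy account to a read-only chrooted sftp but leaves the remaining session features at their defaults, so agent forwarding, Unix-socket (StreamLocal) forwarding, tunnels and PTY allocation are still permitted for it; adding `DisableForwarding yes` and `PermitTTY no` under the Match closes those in two lines (`DisableForwarding` also covers the X11 and TCP settings already listed). `ForceCommand internal-sftp -R` makes this largely harmless today, but forwarding channels are negotiated independently of the forced command, so disabling them explicitly is cheap defence in depth. `ChrootDirectory %h` also requires `prosody_le_home` and every parent directory to be root-owned and not group/world-writable, which the `create home directory` task in master.yml satisfies with root:group 0750; a one-line comment in this template stating that dependency would keep the two files from drifting apart.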
@@ -0,0 +1,51 @@
+#!/bin/bash
+
+# Copyright (c) 2023 stonewall@sacredheartsc.com
+# MIT License https://opensource.org/licenses/MIT
+#
+# Pulls certificate files from another host over sftp, and restarts prosody
+# if any certificate files were modified.
+
+set -Eeu -o pipefail
+
+shopt -s nullglob
+
+SSH_KEY={{ prosody_le_ssh_privkey_path | quote }}
+LETSENCRYPT_PROXY_USER={{ prosody_le_user | quote }}
+LETSENCRYPT_PROXY_HOST={{ prosody_le_proxy_host | quote }}
+CERT_DIR=/etc/prosody/certs
+
+CHECKSUM_FILE=certs.md5
+
+cd "${CERT_DIR}"
+
+if [ -f "$CHECKSUM_FILE" ]; then
+  md5_orig=$(<"$CHECKSUM_FILE")
+else
+  md5_orig=''
+fi
+
+sftp -i "$SSH_KEY" "${LETSENCRYPT_PROXY_USER}@${LETSENCRYPT_PROXY_HOST}" < "$CHECKSUM_FILE"
+for file in *.{crt,key} ; do
+  md5sum "$file" >> "$CHECKSUM_FILE"
+done
+
+md5_new=$(<"$CHECKSUM_FILE")
+
+if [ "$md5_orig" != "$md5_new" ]; then
+  echo 'found new certificates, reloading prosody.'
+  if systemctl is-active prosody > /dev/null; then
+    systemctl reload prosody
+  fi
+else
+  echo 'certificates unchanged.'
+fi
diff --git a/roles/prosody_letsencrypt_proxy/vars/main.yml b/roles/prosody_letsencrypt_proxy/vars/main.yml
new file mode 100644
index 0000000..a04092d
--- /dev/null
+++ b/roles/prosody_letsencrypt_proxy/vars/main.yml
@@ -0,0 +1,9 @@
+prosody_le_user: prosody-le-proxy
+prosody_le_home: /var/spool/prosody
+prosody_le_authorized_keys_dir: /etc/ssh/authorized_keys
+prosody_le_cert_dir: '{{ prosody_le_home }}/certs'
+
+prosody_le_slave_packages:
+  - prosody
+
+prosody_le_ssh_privkey_path: /etc/prosody/id_prosody_le_proxy
-- cgit
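Review bot: The transfer step as shown cannot be the real code: `sftp ... < "$CHECKSUM_FILE"` feeds the checksum file to sftp and nothing truncates `$CHECKSUM_FILE` before the `>>` loop, and the hunk header promises 51 lines while only 42 are visible, so the heredoc listing what to `get` and the reset of the checksum file look like they were lost in rendering; the lines around `sftp` should be re-checked against the repository before review. Nothing visible sets the owner or mode of the downloaded `.key` files either, so unless that happens in the missing lines, a `umask 027` before the transfer (with group ownership prosody can read) would keep private keys from being created world-readable under the systemd default umask. The `md5sum` comparison is only change detection, not integrity, which is fine here; a comment such as `# checksums only detect changes; transport integrity comes from ssh` would stop a later reader from "upgrading" it for the wrong reason.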
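Review bot: `prosody_le_cert_dir` is defined as `'{{ prosody_le_home }}/certs'` but nothing in this commit reads it: master.yml writes the certificates straight into `prosody_le_home` (`'{{ prosody_le_home }}/{{ item }}.crt'`) and the slave script hard-codes `/etc/prosody/certs`, so the variable is either dead or records an intent the tasks do not follow; either drop it or make master.yml and the script use it. The role also relies on `prosody_le_ssh_pubkey`, `prosody_le_ssh_privkey` and `prosody_le_proxy_host`, which are declared in neither defaults nor vars; a short comment at the top of defaults/main.yml listing these required inventory variables, and noting that the private key belongs in vault rather than plain inventory, would turn a runtime undefined-variable failure into documentation.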