diff --git a/.gitignore b/.gitignore
index 3869f79..6a76e1a 100644
--- a/.gitignore
+++ b/.gitignore
@@ -7,4 +7,4 @@
 **/*.gz
 **/*.pem
 **/*.log
-**/*.keep
\ No newline at end of file
+**/*.keep
diff --git a/roles/platform/defaults/main/webserver.yml b/roles/platform/defaults/main/webserver.yml
index 54107f5..1f4da30 100644
--- a/roles/platform/defaults/main/webserver.yml
+++ b/roles/platform/defaults/main/webserver.yml
@@ -23,13 +23,13 @@ platform_webserver_https_enabled: false
 platform_webserver_https_port: 3443
 
 # The path to the public key file used for HTTPS connections.
-platform_webserver_https_key: /opt/itential/platform/server/keys/key.pem
+platform_webserver_https_key: "{{ platform_tls_dir }}/private/server.key"
 
 # The passphrase for the private key used to enable TLS sessions.
 platform_webserver_https_passphrase:
 
 # The path to the certificate file used for HTTPS connections.
-platform_webserver_https_cert: /opt/itential/platform/server/keys/cert.pem
+platform_webserver_https_cert: "{{ platform_tls_dir }}/certs/server.crt"
 
 # The set of allowed SSL/TLS protocol versions.
 platform_webserver_https_secure_protocol: TLSv1_2_method
diff --git a/roles/platform/tasks/copy-certs.yml b/roles/platform/tasks/copy-certs.yml
index 839dc96..609c965 100644
--- a/roles/platform/tasks/copy-certs.yml
+++ b/roles/platform/tasks/copy-certs.yml
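Review bot: The comment directly above the changed `platform_webserver_https_key` line still describes it as "the public key file", while the new value places it under `{{ platform_tls_dir }}/private/server.key` and the passphrase comment two lines further down already calls the same file the private key; suggest `# The path to the private key file used for HTTPS connections.`. Note also that `platform_tls_dir`, which both new values depend on, is introduced in the role's `vars/main.yml` rather than in this defaults file, so unlike the other paths here it presumably cannot be overridden from inventory; if that is intended, a one-line comment here pointing readers to `vars/main.yml` would save them a search. The unchanged `platform_webserver_https_passphrase:` context line is a bare null rather than an empty string, which is pre-existing but worth keeping in mind when templating it.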
@@ -2,34 +2,45 @@ # GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt) --- -# TODO: Do we want to continue to support copying the cert? -# Should the cert/key be copied to /etc/ssl? +- name: Ensure the private directory exists + ansible.builtin.file: + path: "{{ platform_tls_dir }}/private" + state: directory + owner: root + group: itential + mode: '0750' + +- name: Ensure the certs directory exists + ansible.builtin.file: + path: "{{ platform_tls_dir }}/certs" + state: directory + owner: root + group: root + mode: '0755' - name: Put the HTTPS key file in the correct location ansible.builtin.copy: - remote_src: true - src: "{{ platform_install_dir }}/keys/key.pem" - dest: "{{ platform_install_dir }}/keys/itential.key" - mode: "0400" - owner: "{{ platform_user }}" - group: "{{ platform_group }}" + src: "{{ platform_keyfile_source }}" + dest: "{{ platform_webserver_https_key }}" + mode: "0640" + owner: root + group: itential - name: Put the HTTPS cert file in the correct location ansible.builtin.copy: - remote_src: true - src: "{{ platform_install_dir }}/keys/cert.pem" - dest: "{{ platform_install_dir }}/keys/itential.cert" - mode: "0400" - owner: "{{ platform_user }}" - group: "{{ platform_group }}" + src: "{{ platform_certfile_source }}" + dest: "{{ platform_webserver_https_cert }}" + mode: "0644" + owner: root + group: root - name: Copy MongoDB root CA file to the appropriate location ansible.builtin.copy: src: "{{ platform_mongodb_root_ca_file_source }}" dest: "{{ platform_mongodb_root_ca_file_destination }}" mode: "0400" - group: "{{ platform_group }}" owner: "{{ platform_user }}" + group: "{{ platform_group }}" when: - - mongodb_tls_enabled | bool + - platform_mongo_tls_enabled | bool - platform_mongodb_root_ca_file_source is defined diff --git a/roles/platform/tasks/main.yml b/roles/platform/tasks/main.yml index 43544f2..ebed8ad 100644 --- a/roles/platform/tasks/main.yml +++ b/roles/platform/tasks/main.yml 
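Review bot: The two rewritten copy tasks and the new `private` directory task hard-code `owner: root` and `group: itential`, while the MongoDB CA task in the same hunk (and the lines being replaced) use `{{ platform_user }}` / `{{ platform_group }}`; if `platform_group` is ever set to anything other than `itential`, the service cannot read a root-owned `0640` key, so `group: "{{ platform_group }}"` on the key task and the `private` directory keeps them in step. The new key and cert tasks also have no `when` guard: `platform_keyfile_source` and `platform_certfile_source` are not defined in any hunk of this commit, and the block that now includes this file in `roles/platform/tasks/main.yml` runs unconditionally even though `platform_webserver_https_enabled` defaults to `false`, so an inventory that never enabled HTTPS will fail on an undefined variable; `when: platform_webserver_https_enabled | bool` on the include in main.yml, plus `platform_keyfile_source is defined` on the key task as the CA task already does for its source, avoids that. Since the key task now copies a private key from the controller, `no_log: true` on that task is worth adding so its contents cannot be echoed into diff or verbose output. The file also mixes `'0750'` and `"0640"` quoting for `mode`; pick one style.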
@@ -102,13 +102,12 @@
 ansible.builtin.include_tasks:
 file: configure-vault.yml
 
- # TODO: Re-work the copy certs tasks
- # - name: Copy certs
- # tags: copy_certs
- # block:
- # - name: Copy certs
- # ansible.builtin.include_tasks:
- # file: copy-certs.yml
+ - name: Copy certs
+ tags: copy_certs
+ block:
+ - name: Copy certs
+ ansible.builtin.include_tasks:
+ file: copy-certs.yml
 
 - name: Configure Platform
 tags: configure_platform
diff --git a/roles/platform/vars/main.yml b/roles/platform/vars/main.yml
index 8f19b74..6b1b09e 100644
--- a/roles/platform/vars/main.yml
+++ b/roles/platform/vars/main.yml
@@ -6,3 +6,4 @@ platform_root_dir: /opt/itential/platform
 platform_install_dir: "{{ platform_root_dir }}/server"
 platform_service_dir: "{{ platform_root_dir }}/services"
 platform_config_dir: /etc/itential
+platform_tls_dir: /etc/ssl/itential-platform