- Removed TLS key and cert handling.

- Role is now empty, archiving the role.

- Removed TLS key and cert handling.
853c1f58 · nimrod · d2170ed3 · 853c1f58 · d2170ed3 · d2170ed3
Commit 853c1f58 authored 8 years ago by nimrod
--- a/README.rst
+++ b/README.rst
@@ -17,9 +17,6 @@ Role Variables
 --------------
 ::

-    extra_tls_certs: [] # List of filenames of TLS certs to be added.
-    ssh_ca: # TBD.
-    syslog_server: # The address of syslog server to forward.
    tls_cert: # Filename of the TLS cert for that host.
    tls_key: # Filename of the TLS key for that host.
    tls_ca_cert: #Filename of the TLS CA cert for that host.

--- a/files/dhparams.sh
+++ b/files/dhparams.sh
-#!/bin/sh -e
-if [ -f /etc/ssl/dhparams.pem ]
-then
-    openssl dhparam -in /etc/ssl/dhparams.pem -text -noout | sed -n 's/Diffie-Hellman-Parameters: (\([0-9]*\) bit)/\1/p'
-else
-    echo 0
-fi
--- a/files/update-ca-certificates
+++ b/files/update-ca-certificates
-#!/bin/sh -e
-# Update the CA certificates store.
-
-test -d /etc/ssl/certs || echo "/etc/ssl/certs doesn't exist."
-test -w /etc/ssl/cert.pem || chmod 0644 /etc/ssl/cert.pem
-
-cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem
--- a/handlers/main.yml
+++ b/handlers/main.yml
 ---
 # handlers file for ansible-common
-
- name: Update CA store
-  command: '{{ update_ca_certificates[ansible_os_family] }}'
-
- name: Restart rsyslog
-  service:
-    name: rsyslog
-    state: restarted
-
- name: Restart syslogd
-  service:
-    name: syslogd
-    state: restarted
--- a/tasks/syslog_forward.yml
+++ b/tasks/syslog_forward.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
- name: apt install rsyslog
-  when: ansible_os_family == 'Debian'
-  apt:
-    name: rsyslog-gnutls
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-
- name: Configure rsyslog forwarding
-  when: ansible_os_family == 'Debian'
-  template:
-    src: forwarding.conf.j2
-    dest: /etc/rsyslog.d/forwarding.conf.j2
-    owner: root
-    group: root
-    mode: 0o0644
-  notify:
-  - Restart rsyslog
-
- name: Configure syslogd forwarding
-  when: ansible_os_family == 'OpenBSD'
-  lineinfile:
-    dest: /etc/syslog.conf
-    line: '*.* @tls://{{ syslog_server}}'
-    regexp: '^\*.\* '
-    state: present
-  notify:
-  - Restart syslogd
--- a/tasks/tls_cert.yml
+++ b/tasks/tls_cert.yml
---
-
- include: 'tls_cert_Debian.yml'
-  when: ansible_os_family == 'Debian'
-
- include: 'tls_cert_OpenBSD.yml'
-  when: ansible_os_family == 'OpenBSD'
-
- name: Check if dhparams exists and its length
-  ignore_errors: yes
-  dhparams:
-    path: /etc/ssl/dhparams.pem
-  register: tls_dhparams
-
- name: Generate dhparams (this will take a while)
-  when: tls_dhparams.bits < 2048
-  command: /usr/bin/openssl dhparam -out /etc/ssl/dhparams.pem 2048
--- a/tasks/tls_cert_Debian.yml
+++ b/tasks/tls_cert_Debian.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family == 'Debian'
-
- name: apt install TLS CA certs
-  apt:
-    name: '{{ item }}'
-    state: present
-    update_cache: yes
-    cache_valid_time: 3600
-  with_items:
-  - ssl-cert
-  - ca-certificates
-
- name: Set TLS key and certificate
-  set_fact:
-    tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
-    tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
-    tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
-
- name: Copy TLS certificate and key
-  when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: '{{ item.group }}'
-    mode: '{{ item.mode }}'
-  register: tls_copy
-  with_items:
-    - src: '{{ tls_key }}'
-      dest: '{{ tls_key_path }}'
-      mode: 0o0640
-      group: ssl-cert
-    - src: '{{ tls_cert }}'
-      dest: '/usr/local/share/ca-certificates/{{ tls_cert|basename }}.crt'
-      mode: 0o0644
-      group: root
-    - src: '{{ tls_ca_cert }}'
-      dest: '/usr/local/share/ca-certificates/{{ tls_ca_cert|basename }}.crt'
-      mode: 0o0644
-      group: root
-
- name: Update certificate authority store
-  command: /usr/sbin/update-ca-certificates
-  when: tls_copy.changed
--- a/tasks/tls_cert_OpenBSD.yml
+++ b/tasks/tls_cert_OpenBSD.yml
---
-
- name: Assert
-  assert:
-    that: ansible_os_family == 'OpenBSD'
-
- name: Create TLS key-owner group
-  group:
-    name: ssl-cert
-    state: present
-
- name: Create TLS keys and certs directories
-  with_items:
-  - name: certs
-    mode: 0o0755
-    group: wheel
-  - name: private
-    mode: 0o0750
-    group: ssl-cert
-  file:
-    path: '/etc/ssl/{{ item.name }}'
-    owner: root
-    group: '{{ item.group }}'
-    mode: '{{ item.mode }}'
-    state: directory
-
- name: Get current CA store
-  get_url:
-    url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
-    dest: /etc/ssl/certs/ca-certificates.pem
-    owner: root
-    group: wheel
-    mode: 0o0644
-
- name: Copy update-ca-certifcates script
-  copy:
-    src: update-ca-certificates
-    dest: /usr/local/sbin/update-ca-certificates
-    owner: root
-    group: wheel
-    mode: 0o0755
-
- stat:
-    path: /etc/ssl/private/ssl-cert-snakeoil.key
-  register: tls_stat_key
-
- name: Generate self-signed TLS key
-  when: not tls_stat_key.stat.exists
-  command: /usr/bin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
-
- stat:
-    path: /etc/ssl/certs/ssl-cert-snakeoil.pem
-  register: tls_stat_cert
-
- name: Generate self-signed TLS cert
-  when: not tls_stat_cert.stat.exists
-  command: |
-    /usr/bin/openssl req \
-        -x509 \
-        -new \
-        -key /etc/ssl/private/ssl-cert-snakeoil.key \
-        -nodes \
-        -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
-        -days 3650
-        -subj "/CN={{ ansible_fqdn }}"
-
- name: Set TLS key and certificate
-  set_fact:
-    tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
-    tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
-    tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
-
- name: Copy TLS certificate and key
-  when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
-  with_items:
-    - src: '{{ tls_key }}'
-      dest: '{{ tls_key_path }}'
-    - src: '{{ tls_cert }}'
-      dest: '{{ tls_cert_path }}'
-    - src: '{{ tls_ca_cert }}'
-      dest: '{{ tls_ca_cert_path }}'
-  copy:
-    src: '{{ item.src }}'
-    dest: '{{ item.dest }}'
-    owner: root
-    group: wheel
-    mode: 0o0644
-  register: tls_copy
-
- name: Update certificate authority store
-  when: tls_copy.changed or not tls_stat_cert.stat.exists
-  command: /usr/local/sbin/update-ca-certificates
--- a/templates/forwarding.conf.j2
+++ b/templates/forwarding.conf.j2
-$DefaultNetstreamDriver gtls
-$DefaultNetstreamDriverCAFile {{ tls_ca_cert_path }}
-$DefaultNetstreamDriverCertFile {{ tls_cert_path }}
-$DefaultNetstreamDriverKeyFile {{ tls_key_path }}
-
-$ActionSendStreamDriverAuthMode x509/name
-$ActionSendStreamDriverPermittedPeer {{ syslog_server }}
-$ActionSendStreamDriverMode 1
-*.* @@{{ syslog_server }}
--- a/vars/main.yml
+++ b/vars/main.yml
 ---
 # vars file for ansible-common
-
-debian_suite:
-  squeeze: oldoldstable
-  wheezy: oldstable
-  jessie: stable
-  stretch: testing
-  sid: unstable
-
-ca_store:
-    OpenBSD: /etc/ssl/cert.pem
-    Debian: /etc/ssl/certs/ca-certificates.crt
-
-update_ca_certificates:
-    OpenBSD: /usr/local/sbin/update-ca-certificates
-    Debian: /usr/sbin/update-ca-certificates
-
-cert_dir:
-    OpenBSD: /etc/ssl/certs
-    Debian: /usr/local/share/ca-certificates