From 853c1f58e29eba324a7f7d275714d10343e60b20 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Fri, 8 Jul 2016 22:42:41 +0300
Subject: [PATCH] - Removed TLS key and cert handling. - Role is now empty,
archiving the role.
---
README.rst | 3 --
files/dhparams.sh | 7 ---
files/update-ca-certificates | 7 ---
handlers/main.yml | 13 -----
tasks/syslog_forward.yml | 34 -------------
tasks/tls_cert.yml | 17 -------
tasks/tls_cert_Debian.yml | 48 -------------------
tasks/tls_cert_OpenBSD.yml | 92 ------------------------------------
templates/forwarding.conf.j2 | 9 ----
vars/main.yml | 19 --------
10 files changed, 249 deletions(-)
delete mode 100755 files/dhparams.sh
delete mode 100644 files/update-ca-certificates
delete mode 100644 tasks/syslog_forward.yml
delete mode 100644 tasks/tls_cert.yml
delete mode 100644 tasks/tls_cert_Debian.yml
delete mode 100644 tasks/tls_cert_OpenBSD.yml
delete mode 100644 templates/forwarding.conf.j2
diff --git a/README.rst b/README.rst
index d5d6ffe..0c4024c 100644
--- a/README.rst
+++ b/README.rst
@@ -17,9 +17,6 @@ Role Variables
--------------
::
- extra_tls_certs: [] # List of filenames of TLS certs to be added.
- ssh_ca: # TBD.
- syslog_server: # The address of syslog server to forward.
tls_cert: # Filename of the TLS cert for that host.
tls_key: # Filename of the TLS key for that host.
tls_ca_cert: #Filename of the TLS CA cert for that host.
diff --git a/files/dhparams.sh b/files/dhparams.sh
deleted file mode 100755
index eb97eb4..0000000
--- a/files/dhparams.sh
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh -e
-if [ -f /etc/ssl/dhparams.pem ]
-then
- openssl dhparam -in /etc/ssl/dhparams.pem -text -noout | sed -n 's/Diffie-Hellman-Parameters: (\([0-9]*\) bit)/\1/p'
-else
- echo 0
-fi
diff --git a/files/update-ca-certificates b/files/update-ca-certificates
deleted file mode 100644
index 80360b5..0000000
--- a/files/update-ca-certificates
+++ /dev/null
@@ -1,7 +0,0 @@
-#!/bin/sh -e
-# Update the CA certificates store.
-
-test -d /etc/ssl/certs || echo "/etc/ssl/certs doesn't exist."
-test -w /etc/ssl/cert.pem || chmod 0644 /etc/ssl/cert.pem
-
-cat /etc/ssl/certs/*.pem > /etc/ssl/cert.pem
diff --git a/handlers/main.yml b/handlers/main.yml
index 57565ed..f2e65b6 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,15 +1,2 @@
---
# handlers file for ansible-common
-
-- name: Update CA store
- command: '{{ update_ca_certificates[ansible_os_family] }}'
-
-- name: Restart rsyslog
- service:
- name: rsyslog
- state: restarted
-
-- name: Restart syslogd
- service:
- name: syslogd
- state: restarted
diff --git a/tasks/syslog_forward.yml b/tasks/syslog_forward.yml
deleted file mode 100644
index b7f88d9..0000000
--- a/tasks/syslog_forward.yml
+++ /dev/null
@@ -1,34 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family in [ 'Debian', 'OpenBSD' ]
-
-- name: apt install rsyslog
- when: ansible_os_family == 'Debian'
- apt:
- name: rsyslog-gnutls
- state: present
- update_cache: yes
- cache_valid_time: 3600
-
-- name: Configure rsyslog forwarding
- when: ansible_os_family == 'Debian'
- template:
- src: forwarding.conf.j2
- dest: /etc/rsyslog.d/forwarding.conf.j2
- owner: root
- group: root
- mode: 0o0644
- notify:
- - Restart rsyslog
-
-- name: Configure syslogd forwarding
- when: ansible_os_family == 'OpenBSD'
- lineinfile:
- dest: /etc/syslog.conf
- line: '*.* @tls://{{ syslog_server}}'
- regexp: '^\*.\* '
- state: present
- notify:
- - Restart syslogd
diff --git a/tasks/tls_cert.yml b/tasks/tls_cert.yml
deleted file mode 100644
index 39e903f..0000000
--- a/tasks/tls_cert.yml
+++ /dev/null
@@ -1,17 +0,0 @@
----
-
-- include: 'tls_cert_Debian.yml'
- when: ansible_os_family == 'Debian'
-
-- include: 'tls_cert_OpenBSD.yml'
- when: ansible_os_family == 'OpenBSD'
-
-- name: Check if dhparams exists and its length
- ignore_errors: yes
- dhparams:
- path: /etc/ssl/dhparams.pem
- register: tls_dhparams
-
-- name: Generate dhparams (this will take a while)
- when: tls_dhparams.bits < 2048
- command: /usr/bin/openssl dhparam -out /etc/ssl/dhparams.pem 2048
diff --git a/tasks/tls_cert_Debian.yml b/tasks/tls_cert_Debian.yml
deleted file mode 100644
index b236e53..0000000
--- a/tasks/tls_cert_Debian.yml
+++ /dev/null
@@ -1,48 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family == 'Debian'
-
-- name: apt install TLS CA certs
- apt:
- name: '{{ item }}'
- state: present
- update_cache: yes
- cache_valid_time: 3600
- with_items:
- - ssl-cert
- - ca-certificates
-
-- name: Set TLS key and certificate
- set_fact:
- tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
- tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
- tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
-
-- name: Copy TLS certificate and key
- when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
- copy:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: '{{ item.group }}'
- mode: '{{ item.mode }}'
- register: tls_copy
- with_items:
- - src: '{{ tls_key }}'
- dest: '{{ tls_key_path }}'
- mode: 0o0640
- group: ssl-cert
- - src: '{{ tls_cert }}'
- dest: '/usr/local/share/ca-certificates/{{ tls_cert|basename }}.crt'
- mode: 0o0644
- group: root
- - src: '{{ tls_ca_cert }}'
- dest: '/usr/local/share/ca-certificates/{{ tls_ca_cert|basename }}.crt'
- mode: 0o0644
- group: root
-
-- name: Update certificate authority store
- command: /usr/sbin/update-ca-certificates
- when: tls_copy.changed
diff --git a/tasks/tls_cert_OpenBSD.yml b/tasks/tls_cert_OpenBSD.yml
deleted file mode 100644
index 109f73c..0000000
--- a/tasks/tls_cert_OpenBSD.yml
+++ /dev/null
@@ -1,92 +0,0 @@
----
-
-- name: Assert
- assert:
- that: ansible_os_family == 'OpenBSD'
-
-- name: Create TLS key-owner group
- group:
- name: ssl-cert
- state: present
-
-- name: Create TLS keys and certs directories
- with_items:
- - name: certs
- mode: 0o0755
- group: wheel
- - name: private
- mode: 0o0750
- group: ssl-cert
- file:
- path: '/etc/ssl/{{ item.name }}'
- owner: root
- group: '{{ item.group }}'
- mode: '{{ item.mode }}'
- state: directory
-
-- name: Get current CA store
- get_url:
- url: http://cvsweb.openbsd.org/cgi-bin/cvsweb/~checkout~/src/lib/libcrypto/cert.pem
- dest: /etc/ssl/certs/ca-certificates.pem
- owner: root
- group: wheel
- mode: 0o0644
-
-- name: Copy update-ca-certifcates script
- copy:
- src: update-ca-certificates
- dest: /usr/local/sbin/update-ca-certificates
- owner: root
- group: wheel
- mode: 0o0755
-
-- stat:
- path: /etc/ssl/private/ssl-cert-snakeoil.key
- register: tls_stat_key
-
-- name: Generate self-signed TLS key
- when: not tls_stat_key.stat.exists
- command: /usr/bin/openssl genrsa -out /etc/ssl/private/ssl-cert-snakeoil.key 2048
-
-- stat:
- path: /etc/ssl/certs/ssl-cert-snakeoil.pem
- register: tls_stat_cert
-
-- name: Generate self-signed TLS cert
- when: not tls_stat_cert.stat.exists
- command: |
- /usr/bin/openssl req \
- -x509 \
- -new \
- -key /etc/ssl/private/ssl-cert-snakeoil.key \
- -nodes \
- -out /etc/ssl/certs/ssl-cert-snakeoil.pem \
- -days 3650
- -subj "/CN={{ ansible_fqdn }}"
-
-- name: Set TLS key and certificate
- set_fact:
- tls_key_path: '/etc/ssl/private/{{ tls_key|default("ssl-cert-snakeoil")|basename }}.key'
- tls_cert_path: '/etc/ssl/certs/{{ tls_cert|default("ssl-cert-snakeoil")|basename }}.pem'
- tls_ca_cert_path: '/etc/ssl/certs/{{ tls_ca_cert|default(tls_cert|default("ssl-cert-snakeoil"))|basename }}.pem'
-
-- name: Copy TLS certificate and key
- when: tls_cert is defined and tls_key is defined and tls_ca_cert is defined
- with_items:
- - src: '{{ tls_key }}'
- dest: '{{ tls_key_path }}'
- - src: '{{ tls_cert }}'
- dest: '{{ tls_cert_path }}'
- - src: '{{ tls_ca_cert }}'
- dest: '{{ tls_ca_cert_path }}'
- copy:
- src: '{{ item.src }}'
- dest: '{{ item.dest }}'
- owner: root
- group: wheel
- mode: 0o0644
- register: tls_copy
-
-- name: Update certificate authority store
- when: tls_copy.changed or not tls_stat_cert.stat.exists
- command: /usr/local/sbin/update-ca-certificates
diff --git a/templates/forwarding.conf.j2 b/templates/forwarding.conf.j2
deleted file mode 100644
index 96f001a..0000000
--- a/templates/forwarding.conf.j2
+++ /dev/null
@@ -1,9 +0,0 @@
-$DefaultNetstreamDriver gtls
-$DefaultNetstreamDriverCAFile {{ tls_ca_cert_path }}
-$DefaultNetstreamDriverCertFile {{ tls_cert_path }}
-$DefaultNetstreamDriverKeyFile {{ tls_key_path }}
-
-$ActionSendStreamDriverAuthMode x509/name
-$ActionSendStreamDriverPermittedPeer {{ syslog_server }}
-$ActionSendStreamDriverMode 1
-*.* @@{{ syslog_server }}
diff --git a/vars/main.yml b/vars/main.yml
index 80a93d1..c3dc791 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -1,21 +1,2 @@
---
# vars file for ansible-common
-
-debian_suite:
- squeeze: oldoldstable
- wheezy: oldstable
- jessie: stable
- stretch: testing
- sid: unstable
-
-ca_store:
- OpenBSD: /etc/ssl/cert.pem
- Debian: /etc/ssl/certs/ca-certificates.crt
-
-update_ca_certificates:
- OpenBSD: /usr/local/sbin/update-ca-certificates
- Debian: /usr/sbin/update-ca-certificates
-
-cert_dir:
- OpenBSD: /etc/ssl/certs
- Debian: /usr/local/share/ca-certificates
--
GitLab