add sslletsencrypt and sslselfsigned roles for internal servers

.gitignore

@@ -2,3 +2,4 @@
 secret
 *.pyc
 site.retry
+.directory

README.md

@@ -84,6 +84,13 @@ Authorize your ssh key if you want passwordless ssh login (optional):
     nano /home/deploy/.ssh/authorized_keys
     chmod 400 /home/deploy/.ssh/authorized_keys
     chown deploy:deploy /home/deploy -R
+
+Or, in short:
+
+    ssh-copy-id -i ~/.ssh/id_ecdsa deploy@hostname
+
+Also, enable passwordless sudo for the deploy user:
+
     echo 'deploy ALL=(ALL) NOPASSWD: ALL' > /etc/sudoers.d/deploy
 
 Your new account will be automatically set up for passwordless `sudo`.

roles/common/defaults/main.yml

@@ -1,6 +1,7 @@
 common_timezone: 'Etc/UTC'
 admin_email: "{{ main_user_name }}@{{ domain }}"
 main_user_shell: "/bin/bash"
+server_hostname: "{{ server_fqdn }}"
 friendly_networks:
   - ""
 

roles/common/tasks/main.yml

@@ -1,7 +1,7 @@
 ---
 
 - name: Set hostname
-  hostname: name="{{ server_fqdn }}"
+  hostname: name="{{ server_hostname }}"
 
 - name: Replace /etc/hosts
   template: src=etc_hosts.j2 dest=/etc/hosts
@@ -83,8 +83,6 @@
 
 - include: users.yml tags=users
 - include: apache.yml tags=apache
-- include: ssl.yml tags=ssl
-- include: letsencrypt.yml tags=letsencrypt
 - include: ufw.yml tags=ufw
 - include: security.yml tags=security
 - include: ntp.yml tags=ntp

roles/common/tasks/ufw.yml

@@ -24,7 +24,6 @@
   ufw: rule=allow port={{ item }} proto=tcp
   with_items:
     - http
-    - https
     - ssh
   tags: ufw
 

roles/sslletsencrypt/DESIGN.md

@@ -0,0 +1,18 @@
+# Design Description for Common-SSL Role
+
+## Let's Encrypt Support
+
+[Let's Encrypt](https://letsencrypt.org) (LE) is an automated certificate authority that provides free SSL certificates that are trusted by all major browsers.  LE certificates are used by Sovereign instead of purchased certificates from authorities like RapidSSL in order to reduce the out-of-pocket cost of deploying Sovereign and avoid end-user problems with self-signed certificates.
+
+### Design approach
+
+The Let's Encrypt service uses DNS to look up domains being registered and then contact the client to verify. For this to work, DNS records must be configured before the playbook is run the first time.
+
+A single certificate is created using Let's Encrypt with SANs used for the subdomains.  At deploy-time, a script is used to query DNS for known subdomains, build a list of the subset that is registered, and use it when making the certificate request of Let's Encrypt.
+
+Several packages need access to the private key. Not all are run as root. An example is Prosody (XMPP). Such users are added to the ssl-cert group, and /etc/letsencrypt is set up to allow keys to be read by ssl-cert.
+
+Certificate renewal is done automatically using cron. The cron script must be aware of private key copies and update them as well. Services that depend on new keys must also be bounced. It is up to roles that rely on keys to modify the cron script (preferably using `lineinfile` or something similar) to accomplish this.
+
+If you changed something that requires new domains or subdomains to be considered when generating the certificates, do not just delete the files in /etc/letsencrypt/live!
+Instead, use /root/letsencrypt/letsencrypt-auto delete to remove the old certificates and then re-run the common role in this playbook.

roles/sslletsencrypt/defaults/main.yml

@@ -0,0 +1,29 @@
+common_timezone: 'Etc/UTC'
+admin_email: "{{ main_user_name }}@{{ domain }}"
+main_user_shell: "/bin/bash"
+friendly_networks:
+  - ""
+
+# pass
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
+
+# let's encrypt
+letsencrypt_server: "https://acme-v02.api.letsencrypt.org/directory"
+
+# ssh
+# Following https://infosec.mozilla.org/guidelines/openssh
+kex_algorithms: "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
+
+# ntp
+ntp_servers:
+  - 0.pool.ntp.org
+  - 1.pool.ntp.org
+  - 2.pool.ntp.org
+  - 3.pool.ntp.org

roles/common/files/letsencrypt-gencert → roles/sslletsencrypt/files/letsencrypt-gencert

@@ -17,7 +17,7 @@ for domain in "$@"; do
   fi
 
   # subdomains - www.foo.com mail.foo.com ...
-  for sub in www mail autoconfig stats news cloud git matrix status social comments iot; do
+  for sub in eddie www mail autoconfig stats news cloud git matrix status social comments iot; do
     # only add if the DNS entry for the subdomain does actually exist
     if (getent hosts $sub.$domain > /dev/null); then
       if [ -z "$d" ]; then

roles/sslletsencrypt/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+# Defines handlers applicable across all machines in the infrastructure.
+
+- name: restart apache
+  service: name=apache2 state=restarted

roles/sslletsencrypt/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- include: ssl.yml tags=ssl
+- include: letsencrypt.yml tags=letsencrypt
+- include: ufw.yml tags=ufw

roles/sslletsencrypt/tasks/ufw.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Set firewall rules for SSL web traffic
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - https
+  tags: ufw

roles/sslselfsigned/defaults/main.yml

@@ -0,0 +1,19 @@
+common_timezone: 'Etc/UTC'
+admin_email: "{{ main_user_name }}@{{ domain }}"
+main_user_shell: "/bin/bash"
+friendly_networks:
+  - ""
+
+# pass
+secret_root: '{{ inventory_dir | realpath }}'
+secret_name: 'secret'
+secret: '{{ secret_root + "/" + secret_name }}'
+
+db_admin_username: 'postgres'
+db_admin_password: "{{ lookup('password', secret + '/' + 'db_admin_password length=32') }}"
+
+# ssh
+# Following https://infosec.mozilla.org/guidelines/openssh
+kex_algorithms: "curve25519-sha256@libssh.org,ecdh-sha2-nistp521,ecdh-sha2-nistp384,ecdh-sha2-nistp256,diffie-hellman-group-exchange-sha256"
+ciphers: "chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr"
+macs: "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"

roles/sslselfsigned/handlers/main.yml

@@ -0,0 +1,5 @@
+---
+# Defines handlers applicable across all machines in the infrastructure.
+
+- name: restart apache
+  service: name=apache2 state=restarted

roles/sslselfsigned/tasks/main.yml

@@ -0,0 +1,5 @@
+---
+
+- include: ssl.yml tags=ssl
+- include: selfsigned.yml
+- include: ufw.yml tags=ufw

roles/sslselfsigned/tasks/selfsigned.yml

@@ -0,0 +1,42 @@
+
+- name: Install Self Signed Cert stuff
+  apt:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+    - openssl
+  tags:
+    - dependencies
+
+- name: Add group name ssl-cert for SSL certificates
+  group:
+    name: ssl-cert
+    state: present
+
+- name: Create directory for certificates
+  file: state=directory path=/etc/letsencrypt group=root owner=root
+
+- name: Create live directory for certificates
+  file: state=directory path=/etc/letsencrypt/live/{{ domain }} group=ssl-cert owner=root
+
+- name: Add script for cert creation
+  template:
+    src=home_deploy_ssl-self-signed.sh.j2
+    dest=/home/deploy/ssl-self-signed.sh
+    owner=deploy
+    group=deploy
+    mode=755
+
+- name: Create self signed certificates
+  command:
+    cmd: /home/deploy/ssl-self-signed.sh
+  notify: restart apache
+
+- name: Modify permissions to allow ssl-cert group access to live
+  file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes
+
+- name: Retrieve the self signing CA to remove warning in users browser
+  fetch: src=/etc/letsencrypt/live/fritz.box/chain.pem
+         dest="{{ secret }}/sovereign-self-signed-cert"
+         fail_on_missing=yes

roles/sslselfsigned/tasks/ssl.yml

@@ -0,0 +1,23 @@
+- name: Create strong Diffie-Hellman group
+  command: openssl dhparam -out /etc/ssl/private/dhparam2048.pem 2048
+    creates=/etc/ssl/private/dhparam2048.pem
+
+- name: Enable Apache SSL module
+  command: a2enmod ssl creates=/etc/apache2/mods-enabled/ssl.load
+  notify: restart apache
+
+- name: Enable Apache SOCACHE_SHMCB module for the SSL stapling cache
+  command: a2enmod socache_shmcb
+    creates=/etc/apache2/mods-enabled/socache_shmcb.load
+  notify: restart apache
+
+- name: Add common Apache SSL config
+  template: src=etc_apache2_conf-available_ssl.conf.j2
+    dest=/etc/apache2/conf-available/ssl.conf
+    owner=root
+    group=root
+  notify: restart apache
+
+- name: Enable Apache SSL config
+  command: a2enconf ssl creates=/etc/apache2/conf-enabled/ssl.conf
+  notify: restart apache

roles/sslselfsigned/tasks/ufw.yml

@@ -0,0 +1,7 @@
+---
+
+- name: Set firewall rules for SSL web traffic
+  ufw: rule=allow port={{ item }} proto=tcp
+  with_items:
+    - https
+  tags: ufw

roles/sslselfsigned/templates/etc_apache2_conf-available_ssl.conf.j2

@@ -0,0 +1,14 @@
+SSLProtocol ALL -SSLv2 -SSLv3
+SSLHonorCipherOrder On
+SSLCompression off
+SSLUseStapling On
+SSLStaplingCache shmcb:${APACHE_RUN_DIR}/stapling_cache(128000)
+SSLStaplingResponderTimeout 5
+SSLStaplingReturnResponderErrors off
+
+SSLCertificateKeyFile	/etc/letsencrypt/live/{{ domain }}/privkey.pem
+SSLCertificateFile	/etc/letsencrypt/live/{{ domain }}/fullchain.pem
+
+SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
+
+Header add Strict-Transport-Security "max-age=15768000; includeSubdomains"

roles/sslselfsigned/templates/home_deploy_ssl-self-signed.sh.j2

@@ -0,0 +1,35 @@
+#!/bin/bash
+
+echo generating CA key
+openssl genrsa -out /etc/letsencrypt/rootCA.key 4096
+
+echo generating CA certificate
+openssl req -x509 -new -nodes -sha256 -days 7300 \
+    -key /etc/letsencrypt/rootCA.key \
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN={{ domain }}" \
+    -out /etc/letsencrypt/rootCA.crt
+
+echo generating server key
+openssl genrsa -out /etc/letsencrypt/{{ domain }}.key 2048
+
+echo generating signing request
+openssl req -new -sha256 \
+    -key /etc/letsencrypt/{{ domain }}.key \
+    -subj "/C=DE/ST=BW/O={{ domain }}/CN=*.{{ domain }}" \
+    -out /etc/letsencrypt/{{ domain }}.csr
+
+echo generating server certificate
+openssl x509 -req -CAcreateserial -days 7300 -sha256 \
+    -in /etc/letsencrypt/{{ domain }}.csr \
+    -CA /etc/letsencrypt/rootCA.crt \
+    -CAkey /etc/letsencrypt/rootCA.key \
+    -out /etc/letsencrypt/{{ domain }}.crt
+
+echo copy to proper locations
+cp /etc/letsencrypt/{{ domain }}.key /etc/letsencrypt/live/{{ domain }}/privkey.pem
+cp /etc/letsencrypt/rootCA.crt /etc/letsencrypt/live/{{ domain }}/chain.pem
+cp /etc/letsencrypt/{{ domain }}.crt /etc/letsencrypt/live/{{ domain }}/cert.pem
+
+echo generate full chain certificate
+cat /etc/letsencrypt/live/{{ domain }}/cert.pem > /etc/letsencrypt/live/{{ domain }}/fullchain.pem
+cat /etc/letsencrypt/live/{{ domain }}/chain.pem >> /etc/letsencrypt/live/{{ domain }}/fullchain.pem

site.yml

@@ -9,6 +9,7 @@
   # This is what I'm using on my minimal web & mail server
   roles:
     - common
+    - sslletsencrypt
     - blog
     - mailserver
     - webmail