Jakub Klinkovský / infrastructure-testing / Commits
Commit 66ebfe27 (Unverified)
authored Sep 03, 2020 by Jakub Klinkovský
add mkcert role to provide HTTPS for local containers
parent 72d66e4a
README.md
@@ -55,3 +55,26 @@ some services have to be modified to be accessible over plain HTTP.
cd local_infrastructure
ansible-playbook playbooks/<name>.yml
### SSL certificates for local containers
The Arch infrastructure uses the
`certbot`
role to automatically retrieve SSL
certificates from
[
Let's Encrypt
](
https://letsencrypt.org/
)
. However, this
cannot work for _localhost_ or local containers. See
[
Certificates for
localhost
](
https://letsencrypt.org/docs/certificates-for-localhost/
)
for more
information.
To provide HTTPS for local containers, we can use the tool
[
mkcert
](
https://github.com/FiloSottile/mkcert
)
to create and install a local CA in the
system trust store, and to generate locally-trusted certificates which can be
installed by Ansible in the local containers. You can just replace the
`certbot`
role with the
`mkcert`
role in your playbook and enjoy HTTPS in local
containers.
Before you run the playbook with the
`mkcert`
role, you need to manually install
a local CA. Make sure that the
`mkcert`
package is installed on the host and run
mkcert -install
Note that
`mkcert`
will
[
use sudo to change the system trust store
](
https://github.com/FiloSottile/mkcert/issues/236
)
.
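Review bot: the new section tells the reader to run `mkcert -install` but says nothing about protecting the CA that step creates. The directory printed by `mkcert -CAROOT` (which the new role reads) holds the CA's private key alongside the `rootCA.pem` the role copies as `chain.pem`, and anyone who can read that key can issue certificates every browser on the host will trust. A sentence advising to keep that directory private and to run `mkcert -uninstall` once the local setup is no longer needed would complete the section. The paragraph about sudo is useful, but it should also state that the role cannot run `mkcert -install` for you (the tasks file has it commented out for exactly this reason), so the manual step is mandatory, not optional.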
arch_infrastructure
@
bd5ba162
Compare
6cc70709
...
bd5ba162
Subproject commit
6cc70709a66f1ec47679434916b7cea2a4a7ae00
Subproject commit
bd5ba16291fd45229243686c07e9f41850105306
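Review bot: the `arch_infrastructure` submodule moves from 6cc70709 to bd5ba162 without any mention in the commit message, which only describes the new mkcert role. Either say in the message which upstream change this pulls in (if the bump is needed for the `certbot` or `nginx` roles the new role interacts with, that is worth recording) or split the submodule update into its own commit so the history stays reviewable.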
local_infrastructure/.gitignore
0 → 100644
/certificates
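Review bot: ignoring `/certificates` is the right call, since the directory will hold a `privkey.pem` for every local container, but an ignore rule only keeps the keys out of git. The new role creates that directory with `state=directory` and no explicit mode, so consider setting a restrictive mode on it in the `create a directory for SSL certificates` task, and mention in the README that the directory contains private keys and is deliberately untracked.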
local_infrastructure/ansible.cfg
@@ -5,7 +5,7 @@ library = ../arch_infrastructure/library
remote_tmp = $HOME/.ansible/tmp
remote_user = root
nocows = 1
roles_path = ../arch_infrastructure/roles
roles_path = ../arch_infrastructure/roles
:./roles
#vault_password_file = misc/get-vault-pass.sh
retry_files_enabled = False
callback_plugins = ../arch_infrastructure/plugins/callback
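Review bot: `roles_path = ../arch_infrastructure/roles:./roles` lists the local `./roles` directory last, and Ansible searches `roles_path` entries in order and takes the first match. The new `mkcert` role has no upstream namesake, so this works today, but a local role meant to override an upstream one (a patched `nginx`, for example) would be silently shadowed by the submodule's copy. If local overrides are ever intended, put `./roles` first; if they are not, a one-line comment saying that upstream roles take precedence would prevent surprises.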
local_infrastructure/playbooks/local-archwiki.yml
@@ -9,7 +9,7 @@
-
{
role
:
firewalld
}
-
{
role
:
sshd
}
# - { role: root_ssh }
#
- { role: certbot
}
-
{
role
:
mkcert
}
# replacement for the
certbot
role
-
{
role
:
nginx
}
-
{
role
:
mariadb
,
mariadb_innodb_buffer_pool_size
:
'
64M'
,
mariadb_table_open_cache
:
'
256'
,
mariadb_query_cache_type
:
'
0'
,
mariadb_innodb_file_per_table
:
True
}
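Review bot: the comment `# replacement for the certbot role` should also say why the swap is transparent to the rest of the playbook: the `mkcert` role writes its output to `/etc/letsencrypt/live/{{ inventory_hostname }}` under the same `fullchain.pem`, `chain.pem` and `privkey.pem` names, which is presumably what the `nginx` role that follows expects, so nothing else in the playbook changes. Consider dropping the commented-out `certbot` line rather than keeping it; the comment on the `mkcert` line already records what it replaces.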
local_infrastructure/roles/mkcert/tasks/main.yml
0 → 100644
---
-
name
:
get local CAROOT path
command
:
mkcert -CAROOT
register
:
caroot
delegate_to
:
localhost
changed_when
:
false
# NOTE: this does not work, because mkcert asks for the sudo password
#- name: install the local CA in the host system trust store
# command:
# cmd: mkcert -install
# creates: "{{ caroot.stdout }}"
# delegate_to: localhost
-
name
:
create a directory for SSL certificates
file
:
path=../certificates/{{ inventory_hostname }} state=directory recurse=yes
delegate_to
:
localhost
-
name
:
create an SSL certificate for {{ inventory_hostname }}
command
:
cmd
:
mkcert -cert-file ../certificates/{{ inventory_hostname }}/cert.pem -key-file ../certificates/{{ inventory_hostname }}/privkey.pem {{ inventory_hostname }} localhost
creates
:
../certificates/{{ inventory_hostname }}/privkey.pem
delegate_to
:
localhost
# create certificate chains for nginx, see references:
# - https://github.com/FiloSottile/mkcert/issues/214#issuecomment-552141000
# - https://nginx.org/en/docs/http/configuring_https_servers.html#chains
-
name
:
create chain.pem
copy
:
src={{ caroot.stdout }}/rootCA.pem dest=../certificates/{{ inventory_hostname }}/chain.pem mode=0644
# creates: ../certificates/{{ inventory_hostname }}/chain.pem
delegate_to
:
localhost
-
name
:
create fullchain.pem
shell
:
cmd
:
|
cat cert.pem > fullchain.pem
cat chain.pem >> fullchain.pem
chmod 644 fullchain.pem
chdir
:
../certificates/{{ inventory_hostname }}
creates
:
fullchain.pem
delegate_to
:
localhost
-
name
:
create directory for SSL certificates on the remote host
file
:
path=/etc/letsencrypt/live/{{ inventory_hostname }} state=directory owner=root group=root mode=0755
-
name
:
copy SSL certificates to the remote host
copy
:
src=../certificates/{{ inventory_hostname }}/{{ item }} dest=/etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }} owner=root group=root mode=preserve
with_items
:
-
chain.pem
-
fullchain.pem
-
privkey.pem
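Review bot: the `create an SSL certificate` task guards on `creates: ../certificates/{{ inventory_hostname }}/privkey.pem`, and `create fullchain.pem` guards on `creates: fullchain.pem`, so once the files exist a re-run never refreshes them. An expired leaf certificate, or one issued by a previous CA after the host's CAROOT was recreated, will keep being copied to the container and served by `nginx` with a chain the host no longer trusts. Worse, `create chain.pem` uses `copy`, which does update `chain.pem` when `rootCA.pem` changes, while `fullchain.pem` stays frozen, so the two files can diverge. Consider a `mkcert_force` variable that clears the per-host directory before regeneration, or a task that verifies the existing `cert.pem` against `{{ caroot.stdout }}/rootCA.pem` (for instance with `openssl verify -CAfile`) and regenerates on failure. Two smaller points: the `# creates: ../certificates/{{ inventory_hostname }}/chain.pem` comment is inert, since the `copy` module has no such option, so drop it; and the commented-out `mkcert -install` task usefully explains why the step cannot be automated, but the README already requires it manually, so the dead block could be reduced to the one-line NOTE.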