add mkcert role to provide HTTPS for local containers

66ebfe27 · Jakub Klinkovský · 72d66e4a · 66ebfe27 · bd5ba162 · 6cc70709
Unverified Commit 66ebfe27 authored Sep 03, 2020 by Jakub Klinkovský
--- a/README.md
+++ b/README.md
@@ -55,3 +55,26 @@ some services have to be modified to be accessible over plain HTTP.

      cd local_infrastructure
      ansible-playbook playbooks/<name>.yml
+
+### SSL certificates for local containers
+
+The Arch infrastructure uses the `certbot` role to automatically retrieve SSL
+certificates from [Let's Encrypt](https://letsencrypt.org/). However, this
+cannot work for _localhost_ or local containers. See [Certificates for
+localhost](https://letsencrypt.org/docs/certificates-for-localhost/) for more
+information.
+
+To provide HTTPS for local containers, we can use the tool [mkcert](
+https://github.com/FiloSottile/mkcert) to create and install a local CA in the
+system trust store, and to generate locally-trusted certificates which can be
+installed by Ansible in the local containers. You can just replace the `certbot`
+role with the `mkcert` role in your playbook and enjoy HTTPS in local
+containers.
+
+Before you run the playbook with the `mkcert` role, you need to manually install
+a local CA. Make sure that the `mkcert` package is installed on the host and run
+
+    mkcert -install
+
+Note that `mkcert` will [use sudo to change the system trust store](
+https://github.com/FiloSottile/mkcert/issues/236).
--- a/arch_infrastructure @ bd5ba162
+++ b/arch_infrastructure @ bd5ba162
-Subproject commit 6cc70709a66f1ec47679434916b7cea2a4a7ae00
+Subproject commit bd5ba16291fd45229243686c07e9f41850105306
--- a/local_infrastructure/.gitignore
+++ b/local_infrastructure/.gitignore
+/certificates
--- a/local_infrastructure/ansible.cfg
+++ b/local_infrastructure/ansible.cfg
@@ -5,7 +5,7 @@ library = ../arch_infrastructure/library
 remote_tmp = $HOME/.ansible/tmp
 remote_user = root
 nocows = 1
-roles_path = ../arch_infrastructure/roles
+roles_path = ../arch_infrastructure/roles:./roles
 #vault_password_file = misc/get-vault-pass.sh
 retry_files_enabled = False
 callback_plugins = ../arch_infrastructure/plugins/callback

--- a/local_infrastructure/playbooks/local-archwiki.yml
+++ b/local_infrastructure/playbooks/local-archwiki.yml
@@ -9,7 +9,7 @@
    - { role: firewalld }
    - { role: sshd }
 #    - { role: root_ssh }
-#    - { role: certbot }
+    - { role: mkcert }   # replacement for the certbot role
    - { role: nginx }
    - { role: mariadb, mariadb_innodb_buffer_pool_size: '64M', mariadb_table_open_cache: '256', mariadb_query_cache_type: '0',
              mariadb_innodb_file_per_table: True }

--- a/local_infrastructure/roles/mkcert/tasks/main.yml
+++ b/local_infrastructure/roles/mkcert/tasks/main.yml
+---
+
+- name: get local CAROOT path
+  command: mkcert -CAROOT
+  register: caroot
+  delegate_to: localhost
+  changed_when: false
+
+# NOTE: this does not work, because mkcert asks for the sudo password
+#- name: install the local CA in the host system trust store
+#  command:
+#    cmd: mkcert -install
+#    creates: "{{ caroot.stdout }}"
+#  delegate_to: localhost
+
+- name: create a directory for SSL certificates
+  file: path=../certificates/{{ inventory_hostname }} state=directory recurse=yes
+  delegate_to: localhost
+
+- name: create an SSL certificate for {{ inventory_hostname }}
+  command:
+    cmd: mkcert -cert-file ../certificates/{{ inventory_hostname }}/cert.pem -key-file ../certificates/{{ inventory_hostname }}/privkey.pem {{ inventory_hostname }} localhost
+    creates: ../certificates/{{ inventory_hostname }}/privkey.pem
+  delegate_to: localhost
+
+# create certificate chains for nginx, see references:
+# - https://github.com/FiloSottile/mkcert/issues/214#issuecomment-552141000
+# - https://nginx.org/en/docs/http/configuring_https_servers.html#chains
+- name: create chain.pem
+  copy: src={{ caroot.stdout }}/rootCA.pem dest=../certificates/{{ inventory_hostname }}/chain.pem mode=0644
+  #  creates: ../certificates/{{ inventory_hostname }}/chain.pem
+  delegate_to: localhost
+
+- name: create fullchain.pem
+  shell:
+    cmd: |
+      cat cert.pem > fullchain.pem
+      cat chain.pem >> fullchain.pem
+      chmod 644 fullchain.pem
+    chdir: ../certificates/{{ inventory_hostname }}
+    creates: fullchain.pem
+  delegate_to: localhost
+
+- name: create directory for SSL certificates on the remote host
+  file: path=/etc/letsencrypt/live/{{ inventory_hostname }} state=directory owner=root group=root mode=0755
+
+- name: copy SSL certificates to the remote host
+  copy: src=../certificates/{{ inventory_hostname }}/{{ item }} dest=/etc/letsencrypt/live/{{ inventory_hostname }}/{{ item }} owner=root group=root mode=preserve
+  with_items:
+    - chain.pem
+    - fullchain.pem
+    - privkey.pem