subspace 2.0.3 → 2.0.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f0f395a5d4a3d5bbe3855a58187e79b58dacd56e1348b79c9d602ddc400381cc
-  data.tar.gz: d525b44722f728e5c3b4dd3026f9739d5d8e2e3bbeea404092ef0426a1a4ffdd
+  metadata.gz: 1c1d8c7fb4a41ced1e5d8729d42307789cbb0a0fdb32301808b47a133c6cca09
+  data.tar.gz: f71bcae77eea9476a364df26eacd5c5c315caf709b8bcf3aa61210eea922ccdc
 SHA512:
-  metadata.gz: 15620914148fb2c0d9dab6b35eec9b10cd84c351068af2db8c65c40b7d21ee09b6a4edaedd8d6b85390ac7d11bd2c6ee8f5034cebac63a7f3051a74569d84d83
-  data.tar.gz: 43e511b8dd06087de53b4dbb40cb0970755591f4f6369734a6c583483ed78447f7186af683c2fe65983533d192ddcd18b3cbec14dc0b12c5c02d794b9faed309
+  metadata.gz: bd653d0e611be208f4daec8edff6385181dfbc1034d8bf4bb4fc60febc5ead184c0579e3e67578c4888eaf6604b8309aa44ba9be82b82cd7254289b8435077cc
+  data.tar.gz: 5f37a070a6c43fa32ade2fa2a4a4bb6c4c18d30ef70677a83009dec8d71300542eb740b1d12010623877671c7a64764f68afe5c269de69dd83bdb17363b90713

data/CHANGELOG.md

@@ -10,6 +10,9 @@ This project attempts to follow [semantic versioning](https://semver.org/)
   * Not working on OSX - macs don't read from /etc/profile.d/
   * Stops showing color if you `sudo su`
 
+## 2.0.4
+  * Add letsencrypt_dns role for doing DNS validation vs HTTP validation
+
 ## 2.0.3
   * Fix bundler / gem version installation on new/vanilla servers
 

data/ansible/roles/common/templates/motd

@@ -4,7 +4,7 @@ This server brought to you by:
 \___ \| | | | '_ \___ \| '_ \ / _` |/ __/ _ \
  ___) | |_| | |_) |__) | |_) | (_| | (_|  __/
 |____/ \__,_|_.__/____/| .__/ \__,_|\___\___|
-                       |_|             v2.0.3
+                       |_|             v2.0.4
 ~~~ https://github.com/tenforwardconsulting/subspace ~~~
 
 If you need to make configuration changes to the server, please modify the

data/ansible/roles/letsencrypt_dns/defaults/main.yml

@@ -0,0 +1,4 @@
+---
+  nginx_ssl_config: |
+    ssl_certificate /etc/letsencrypt/live/{{server_name}}/fullchain.crt;
+    ssl_certificate_key /etc/letsencrypt/live/{{server_name}}/privkey.pem;

data/ansible/roles/letsencrypt_dns/tasks/main.yml

@@ -0,0 +1,133 @@
+- name: Update repositories cache and install pip and setuptools package
+  apt:
+    name: [python-pip, python-setuptools]
+    update_cache: yes
+
+- pip:
+    name: [pyopenssl, boto]
+  tags:
+    - cert
+
+- name: Creates private key directory
+  file:
+    path: "/etc/letsencrypt/live/{{ server_name }}"
+    state: directory
+  tags:
+    - cert
+
+- name: Generate an OpenSSL private key with the default values (4096 bits, RSA)
+  openssl_privatekey:
+    path: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"
+  register: privkey
+  tags:
+    - cert
+
+- name: Generate an OpenSSL account key with the default values (4096 bits, RSA)
+  openssl_privatekey:
+    path: "/etc/letsencrypt/live/{{ server_name }}/account.pem"
+  tags:
+    - cert
+
+- name: Generate an OpenSSL Certificate Signing Request
+  openssl_csr:
+    path: "/etc/letsencrypt/live/{{ server_name }}/server.csr"
+    privatekey_path: "/etc/letsencrypt/live/{{ server_name }}/privkey.pem"
+    country_name: US
+    email_address: "{{ letsencrypt_email }}"
+    subject_alt_name: "{{ item.value | map('regex_replace', '^', 'DNS:') | list }}"
+  when: privkey is changed
+  register: csr
+  with_dict:
+    dns_server:
+    - "{{ server_name }}"
+    - "*.{{ server_name }}"
+  tags:
+    - cert
+
+- name: Create a challenge using an account key from a variable.
+  acme_certificate:
+    acme_version: 2
+    account_key_src: "/etc/letsencrypt/live/{{ server_name }}/account.pem"
+    csr: "/etc/letsencrypt/live/{{ server_name }}/server.csr"
+    cert: "/etc/letsencrypt/live/{{ server_name }}/server.crt"
+    fullchain: "/etc/letsencrypt/live/{{ server_name }}/fullchain.crt"
+    chain: "/etc/letsencrypt/live/{{ server_name }}/intermediate.crt"
+    challenge: dns-01
+    acme_directory: https://acme-v02.api.letsencrypt.org/directory
+    terms_agreed: yes
+    remaining_days: 60
+  when: csr is changed
+  register: le_challenge
+  tags:
+    - cert
+
+- name: Install txt record on route53
+  route53:
+    zone: "{{ route53_zone }}"
+    type: TXT
+    ttl: 60
+    state: present
+    wait: yes
+    record: "{{ item.key }}"
+    value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+    aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
+    aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
+    overwrite: yes
+  loop: "{{ le_challenge.challenge_data_dns | default({}) | dict2items }}"
+  tags:
+    - cert
+
+- name: Flush dns cache
+  become: true
+  command: "systemd-resolve --flush-caches"
+  when: le_challenge is changed
+  tags:
+    - cert
+
+- name: "Wait for DNS"
+  when: le_challenge is changed
+  pause:
+    minutes: 2
+  tags:
+    - cert
+
+- name: Let the challenge be validated and retrieve the cert and intermediate certificate
+  acme_certificate:
+    acme_version: 2
+    account_key_src: "/etc/letsencrypt/live/{{ server_name }}/account.pem"
+    csr: "/etc/letsencrypt/live/{{ server_name }}/server.csr"
+    cert: "/etc/letsencrypt/live/{{ server_name }}/server.crt"
+    fullchain: "/etc/letsencrypt/live/{{ server_name }}/fullchain.crt"
+    chain: "/etc/letsencrypt/live/{{ server_name }}/intermediate.crt"
+    challenge: dns-01
+    acme_directory: https://acme-v02.api.letsencrypt.org/directory
+    remaining_days: 60
+    terms_agreed: yes
+    data: "{{ le_challenge }}"
+  when: le_challenge is changed
+  tags:
+    - cert
+
+- name: Delete txt record on route53
+  route53:
+    zone: "{{ route53_zone }}"
+    type: TXT
+    ttl: 60
+    state: absent
+    wait: yes
+    record: "{{ item.key }}"
+    value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+    aws_access_key: "{{ AWS_ACCESS_KEY_ID }}"
+    aws_secret_key: "{{ AWS_SECRET_ACCESS_KEY }}"
+    overwrite: yes
+  loop: "{{ le_challenge.challenge_data_dns | default({}) | dict2items }}"
+  tags:
+    - cert
+
+- name: restart webserver
+  debug: msg="restart webserver"
+  notify: restart webserver
+  changed_when: true
+  when: le_challenge is changed
+  tags:
+    - cert

data/ansible/roles/nginx/handlers/main.yml

@@ -6,3 +6,7 @@
 - name: start webserver
   service: name=nginx state=started
   become: true
+
+- name: restart webserver
+  service: name=nginx state=restarted
+  become: true

data/lib/subspace/version.rb

@@ -1,3 +1,3 @@
 module Subspace
-  VERSION = "2.0.3"
+  VERSION = "2.0.4"
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: subspace
 version: !ruby/object:Gem::Version
-  version: 2.0.3
+  version: 2.0.4
 platform: ruby
 authors:
 - Brian Samson
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2019-05-24 00:00:00.000000000 Z
+date: 2019-06-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
@@ -140,6 +140,8 @@ files:
 - ansible/roles/delayed_job/templates/delayed-job-monit-rc
 - ansible/roles/letsencrypt/defaults/main.yml
 - ansible/roles/letsencrypt/tasks/main.yml
+- ansible/roles/letsencrypt_dns/defaults/main.yml
+- ansible/roles/letsencrypt_dns/tasks/main.yml
 - ansible/roles/logrotate/LICENSE
 - ansible/roles/logrotate/README.md
 - ansible/roles/logrotate/defaults/main.yml
@@ -298,7 +300,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.9
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Ansible-based server provisioning for rails projects