From bbe80867267e73d0f1445ffcd06c7b2bdba57cc3 Mon Sep 17 00:00:00 2001
From: Monty Taylor
Date: Tue, 4 Feb 2020 08:17:22 -0600
Subject: [PATCH] Use LE certs for Apache
We're getting LE certs for the hosts now, use them in the apache config. Also add the redirects.
Change-Id: I67d33b4c542182a2474ac0d2416357541b1c3a47
---
 .../host_vars/review-dev01.opendev.org.yaml | 3 +-
 playbooks/host_vars/review01.opendev.org.yaml | 1 +
 playbooks/roles/gerrit/tasks/main.yaml | 10 +++++
 .../roles/gerrit/templates/gerrit.vhost.j2 | 8 ++--
 .../roles/gerrit/templates/redirect.vhost.j2 | 37 +++++++++++++++++++
 playbooks/zuul/run-base.yaml | 1 -
 .../host_vars/review01.opendev.org.yaml.j2 | 3 --
 7 files changed, 52 insertions(+), 11 deletions(-)
 create mode 100644 playbooks/roles/gerrit/templates/redirect.vhost.j2
 delete mode 100644 playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
diff --git a/playbooks/host_vars/review-dev01.opendev.org.yaml b/playbooks/host_vars/review-dev01.opendev.org.yaml
index 0f8f88d226..95ed669b49 100644
--- a/playbooks/host_vars/review-dev01.opendev.org.yaml
+++ b/playbooks/host_vars/review-dev01.opendev.org.yaml
@@ -9,5 +9,4 @@ letsencrypt_certs:
 letsencrypt_gid: 3001
 gerrit_storyboard_url: https://storyboard-dev.openstack.org
 gerrit_vhost_name: review-dev.opendev.org
-gerrit_ssl_cert_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.cer
-gerrit_ssl_key_file: /etc/letsencrypt-certs/review-dev.opendev.org/review-dev.opendev.org.key
+gerrit_redirect_vhost: review-dev.openstack.org
diff --git a/playbooks/host_vars/review01.opendev.org.yaml b/playbooks/host_vars/review01.opendev.org.yaml
index b23d7cbfd1..8592653c98 100644
--- a/playbooks/host_vars/review01.opendev.org.yaml
+++ b/playbooks/host_vars/review01.opendev.org.yaml
@@ -72,6 +72,7 @@ gerrit_replication:
 mirror: true
 gerrit_storyboard_url: https://storyboard.openstack.org
 gerrit_vhost_name: review.opendev.org
+gerrit_redirect_vhost: review.openstack.org
 letsencrypt_certs:
 review01-opendev-org-main:
 - review.opendev.org
diff --git a/playbooks/roles/gerrit/tasks/main.yaml b/playbooks/roles/gerrit/tasks/main.yaml
index fc036c4d98..1ffdb34177 100644
--- a/playbooks/roles/gerrit/tasks/main.yaml
+++ b/playbooks/roles/gerrit/tasks/main.yaml
@@ -256,6 +256,16 @@
 mode: 0644
 notify: gerrit Reload apache2
+- name: Copy redirect config
+ template:
+ src: redirect.vhost.j2
+ dest: "/etc/apache2/sites-enabled/010-{{ gerrit_redirect_vhost }}.conf"
+ owner: root
+ group: root
+ mode: 0644
+ when: gerrit_redirect_vhost is defined
+ notify: gerrit Reload apache2
+
 - name: Install podman-compose
 pip:
 name: podman-compose
diff --git a/playbooks/roles/gerrit/templates/gerrit.vhost.j2 b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
index 608927374b..d677328fef 100644
--- a/playbooks/roles/gerrit/templates/gerrit.vhost.j2
+++ b/playbooks/roles/gerrit/templates/gerrit.vhost.j2
@@ -31,11 +31,9 @@
 SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
 SSLHonorCipherOrder on
- SSLCertificateFile {{ gerrit_ssl_cert_file }}
- SSLCertificateKeyFile {{ gerrit_ssl_key_file }}
-{% if gerrit_ssl_chain_file is defined %}
- SSLCertificateChainFile {{ gerrit_ssl_chain_file }}
-{% endif %}
+ SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
 SSLOptions +StdEnvVars
diff --git a/playbooks/roles/gerrit/templates/redirect.vhost.j2 b/playbooks/roles/gerrit/templates/redirect.vhost.j2
new file mode 100644
index 0000000000..71d406705f
--- /dev/null
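Review bot: The `Copy redirect config` task renders `010-{{ gerrit_redirect_vhost }}.conf` straight into `sites-enabled` only while the variable is defined, so if a host later drops or changes `gerrit_redirect_vhost` the task is skipped and the previously rendered vhost stays enabled. A matching cleanup step, or a comment on the task stating that removal of an old redirect config is manual, would close that gap. Writing directly into `sites-enabled` rather than `sites-available` plus `a2ensite` is presumably deliberate for an Ansible-managed host; a one-line comment saying so would stop the next reader from "fixing" it. Minor, and consistent with the surrounding task: `mode: "0644"` as a quoted string avoids relying on the YAML loader's octal handling of the bare `0644`.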
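Review bot: `SSLCertificateChainFile` is now emitted unconditionally, pointing at `ca.cer`, where the old template only emitted it when `gerrit_ssl_chain_file` was defined; that matches the Let's Encrypt layout the hunk hardcodes, but the directive is deprecated since httpd 2.4.8 in favour of appending the intermediates to the file named by `SSLCertificateFile`, so a comment such as `# LE writes the chain to a separate ca.cer; SSLCertificateChainFile is deprecated in 2.4.8+ but still honoured` would record why it is kept. The removed `gerrit_ssl_cert_file`, `gerrit_ssl_key_file` and `gerrit_ssl_chain_file` variables are also no longer overridable per host, which the commit message does not mention; with the snakeoil host_vars template deleted in this same commit, the Zuul run presumably now depends on the letsencrypt role having produced these files before this template renders, which is worth a sentence in the message. The enclosing `<VirtualHost>` block starts and ends outside the hunk.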
+++ b/playbooks/roles/gerrit/templates/redirect.vhost.j2
@@ -0,0 +1,37 @@
+# ************************************
+# Managed by Ansible
+# ************************************
+
+
+ ServerName {{ gerrit_redirect_vhost }}
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+ CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+ ServerSignature Off
+
+ Redirect / https://{{ gerrit_vhost_name }}/
+
+
+
+
+ ServerName {{ gerrit_redirect_vhost }}
+
+ SSLEngine on
+ SSLProtocol All -SSLv2 -SSLv3
+ # Note: this list should ensure ciphers that provide forward secrecy
+ SSLCipherSuite ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:!AES256:!aNULL:!eNULL:!MD5:!DSS:!PSK:!SRP
+ SSLHonorCipherOrder on
+
+ SSLCertificateFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.cer
+ SSLCertificateKeyFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/{{ gerrit_vhost_name }}.key
+ SSLCertificateChainFile /etc/letsencrypt-certs/{{ gerrit_vhost_name }}/ca.cer
+
+ LogLevel warn
+ ErrorLog /var/log/apache2/{{ gerrit_redirect_vhost }}_error.log
+ CustomLog /var/log/apache2/{{ gerrit_redirect_vhost }}_access.log combined
+ ServerSignature Off
+
+ Redirect / https://{{ gerrit_vhost_name }}/
+
+
diff --git a/playbooks/zuul/run-base.yaml b/playbooks/zuul/run-base.yaml
index 7e3884fa6f..3a8d553619 100644
--- a/playbooks/zuul/run-base.yaml
+++ b/playbooks/zuul/run-base.yaml
@@ -92,7 +92,6 @@
 - host_vars/mirror-update01.opendev.org.yaml
 - host_vars/backup-test01.opendev.org.yaml
 - host_vars/backup-test02.opendev.org.yaml
- - host_vars/review01.opendev.org.yaml
 - name: Display group membership
 command: ansible localhost -m debug -a 'var=groups'
 - name: Run base.yaml
diff --git a/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2 b/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
deleted file mode 100644
index c6441fb8bf..0000000000
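Review bot: The `*:443` redirect vhost answers for `{{ gerrit_redirect_vhost }}` but presents the certificate issued for `{{ gerrit_vhost_name }}`, so unless that Let's Encrypt certificate also carries the redirect name as a SAN (review01's `letsencrypt_certs` list continues outside its hunk and cannot be checked here), HTTPS clients of the old hostname fail certificate validation before the `Redirect` is ever sent. `Redirect / https://{{ gerrit_vhost_name }}/` without a status is a 302; for a permanent hostname move `Redirect permanent / https://{{ gerrit_vhost_name }}/` (301) is what clients and crawlers should cache. The SSL stanza (`SSLProtocol`, `SSLCipherSuite`, certificate paths) is copied verbatim from `gerrit.vhost.j2`, which invites drift, and `SSLProtocol All -SSLv2 -SSLv3` still allows TLS 1.0 and 1.1 on a vhost whose only job is to redirect; a Jinja include or macro shared by both templates would keep them in step. A header comment naming the two variables this template consumes (`gerrit_redirect_vhost` for the served name, `gerrit_vhost_name` for the target and certificate) would also save the next reader from reconstructing that from the body.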
--- a/playbooks/zuul/templates/host_vars/review01.opendev.org.yaml.j2
+++ /dev/null
@@ -1,3 +0,0 @@
-# TODO(mordred) Replace this with LE certs
-gerrit_ssl_cert_file: '/etc/ssl/certs/ssl-cert-snakeoil.pem'
-gerrit_ssl_key_file: '/etc/ssl/private/ssl-cert-snakeoil.key'