blee/ansible-role-lego
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add support for RedHat 7.9 and document SELinux changes that are necessary.

Browse Source
This commit is contained in:
Brian Lee 2023-07-06 12:20:45 -07:00
parent ea3cad538e
commit 1e41e871cd
3 changed files with 134 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

63
docs/selinux.md Normal file
View File

@ -0,0 +1,63 @@
# selinux
tl;dr nginx wants
```
sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
sudo semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
sudo restorecon -R /var/acme
sudo semanage port -a -t http_port_t -p tcp 4430-4439
```
## File system access
On RedHat 7.9, in order to permit nginx to read `/var/acme`:
```bash
sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
sudo restorecon -R /var/acme
```
This is because its in the `` context:
```bash
$ ls -Z /usr/sbin/nginx
-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/nginx
```
Also, it needs access to write a PID file:
```
nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
```
That can be added as well:
```
semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
restorecon -v /var/run/nginx.pid
```
## Network port utilization
```
nginx: [emerg] bind() to 10.100.102.100:4430 failed (13: Permission denied)
```
Another change that was necessary was to permit nginx to listen on an unpriveled port.
```
semanage port -l | grep http_port_t
sudo semanage port -a -t http_port_t -p tcp 4430-4439
```
And proxy_pass also gets blocked:
```
*126 connect() to 127.0.0.1:8083 failed (13: Permission denied) while connecting to upstream
```
Workaround:
```
sudo setsebool -P httpd_can_network_connect 1
```

59
tasks/certificates-RedHat.yml Normal file
View File

@ -0,0 +1,59 @@
---
- name: "Copy certificate files for {{ acme_domain.domain }}."
ansible.builtin.copy:
src: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.{{ file_extension }}"
dest: "{{ acme_path }}/certificates/"
owner: "{{ acme_system_user }}"
group: "{{ acme_system_group }}"
mode: '0640'
tags: lego
loop:
- crt
- key
- issuer.crt
loop_control:
loop_var: file_extension
- name: Configure nginx TLSv1.2 for {{ acme_domain.domain }}
ansible.builtin.import_role:
name: nginxinc.nginx_core.nginx_config
allow_duplicates: true
tags: nginx
vars:
nginx_config_http_template_enable: true
nginx_config_http_template:
- template_file: http/default.conf.j2
deployment_location: "/etc/nginx/acme_{{ acme_domain.domain }}.conf"
backup: false
config:
core:
server_name: "{{ acme_domain.domain }}"
ssl:
certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.crt"
certificate_key: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.key"
trusted_certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.issuer.crt"
ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
dhparam: "{{ nginx_config_dhparam }}"
# ecdh_curve: X25519:secp521r1:secp384r1
prefer_server_ciphers: true
protocols:
- TLSv1.2
# - TLSv1.3
session_cache:
shared:
name: "{{ acme_domain.domain }}"
size: 1M
session_tickets: false
session_timeout: 1d
ocsp: true
ocsp_cache:
name: cache
size: 64k
stapling: true
stapling_verify: true
ocsp_responder: http://r3.o.lencr.org
headers:
add_headers:
- name: Strict-Transport-Security
value: '"max-age=7776000"'
always: true

12
tasks/main.yml
View File

@ -31,6 +31,18 @@
loop_control:
loop_var: acme_domain
tags: nginx
when: os_family != 'RedHat'
- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain
include_tasks:
file: certificates-RedHat.yml
apply:
become: true
loop: "{{ acme_domains }}"
loop_control:
loop_var: acme_domain
tags: nginx
when: os_family == 'RedHat'
- import_tasks: dhparams.yml
become: true