From 1e41e871cd95f2d765a0e98018f53bfb0dba57a9 Mon Sep 17 00:00:00 2001
From: Brian Lee
Date: Thu, 6 Jul 2023 12:20:45 -0700
Subject: [PATCH] Add support for RedHat 7.9 and document SELinux changes that are necessary.

---
 docs/selinux.md | 63 +++++++++++++++++++++++++++++++++++
 tasks/certificates-RedHat.yml | 59 ++++++++++++++++++++++++++++++++
 tasks/main.yml | 12 +++++++
 3 files changed, 134 insertions(+)
 create mode 100644 docs/selinux.md
 create mode 100644 tasks/certificates-RedHat.yml

diff --git a/docs/selinux.md b/docs/selinux.md
new file mode 100644
index 0000000..ae17cf7
--- /dev/null
+++ b/docs/selinux.md
@@ -0,0 +1,63 @@
+# selinux
+
+tl;dr nginx wants
+
+```
+sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
+sudo semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
+sudo restorecon -R /var/acme
+sudo semanage port -a -t http_port_t -p tcp 4430-4439
+```
+
+## File system access
+On RedHat 7.9, in order to permit nginx to read `/var/acme`:
+
+```bash
+sudo semanage fcontext -a -t httpd_sys_content_t "/var/acme(/.*)?"
+sudo restorecon -R /var/acme
+```
+
+This is because its in the `` context:
+
+```bash
+$ ls -Z /usr/sbin/nginx
+-rwxr-xr-x. root root system_u:object_r:httpd_exec_t:s0 /usr/sbin/nginx
+```
+
+Also, it needs access to write a PID file:
+
+```
+nginx: [emerg] open() "/var/run/nginx.pid" failed (13: Permission denied)
+```
+
+That can be added as well:
+
+```
+semanage fcontext -a -t httpd_var_run_t "/var/run/nginx.pid"
+restorecon -v /var/run/nginx.pid
+```
+
+## Network port utilization
+
+```
+nginx: [emerg] bind() to 10.100.102.100:4430 failed (13: Permission denied)
+```
+
+Another change that was necessary was to permit nginx to listen on an unpriveled port.
+
+```
+semanage port -l | grep http_port_t
+sudo semanage port -a -t http_port_t -p tcp 4430-4439
+```
+
+And proxy_pass also gets blocked:
+
+```
+*126 connect() to 127.0.0.1:8083 failed (13: Permission denied) while connecting to upstream
+```
+
+Workaround:
+
+```
+sudo setsebool -P httpd_can_network_connect 1
+```
\ No newline at end of file
diff --git a/tasks/certificates-RedHat.yml b/tasks/certificates-RedHat.yml
new file mode 100644
index 0000000..897c292
--- /dev/null
+++ b/tasks/certificates-RedHat.yml
@@ -0,0 +1,59 @@
+---
+- name: "Copy certificate files for {{ acme_domain.domain }}."
+ ansible.builtin.copy:
+ src: "{{ lego_path }}/certificates/{{ acme_domain.domain }}.{{ file_extension }}"
+ dest: "{{ acme_path }}/certificates/"
+ owner: "{{ acme_system_user }}"
+ group: "{{ acme_system_group }}"
+ mode: '0640'
+ tags: lego
+ loop:
+ - crt
+ - key
+ - issuer.crt
+ loop_control:
+ loop_var: file_extension
+
+- name: Configure nginx TLSv1.2 for {{ acme_domain.domain }}
+ ansible.builtin.import_role:
+ name: nginxinc.nginx_core.nginx_config
+ allow_duplicates: true
+ tags: nginx
+ vars:
+ nginx_config_http_template_enable: true
+ nginx_config_http_template:
+ - template_file: http/default.conf.j2
+ deployment_location: "/etc/nginx/acme_{{ acme_domain.domain }}.conf"
+ backup: false
+ config:
+ core:
+ server_name: "{{ acme_domain.domain }}"
+ ssl:
+ certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.crt"
+ certificate_key: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.key"
+ trusted_certificate: "{{ acme_path }}/certificates/{{ acme_domain.domain }}.issuer.crt"
+ ciphers: ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
+ dhparam: "{{ nginx_config_dhparam }}"
+# ecdh_curve: X25519:secp521r1:secp384r1
+ prefer_server_ciphers: true
+ protocols:
+ - TLSv1.2
+# - TLSv1.3
+ session_cache:
+ shared:
+ name: "{{ acme_domain.domain }}"
+ size: 1M
+ session_tickets: false
+ session_timeout: 1d
+ ocsp: true
+ ocsp_cache:
+ name: cache
+ size: 64k
+ stapling: true
+ stapling_verify: true
+ ocsp_responder: http://r3.o.lencr.org
+ headers:
+ add_headers:
+ - name: Strict-Transport-Security
+ value: '"max-age=7776000"'
+ always: true
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
index 0aa3529..fa5dca1 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
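Review bot: `ocsp_responder: http://r3.o.lencr.org` pins OCSP stapling to the responder of one particular Let's Encrypt intermediate, so when the issuer rotates, or the role is pointed at another CA, nginx will query a responder that cannot answer for the certificate and stapling stops working with no task failure to show for it. Unless an override is needed, dropping the key lets nginx take the responder URL from the certificate's Authority Information Access extension, which is what `trusted_certificate` pointing at `issuer.crt` already supports; otherwise make it a role variable with a comment saying why it is fixed. The commented-out `# - TLSv1.3` and `# ecdh_curve:` lines carry no reason; a comment such as `# TLSv1.3 is left off because the OpenSSL shipped with RHEL 7.9 cannot negotiate it — confirm before re-enabling` would stop a later maintainer from flipping them back on blindly. Indentation is not visible in this rendering of the hunk, so the nesting of the `ssl:` and `headers:` maps is inferred.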
@@ -31,6 +31,18 @@ loop_control: loop_var: acme_domain tags: nginx + when: os_family != 'RedHat' + +- name: Loop through the domain list (again) to copy certs and configure nginx for each ACME domain + include_tasks: + file: certificates-RedHat.yml + apply: + become: true + loop: "{{ acme_domains }}" + loop_control: + loop_var: acme_domain + tags: nginx + when: os_family == 'RedHat' - import_tasks: dhparams.yml become: true
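Review bot: The new task's name, `Loop through the domain list (again) to copy certs and configure nginx for each ACME domain`, reads as if it runs in addition to the task above it, but the paired `when: os_family != 'RedHat'` and `when: os_family == 'RedHat'` guards make the two tasks alternatives; `- name: Copy certs and configure nginx for each ACME domain (RedHat)` would say that plainly. Both conditions test `os_family` rather than the `ansible_facts['os_family']` / `ansible_os_family` fact, so if the role does not set `os_family` itself, both tasks fail on an undefined variable instead of one of them running — worth confirming where it is defined. The task that receives the first `when:` begins above the hunk, so its `apply:`/`become:` settings cannot be compared with the new task's here.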