Vendor Galaxy Roles and Collections
This commit is contained in:
parent
c1e1897cda
commit
2aed20393f
3553 changed files with 387444 additions and 2 deletions
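--- a/ansible_collections/debops/debops/roles/dhparam/COPYRIGHT
+++ b/ansible_collections/debops/debops/roles/dhparam/COPYRIGHT
@@ -0,0 +1,20 @@
+debops.dhparam - Manage one or multiple sets of Diffie-Hellman Ephemeral parameters
+
+Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+Copyright (C) 2015-2017 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.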
@ -0,0 +1,215 @@
|
|||
---
|
||||
# .. vim: foldmarker=[[[,]]]:foldmethod=marker
|
||||
|
||||
# .. Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# .. Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# .. Copyright (C) 2015-2017 DebOps <https://debops.org/>
|
||||
# .. SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
# .. _dhparam__ref_defaults:
|
||||
|
||||
# debops.dhparam default variables [[[
|
||||
# ====================================
|
||||
|
||||
# .. contents:: Sections
|
||||
# :local:
|
||||
#
|
||||
# .. include:: ../../../../includes/global.rst
|
||||
|
||||
|
||||
# Installation [[[
|
||||
# ----------------
|
||||
|
||||
# .. envvar:: dhparam__deploy_state [[[
|
||||
#
|
||||
# What is the desired state which this role should achieve? Possible options:
|
||||
#
|
||||
# ``present``
|
||||
# Default. DH parameters will be present as configured.
|
||||
#
|
||||
# ``absent``
|
||||
# DH parameters will be absent.
|
||||
#
|
||||
# .. warning:: The roles is currently not able to dismantle from ``present``
|
||||
# state. This needs to be implemented. This state can only be achieved
|
||||
# currently when ``present`` has never been set before on a host.
|
||||
#
|
||||
dhparam__deploy_state: 'present'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__base_packages [[[
|
||||
#
|
||||
# List of APT packages which will be installed to support Diffie-Hellman
|
||||
# parameters.
|
||||
dhparam__base_packages:
|
||||
- [ '{{ "gnutls-bin" if (dhparam__library == "gnutls") else [] }}' ]
|
||||
- [ '{{ "openssl" if (dhparam__library == "openssl") else [] }}' ]
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__packages [[[
|
||||
#
|
||||
# List of additional APT packages to install.
|
||||
dhparam__packages: []
|
||||
# ]]]
|
||||
# ]]]
|
||||
# Cryptographic parameters [[[
|
||||
# ----------------------------
|
||||
|
||||
# .. envvar:: dhparam__source_library [[[
|
||||
#
|
||||
# Cryptographic library which will be used on the Ansible Controller to
|
||||
# generate preseeded DH parameters. Supported libraries: :command:`openssl`,
|
||||
# :command:`gnutls`.
|
||||
dhparam__source_library: 'openssl'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__library [[[
|
||||
#
|
||||
# Cryptographic library which will be used on the remote hosts, by default the
|
||||
# same as the one used on Ansible Controller. Supported libraries: :command:`openssl`,
|
||||
# :command:`gnutls`.
|
||||
dhparam__library: '{{ dhparam__source_library }}'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__default_length [[[
|
||||
#
|
||||
# Default symlinks will point to a specific Diffie-Hellman parameter file named
|
||||
# ``dh<length>.pem``. This variable specifies which ``<length>`` value will be
|
||||
# used, which by default is the first value from the list of DH parameter sizes
|
||||
# to generate.
|
||||
dhparam__default_length: '{{ dhparam__bits[0] }}'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__bits [[[
|
||||
#
|
||||
# List of Diffie-Hellman parameter sizes to generate. First element of the list
|
||||
# will be used as default.
|
||||
dhparam__bits: [ '3072', '2048' ]
|
||||
# ]]]
|
||||
# ]]]
|
||||
# Diffie-Hellman parameter sets [[[
|
||||
# ---------------------------------
|
||||
|
||||
# .. envvar:: dhparam__sets [[[
|
||||
#
|
||||
# Number of sets of Diffie-Hellman parameters to manage, should be >= 1.
|
||||
dhparam__sets: '1'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__default_set [[[
|
||||
#
|
||||
# Name of the default set of Diffie-Hellman parameters.
|
||||
dhparam__default_set: '{{ dhparam__set_prefix + "0" }}'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__set_prefix [[[
|
||||
#
|
||||
# Short string prepended to the name of each "set" of Diffie-Hellman parameter
|
||||
# directories.
|
||||
dhparam__set_prefix: 'set'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__source_path [[[
|
||||
#
|
||||
# Path on the Ansible Controller in the ``secret/`` directory where the initial
|
||||
# set of Diffie-Hellman parameters is stored. See :ref:`debops.secret` role for
|
||||
# more details.
|
||||
dhparam__source_path: '{{ secret + "/dhparam/params" }}'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__path [[[
|
||||
#
|
||||
# Directory on the managed hosts where Diffie-Hellman parameter sets are kept
|
||||
# and maintained.
|
||||
dhparam__path: '/etc/pki/dhparam'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__prefix [[[
|
||||
#
|
||||
# String prepended to the DH parameter file name.
|
||||
dhparam__prefix: 'dh'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__suffix [[[
|
||||
#
|
||||
# String appended to the DH parameter file name.
|
||||
dhparam__suffix: '.pem'
|
||||
# ]]]
|
||||
# ]]]
|
||||
# DH parameter generation script [[[
|
||||
# ----------------------------------
|
||||
|
||||
# .. envvar:: dhparam__generate_params [[[
|
||||
#
|
||||
# Absolute path of the ``dhparam-generate-params`` script on remote hosts.
|
||||
dhparam__generate_params: '{{ (ansible_local.fhs.lib | d("/usr/local/lib"))
|
||||
+ "/dhparam-generate-params" }}'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__generate_log [[[
|
||||
#
|
||||
# Enable or disable log messages from DH generation script.
|
||||
dhparam__generate_log: True
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__hook_path [[[
|
||||
#
|
||||
# Directory on remote hosts where hook scripts are stored. These hooks will be
|
||||
# run at the end of the Diffie-Hellman generator script using ``run-parts``.
|
||||
dhparam__hook_path: '{{ dhparam__path + "/hooks.d" }}'
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__openssl_options [[[
|
||||
#
|
||||
# Provide additional options to the openssl dhparam generator (eg. -dsaparam).
|
||||
dhparam__openssl_options: ''
|
||||
# ]]]
|
||||
# ]]]
|
||||
# Initial Diffie-Hellman re-generation [[[
|
||||
# ----------------------------------------
|
||||
|
||||
# .. envvar:: dhparam__generate_init [[[
|
||||
#
|
||||
# Schedule a background job on the first configuration of ``debops.dhparam`` on
|
||||
# a particular host to re-generate the DH parameters? It will only be done if
|
||||
# the :ref:`debops.atd` role is enabled on the host. If disabled, hosts will use the
|
||||
# default DH parameters seeded from the Ansible Controller.
|
||||
dhparam__generate_init: True
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__generate_init_units [[[
|
||||
#
|
||||
# Time units used to specify the future time of initial DH re-generation. You
|
||||
# can use ``minutes``, ``hours``, ``days`` or ``weeks``.
|
||||
dhparam__generate_init_units: 'minutes'
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__generate_init_count [[[
|
||||
#
|
||||
# Unit count of the initial DH re-generation. By default Diffie-Hellman
|
||||
# parameters will be re-generated about 20 minutes after the initial Ansible run,
|
||||
# depending on system CPU load.
|
||||
dhparam__generate_init_count: '20'
|
||||
# ]]]
|
||||
# ]]]
|
||||
# Periodic Diffie-Hellman re-generation [[[
|
||||
# -----------------------------------------
|
||||
|
||||
# .. envvar:: dhparam__generate_cron [[[
|
||||
#
|
||||
# Enable periodic Diffie-Hellman parameter re-generation. If :command:`systemd`
|
||||
# is present, the role will set up a systemd timer, otherwise the script will
|
||||
# be started periodically by :command:`cron` service.
|
||||
dhparam__generate_cron: True
|
||||
|
||||
# ]]]
|
||||
# .. envvar:: dhparam__generate_cron_period [[[
|
||||
#
|
||||
# Time interval between periodical DH parameter re-generation. You can use
|
||||
# units recognized by :program:`cron` Ansible module ``special_time`` parameter:
|
||||
# ``daily``, ``weekly``, ``monthly``, ``annually``, ``yearly``, ``reboot``.
|
||||
# If :command:`systemd` is used, see the :man:`systemd.time(7)` documentation
|
||||
# for possible ``OnCalendar=`` values.
|
||||
dhparam__generate_cron_period: 'monthly'
|
||||
# ]]]
|
||||
# ]]]
|
||||
# ]]]
|
||||
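Review bot: `dhparam__openssl_options: ''` is declared and documented as a string ("eg. -dsaparam"), but the two consumers disagree on its type: the controller-side `openssl dhparam {{ dhparam__openssl_options }}` task pastes it verbatim, while the deployed generation script renders it with `| join(' ')`, which on a string iterates character by character, so `-dsaparam` reaches the host as `- d s a p a r a m` and every later regeneration fails silently; a list value breaks the controller-side task instead. Pick one type and apply it in both places, e.g. keep the string here and drop the `join` in the script template, or switch to `dhparam__openssl_options: []` and join it in the task too. The `-dsaparam` example also needs a caveat in this comment: OpenSSL's own documentation warns that DSA-style parameters are not safe primes and must only be used with a fresh DH key per handshake to avoid small-subgroup attacks, so something like `# Note: '-dsaparam' is only safe when the consuming service uses single-use ephemeral DH keys` belongs next to the example.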
@ -0,0 +1,22 @@
|
|||
---
|
||||
# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# Copyright (C) 2015-2017 DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
- name: Execute DH parameter hooks
|
||||
ansible.builtin.command: run-parts {{ dhparam__hook_path }}
|
||||
register: dhparam__register_hooks
|
||||
changed_when: dhparam__register_hooks.changed | bool
|
||||
|
||||
- name: Regenerate DH parameters on first install
|
||||
ansible.posix.at: # noqa jinja[spacing]
|
||||
command: |
|
||||
test -x {{ dhparam__generate_params }} \
|
||||
&& (echo 'nice {{ dhparam__generate_params }} run' | batch > /dev/null 2>&1) || true
|
||||
count: '{{ dhparam__generate_init_count }}'
|
||||
units: '{{ dhparam__generate_init_units }}'
|
||||
unique: True
|
||||
when: (dhparam__generate_init | bool and
|
||||
(ansible_local | d() and ansible_local.atd | d() and
|
||||
ansible_local.atd.enabled | bool))
|
||||
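Review bot: `changed_when: dhparam__register_hooks.changed | bool` in the `Execute DH parameter hooks` handler is a tautology, because `ansible.builtin.command` always reports `changed`, so the handler can never signal whether any hook actually did work. Either drop the `register`/`changed_when` pair or set `changed_when: False` if the hooks' effects are not meant to show up in play status. In `Regenerate DH parameters on first install`, the queued command ends in `|| true`, so a missing `batch` binary or a rejected job is never surfaced and the host silently keeps the preseeded parameters; a `logger` call in the failure branch, e.g. `|| logger -t dhparam "could not queue DH parameter regeneration"`, would make that visible.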
@ -0,0 +1,36 @@
|
|||
---
|
||||
# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# Copyright (C) 2015-2022 DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
# Ensure that custom Ansible plugins and modules included in the main DebOps
|
||||
# collection are available to roles in other collections.
|
||||
collections: [ 'debops.debops' ]
|
||||
|
||||
dependencies: []
|
||||
|
||||
galaxy_info:
|
||||
|
||||
author: 'Maciej Delmanowski, Robin Schneider'
|
||||
description: 'Manage one or multiple sets of Diffie-Hellman Ephemeral parameters'
|
||||
company: 'DebOps'
|
||||
license: 'GPL-3.0-only'
|
||||
min_ansible_version: '2.2.0'
|
||||
|
||||
platforms:
|
||||
|
||||
- name: 'Ubuntu'
|
||||
versions: [ 'all' ]
|
||||
|
||||
- name: 'Debian'
|
||||
versions: [ 'all' ]
|
||||
|
||||
galaxy_tags:
|
||||
- encryption
|
||||
- security
|
||||
- tls
|
||||
- ssl
|
||||
- pki
|
||||
- weakdh
|
||||
- logjam
|
||||
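Review bot: `min_ansible_version: '2.2.0'` understates what the role needs: the tasks and handlers use `ansible.builtin.*` and `ansible.posix.at` FQCNs and this file uses the `collections:` keyword, which as far as I can tell require Ansible 2.10 or later plus the `ansible.posix` collection. Galaxy consumers and linters key off this value, so it should be raised to the version the role is actually exercised with, e.g. `min_ansible_version: '2.10'`, and `ansible.posix` should be recorded as a runtime dependency in the role documentation or `dependencies:`.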
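--- a/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml
+++ b/ansible_collections/debops/debops/roles/dhparam/tasks/main.yml
@@ -0,0 +1,179 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
+# Copyright (C) 2015-2017 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Import DebOps secret role
+  ansible.builtin.import_role:
+    name: 'secret'
+
+- name: Check Ansible Controller library version # noqa no-shorthand
+  ansible.builtin.shell: |
+    set -o nounset -o pipefail -o errexit &&
+    {% if dhparam__source_library == 'gnutls' %}
+    certtool --version | head -n 1 | awk '{print $NF}'
+    {% elif dhparam__source_library == 'openssl' %}
+    openssl version | awk '{print $2}'
+    {% endif %}
+  args:
+    executable: 'bash'
+  changed_when: False
+  register: dhparam__register_version
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  check_mode: False
+  tags: [ 'meta::provision' ]
+
+- name: Assert that required software is installed
+  ansible.builtin.assert:
+    that:
+      - 'dhparam__register_version is defined and dhparam__register_version.stdout'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Create required directories on Ansible Controller
+  ansible.builtin.file:
+    path: '{{ dhparam__source_path }}'
+    state: 'directory'
+    mode: '0755'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Generate Diffie-Hellman params on Ansible Controller # noqa no-shorthand
+  ansible.builtin.command: |
+    {% if dhparam__source_library == 'gnutls' %}
+    certtool --generate-dh-params
+             --outfile {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}
+             --bits {{ item }}
+    {% elif dhparam__source_library == 'openssl' %}
+    openssl dhparam {{ dhparam__openssl_options }} -out {{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }} {{ item }}
+    {% endif %}
+  args:
+    creates: '{{ dhparam__source_path + "/" + dhparam__prefix + item + dhparam__suffix }}'
+  with_items: '{{ dhparam__bits }}'
+  delegate_to: 'localhost'
+  become: False
+  run_once: True
+  tags: [ 'meta::provision' ]
+
+- name: Install encryption software
+  ansible.builtin.package:
+    name: '{{ q("flattened", (dhparam__base_packages + dhparam__packages)) }}'
+    state: 'present'
+  when: dhparam__deploy_state in ['present']
+  register: dhparam__register_packages
+  until: dhparam__register_packages is succeeded
+  tags: [ 'meta::provision' ]
+
+- name: Create required directories
+  ansible.builtin.file:
+    path: '{{ dhparam__hook_path }}'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+  notify: [ 'Regenerate DH parameters on first install' ]
+
+- name: Preseed Diffie-Hellman parameters
+  ansible.builtin.copy:
+    src: '{{ dhparam__source_path + "/" }}'
+    dest: '{{ dhparam__path + "/params/" + dhparam__set_prefix + item + "/" }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+    force: False
+  when: dhparam__deploy_state in ['present']
+  with_sequence: 'start=0 count={{ dhparam__sets }}'
+  notify: [ 'Execute DH parameter hooks' ]
+
+- name: Create default symlinks for all sets
+  ansible.builtin.file:
+    src: '{{ "params/" + dhparam__set_prefix + item + "/"
+             + dhparam__prefix + dhparam__default_length + dhparam__suffix }}'
+    path: '{{ dhparam__path + "/" + dhparam__set_prefix + item }}'
+    state: 'link'
+    mode: '0644'
+  when: dhparam__deploy_state in ['present'] and not ansible_check_mode
+  with_sequence: 'start=0 count={{ dhparam__sets }}'
+
+- name: Install DHE generation script
+  ansible.builtin.template:
+    src: 'usr/local/lib/dhparam-generate-params.j2'
+    dest: '{{ dhparam__generate_params }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+
+- name: Enable periodic DH parameters generation via cron
+  ansible.builtin.cron:
+    name: 'Generate new Diffie-Hellman ephemeral parameters'
+    job: 'test -x {{ dhparam__generate_params }} && {{ dhparam__generate_params }} schedule'
+    cron_file: 'dhparam-generate-params'
+    user: 'root'
+    special_time: '{{ dhparam__generate_cron_period }}'
+    state: '{{ "present"
+               if (ansible_service_mgr != "systemd" and
+                   dhparam__generate_cron | bool and
+                   dhparam__deploy_state in ["present"])
+               else "absent" }}'
+  when: not ansible_check_mode
+
+- name: Setup systemd timer for periodic DH parameter regeneration
+  ansible.builtin.template:
+    src: '{{ item }}.j2'
+    dest: '/{{ item }}'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  with_items:
+    - 'etc/systemd/system/dhparam-generate-params.service'
+    - 'etc/systemd/system/dhparam-generate-params.timer'
+  register: dhparam__register_systemd
+  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd'
+
+- name: Enable systemd timer
+  ansible.builtin.systemd:
+    daemon_reload: True
+    name: 'dhparam-generate-params.timer'
+    enabled: '{{ True
+                 if (dhparam__generate_cron | bool)
+                 else False }}'
+    state: '{{ "started"
+               if (dhparam__generate_cron | bool)
+               else "stopped" }}'
+  when: dhparam__deploy_state in ['present'] and ansible_service_mgr == 'systemd' and
+        not ansible_check_mode
+
+- name: Make sure the Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    owner: 'root'
+    group: 'root'
+    mode: '0755'
+  when: dhparam__deploy_state in ['present']
+
+- name: Save dhparam local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/dhparam.fact.j2'
+    dest: '/etc/ansible/facts.d/dhparam.fact'
+    owner: 'root'
+    group: 'root'
+    mode: '0644'
+  notify: [ 'Refresh host facts' ]
+  tags: [ 'meta::facts' ]
+
+- name: Gather facts if they changed
+  ansible.builtin.meta: 'flush_handlers'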
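Review bot: The `Check Ansible Controller library version` task has no `{% else %}` branch, so a `dhparam__source_library` value other than `openssl` or `gnutls` renders a bash script that ends in a dangling `&&` and fails on the controller with a shell syntax error rather than a message naming the bad variable; the `Assert that required software is installed` task that follows never gets to run. Validate the value up front, e.g. `- name: Assert that the cryptographic library is supported` / `ansible.builtin.assert:` / `that: [ 'dhparam__source_library in ["openssl", "gnutls"]' ]`, and consider the same check for `dhparam__library`, which selects the branch taken by the deployed generation script. The existing assert only tests that `stdout` is non-empty, so the task name promises a version check that is not performed; renaming it to a presence check, or comparing against a documented minimum, would stop it misleading the next reader.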
@ -0,0 +1,32 @@
|
|||
{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# Copyright (C) 2015-2017 DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
#}
|
||||
{% set dhparam__tpl_bits = dhparam__bits %}
|
||||
{% set dhparam__tpl_default = dhparam__path + "/" + dhparam__default_set %}
|
||||
{% set dhparam__tpl_default_length = dhparam__default_length %}
|
||||
{% set dhparam__tpl_set_prefix = dhparam__set_prefix %}
|
||||
{% set dhparam__tpl_sets = [] %}
|
||||
{% for number in range(0, dhparam__sets | int) %}
|
||||
{% set _ = dhparam__tpl_sets.append(number) %}
|
||||
{% endfor %}
|
||||
{% set dhparam__tpl_hooks = dhparam__hook_path %}
|
||||
{% set dhparam__tpl_library = dhparam__library %}
|
||||
{% set dhparam__tpl_path = dhparam__path %}
|
||||
{% set dhparam__tpl_params = dhparam__path + "/params" %}
|
||||
{
|
||||
"bits": {{ dhparam__tpl_bits | to_nice_json }},
|
||||
"default": "{{ dhparam__tpl_default }}",
|
||||
"default_length": "{{ dhparam__tpl_default_length }}",
|
||||
"enabled": "true",
|
||||
"set_prefix": "{{ dhparam__tpl_set_prefix }}",
|
||||
"sets": {{ dhparam__tpl_sets | to_nice_json }},
|
||||
{% for number in dhparam__tpl_sets %}
|
||||
"{{ dhparam__set_prefix + number | string }}": "{{ dhparam__tpl_path + '/' + dhparam__set_prefix + number | string }}",
|
||||
{% endfor %}
|
||||
"hooks": "{{ dhparam__tpl_hooks }}",
|
||||
"library": "{{ dhparam__tpl_library }}",
|
||||
"path": "{{ dhparam__tpl_path }}",
|
||||
"params": "{{ dhparam__tpl_params }}"
|
||||
}
|
||||
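Review bot: Every string value in the fact file is interpolated directly between double quotes (`"default": "{{ dhparam__tpl_default }}"`, the per-set loop, `hooks`, `library`, `path`, `params`), so a path or prefix containing a double quote or backslash produces invalid JSON and, because `setup` parses the file as a unit, breaks local fact gathering for the entire host. Rendering each value with `| to_json`, as the `bits` and `sets` lines already do, e.g. `"default": {{ dhparam__tpl_default | to_json }},`, makes the template robust regardless of variable content. `"enabled": "true"` is also a JSON string rather than a boolean; consumers that pass it through `| bool` will work, but it deserves either a real `true` or a comment saying the string form is intentional.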
@ -0,0 +1,16 @@
|
|||
{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# Copyright (C) 2015-2017 DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
#}
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=Regenerate Diffie-Hellman parameters
|
||||
Documentation=https://docs.debops.org/en/master/ansible/roles/debops.dhparam/
|
||||
ConditionACPower=true
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
Nice=10
|
||||
ExecStart={{ dhparam__generate_params }} run
|
||||
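Review bot: The `[Service]` section runs the generator as root with no sandboxing, although the visible script only writes under `{{ dhparam__path }}/params` and `/run` before handing off to `run-parts` on the hooks directory. `PrivateTmp=true` and `ProtectHome=true` look safe to add unconditionally given what the script does; `ProtectSystem=strict` with `ReadWritePaths={{ dhparam__path }} /run` would confine it further but could break site-specific hooks, so that one should be opt-in or at least documented. `Nice=10` only lowers CPU priority; if the goal is to keep a multi-minute `openssl dhparam` from competing with production services, `CPUSchedulingPolicy=idle` is the closer equivalent of the `nice`/`batch` behaviour the script uses when scheduled by cron.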
@ -0,0 +1,17 @@
|
|||
{# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) 2015-2017 Robin Schneider <ypid@riseup.net>
|
||||
# Copyright (C) 2015-2017 DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
#}
|
||||
# {{ ansible_managed }}
|
||||
|
||||
[Unit]
|
||||
Description=Regenerate Diffie-Hellman parameters
|
||||
|
||||
[Timer]
|
||||
OnCalendar={{ dhparam__generate_cron_period }}
|
||||
RandomizedDelaySec=12h
|
||||
Persistent=true
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
||||
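Review bot: `OnCalendar={{ dhparam__generate_cron_period }}` reuses a variable whose documented vocabulary is the cron `special_time` set, and as far as I can tell `reboot` has no `OnCalendar=` equivalent, so a host configured with that value gets a timer unit systemd refuses to load while the `Enable systemd timer` task still tries to start it. Either reject `reboot` when `ansible_service_mgr == 'systemd'`, or render a boot trigger for that case, e.g. `{% if dhparam__generate_cron_period == 'reboot' %}OnBootSec=15min{% else %}OnCalendar={{ dhparam__generate_cron_period }}{% endif %}`. `RandomizedDelaySec=12h` is a sensible spread for a fleet; a one-line comment stating that it exists to keep all hosts from regenerating at the same moment would help the next reader.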
@ -0,0 +1,135 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# {{ ansible_managed }}
|
||||
|
||||
# Generate Diffie-Hellman ephemeral parameters
|
||||
# Copyright (C) Maciej Delmanowski <drybjed@gmail.com>
|
||||
# Copyright (C) DebOps <https://debops.org/>
|
||||
# SPDX-License-Identifier: GPL-3.0-only
|
||||
|
||||
|
||||
command="${1:-run}"
|
||||
|
||||
delay_job="${2}"
|
||||
|
||||
pidfile_scheduler="/run/$(basename "${0}")-scheduler.pid"
|
||||
|
||||
pidfile_run="/run/$(basename "${0}").pid"
|
||||
|
||||
dhparam_log="{{ 'true' if dhparam__generate_log | bool else '' }}"
|
||||
|
||||
clean_up () {
|
||||
test -f "${pidfile_run}" && rm -f "${pidfile_run}"
|
||||
test -f "${pidfile_scheduler}" && rm -f "${pidfile_scheduler}"
|
||||
}
|
||||
|
||||
log_message () {
|
||||
if [ -n "${dhparam_log}" ] ; then
|
||||
if type logger > /dev/null 2>&1 ; then
|
||||
logger -t "$(basename "${0}")" "${@}"
|
||||
fi
|
||||
fi
|
||||
}
|
||||
|
||||
if [ "${command}" == "run" ] ; then
|
||||
|
||||
if [ -f "${pidfile_run}" ] ; then
|
||||
log_message "DH parameter generation already in progress managed by PID $(cat "${pidfile_run}"), exiting"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo $$ > "${pidfile_run}"
|
||||
sleep 1
|
||||
|
||||
if [ "$(cat "${pidfile_run}")" != $$ ] ; then
|
||||
log_message "DH parameter generation started by PID $(cat "${pidfile_run}"), aborting"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
elif [ "${command}" == "schedule" ] ; then
|
||||
|
||||
if [ -f "${pidfile_run}" ] ; then
|
||||
log_message "DH parameter generation found at PID $(cat "${pidfile_run}"), aborting scheduler"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
if [ -f "${pidfile_scheduler}" ] ; then
|
||||
log_message "DH generation scheduler already running as PID $(cat "${pidfile_scheduler}"), exiting"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
echo $$ > "${pidfile_scheduler}"
|
||||
sleep 1
|
||||
|
||||
if [ "$(cat "${pidfile_scheduler}")" != $$ ] ; then
|
||||
log_message "DH generation scheduler started as PID $(cat "${pidfile_scheduler}"), aborting"
|
||||
exit 0
|
||||
fi
|
||||
|
||||
fi
|
||||
|
||||
dhparam_library="{{ dhparam__library }}"
|
||||
dhparam_path="{{ dhparam__path + '/params' }}"
|
||||
|
||||
read -r -a dhparam_openssl_options <<< "{{ dhparam__openssl_options | join(' ') }}"
|
||||
|
||||
dhparam_prefix="{{ dhparam__prefix }}"
|
||||
read -r -a dhparam_bits <<< "{{ dhparam__bits | join(' ') }}"
|
||||
dhparam_suffix="{{ dhparam__suffix }}"
|
||||
|
||||
dhparam_hooks="{{ dhparam__hook_path }}"
|
||||
|
||||
|
||||
# Generate Diffie-Hellman parameters
|
||||
generate_params () {
|
||||
|
||||
trap clean_up EXIT
|
||||
|
||||
if [ -n "${delay_job}" ] ; then
|
||||
delay=$(( RANDOM % 20 ))
|
||||
sleep $(( (delay + 1) * 60 ))
|
||||
fi
|
||||
|
||||
cd "${dhparam_path}" || exit 1
|
||||
while IFS= read -r -d '' set ; do
|
||||
|
||||
cd "${set}" || exit 1
|
||||
for length in "${dhparam_bits[@]}" ; do
|
||||
|
||||
log_message "Generating new Diffie-Hellman parameters in $(basename "${set}") with ${length} bits"
|
||||
|
||||
dhparam_file="${dhparam_prefix}${length}${dhparam_suffix}"
|
||||
if [ "${dhparam_library}" == "gnutls" ] ; then
|
||||
certtool --generate-dh-params --outfile "${dhparam_file}.tmp" --bits "${length}" > /dev/null 2>&1 && mv "${dhparam_file}.tmp" "${dhparam_file}"
|
||||
elif [ "${dhparam_library}" == "openssl" ] ; then
|
||||
openssl dhparam "${dhparam_openssl_options[@]}" -out "${dhparam_file}.tmp" "${length}" > /dev/null 2>&1 && mv "${dhparam_file}.tmp" "${dhparam_file}"
|
||||
fi
|
||||
|
||||
done
|
||||
# shellcheck disable=SC2164
|
||||
cd - > /dev/null 2>&1
|
||||
|
||||
done < <(find . -maxdepth 1 -type d -not -name . -print0)
|
||||
|
||||
run-parts "${dhparam_hooks}"
|
||||
|
||||
}
|
||||
|
||||
# Schedule DH parameter generation at a later time
|
||||
schedule_job () {
|
||||
|
||||
if type batch > /dev/null 2>&1 ; then
|
||||
log_message "Scheduling new DH parameter generation using batch"
|
||||
echo "nice ${0} run" | batch > /dev/null 2>&1
|
||||
else
|
||||
log_message "Scheduling new DH parameter generation"
|
||||
(nice "${0}" run delay) &
|
||||
fi
|
||||
|
||||
}
|
||||
|
||||
case "${command}" in
|
||||
run) generate_params ;;
|
||||
schedule) schedule_job ;;
|
||||
*) echo "Usage: $(basename "${0}") {run|schedule}" ;;
|
||||
esac
|
||||
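Review bot: The pidfile protocol in the `run` and `schedule` branches treats the mere existence of `${pidfile_run}` or `${pidfile_scheduler}` as proof of a live job without checking the PID, and the `schedule` branch never installs the `clean_up` trap (it is only set inside `generate_params`), so if the queued `batch` job never executes or a generation is killed before its EXIT trap, a stale file under `/run` silently disables every future regeneration until reboot while `log_message` keeps reporting it as already in progress. Replacing the write-sleep-compare sequence with `flock` on a lock file is the robust fix; as a minimum the existence tests should become `if [ -f "${pidfile_run}" ] && kill -0 "$(cat "${pidfile_run}")" 2> /dev/null ; then` (and likewise for the scheduler). Separately, `openssl dhparam ... > /dev/null 2>&1 && mv ...` and the `certtool` line swallow every failure, leave `${dhparam_file}.tmp` behind, and still fall through to `run-parts`, so a bad option or a full disk stops parameter rotation with no log line; appending `|| log_message "Generating ${dhparam_file} in ${set} failed"` to each would make that visible.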