| -rw-r--r-- | ansible/playbook.yml | 1 | ||||
| -rw-r--r-- | ansible/roles/pydis-mtls/README.md | 17 | ||||
| -rw-r--r-- | ansible/roles/pydis-mtls/defaults/main.yml | 29 | ||||
| -rw-r--r-- | ansible/roles/pydis-mtls/tasks/main.yml | 17 | 
4 files changed, 64 insertions, 0 deletions
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 0cb4cf6..f04fefe 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -1,6 +1,7 @@
 - name: Deploy common services
   hosts: all
   roles:
+    - pydis-mtls
     - certbot
     - common
     - pydis-users
diff --git a/ansible/roles/pydis-mtls/README.md b/ansible/roles/pydis-mtls/README.md
new file mode 100644
index 0000000..c72a340
--- /dev/null
+++ b/ansible/roles/pydis-mtls/README.md
@@ -0,0 +1,17 @@
+# Role "pydis-mtls"
+
+This role adds a copy of the Python Discord Root CA used for mutual TLS
+authentication to a specified location on all hosts.
+
+Services that need mutual TLS support should validate any incoming request
+against this client certificate, the default provided with this role will always
+be a subdomain of `tls.pydis.wtf` and the CN can be used for further
+authorization validation.
+
+## Variables
+
+`pydis_mtls_certificate`: The CA Certificate contents to be copied to the host.
+The default should be fine here and is the current production CA.
+
+`pydis_mtls_location`: The location to copy the CA file to, defaults to
+`/opt/pydis/ca.pem`.
diff --git a/ansible/roles/pydis-mtls/defaults/main.yml b/ansible/roles/pydis-mtls/defaults/main.yml
new file mode 100644
index 0000000..721a747
--- /dev/null
+++ b/ansible/roles/pydis-mtls/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+pydis_mtls_certificate: |
+  -----BEGIN CERTIFICATE-----
+  MIIEPzCCAyegAwIBAgIUEJZIbODQ36KwtyMHrT/shF8Mci4wDQYJKoZIhvcNAQEL
+  BQAwgYcxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcTBkxv
+  bmRvbjEeMBwGA1UEChMVUHl0aG9uIERpc2NvcmQgRGV2T3BzMR4wHAYDVQQLExVQ
+  eXRob24gRGlzY29yZCBEZXZPcHMxFjAUBgNVBAMTDXRscy5weWRpcy53dGYwHhcN
+  MjQwNTI2MjIzMTE5WhcNMjkwNTI1MjIzMTQ5WjCBhzELMAkGA1UEBhMCR0IxDzAN
+  BgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9uZG9uMR4wHAYDVQQKExVQeXRob24g
+  RGlzY29yZCBEZXZPcHMxHjAcBgNVBAsTFVB5dGhvbiBEaXNjb3JkIERldk9wczEW
+  MBQGA1UEAxMNdGxzLnB5ZGlzLnd0ZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+  AQoCggEBAN6kkXZQ+4pmgvexhKo9aavohMTiFQkgc0lcU6hjDxhoAHZkBTfIejBJ
+  yM0oRLsaHnyZwaCzK6qdoNqmKu/N3D9Y/JVlyyyVDnQ8Q78vCG6vLnMiLtmrI7J7
+  eZ+o5es80W0NowVNP1VSIA4G9gI6OtmUnepu5+1y9i5g0Uf9wncw8DmjXoxgkYcO
+  PYzGJpiSMcPugUvKIHVvZlDIUg4avlJi3c/ZheAB7V8nDIltlysakRC/dt6SOsRp
+  EHw/0dnU9jAGdvFqB1vGwL27CXTzhCz0kfnHRTVTp3LsuCl7KcNwDpqkg2rjt/Xa
+  NJKhBYMAypVPQIPgnvIiSotHfBkRVGcCAwEAAaOBoDCBnTAOBgNVHQ8BAf8EBAMC
+  AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUq4RhzM8gg8XsoI62V/scgOC2
+  HHwwHwYDVR0jBBgwFoAUq4RhzM8gg8XsoI62V/scgOC2HHwwGAYDVR0RBBEwD4IN
+  dGxzLnB5ZGlzLnd0ZjAgBgNVHR4BAf8EFjAUoBIwEIIOLnRscy5weWRpcy53dGYw
+  DQYJKoZIhvcNAQELBQADggEBADDmik7m5+zCB5a3aEMNsudm8fq8sJOj/bGzL3bB
+  bEdq5ABw9ET0oecR37ow+QpO9haU+keUXdcUhkfo02jsIu78RXg+6+lQPPXQlRuJ
+  VpdhmBgYp8bosLOsuXJ714HS9dt42SRE2PmlX1si/genJfeAqn8iYjPqjO1wlLwD
+  QJrybnq0j4glaKDRb5Ve8iITrv3RXGLhJOs97KfDQ10QD3L82C5Q2T5KTZ75n9J3
+  p5jBHYLqwd80EoI5Z/w0bL887mKP9tI1N2QG30lHj7Bxw9J2/uwayQ8S9SVOIB4t
+  QxbEW5JQzaUahX8Kaw9s3BZSezLFC0BvOOLnbYCsXIuB84g=
+  -----END CERTIFICATE-----
+
+pydis_mtls_location: /opt/pydis/ca.pem
diff --git a/ansible/roles/pydis-mtls/tasks/main.yml b/ansible/roles/pydis-mtls/tasks/main.yml
new file mode 100644
index 0000000..70ea7b2
--- /dev/null
+++ b/ansible/roles/pydis-mtls/tasks/main.yml
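Review bot: The trust anchor in `pydis_mtls_certificate` is committed with no comment saying what it is or when it stops being valid, so nothing in the role will warn anyone before every mTLS handshake starts failing; decoding the base64 appears to give a self-signed RSA-2048/SHA-256 CA with CN `tls.pydis.wtf`, a critical name constraint permitting `.tls.pydis.wtf`, and notAfter 2029-05-25 — worth confirming with `openssl x509 -noout -text`. I would add a comment above the block scalar recording subject, expiry and SHA-256 fingerprint, e.g. `# Python Discord mTLS root CA (CN=tls.pydis.wtf), self-signed, expires 2029-05-25; fingerprint via openssl x509 -noout -fingerprint -sha256 — rotate well ahead of expiry`. The certificate carries no CRL or OCSP pointer, so revocation of a compromised client key is only possible by replacing this CA and re-running the role on every host, which is a high-impact operation that should be stated where the variable is defined. Any future change to this value should be reviewed against the fingerprint of the CA actually issuing production client certificates, since a wrong paste here silently re-points trust for all services.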
@@ -0,0 +1,17 @@
+- name: Ensure directory to store mTLS CA in is created
+  file:
+    path: '{{ pydis_mtls_location | dirname }}'
+    state: directory
+    mode: '0755'
+  tags:
+    - role::pydis-mtls
+
+- name: Copy mTLS Certificate Authority to host
+  copy:
+    content: '{{ pydis_mtls_certificate }}'
+    dest: '{{ pydis_mtls_location }}'
+    owner: root
+    group: root
+    mode: '0744'
+  tags:
+    - role::pydis-mtls
|
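Review bot: The copy task installs the CA with `mode: '0744'`, which grants an owner-execute bit that a PEM file never needs; a trust anchor should be a plain root-owned, world-readable regular file, so this should be `mode: '0644'`. The task also writes the variable verbatim, so a truncated or mangled `pydis_mtls_certificate` would be rolled out to every host and break mTLS for every consuming service on its next reload; adding `validate: 'openssl x509 -noout -in %s'` to the copy task rejects anything that is not a parseable certificate before it replaces the live file (this presumes `openssl` is installed on the hosts — confirm). The directory task sets `mode: '0755'` but no `owner`/`group`, so ownership of the parent of `pydis_mtls_location` depends on whichever user Ansible connects as; adding `owner: root` and `group: root` there keeps the whole path under root control, matching the copy task.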
