From 098a31f19e4f3a88314411d89b0c518de73904ea Mon Sep 17 00:00:00 2001
From: Joe Banks
Date: Mon, 27 May 2024 23:09:31 +0100
Subject: Add pydis-mtls role for distributing root CA
Adds a new role named pydis-mtls to distribute the mTLS certificate authority data to all nodes in the inventory. The defaults are sufficient here and are using the production CA that will be used for service authentication (tls.pydis.wtf). Other services can point to the value stored in pydis_mtls_location as the source of truth for the certificate authority to validate against.
---
 ansible/playbook.yml | 1 +
 ansible/roles/pydis-mtls/README.md | 17 +++++++++++++++++
 ansible/roles/pydis-mtls/defaults/main.yml | 29 +++++++++++++++++++++++++++++
 ansible/roles/pydis-mtls/tasks/main.yml | 17 +++++++++++++++++
 4 files changed, 64 insertions(+)
 create mode 100644 ansible/roles/pydis-mtls/README.md
 create mode 100644 ansible/roles/pydis-mtls/defaults/main.yml
 create mode 100644 ansible/roles/pydis-mtls/tasks/main.yml
(limited to 'ansible')
diff --git a/ansible/playbook.yml b/ansible/playbook.yml
index 0cb4cf6..f04fefe 100644
--- a/ansible/playbook.yml
+++ b/ansible/playbook.yml
@@ -1,6 +1,7 @@
 - name: Deploy common services
 hosts: all
 roles:
+ - pydis-mtls
 - certbot
 - common
 - pydis-users
diff --git a/ansible/roles/pydis-mtls/README.md b/ansible/roles/pydis-mtls/README.md
new file mode 100644
index 0000000..c72a340
--- /dev/null
+++ b/ansible/roles/pydis-mtls/README.md
@@ -0,0 +1,17 @@
+# Role "pydis-mtls"
+
+This role adds a copy of the Python Discord Root CA used for mutual TLS
+authentication to a specified location on all hosts.
+
+Services that need mutual TLS support should validate any incoming request
+against this client certificate, the default provided with this role will always
+be a subdomain of `tls.pydis.wtf` and the CN can be used for further
+authorization validation.
+
+## Variables
+
+`pydis_mtls_certificate`: The CA Certificate contents to be copied to the host.
+The default should be fine here and is the current production CA.
+
+`pydis_mtls_location`: The location to copy the CA file to, defaults to
+`/opt/pydis/ca.pem`.
diff --git a/ansible/roles/pydis-mtls/defaults/main.yml b/ansible/roles/pydis-mtls/defaults/main.yml
new file mode 100644
index 0000000..721a747
--- /dev/null
+++ b/ansible/roles/pydis-mtls/defaults/main.yml
@@ -0,0 +1,29 @@
+---
+pydis_mtls_certificate: |
+ -----BEGIN CERTIFICATE-----
+ MIIEPzCCAyegAwIBAgIUEJZIbODQ36KwtyMHrT/shF8Mci4wDQYJKoZIhvcNAQEL
+ BQAwgYcxCzAJBgNVBAYTAkdCMQ8wDQYDVQQIEwZMb25kb24xDzANBgNVBAcTBkxv
+ bmRvbjEeMBwGA1UEChMVUHl0aG9uIERpc2NvcmQgRGV2T3BzMR4wHAYDVQQLExVQ
+ eXRob24gRGlzY29yZCBEZXZPcHMxFjAUBgNVBAMTDXRscy5weWRpcy53dGYwHhcN
+ MjQwNTI2MjIzMTE5WhcNMjkwNTI1MjIzMTQ5WjCBhzELMAkGA1UEBhMCR0IxDzAN
+ BgNVBAgTBkxvbmRvbjEPMA0GA1UEBxMGTG9uZG9uMR4wHAYDVQQKExVQeXRob24g
+ RGlzY29yZCBEZXZPcHMxHjAcBgNVBAsTFVB5dGhvbiBEaXNjb3JkIERldk9wczEW
+ MBQGA1UEAxMNdGxzLnB5ZGlzLnd0ZjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC
+ AQoCggEBAN6kkXZQ+4pmgvexhKo9aavohMTiFQkgc0lcU6hjDxhoAHZkBTfIejBJ
+ yM0oRLsaHnyZwaCzK6qdoNqmKu/N3D9Y/JVlyyyVDnQ8Q78vCG6vLnMiLtmrI7J7
+ eZ+o5es80W0NowVNP1VSIA4G9gI6OtmUnepu5+1y9i5g0Uf9wncw8DmjXoxgkYcO
+ PYzGJpiSMcPugUvKIHVvZlDIUg4avlJi3c/ZheAB7V8nDIltlysakRC/dt6SOsRp
+ EHw/0dnU9jAGdvFqB1vGwL27CXTzhCz0kfnHRTVTp3LsuCl7KcNwDpqkg2rjt/Xa
+ NJKhBYMAypVPQIPgnvIiSotHfBkRVGcCAwEAAaOBoDCBnTAOBgNVHQ8BAf8EBAMC
+ AQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQUq4RhzM8gg8XsoI62V/scgOC2
+ HHwwHwYDVR0jBBgwFoAUq4RhzM8gg8XsoI62V/scgOC2HHwwGAYDVR0RBBEwD4IN
+ dGxzLnB5ZGlzLnd0ZjAgBgNVHR4BAf8EFjAUoBIwEIIOLnRscy5weWRpcy53dGYw
+ DQYJKoZIhvcNAQELBQADggEBADDmik7m5+zCB5a3aEMNsudm8fq8sJOj/bGzL3bB
+ bEdq5ABw9ET0oecR37ow+QpO9haU+keUXdcUhkfo02jsIu78RXg+6+lQPPXQlRuJ
+ VpdhmBgYp8bosLOsuXJ714HS9dt42SRE2PmlX1si/genJfeAqn8iYjPqjO1wlLwD
+ QJrybnq0j4glaKDRb5Ve8iITrv3RXGLhJOs97KfDQ10QD3L82C5Q2T5KTZ75n9J3
+ p5jBHYLqwd80EoI5Z/w0bL887mKP9tI1N2QG30lHj7Bxw9J2/uwayQ8S9SVOIB4t
+ QxbEW5JQzaUahX8Kaw9s3BZSezLFC0BvOOLnbYCsXIuB84g=
+ -----END CERTIFICATE-----
+
+pydis_mtls_location: /opt/pydis/ca.pem
diff --git a/ansible/roles/pydis-mtls/tasks/main.yml b/ansible/roles/pydis-mtls/tasks/main.yml
new file mode 100644
index 0000000..70ea7b2
--- /dev/null
+++ b/ansible/roles/pydis-mtls/tasks/main.yml
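Review bot: The CA embedded in `pydis_mtls_certificate` carries no human-readable identity or expiry, so an operator reading this file cannot tell which CA is being pushed to every host in the inventory or when it stops validating; add a comment above the block scalar recording the subject, the not-after date and the SHA-256 fingerprint, e.g. `# CN=tls.pydis.wtf; Not After: <YYYY-MM-DD>; SHA-256: <fingerprint>` taken from `openssl x509 -noout -subject -dates -fingerprint -sha256`. The validity field in the DER appears to encode an end date in May 2029, which is worth stating explicitly so rotation can be scheduled before every service that trusts this path starts rejecting peers. Since this is the role's `defaults/`, a one-line comment noting that non-production inventories should override both variables in group_vars would also help, as the README describes this value as the production CA.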
@@ -0,0 +1,17 @@
+- name: Ensure directory to store mTLS CA in is created
+ file:
+ path: '{{ pydis_mtls_location | dirname }}'
+ state: directory
+ mode: '0755'
+ tags:
+ - role::pydis-mtls
+
+- name: Copy mTLS Certificate Authority to host
+ copy:
+ content: '{{ pydis_mtls_certificate }}'
+ dest: '{{ pydis_mtls_location }}'
+ owner: root
+ group: root
+ mode: '0744'
+ tags:
+ - role::pydis-mtls
-- cgit v1.2.3
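Review bot: `mode: '0744'` on the copy task gives the CA file an owner-execute bit that a PEM has no use for; a CA certificate is public material and `mode: '0644'` is the conventional mode, keeping it readable by services running as unprivileged users without marking it as executable. The directory task sets `mode: '0755'` but no owner or group, while the copy task pins `root:root`; adding `owner: root` and `group: root` to the `file` task makes ownership of the parent of the trust anchor explicit instead of depending on which user the play runs as. This file also omits the leading `---` that `defaults/main.yml` uses; adding it keeps the role's YAML consistent.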