Update to 2021-05-19 15:00

roles/ampache/defaults/main.yml

@@ -3,10 +3,10 @@
 ampache_id: "1"
 ampache_manage_upgrade: True
 
-ampache_version: '4.4.1'
+ampache_version: '4.4.2'
 ampache_config_version: 49
 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
-ampache_zip_sha1: fa0ef4ba8fb0e37d3a90ce88d3306fe34e81cfcd
+ampache_zip_sha1: 1e861091f032c44dc402c97180edd88c2246e0aa
 
 ampache_root_dir: /opt/ampache_{{ ampache_id }}
 

roles/letsencrypt/templates/domains.txt.j2

@@ -39,3 +39,10 @@
 {% if turn_letsencrypt_cert is defined and turn_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
 {{ turn_letsencrypt_cert }}
 {% endif %}
+{% if rabbitmq_letsencrypt_cert is defined %}
+{% if rabbitmq_letsencrypt_cert is string and rabbitmq_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ rabbitmq_letsencrypt_cert }}
+{% elif rabbitmq_letsencrypt_cert == True and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ inventory_hostname }}
+{% endif %}
+{% endif %}

roles/mkdir/tasks/main.yml

@@ -33,7 +33,7 @@
   file: path=/etc/dehydrated/{{ item }}.d state=directory
   loop:
     - hooks_deploy_cert
-  tags: backup,mkdir
+  tags: ssl,web,mkdir
 
 - name: Create bash_completion dir
   file: path=/etc/bash_completion.d state=directory

roles/rabbitmq_server/defaults/main.yml

@@ -2,9 +2,23 @@
 
 # Plain TCP port
 rabbitmq_port: 5672
+rabbitmq_ssl_port: 5671
 
 # Access to the plain port
 rabbitmq_src_ip: []
+# Access to the ssl port
+rabbitmq_ssl_src_ip: []
+
+# Can be either true, in which case a cert will be automatically obtained using letsencrypt
+# or can be a name, in which case you have to configure letsencrypt to obtain the cert yourself
+# rabbitmq_letsencrypt_cert: True
+# or
+# rabbitmq_letsencrypt_cert: rabbit.example.org
+# You have to deploy the letsencrypt role on the host for this to work
+
+# Or you can specify cert and key path. They must be readable by rabbitmq
+#rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
+#rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
 
 # HTTP API / Web management interface
 rabbitmq_web_port: 15672

roles/rabbitmq_server/meta/main.yml

@@ -1,6 +1,7 @@
 ---
 
 dependencies:
+  - role: mkdir
   - role: repo_rabbitmq
     when:
       - ansible_os_family == 'RedHat'

roles/rabbitmq_server/tasks/conf.yml

@@ -6,6 +6,15 @@
   notify: restart rabbitmq-server
   tags: rabbit
 
+  # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+  # turnserver must be started before that
+- import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    - cert_path: /etc/rabbitmq/ssl/cert.pem
+    - cert_key_path: /etc/rabbitmq/ssl/key.pem
+    - cert_user: rabbitmq
+  tags: rabbitmq
+
 - name: Deploy configuration
   template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }}
   notify: restart rabbitmq-server

roles/rabbitmq_server/tasks/facts.yml

@@ -3,3 +3,9 @@
   # On EL8 and newer, rabbitmq config uses the new format
 - set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }}
   tags: rabbitmq
+
+- when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
+  block:
+    - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
+    - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
+  tags: rabbitmq

roles/rabbitmq_server/tasks/install.yml

@@ -12,3 +12,11 @@
     - pre
     - post
   tags: rabbitmq
+
+- name: Create directories
+  file: path=/etc/rabbitmq/ssl state=directory owner=rabbitmq group=rabbitmq mode=700
+  tags: rabbitmq
+
+- name: Install dehydrated hook
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/rabbitmq.sh mode=755
+  tags: rabbitmq

roles/rabbitmq_server/tasks/iptables.yml

@@ -9,6 +9,9 @@
     - name: rabbitmq_port
       port: "{{ rabbitmq_port }}"
       src_ip: "{{ rabbitmq_src_ip }}"
+    - name: rabbitmq_ssl_port
+      port: "{{ rabbitmq_ssl_port }}"
+      src_ip: "{{ rabbitmq_ssl_src_ip }}"
     - name: rabbitmq_web_port
       port: "{{ rabbitmq_web_port }}"
       src_ip: "{{ rabbitmq_web_src_ip }}"

roles/rabbitmq_server/templates/dehydrated_hook.sh.j2

@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+{% if rabbitmq_letsencrypt_cert is defined %}
+
+{% if rabbitmq_letsencrypt_cert == True %}
+{% set cert = inventory_hostname %}
+{% elif rabbitmq_letsencrypt_cert is string %}
+{% set cert = rabbitmq_letsencrypt_cert %}
+{% endif %}
+
+if [ $1 == "{{ cert }}" ]; then
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/rabbitmq/ssl/cert.pem
+  cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
+  chown :rabbitmq /etc/rabbitmq/ssl/key.pem
+  chmod 644 /etc/rabbitmq/ssl/cert.pem
+  chmod 640 /etc/rabbitmq/ssl/key.pem
+  systemctl restart rabbitmq-server
+fi
+{% endif %}
+

roles/rabbitmq_server/templates/rabbitmq.conf.j2

@@ -1,4 +1,7 @@
 listeners.tcp.default = {{ rabbitmq_port }}
+listeners.ssl.default = {{ rabbitmq_ssl_port }}
+ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
+ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
 loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
 management.tcp.port = {{ rabbitmq_web_port }}
 management.tcp.ip = 0.0.0.0

roles/radius_server/files/rad_check_client_cert

@@ -39,7 +39,7 @@ if ($crl){
     }
 
     if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
-      my $code = getstore($crl,$crl_file);
+      my $code = getstore($crl, '/run/radiusd/tls/crl.pem');
       if ($code == 200){
         $crl_age  = 0;
         $crl_file = '/run/radiusd/tls/crl.pem';

roles/squid/files/acl/software_various.domains

@@ -47,10 +47,10 @@ s3.eu-central-1.amazonaws.com
 forge.glpi-project.org
 
 # Chrome on Linux
-dl.google.com/linux/chrome
+dl.google.com
 
 # Hosts several things, including the Zabbix datasource for Grafana
-storage.googleapis.com
+.storage.googleapis.com
 
 # Grafana repo
 grafanarel.s3.amazonaws.com