From 72a6d628e0b9589cd8a8794d28d4b5621628ceb3 Mon Sep 17 00:00:00 2001
From: Daniel Berteaud
Date: Wed, 19 May 2021 15:00:07 +0200
Subject: [PATCH] Update to 2021-05-19 15:00
---
 roles/ampache/defaults/main.yml | 4 ++--
 roles/letsencrypt/templates/domains.txt.j2 | 7 +++++++
 roles/mkdir/tasks/main.yml | 2 +-
 roles/rabbitmq_server/defaults/main.yml | 14 ++++++++++++++
 roles/rabbitmq_server/meta/main.yml | 1 +
 roles/rabbitmq_server/tasks/conf.yml | 9 +++++++++
 roles/rabbitmq_server/tasks/facts.yml | 6 ++++++
 roles/rabbitmq_server/tasks/install.yml | 8 ++++++++
 roles/rabbitmq_server/tasks/iptables.yml | 3 +++
 .../rabbitmq_server/templates/dehydrated_hook.sh.j2 | 20 ++++++++++++++++++++
 roles/rabbitmq_server/templates/rabbitmq.conf.j2 | 3 +++
 roles/radius_server/files/rad_check_client_cert | 2 +-
 roles/squid/files/acl/software_various.domains | 4 ++--
 13 files changed, 77 insertions(+), 6 deletions(-)
 create mode 100644 roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
diff --git a/roles/ampache/defaults/main.yml b/roles/ampache/defaults/main.yml
index 1e598ac..64aef39 100644
--- a/roles/ampache/defaults/main.yml
+++ b/roles/ampache/defaults/main.yml
@@ -3,10 +3,10 @@ ampache_id: "1"
 ampache_manage_upgrade: True
-ampache_version: '4.4.1'
+ampache_version: '4.4.2'
 ampache_config_version: 49
 ampache_zip_url: https://github.com/ampache/ampache/releases/download/{{ ampache_version }}/ampache-{{ ampache_version }}_all.zip
-ampache_zip_sha1: fa0ef4ba8fb0e37d3a90ce88d3306fe34e81cfcd
+ampache_zip_sha1: 1e861091f032c44dc402c97180edd88c2246e0aa
 ampache_root_dir: /opt/ampache_{{ ampache_id }}
diff --git a/roles/letsencrypt/templates/domains.txt.j2 b/roles/letsencrypt/templates/domains.txt.j2
index 56fa04d..80c94d6 100644
--- a/roles/letsencrypt/templates/domains.txt.j2
+++ b/roles/letsencrypt/templates/domains.txt.j2
@@ -39,3 +39,10 @@
 {% if turn_letsencrypt_cert is defined and turn_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
 {{ turn_letsencrypt_cert }}
 {% endif %}
+{% if rabbitmq_letsencrypt_cert is defined %}
+{% if rabbitmq_letsencrypt_cert is string and rabbitmq_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ rabbitmq_letsencrypt_cert }}
+{% elif rabbitmq_letsencrypt_cert == True and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ inventory_hostname }}
+{% endif %}
+{% endif %}
diff --git a/roles/mkdir/tasks/main.yml b/roles/mkdir/tasks/main.yml
index 8dfcd35..0583f44 100644
--- a/roles/mkdir/tasks/main.yml
+++ b/roles/mkdir/tasks/main.yml
@@ -33,7 +33,7 @@
 file: path=/etc/dehydrated/{{ item }}.d state=directory
 loop:
 - hooks_deploy_cert
- tags: backup,mkdir
+ tags: ssl,web,mkdir
 - name: Create bash_completion dir
 file: path=/etc/bash_completion.d state=directory
diff --git a/roles/rabbitmq_server/defaults/main.yml b/roles/rabbitmq_server/defaults/main.yml
index 7375d73..2e3a83f 100644
--- a/roles/rabbitmq_server/defaults/main.yml
+++ b/roles/rabbitmq_server/defaults/main.yml
@@ -2,9 +2,23 @@
 # Plain TCP port
 rabbitmq_port: 5672
+rabbitmq_ssl_port: 5671
 # Access to the plain port
 rabbitmq_src_ip: []
+# Access to the ssl port
+rabbitmq_ssl_src_ip: []
+
+# Can be either true, in which case a cert will be automatically obtained using letsencrypt
+# or can be a name, in which case you have to configure letsencrypt to obtain the cert yourself
+# rabbitmq_letsencrypt_cert: True
+# or
+# rabbitmq_letsencrypt_cert: rabbit.example.org
+# You have to deploy the letsencrypt role on the host for this to work
+
+# Or you can specify cert and key path. They must be readable by rabbitmq
+#rabbitmq_ssl_cert_path: /etc/rabbitmq/ssl/cert.pem
+#rabbitmq_ssl_key_path: /etc/rabbitmq/ssl/key.pem
 # HTTP API / Web management interface
 rabbitmq_web_port: 15672
diff --git a/roles/rabbitmq_server/meta/main.yml b/roles/rabbitmq_server/meta/main.yml
index debfb84..14c71d2 100644
--- a/roles/rabbitmq_server/meta/main.yml
+++ b/roles/rabbitmq_server/meta/main.yml
@@ -1,6 +1,7 @@
 ---
 dependencies:
+ - role: mkdir
 - role: repo_rabbitmq
 when:
 - ansible_os_family == 'RedHat'
diff --git a/roles/rabbitmq_server/tasks/conf.yml b/roles/rabbitmq_server/tasks/conf.yml
index 43e581b..7f39e21 100644
--- a/roles/rabbitmq_server/tasks/conf.yml
+++ b/roles/rabbitmq_server/tasks/conf.yml
@@ -6,6 +6,15 @@
 notify: restart rabbitmq-server
 tags: rabbit
+ # Create a self signed cert. This is needed even if a cert is later obtained with dehydrated as
+ # turnserver must be started before that
+- import_tasks: ../includes/create_selfsigned_cert.yml
+ vars:
+ - cert_path: /etc/rabbitmq/ssl/cert.pem
+ - cert_key_path: /etc/rabbitmq/ssl/key.pem
+ - cert_user: rabbitmq
+ tags: rabbitmq
+
 - name: Deploy configuration
 template: src={{ rabbitmq_conf }}.j2 dest=/etc/rabbitmq/{{ rabbitmq_conf }}
 notify: restart rabbitmq-server
diff --git a/roles/rabbitmq_server/tasks/facts.yml b/roles/rabbitmq_server/tasks/facts.yml
index 446619a..374d847 100644
--- a/roles/rabbitmq_server/tasks/facts.yml
+++ b/roles/rabbitmq_server/tasks/facts.yml
@@ -3,3 +3,9 @@
 # On EL8 and newer, rabbitmq config uses the new format
 - set_fact: rabbitmq_conf={{ ansible_distribution_major_version is version('8','>=') | ternary('rabbitmq.conf','rabbitmq.config') }}
 tags: rabbitmq
+
+- when: rabbitmq_letsencrypt_cert is defined or rabbitmq_ssl_cert_path is not defined or rabbitmq_ssl_key_path is not defined
+ block:
+ - set_fact: rabbitmq_ssl_cert_path='/etc/rabbitmq/ssl/cert.pem'
+ - set_fact: rabbitmq_ssl_key_path='/etc/rabbitmq/ssl/key.pem'
+ tags: rabbitmq
diff --git a/roles/rabbitmq_server/tasks/install.yml b/roles/rabbitmq_server/tasks/install.yml
index 2b5d997..3255568 100644
--- a/roles/rabbitmq_server/tasks/install.yml
+++ b/roles/rabbitmq_server/tasks/install.yml
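Review bot: The comment above the new `import_tasks` in conf.yml says `turnserver must be started before that`, which looks copied from the turn role; the service in this file is rabbitmq-server, so it should read `# rabbitmq-server must be started before that`. The self-signed pair is also generated unconditionally, while facts.yml leaves operator-supplied `rabbitmq_ssl_cert_path`/`rabbitmq_ssl_key_path` untouched when `rabbitmq_letsencrypt_cert` is unset, so in that configuration an unused key is created under /etc/rabbitmq/ssl; a `when: rabbitmq_ssl_cert_path == '/etc/rabbitmq/ssl/cert.pem'` on the import would skip it, assuming create_selfsigned_cert.yml has no other side effects (not visible here). The preceding task's existing `tags: rabbit` differs from the `tags: rabbitmq` used by the new task and the rest of the role; that line is pre-existing, but aligning it while touching this file may be worth it.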
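Review bot: The `when` on the new block in facts.yml makes the first operand alone decisive, so an operator who sets `rabbitmq_letsencrypt_cert` together with custom `rabbitmq_ssl_cert_path`/`rabbitmq_ssl_key_path` has the custom paths silently replaced. If that precedence is intended (the dehydrated hook always copies into /etc/rabbitmq/ssl), a comment above the block should state it, e.g. `# Letsencrypt-managed certs are always copied to /etc/rabbitmq/ssl by the dehydrated hook, so any user-supplied path is overridden in that case`; otherwise drop the first operand and let the letsencrypt case fall through to the "not defined" defaults.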
@@ -12,3 +12,11 @@
 - pre
 - post
 tags: rabbitmq
+
+- name: Create directories
+ file: path=/etc/rabbitmq/ssl state=directory owner=rabbitmq group=rabbitmq mode=700
+ tags: rabbitmq
+
+- name: Install dehydrated hook
+ template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/rabbitmq.sh mode=755
+ tags: rabbitmq
diff --git a/roles/rabbitmq_server/tasks/iptables.yml b/roles/rabbitmq_server/tasks/iptables.yml
index 2096aed..5530b76 100644
--- a/roles/rabbitmq_server/tasks/iptables.yml
+++ b/roles/rabbitmq_server/tasks/iptables.yml
@@ -9,6 +9,9 @@
 - name: rabbitmq_port
 port: "{{ rabbitmq_port }}"
 src_ip: "{{ rabbitmq_src_ip }}"
+ - name: rabbitmq_ssl_port
+ port: "{{ rabbitmq_ssl_port }}"
+ src_ip: "{{ rabbitmq_ssl_src_ip }}"
 - name: rabbitmq_web_port
 port: "{{ rabbitmq_web_port }}"
 src_ip: "{{ rabbitmq_web_src_ip }}"
diff --git a/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2 b/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
new file mode 100644
index 0000000..3331758
--- /dev/null
+++ b/roles/rabbitmq_server/templates/dehydrated_hook.sh.j2
@@ -0,0 +1,20 @@
+#!/bin/bash -e
+
+{% if rabbitmq_letsencrypt_cert is defined %}
+
+{% if rabbitmq_letsencrypt_cert == True %}
+{% set cert = inventory_hostname %}
+{% elif rabbitmq_letsencrypt_cert is string %}
+{% set cert = rabbitmq_letsencrypt_cert %}
+{% endif %}
+
+if [ $1 == "{{ cert }}" ]; then
+ cp /var/lib/dehydrated/certificates/certs/{{ cert }}/fullchain.pem /etc/rabbitmq/ssl/cert.pem
+ cp /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem
+ chown :rabbitmq /etc/rabbitmq/ssl/key.pem
+ chmod 644 /etc/rabbitmq/ssl/cert.pem
+ chmod 640 /etc/rabbitmq/ssl/key.pem
+ systemctl restart rabbitmq-server
+fi
+{% endif %}
+
diff --git a/roles/rabbitmq_server/templates/rabbitmq.conf.j2 b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
index afa88be..90b5e98 100644
--- a/roles/rabbitmq_server/templates/rabbitmq.conf.j2
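Review bot: `$1` is unquoted in `if [ $1 == "{{ cert }}" ]; then` in dehydrated_hook.sh.j2, so a call with no argument becomes `[ == "..." ]` and prints a "unary operator expected" error instead of simply not matching, and `==` inside `[` is a bashism; use `if [ "$1" = "{{ cert }}" ]; then`. The private key's final mode depends on whether /etc/rabbitmq/ssl/key.pem already exists: `cp` onto a fresh path creates it with the umask-derived mode and only the later `chmod 640` tightens it, whereas `install -o root -g rabbitmq -m 640 /var/lib/dehydrated/certificates/certs/{{ cert }}/privkey.pem /etc/rabbitmq/ssl/key.pem` sets owner, group and mode at creation and replaces the `cp`/`chown`/`chmod` trio for the key (the 700 directory from install.yml limits exposure meanwhile, but the outcome should not depend on the self-signed step having run first). If `rabbitmq_letsencrypt_cert` is defined but is neither `True` nor a string, `cert` is never set and the comparison renders against an empty name; wrapping the `if` body in the same branches (or an `{% else %}` that emits nothing) keeps the hook inert in that case.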
+++ b/roles/rabbitmq_server/templates/rabbitmq.conf.j2
@@ -1,4 +1,7 @@
 listeners.tcp.default = {{ rabbitmq_port }}
+listeners.ssl.default = {{ rabbitmq_ssl_port }}
+ssl_options.certfile = {{ rabbitmq_ssl_cert_path }}
+ssl_options.keyfile = {{ rabbitmq_ssl_key_path }}
 loopback_users.guest = {{ rabbitmq_guest_from_anywhere | ternary('false','true') }}
 management.tcp.port = {{ rabbitmq_web_port }}
 management.tcp.ip = 0.0.0.0
diff --git a/roles/radius_server/files/rad_check_client_cert b/roles/radius_server/files/rad_check_client_cert
index 9cef3fb..097b52e 100644
--- a/roles/radius_server/files/rad_check_client_cert
+++ b/roles/radius_server/files/rad_check_client_cert
@@ -39,7 +39,7 @@ if ($crl){
 }
 if (!-e '/run/radiusd/tls/crl.pem' or $crl_age > 900){
- my $code = getstore($crl,$crl_file);
+ my $code = getstore($crl, '/run/radiusd/tls/crl.pem');
 if ($code == 200){
 $crl_age = 0;
 $crl_file = '/run/radiusd/tls/crl.pem';
diff --git a/roles/squid/files/acl/software_various.domains b/roles/squid/files/acl/software_various.domains
index 888fe31..7a80907 100644
--- a/roles/squid/files/acl/software_various.domains
+++ b/roles/squid/files/acl/software_various.domains
@@ -47,10 +47,10 @@ s3.eu-central-1.amazonaws.com
 forge.glpi-project.org
 # Chrome on Linux
-dl.google.com/linux/chrome
+dl.google.com
 # Hosts several things, including the Zabbix datasource for Grafana
-storage.googleapis.com
+.storage.googleapis.com
 # Grafana repo
 grafanarel.s3.amazonaws.com
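Review bot: The new `ssl_options.*` lines in rabbitmq.conf.j2 set only certfile and keyfile, so peer verification falls back to RabbitMQ's defaults (`ssl_options.verify = verify_none`, `ssl_options.fail_if_no_peer_cert = false`): the listener authenticates the server to clients and accepts any client, which is the usual intent for a Let's Encrypt certificate but should be stated, e.g. `# Server-side TLS only: clients are not asked for a certificate (RabbitMQ defaults)`. The plain `listeners.tcp.default` listener stays enabled next to the TLS one, so the `rabbitmq_src_ip` rules in iptables.yml are what keeps plaintext AMQP restricted; a one-line comment pointing that out would help the next reader. Whether `{{ rabbitmq_ssl_cert_path }}` is always defined depends on the facts.yml defaults, which this template cannot show.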
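Review bot: `getstore` now writes straight to the final `/run/radiusd/tls/crl.pem` in rad_check_client_cert, so a transfer that is cut off mid-body leaves a truncated CRL at the path the rest of this block treats as valid, and the `-e` test on the line above is then true on the next run. Download to a sibling temporary file and move it into place only on success, e.g. `my $code = getstore($crl, '/run/radiusd/tls/crl.pem.tmp');` followed by `rename '/run/radiusd/tls/crl.pem.tmp', '/run/radiusd/tls/crl.pem' or die "rename: $!";` inside the `if ($code == 200){` branch, so readers only ever see a complete file. The literal path now appears on three lines of this hunk; a single `my $crl_path = '/run/radiusd/tls/crl.pem';` declared before the `if` would keep them in sync. The enclosing `if` block starts and ends outside the hunk.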
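Review bot: Changing `storage.googleapis.com` to `.storage.googleapis.com` in software_various.domains turns an exact host into a suffix match, so every `<bucket>.storage.googleapis.com` host is now allowed, and since anyone can publish a public GCS bucket this widens the allowlist far beyond the Zabbix datasource the comment mentions. If specific buckets are needed, listing those bucket hostnames individually keeps the ACL tight; a comment naming why the wildcard is acceptable would be the minimum. The `dl.google.com` change is harmless by comparison, since the old path-qualified entry could never have matched if this file feeds a squid `dstdomain` ACL (not visible here).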