add ibp and dotters keys

rotkonetworks · Oct 25, 2023 · ddebf14 · ddebf14
1 parent 38df153
commit ddebf14
Show file tree

Hide file tree

Showing 9 changed files with 204 additions and 0 deletions.
diff --git a/host_vars/dot23.yaml b/host_vars/dot23.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "polkadot.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: "polkadot"
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/host_vars/dot24.yaml b/host_vars/dot24.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "polkadot.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: "polkadot"
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/host_vars/ksm23.yaml b/host_vars/ksm23.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "kusama.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: kusama
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/host_vars/ksm24.yaml b/host_vars/ksm24.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "kusama.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: kusama
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/host_vars/wnd23.yaml b/host_vars/wnd23.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "westend.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: "westend"
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/host_vars/wnd24.yaml b/host_vars/wnd24.yaml
@@ -13,6 +13,8 @@ default_public_dns: "{{ host_name }}"
 default_public_dns_lb: "westend.rotko.net"
 default_public_dns_ibp: "rpc.ibp.network"
 default_public_dns_dotters: "rpc.dotters.network"
+default_ibp_repository: "[email protected]:GATOTECH-LTD/ibp-ssl"
+default_dotters_repository: "[email protected]:senseless/dotters-ssl"
 default_network: "westend"
 default_node_type: "endpoint"
 default_pruning: "archive"

diff --git a/roles/setup_install_nginx/tasks/dotters.yaml b/roles/setup_install_nginx/tasks/dotters.yaml
@@ -0,0 +1,96 @@
+---
+# Install SSH key from value
+- name: Install SSH key
+  ansible.builtin.copy:
+    content: "{{ default_dotters_private_key }}"
+    dest: '/root/.ssh/dotters_key'
+    mode: '0600'
+
+- name: Add SSH key to agent
+  ansible.builtin.shell: |
+    eval $(ssh-agent -s)
+    ssh-add /root/.ssh/dotters_key
+  environment:
+    SSH_AUTH_SOCK: /tmp/ssh-agent.sock
+
+- name: Add SSH key to agent
+  ansible.builtin.shell: |
+    eval $(ssh-agent -s)
+    echo "{{ default_dotters_private_key_pw }}" | sshpass ssh-add /root/.ssh/dotters_key
+  environment:
+    SSH_AUTH_SOCK: /tmp/ssh-agent.sock
+  no_log: true  # Do not log sensitive information
+
+- name: Install/Update dotters.network SSL
+  become: True
+  block:
+    - name: Git update
+      ansible.builtin.git:
+        repo: '[email protected]:GATOTECH-LTD/dotters-ssl.git'
+        dest: '/opt/github/dotters-ssl'
+        key_file: '/root/.ssh/dotters_key'
+        update: yes
+
+    - name: "Check new expiration date"
+      ansible.builtin.shell: "openssl x509 -enddate -noout -in /opt/github/dotters-ssl/cert/cert.pem | cut -f2 -d'='"
+      register: expiration_date_new_dotters
+
+# Ensure destination directories exist
+- name: Ensure directories exist for archive and live certificates
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "/etc/letsencrypt/archive/dotters.network"
+    - "/etc/letsencrypt/live/dotters.network"
+
+# Copy the certificates to the archive folder
+- name: Copy SSL certificates to archive directory
+  ansible.builtin.copy:
+    src: "/opt/github/dotters-ssl/cert/{{ item }}"
+    dest: "/etc/letsencrypt/archive/dotters.network/{{ item }}"
+    mode: '0644'
+  loop:
+    - cert.pem
+    - chain.pem
+    - fullchain.pem
+    - privkey.pem
+
+# Create symlinks in the live directory
+- name: Create symlinks in live directory
+  ansible.builtin.file:
+    src: "/etc/letsencrypt/archive/dotters.network/{{ item }}"
+    dest: "/etc/letsencrypt/live/dotters.network/{{ item }}"
+    state: link
+  loop:
+    - cert.pem
+    - chain.pem
+    - fullchain.pem
+    - privkey.pem
+
+# Setup NGINX configuration directories
+- name: Ensure NGINX configuration directories exist
+  ansible.builtin.file:
+    path: "/etc/nginx/{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - sites-available
+    - sites-enabled
+
+# Configure NGINX for HTTPS
+- name: Apply HTTPS configuration to NGINX
+  ansible.builtin.template:
+    src: https-{{ default_node_type }}-dotters.j2
+    dest: "/etc/nginx/sites-available/{{ default_public_dns_dotters }}"
+    mode: '0755'
+
+# Enable the HTTPS configuration in NGINX
+- name: Enable HTTPS configuration for NGINX
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ default_public_dns_dotters }}"
+    dest: "/etc/nginx/sites-enabled/{{ default_public_dns_dotters }}"
+    state: link
+  notify: Reload nginx
+...
diff --git a/roles/setup_install_nginx/tasks/ibp.yaml b/roles/setup_install_nginx/tasks/ibp.yaml
@@ -0,0 +1,88 @@
+---
+# Install SSH key from value
+- name: Install SSH key
+  ansible.builtin.copy:
+    content: "{{ default_ibp_private_key }}"
+    dest: '/root/.ssh/ibp_key'
+    mode: '0600'
+
+- name: Add SSH key to agent
+  ansible.builtin.shell: |
+    eval $(ssh-agent -s)
+    ssh-add /root/.ssh/ibp_key
+  environment:
+    SSH_AUTH_SOCK: /tmp/ssh-agent.sock
+
+- name: Install/Update ibp.network SSL
+  become: True
+  block:
+    - name: Git update
+      ansible.builtin.git:
+        repo: '[email protected]:GATOTECH-LTD/ibp-ssl.git'
+        dest: '/opt/github/ibp-ssl'
+        key_file: '/root/.ssh/ibp_key'
+        update: yes
+
+    - name: "Check new expiration date"
+      ansible.builtin.shell: "openssl x509 -enddate -noout -in /opt/github/ibp-ssl/cert/cert.pem | cut -f2 -d'='"
+      register: expiration_date_new_ibp
+
+# Ensure destination directories exist
+- name: Ensure directories exist for archive and live certificates
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - "/etc/letsencrypt/archive/ibp.network"
+    - "/etc/letsencrypt/live/ibp.network"
+
+# Copy the certificates to the archive folder
+- name: Copy SSL certificates to archive directory
+  ansible.builtin.copy:
+    src: "/opt/github/ibp-ssl/cert/{{ item }}"
+    dest: "/etc/letsencrypt/archive/ibp.network/{{ item }}"
+    mode: '0644'
+  loop:
+    - cert.pem
+    - chain.pem
+    - fullchain.pem
+    - privkey.pem
+
+# Create symlinks in the live directory
+- name: Create symlinks in live directory
+  ansible.builtin.file:
+    src: "/etc/letsencrypt/archive/ibp.network/{{ item }}"
+    dest: "/etc/letsencrypt/live/ibp.network/{{ item }}"
+    state: link
+  loop:
+    - cert.pem
+    - chain.pem
+    - fullchain.pem
+    - privkey.pem
+
+# Setup NGINX configuration directories
+- name: Ensure NGINX configuration directories exist
+  ansible.builtin.file:
+    path: "/etc/nginx/{{ item }}"
+    state: directory
+    mode: '0755'
+  loop:
+    - sites-available
+    - sites-enabled
+
+# Configure NGINX for HTTPS
+- name: Apply HTTPS configuration to NGINX
+  ansible.builtin.template:
+    src: https-{{ default_node_type }}-ibp.j2
+    dest: "/etc/nginx/sites-available/{{ default_public_dns_ibp }}"
+    mode: '0755'
+
+# Enable the HTTPS configuration in NGINX
+- name: Enable HTTPS configuration for NGINX
+  ansible.builtin.file:
+    src: "/etc/nginx/sites-available/{{ default_public_dns_ibp }}"
+    dest: "/etc/nginx/sites-enabled/{{ default_public_dns_ibp }}"
+    state: link
+  notify: Reload nginx
+...
diff --git a/roles/setup_install_nginx/tasks/main.yaml b/roles/setup_install_nginx/tasks/main.yaml
@@ -102,4 +102,12 @@
 - name: Include loadbalancer tasks for endpoints
   ansible.builtin.import_tasks: loadbalancer.yaml
   when: default_node_type == 'endpoint'
+
+- name: Include ibp tasks for endpoints
+  ansible.builtin.import_tasks: ibp.yaml
+  when: default_node_type == 'endpoint'
+
+- name: Include dotters tasks for endpoints
+  ansible.builtin.import_tasks: dotters.yaml
+  when: default_node_type == 'endpoint'
 ...