!4
WIP: add acmebot role
Closed
WIP: add acmebot role
acmebot
into
master
Closed
Lars Beckers
requested to merge
acmebot
into
master
5 years ago
Implements configuration of the acmebot package we built. Some TODOs and testing left.
Compare
master
version 1
028d574a
5 years ago
master (base)
and
latest version
latest version
86f26e73
34 commits,
5 years ago
version 1
028d574a
1 commit,
5 years ago
66 files
+
1176
−
178
acmebot/defaults/main.yml
0 → 100644
+
223
−
0
---
acmebot_account_mail
:
"
{{
adminaddr
}}"
acmebot_after_nginx_proxy
:
true
acmebot_settings
:
{}
acmebot_default_settings
:
log_level
:
"
detail"
color_output
:
true
acme_directory_url
:
"
https://acme-v02.api.letsencrypt.org/directory"
public_suffix_list_url
:
"
https://publicsuffix.org/list/public_suffix_list.dat"
ocsp_responder_urls
:
-
"
http://ocsp.int-x3.letsencrypt.org"
reload_zone_command
:
null
nsupdate_command
:
null
hpkp_report_uri
:
null
ct_submit_logs
:
-
"
google_icarus"
-
"
google_pilot"
file_user
:
root
file_group
:
ssl-cert
# TODO default to both key types or single one? default to non-/custom params?
key_size
:
4096
# null to turn off RSA certificates
key_curve
:
"
secp384r1"
# null to turn off ECDSA certificates
key_cipher
:
null
key_passphrase
:
null
# null to turn off private key encryption
dhparam_size
:
2048
# null to turn off custom dhparams
ecparam_curve
:
"
secp384r1"
# null to turn off custom EC params
follower_mode
:
false
ocsp_must_staple
:
false
# application support isn't good enough
auto_rollover
:
true
# must be false on followers
pin_subdomains
:
false
verify
:
null
# e.g. [443]
services
:
null
# e.g. [nginx-proxy]
hpkp_days
:
60
renewal_days
:
30
expiration_days
:
730
max_dns_lookup_attempts
:
60
dns_lookup_delay
:
10
max_domains_per_order
:
100
max_authorization_attempts
:
30
authorization_delay
:
10
cert_poll_time
:
30
max_ocsp_verify_attempts
:
10
ocsp_verify_retry_delay
:
5
min_run_delay
:
300
max_run_delay
:
3600
# can be empty string, e.g. when using only one key type
acmebot_key_suffixes
:
{}
acmebot_default_key_suffixes
:
rsa
:
"
.rsa"
ecdsa
:
"
.ecdsa"
# format strings with: name (of privkey or cert), key_type, suffix, server
# http_challenge uses: zone, host (without zone, "." if fqdn == zone), fqdn
# if http_challenge is set, defaults to http-01
# set to null for specified certs to use dns-01 for those
acmebot_directories
:
{}
acmebot_default_directories
:
pid
:
"
/run"
log
:
"
/var/log/acmebot"
resource
:
"
/var/lib/acmebot"
temp
:
null
# TODO layout equivalent to acmetool
private_key
:
/etc/ssl/acmebot/privkey
backup_key
:
/etc/ssl/acmebot/backup_privkey
previous_key
:
null
full_key
:
/etc/ssl/acmebot/full_privkey
# maybe null to turn off
certificate
:
/etc/ssl/acmebot/cert
full_certificate
:
/etc/ssl/acmebot/full_cert
# maybe null
chain
:
/etc/ssl/acmebot/chain
# maybe null
param
:
/etc/ssl/acmebot/params
# maybe null
challenge
:
/etc/ssl/acmebot/challenges
# for dns-01 only
http_challenge
:
/var/www/acme-challenge
# maybe null
hpkp
:
/etc/ssl/acmebot/hpkp
# maybe null
ocsp
:
/etc/ssl/acmebot/ocsp
# maybe null
sct
:
"
/etc/ssl/acmebot/scts/{name}/{key_type}"
# maybe null
update_key
:
/etc/ssl/acmebot/update_keys
archive
:
/etc/ssl/acmebot/archive
# format strings with: name (of privkey or cert), key_type, suffix, server
acmebot_file_names
:
{}
acmebot_default_file_names
:
log
:
"
acmebot.log"
# TODO layout equivalent to acmetool
private_key
:
"
{name}{suffix}.key"
backup_key
:
"
{name}_backup{suffix}.key"
previous_key
:
"
{name}_previous{suffix}.key"
full_key
:
"
{name}_full{suffix}.key"
certificate
:
"
{name}{suffix}.pem"
full_certificate
:
"
{name}+root{suffix}.pem"
chain
:
"
{name}_chain{suffix}.pem"
param
:
"
{name}_param.pem"
challenge
:
"
{name}"
hpkp
:
"
{name}.{server}"
ocsp
:
"
{name}{suffix}.ocsp"
sct
:
"
{ct_log_name}.sct"
# override with null
acmebot_hpkp_headers
:
{}
acmebot_default_hpkp_headers
:
apache
:
"
Header
always
set
Public-Key-Pins
\"
{header}
\"\n
"
nginx
:
"
add_header
Public-Key-Pins
\"
{header}
\"
always;
\n
"
acmebot_services
:
{}
acmebot_default_services
:
dovecot
:
"
systemctl
restart
dovecot"
mysql
:
"
systemctl
reload
mysql"
nginx
:
"
systemctl
reload
nginx"
nginx-proxy
:
"
systemctl
reload
nginx-proxy"
postfix
:
"
systemctl
reload
postfix"
postgresql
:
"
systemctl
reload
postgresql"
prosody
:
"
systemctl
restart
prosody"
# authorizations to maintain without certficates (e.g. for master/follower)
acmebot_authorizations
:
{}
# <zone-name>:
# - <host-name>
# - <host-name>
# when global http_challenges directory set: use null to revert back to dns-01
# else: override dns-01 default with http-01 per domain
acmebot_http_challenges
:
{}
# <domain-name>: <challenge-directory>
# for doing DNSSEC manually, specify TSIG keys
acmebot_zone_update_keys
:
{}
# when using HPKP it may be beneficial to share private keys between certs
# this dict contains multiple certificate sections per private key,
# all key-specific config moved up
acmebot_private_keys
:
{}
acmebot_certificates
:
{}
# <certificate-name>:
# common_name: <common-name>
# alt_names:
# <zone-name>:
# - "@",
# - <host-name>
# services:
# - <service-name>
# tlsa_records:
# <zone-name>:
# - <host-name>
# - host: <host-name>
# port: <port-number>
# usage: pkix-ee
# selector: spki
# protocol: tcp
# ttl: 300
# dhparam_size: 2048
# ecparam_curve: secp384r1
# key_types:
# - rsa
# - ecdsa
# key_size: 4096
# key_curve: secp384r1
# key_cipher: blowfish
# key_passphrase:
# expiration_days: 730
# auto_rollover: false
# hpkp_days: 30
# pin_subdomains: true
# hpkp_report_uri:
# ocsp_must_staple: false
# ocsp_responder_urls:
# - "http://ocsp.int-x3.letsencrypt.org"
# ct_submit_logs:
# - google_icarus
# - google_pilot
# verify:
# - 443,
# - port: 25
# hosts:
# - <domain-name>
# - <domain-name>
# starttls: smtp
# key_types:
# - rsa
# - ecdsa
# all empty per default, see README for possible hook names
acmebot_hooks
:
{}
# see also: https://www.certificate-transparency.org/known-logs
acmebot_ct_logs
:
{}
acmebot_default_ct_logs
:
google_pilot
:
url
:
"
https://ct.googleapis.com/pilot"
id
:
"
pLkJkLQYWBSHuxOizGdwCjw1mAT5G9+443fNDsgN3BA="
google_icarus
:
url
:
"
https://ct.googleapis.com/icarus"
id
:
"
KTxRllTIOWW6qlD8WAfUt2+/WHopctykwwz05UVH9Hg="
google_rocketeer
:
url
:
"
https://ct.googleapis.com/rocketeer"
id
:
"
7ku9t3XOYLrhQmkfq+GeZqMPfl+wctiDAMR7iXqo/cs="
google_skydiver
:
url
:
"
https://ct.googleapis.com/skydiver"
id
:
"
u9nfvB+KcbWTlCOXqpJ7RzhXlQqrUugakJZkNo4e0YU="
google_argon2018
:
url
:
"
https://ct.googleapis.com/logs/argon2018"
id
:
"
pFASaQVaFVReYhGrN7wQP2KuVXakXksXFEU+GyIQaiU="
digicert
:
url
:
"
https://ct1.digicert-ct.com/log"
id
:
"
VhQGmi/XwuzT9eG9RLI+x0Z2ubyZEVzA75SYVdaJ0N0="
symantec_ct
:
url
:
"
https://ct.ws.symantec.com"
id
:
"
3esdK3oNT6Ygi4GtgWhwfi6OnQHVXIiNPRHEzbbsvsw="
symantec_vega
:
url
:
"
https://vega.ws.symantec.com"
id
:
"
vHjh38X2PGhGSTNNoQ+hXwl5aSAJwIG08/aRfz7ZuKU="
cloudflare_nimbus2018
:
url
:
"
https://ct.cloudflare.com/logs/nimbus2018"
id
:
"
23Sv7ssp7LH+yj5xbSzluaq7NveEcYPHXZ1PN7Yfv2Q="
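Review bot: `auto_rollover: true` in `acmebot_default_settings` carries the comment `# must be false on followers`, but nothing ties it to `follower_mode: false` a few lines above, so a host that flips `follower_mode` through `acmebot_settings` silently keeps the default and violates the documented constraint; unless the role's tasks (outside this section) already check it, add an `assert` task that fails when the merged settings have both `follower_mode` and `auto_rollover` true, or at least extend the comment to say the caller must override both together. HPKP output is on by default here (`hpkp: /etc/ssl/acmebot/hpkp` together with `hpkp_days: 60` and `acmebot_default_hpkp_headers`), which deserves a warning comment next to it since a mispinned key locks clients out for the pin lifetime and browser support for HPKP has since been withdrawn — consider defaulting that directory to `null` like the neighbouring `# maybe null` entries. The `acmebot_default_ct_logs` table and the `ocsp_responder_urls` default pin specific log IDs and one intermediate's responder; entries such as `google_argon2018` and `cloudflare_nimbus2018` appear to be year-sharded logs that only accept certificates expiring in that year, so a comment recording when this list was taken and where to refresh it would help the next maintainer. Also, `certficates` in the comment above `acmebot_authorizations` is a typo for `certificates`.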