TLS with letsencryt. Manage some config options.

2022-05-08 15:12:53 +02:00 · 2022-05-08 15:12:53 +02:00 · d53da5fda3
parent 4a335ef841
commit d53da5fda3
4 changed files with 130 additions and 1 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -3,3 +3,19 @@ influxdb_deb_repo: "deb https://repos.influxdata.com/ubuntu bionic stable"
 influxdb_repo_key: 'https://repos.influxdata.com/influxdb.key'
 influxdb_pkgs:
  - influxdb
+
+influxdb_config_file: /etc/influxdb/influxdb.conf
+influxdb_config:
+  - {section: http, option: 'enabled', value: 'true', state: present}
+  - {section: http, option: 'bind-address', value: ':8086', state: present}
+  - {section: http, option: 'log-enabled', value: 'true', state: present}
+
+influxdb_tls_letsencrypt_managed: true
+influxdb_tls_enabled: false
+influxdb_tls_cert_dir: /etc/pki/influxdb
+influxdb_tls_cert_path: '{{ letsencrypt_acme_sh_certificates_install_path }}/cert'
+influxdb_tls_key_path: '{{ influxdb_tls_cert_dir }}/influxdb.key'
+influxdb_tls_config:
+  - {section: http, option: 'https-enabled', value: '{{ influxdb_tls_enabled | lower }}', state: present}
+  - {section: http, option: 'https-certificate', value: '{{ influxdb_tls_cert_path }}', state: present}
+  - {section: http, option: 'https-private-key', value: '{{ influxdb_tls_key_path }}', state: present}
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -1,2 +1,6 @@
 ---
-# handlers file for ansible-role-template
+- name: restart influxb
+  service:
+    name: influxdb
+    state: restart
+    enabled: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -21,6 +21,77 @@
  when: ansible_distribution_file_variety == "Debian"
  tags: ['influxdb', 'influxdb_repository']

+- name: Manage the Influxd configuration
+  block:
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_config }}'
+      notify: reload influxdb
+
+  tags: ['influxdb', 'influxdb_config']
+
+- name: Letsencrypt tls management
+  block:
+    - name: Create the acme hooks directory if it does not yet exist
+      file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+
+    - name: Create the influxdb certificate directory
+      file:
+        dest: '{{ influxdb_tls_cert_dir }}'
+        state: directory
+        owner: root
+        group: influxdb
+        mode: 0750
+
+    - name: Copy the key file where influxdb expects it
+      copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ influxdb_tls_key_path }}'
+        owner: root
+        group: influxdb
+        mode: 0640
+        remote_src: true
+      notify: restart influxdb
+
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_tls_config }}'
+      notify: restart influxdb
+
+    - name: Install a script that fixes the letsencrypt certificate for influxdb and then restarts the service
+      template:
+        src: influxdb-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/influxdb'
+        owner: root
+        group: root
+        mode: 4555
+
+  when:
+    - influxdb_tls_enabled
+    - influxdb_tls_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: ['influxdb', 'letsencrypt', 'influxdb_letsencrypt']
+
 - name: Manage the Influxdata repository and packages
  block:
    - name: Ensure that influxdb is enabled and running
--- a/templates/influxdb-letsencrypt-hook.j2
+++ b/templates/influxdb-letsencrypt-hook.j2
@ -0,0 +1,38 @@
+#!/bin/bash
+
+LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOGFILE="$LE_LOG_DIR/influxdb.log"
+INFLUXDB_KEYFILE="{{ influxdb_tls_key_path }}"
+DATE=$( date )
+RETVAL=
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> "$LE_LOGFILE"
+
+logger "acme-influxdb-hook: Check if the certificate has been renewed"
+cmp ${LE_CERTS_DIR}/privkey  ${INFLUXDB_KEYFILE}
+RETVAL=$?
+if [ $RETVAL -eq 0 ] ; then
+    logger "acme-influxdb-hook: No new cerficate."
+    echo "acme-influxdb-hook: No new cerficate." >> $LE_LOGFILE
+    exit 0
+else
+    logger "acme-influxdb-hook: Copying the key file"
+    echo "Copy the key file" >> $LE_LOGFILE
+    /bin/cp -f ${LE_CERTS_DIR}/privkey  ${INFLUXDB_KEYFILE}
+fi
+
+chmod 440 ${INFLUXDB_KEYFILE}
+chown root ${INFLUXDB_KEYFILE}
+chgrp influxdb ${INFLUXDB_KEYFILE}
+
+logger "acme-influxdb-hook: Restart the influxdb service after a certificate renewal"
+systemctl restart influxdb >> $LE_LOGFILE 2>&1
+echo "acme-influxdb-hook: Restart the influxdb service" >> $LE_LOGFILE
+
+logger "acme-influxdb-hook: Done"
+echo "acme-influxdb-hook: Done." >> $LE_LOGFILE
+
+exit 0
+