From d53da5fda3b1311d2f5e72ed1a1065946aad6cd1 Mon Sep 17 00:00:00 2001
From: Andrea Dell'Amico
Date: Sun, 8 May 2022 15:12:53 +0200
Subject: [PATCH] TLS with letsencryt. Manage some config options.
---
 defaults/main.yml | 16 ++++++
 handlers/main.yml | 6 ++-
 tasks/main.yml | 71 ++++++++++++++++++++++++++
 templates/influxdb-letsencrypt-hook.j2 | 38 ++++++++++++++
 4 files changed, 130 insertions(+), 1 deletion(-)
 create mode 100644 templates/influxdb-letsencrypt-hook.j2
diff --git a/defaults/main.yml b/defaults/main.yml
index a6c2e15..0220841 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -3,3 +3,19 @@ influxdb_deb_repo: "deb https://repos.influxdata.com/ubuntu bionic stable"
 influxdb_repo_key: 'https://repos.influxdata.com/influxdb.key'
 influxdb_pkgs:
   - influxdb
+
+influxdb_config_file: /etc/influxdb/influxdb.conf
+influxdb_config:
+  - {section: http, option: 'enabled', value: 'true', state: present}
+  - {section: http, option: 'bind-address', value: ':8086', state: present}
+  - {section: http, option: 'log-enabled', value: 'true', state: present}
+
+influxdb_tls_letsencrypt_managed: true
+influxdb_tls_enabled: false
+influxdb_tls_cert_dir: /etc/pki/influxdb
+influxdb_tls_cert_path: '{{ letsencrypt_acme_sh_certificates_install_path }}/cert'
+influxdb_tls_key_path: '{{ influxdb_tls_cert_dir }}/influxdb.key'
+influxdb_tls_config:
+  - {section: http, option: 'https-enabled', value: '{{ influxdb_tls_enabled | lower }}', state: present}
+  - {section: http, option: 'https-certificate', value: '{{ influxdb_tls_cert_path }}', state: present}
+  - {section: http, option: 'https-private-key', value: '{{ influxdb_tls_key_path }}', state: present}
diff --git a/handlers/main.yml b/handlers/main.yml
index 27474e0..8dd5027 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -1,2 +1,6 @@
 ---
-# handlers file for ansible-role-template
\ No newline at end of file
+- name: restart influxb
+  service:
+    name: influxdb
+    state: restart
+    enabled: true
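Review bot: The new `influxdb_tls_*` defaults depend on variables owned by another role (`letsencrypt_acme_sh_certificates_install_path` here, and the tasks additionally read `letsencrypt_acme_services_scripts_dir` and `letsencrypt_acme_install`), but nothing in defaults/main.yml says so, and a user who sets `influxdb_tls_enabled: true` without that role in the play gets an undefined-variable failure at the first task that renders them. A comment above `influxdb_tls_letsencrypt_managed`, e.g. `# The tls cert path and the letsencrypt tasks reference variables defined by the letsencrypt role, which must run before this one when influxdb_tls_enabled is true`, would make the coupling explicit. It is also worth stating next to `influxdb_tls_cert_path` that the certificate is read in place from the letsencrypt install directory while only the private key is copied into `influxdb_tls_cert_dir`, since that presumably means the influxdb user also needs read access to that directory, which the role itself does not arrange.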
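Review bot: The handler name `restart influxb` does not match the `notify: restart influxdb` used in tasks/main.yml, and `state: restart` is not a value the `service` module accepts (its states are `started`, `stopped`, `restarted`, `reloaded`), so a notification would fail at run time instead of restarting the service; the two lines should read `- name: restart influxdb` and `state: restarted`. tasks/main.yml also notifies `reload influxdb` from the plain configuration task, and no handler of that name exists in this patch, so either a `reload influxdb` handler (`state: reloaded`) needs adding here or that notify should point at `restart influxdb`. `enabled: true` in a restart handler is harmless but unrelated to the restart; it belongs with the task that ensures the service is running.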
diff --git a/tasks/main.yml b/tasks/main.yml
index d77a124..a2feff5 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -21,6 +21,77 @@
   when: ansible_distribution_file_variety == "Debian"
   tags: ['influxdb', 'influxdb_repository']
 
+- name: Manage the Influxd configuration
+  block:
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_config }}'
+      notify: reload influxdb
+
+  tags: ['influxdb', 'influxdb_config']
+
+- name: Letsencrypt tls management
+  block:
+    - name: Create the acme hooks directory if it does not yet exist
+      file:
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}'
+        state: directory
+        owner: root
+        group: root
+
+    - name: Create the influxdb certificate directory
+      file:
+        dest: '{{ influxdb_tls_cert_dir }}'
+        state: directory
+        owner: root
+        group: influxdb
+        mode: 0750
+
+    - name: Copy the key file where influxdb expects it
+      copy:
+        src: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
+        dest: '{{ influxdb_tls_key_path }}'
+        owner: root
+        group: influxdb
+        mode: 0640
+        remote_src: true
+      notify: restart influxdb
+
+    - name: Influxdb configuration {{ influxdb_config_file }}
+      ini_file:
+        path: '{{ influxdb_config_file }}'
+        section: '{{ item.section }}'
+        option: '{{ item.option }}'
+        value: '{{ item.value }}'
+        state: "{{ item.state | default('present') }}"
+        owner: root
+        group: root
+        mode: 0644
+      loop: '{{ influxdb_tls_config }}'
+      notify: restart influxdb
+
+    - name: Install a script that fixes the letsencrypt certificate for influxdb and then restarts the service
+      template:
+        src: influxdb-letsencrypt-hook.j2
+        dest: '{{ letsencrypt_acme_services_scripts_dir }}/influxdb'
+        owner: root
+        group: root
+        mode: 4555
+
+  when:
+    - influxdb_tls_enabled
+    - influxdb_tls_letsencrypt_managed
+    - letsencrypt_acme_install
+  tags: ['influxdb', 'letsencrypt', 'influxdb_letsencrypt']
+
 - name: Manage the Influxdata repository and packages
   block:
     - name: Ensure that influxdb is enabled and running
diff --git a/templates/influxdb-letsencrypt-hook.j2 b/templates/influxdb-letsencrypt-hook.j2
new file mode 100644
index 0000000..74d8eda
--- /dev/null
+++ b/templates/influxdb-letsencrypt-hook.j2
@@ -0,0 +1,38 @@
+#!/bin/bash
+
+LE_CERTS_DIR="{{ letsencrypt_acme_sh_certificates_install_path }}"
+LE_LOG_DIR=/var/log/letsencrypt
+LE_LOGFILE="$LE_LOG_DIR/influxdb.log"
+INFLUXDB_KEYFILE="{{ influxdb_tls_key_path }}"
+DATE=$( date )
+RETVAL=
+
+[ ! -d $LE_LOG_DIR ] && mkdir $LE_LOG_DIR
+echo "$DATE" >> "$LE_LOGFILE"
+
+logger "acme-influxdb-hook: Check if the certificate has been renewed"
+cmp ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
+RETVAL=$?
+if [ $RETVAL -eq 0 ] ; then
+  logger "acme-influxdb-hook: No new cerficate."
+  echo "acme-influxdb-hook: No new cerficate." >> $LE_LOGFILE
+  exit 0
+else
+  logger "acme-influxdb-hook: Copying the key file"
+  echo "Copy the key file" >> $LE_LOGFILE
+  /bin/cp -f ${LE_CERTS_DIR}/privkey ${INFLUXDB_KEYFILE}
+fi
+
+chmod 440 ${INFLUXDB_KEYFILE}
+chown root ${INFLUXDB_KEYFILE}
+chgrp influxdb ${INFLUXDB_KEYFILE}
+
+logger "acme-influxdb-hook: Restart the influxdb service after a certificate renewal"
+systemctl restart influxdb >> $LE_LOGFILE 2>&1
+echo "acme-influxdb-hook: Restart the influxdb service" >> $LE_LOGFILE
+
+logger "acme-influxdb-hook: Done"
+echo "acme-influxdb-hook: Done." >> $LE_LOGFILE
+
+exit 0
+
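Review bot: `mode: 4555` on the template task that installs the letsencrypt hook sets the setuid bit on a shell script, which the kernel ignores for interpreted scripts, and because the value is unquoted with no leading zero YAML hands Ansible the decimal integer 4555 rather than an octal mode, so the permission bits applied are not the ones written; `mode: '0750'` is enough for a hook that acme.sh runs as root. The same quoting applies to `mode: 0644`, `0750` and `0640` in this hunk: they parse as octal under a YAML 1.1 loader, but `'0644'` is the form the Ansible docs recommend and survives a YAML 1.2 loader. Separately, the `ini_file` task driven by `influxdb_tls_config` only runs inside the block gated on `influxdb_tls_enabled`, so setting the variable back to false never writes `https-enabled = false`; moving that task into the unconditional configuration block (or dropping `influxdb_tls_enabled` from the block's `when` list) would make the setting reversible. The first block's `notify: reload influxdb` names a handler that handlers/main.yml in this patch does not define. The `when`/`tags` context lines at the top of the hunk belong to a task that starts before it.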
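Review bot: The hook leaves the key at `chmod 440` while the `copy` task in tasks/main.yml enforces `mode: 0640` on the same path, so the next playbook run flips the mode back, reports the task as changed and fires `notify: restart influxdb` on every run after a renewal; pick one mode for both places. `/bin/cp -f` creates a missing destination with the umask-derived mode before the later `chmod`/`chown`/`chgrp` tighten it, and its exit status is never checked before the service is restarted, so the four lines are better replaced by a single `install -o root -g influxdb -m 0640 "${LE_CERTS_DIR}/privkey" "${INFLUXDB_KEYFILE}" || exit 1`, which applies owner, group and mode as part of the copy and stops before the restart when the copy fails. The unquoted `$LE_LOG_DIR`, `${LE_CERTS_DIR}` and `${INFLUXDB_KEYFILE}` expansions should be double-quoted, as `$LE_LOGFILE` already is on the first `echo`, since both paths are templated from role variables. `cerficate` in the two "No new" log strings is a typo for `certificate`.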