Commit fabd84d0 authored by libregerbil-bot's avatar libregerbil-bot 🤖

Merge branch 'remove_ssl_dhfile_param_use_dh_size_instead' into 'master'

Generate the DH parameters, remove burp.ssl.DH, improve Buster support

Closes #2

See merge request !6
parents 27ffb270 fa8a5687
......@@ -45,6 +45,8 @@ configuration file will be created too).
m4v,avi,xv,jar,tgz,mp4,mkv,ogg,flv.
* `burp_timeoutstop`: value of `TimeoutStopSec` systemd option for Burp service.
If `None`, keep systemd default.
* `burp_dh_size`: size of DH parameters (default: `2048`). The path of the
generated DH parameters is: `/etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem`.
### Variables required by server and client:
......@@ -71,7 +73,6 @@ burp:
ratelimit:
ssl*: # All files will be copied on the server.
CA*: '{{ lookup("file", "path/to/ca.pem") }} # Certificate Authority
DH*: '{{ burp_dh }}' # DH parameters
cert*: '{{ burp_server_cert }}' # Burp server public certificate
key*: '{{ burp_server_key }}' # Burp server private key
burp_clients:
......
......@@ -34,3 +34,5 @@ burp_default_excludes:
- /run
- /dev
- /tmp
burp_dh_size: 2048
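Review bot: `burp_dh_size` is undocumented in the defaults file even though it drives two things in this change — the `size` passed to the new `openssl_dhparam` task and the generated file name `dh{{ burp_dh_size }}.pem` used by the server tasks and the server.conf template. A comment above the key would save the next maintainer a grep, e.g. `# Bit length of the DH parameters generated on the server (openssl_dhparam); also names the file dh<size>.pem. Generation time grows steeply with size.` The surrounding `burp_default_excludes` list starts outside the hunk.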
......@@ -9,7 +9,6 @@
CA: '{{ ca["content"] | b64decode }}'
cert: '{{ server_cert["content"] | b64decode }}'
key: '{{ server_key["content"] | b64decode }}'
DH: '{{ dh_param }}'
pre_tasks:
- name: Fetch CA
slurp:
......@@ -49,7 +48,6 @@
CA: '{{ hostvars["molecule-burp-server"]["ca"]["content"] | b64decode }}'
cert: '{{ hostvars["molecule-burp-server"]["server_cert"]["content"] | b64decode }}'
key: '{{ hostvars["molecule-burp-server"]["server_key"]["content"] | b64decode }}'
DH: '{{ dh_param }}'
burp_clients:
_server: *burp_server
testuser:
......
......@@ -78,6 +78,18 @@
organizationalUnitName: Test BURP CA
commonName: molecule-burp-client
- name: Create configuration directory
file: # noqa 208
# 'burp-test-backup' user doesn't exist yet, the role will fix that
path: /etc/burp/test-backup/
state: directory
- name: COPY DH param
copy: # noqa 208
# 'burp-test-backup' user doesn't exist yet, the role will fix that
content: '{{ dh_param }}'
dest: '/etc/burp/test-backup/dh2048.pem'
- name: Generate client certificate
openssl_certificate:
path: /tmp/client.pem
......
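Review bot: The new 'COPY DH param' task hard-codes `dest: '/etc/burp/test-backup/dh2048.pem'` while the rest of this change derives the file name from `burp_dh_size` (server tasks and the server.conf template). If the client configuration rendered for this test instance also uses `dh{{ burp_dh_size }}.pem` — its template is not in this diff, so this is inferred — the two names diverge as soon as the size is changed; `dest: '/etc/burp/test-backup/dh{{ burp_dh_size }}.pem'` keeps them aligned. The `dh_param` variable copied here is defined outside the hunk.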
......@@ -85,28 +85,29 @@
diff: no
notify: 'reload burp service'
- name: COPY DH param
copy:
content: '{{ burp.ssl.DH }}'
dest: '/etc/burp/{{ burp.name }}/dh2048.pem'
- name: Create DH param
openssl_dhparam:
path: '/etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem'
size: '{{ burp_dh_size }}'
<<: *owner-file
notify: 'reload burp service'
- name: Fetch burp version
import_tasks: fetch_burp_version.yml
- name: 'Generate BURP server configuration'
vars:
- vars:
burp_server_version: '{{ burp_version.stdout.strip().split("-")[-1] }}'
template:
src: server.conf
dest: '/etc/burp/{{ burp.name }}/server.conf'
<<: *owner-file
notify: 'reload burp service'
- name: 'Workaround for #532 (fix not available in Debian Stretch)'
include: 'server_workaround_#532.yml'
when: ansible_os_family == 'Debian'
block:
- name: 'Generate BURP server configuration'
template:
src: server.conf
dest: '/etc/burp/{{ burp.name }}/server.conf'
<<: *owner-file
notify: 'reload burp service'
- name: 'Workaround for #532 (fix not available in Debian Stretch)'
include: 'server_workaround_#532.yml'
when: burp_server_version is version("2.1.2", "<")
- include_tasks: '{{ ansible_service_mgr }}/enable_burp.yml'
......
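Review bot: The `when: ansible_os_family == 'Debian'` line appears only once in this rendering and the restructured `- vars:`/`block:` item leaves it no other home, so it now seems to gate the whole block — including 'Generate BURP server configuration' — whereas before it applied only to the #532 workaround include; on a non-Debian host server.conf would no longer be rendered. If the role is Debian-only (the `burp_version` lookup in `fetch_burp_version.yml` is outside the hunk, so this cannot be confirmed here) a short comment on the block stating that intent would help; otherwise keep the block unconditional and put the combined condition on the include, `when: ansible_os_family == 'Debian' and burp_server_version is version("2.1.2", "<")`. Separately, the new `openssl_dhparam` task is idempotent on `path` only, so changing `burp_dh_size` later generates a fresh `dh<size>.pem` and leaves the previous file in place; a comment on the task noting that, or a cleanup of stale `dh*.pem` files, would avoid confusion. The `*owner-file` anchor merged into both new tasks is defined outside the hunk.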
......@@ -51,4 +51,6 @@ backup_script_arg = {{ arg }}
# Paths are defined in server configuration
# workaround for #531 (Fixed in 2.1.2)
{% if burp_client_version is version("2.1.2", "<") %}
ca_csr_dir='/tmp'
{% endif %}
#jinja2: lstrip_blocks: "true"
# {{ ansible_managed }}
{% if ansible_os_family == 'Debian' %}
{% if burp_server_version is version("2.1.2", "<") %}
. ca_parameters
{% endif %}
......@@ -90,7 +90,7 @@ ssl_cert_ca = /etc/burp/{{ burp.name }}/ca.crt
ssl_cert = /etc/burp/{{ burp.name }}/burp.crt
ssl_key = /etc/burp/{{ burp.name }}/burp.key
# ssl_key_password =
ssl_dhfile = /etc/burp/{{ burp.name }}/dh2048.pem
ssl_dhfile = /etc/burp/{{ burp.name }}/dh{{ burp_dh_size }}.pem
timer_script = {{ timer_script }}
# Available units:
......
......@@ -25,8 +25,8 @@ commands =
docker: molecule --base-config molecule/base.yml test --scenario-name default
k8s: molecule --debug --base-config molecule/base.yml test --scenario-name k8s
[testenv:stretch]
setenv = DEBIAN_RELEASE = stretch
[testenv:buster]
setenv = DEBIAN_RELEASE = buster
[testenv:py{37,38}-ansible29-molecule-{docker,k8s}-{stretch,buster}]
setenv =
{[testenv]setenv}
stretch: DEBIAN_RELEASE = stretch
buster: DEBIAN_RELEASE = buster