add origin-cert role

2018-08-28 10:12:08 -04:00 · 2018-08-28 10:12:08 -04:00 · b904afd2d3
parent 9b49168180
commit b904afd2d3
2 changed files with 30 additions and 0 deletions
--- a/ansible/roles/origin-cert/README.md
+++ b/ansible/roles/origin-cert/README.md
@ -0,0 +1,16 @@
+# Descirption
+
+This role installs the certificate and key pair from CloudFlare which is called an __Origin__ certificate and is issued by CloudFlare CA to facilitate an SSL Proxy setup which allows the site to authenticate with the `*.status.im` wildcard certificate from CloudFlare without having it on the host.
+
+>WARNING: The origin certificate alone is not enough to facilitate a valid SSL setup.
+
+Details: https://blog.cloudflare.com/cloudflare-ca-encryption-origin/
+
+# Usage
+
+The certificates end up in the same place as other certs:
+
+* `/certs/origin.crt`
+* `/certs/origin.key`
+
+And are used by services like Nginx or Grafana for the purpose of verifying their identity for CloudFlare proxy servers.
--- a/ansible/roles/origin-cert/tasks/main.yml
+++ b/ansible/roles/origin-cert/tasks/main.yml
@ -0,0 +1,14 @@
+---
+- name: Copy over CloudFlare origin certificate
+  copy:
+    content: '{{lookup("passwordstore", "cloud/Cloudflare/origin.crt returnall=true")}}'
+    dest: /certs/origin.crt
+    mode: 0644
+    group: adm
+
+- name: Copy over CloudFlare origin key
+  copy:
+    content: '{{lookup("passwordstore", "cloud/Cloudflare/origin.key returnall=true")}}'
+    dest: /certs/origin.key
+    mode: 0644
+    group: adm