diff --git a/ansible/cluster.yml b/ansible/cluster.yml
index a131e1e39f4be97d07fe10e0375b2fa732e8c2f1..9d4eaa32978546479d45d8e6e1371896713a6513 100644
--- a/ansible/cluster.yml
+++ b/ansible/cluster.yml
@@ -9,4 +9,5 @@
     - { name: 'slurm_client', tags: 'slurm_client', when: enable_slurm_client }
     - { name: 'ssh_host_keys', tags: 'ssh_host_keys' }
     - { name: 'ssh_proxy_config', tags: 'ssh_proxy_config', when: enable_ssh_proxy_config }
+    - { name: 'ssl_cert', tags: 'ssl_cert' }
     - { name: 'rsyslog_config', tags: 'rsyslog_config', when: enable_rsyslog_config }
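Review bot: The `ssl_cert` entry has no `when:` guard, unlike most of its neighbours, so the role runs on every host this play targets. With the shipped defaults (all `ssl_cert_*` values empty) the download and config tasks are skipped, but the final "Restart apache service" task in `roles/ssl_cert/tasks/main.yaml` is unconditional. That would restart `httpd` on every run, and presumably fail on hosts where the service is not installed. Gating the role on a variable it already defines would avoid this, e.g. `- { name: 'ssl_cert', tags: 'ssl_cert', when: ssl_cert_s3_bucket | length > 0 }`. Turning the restart into a handler notified by the tasks that change files would further limit restarts to runs where the certificate or config changed.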
diff --git a/ansible/group_vars/all b/ansible/group_vars/all
index 0f8cdbe4a8637c53e342e4da0151de4c063d5199..f68ae57ab7059c813130a0b2d2083a4f4e62545a 100644
--- a/ansible/group_vars/all
+++ b/ansible/group_vars/all
@@ -51,3 +51,13 @@
 # rsyslog
   enable_rsyslog_config: false
   rsyslog_target: "*.* @master:514"
+
+# ssl certs
+  ssl_cert_s3_bucket: ""
+  ssl_cert_key_location: "/etc/pki/tls/private"
+  ssl_cert_file_location: "/etc/pki/tls/certs"
+  ssl_cert_key: ""
+  ssl_cert_file: ""
+  ssl_cert_chain_file: ""
+  ssl_apache_config: ""
+  apache_service: "httpd"
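Review bot: The new `ssl_cert_*` defaults are undocumented, and `ssl_cert_key` in particular reads as if it could hold key material rather than a name. As far as the visible tasks show, `ssl_cert_key`, `ssl_cert_file` and `ssl_cert_chain_file` are each used both as the S3 object name and as the local file name under the matching `*_location` directory. A value with a `/` prefix would therefore point at a subdirectory the role never creates. I would add a comment above the block such as `# ssl_cert_key / ssl_cert_file / ssl_cert_chain_file: bare S3 object names (no prefix, not PEM content); reused as the local file name`.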
diff --git a/ansible/roles/ssl_cert/tasks/main.yaml b/ansible/roles/ssl_cert/tasks/main.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..aa562aa448b7a62554bc8e9ae27d6eac2b916c04
--- /dev/null
+++ b/ansible/roles/ssl_cert/tasks/main.yaml
@@ -0,0 +1,65 @@
+---
+- name: Download SSL Certs from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ item }}"
+    dest: "{{ ssl_cert_file_location }}/{{ item }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Change cert files permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_file_location }}/{{ item }}"
+    owner: root
+    group: root
+    mode: '0600'
+  when: ssl_cert_s3_bucket | length > 0 and item | length > 0
+  loop:
+    - "{{ ssl_cert_file }}"
+    - "{{ ssl_cert_chain_file }}"
+
+- name: Download SSL key from S3
+  aws_s3:
+    mode: get
+    s3_url: "{{ S3_ENDPOINT }}"
+    bucket: "{{ ssl_cert_s3_bucket }}"
+    object: "{{ ssl_cert_key }}"
+    dest: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    aws_access_key: "{{ LTS_ACCESS_KEY }}"
+    aws_secret_key: "{{ LTS_SECRET_KEY }}"
+  vars:
+    ansible_python_interpreter: /usr/bin/python3
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Change key file permissions
+  ansible.builtin.file:
+    path: "{{ ssl_cert_key_location }}/{{ ssl_cert_key }}"
+    owner: root
+    group: root
+    mode: '0400'
+  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0
+
+- name: Update SSL in Apache config
+  ansible.builtin.replace:
+    path: "{{ ssl_apache_config }}"
+    regexp: "{{ item.regexp }}"
+    replace: "\\1 {{ item.location }}/{{ item.value }}"
+    backup: true
+  when: ssl_apache_config | length > 0 and item.value | length > 0
+  loop:
+    - { regexp: "#?(SSLCertificateFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_file }}" }
+    - { regexp: "#?(SSLCertificateChainFile).*$", location: "{{ ssl_cert_file_location }}", value: "{{ ssl_cert_chain_file }}" }
+    - { regexp: "#?(SSLCertificateKeyFile).*$", location: "{{ ssl_cert_key_location }}", value: "{{ ssl_cert_key }}" }
+
+- name: Restart apache service
+  ansible.builtin.service:
+    name: "{{ apache_service }}"
+    state: restarted
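Review bot: The private key is written by "Download SSL key from S3" with whatever mode the download produces and is only tightened to `0400` by the following task. Between the two tasks, or indefinitely if the play aborts there, the key may be readable by other local users, depending on the umask and on the mode of `ssl_cert_key_location`. Making the target directory root-only before the download closes that window; confirm first that nothing else on the host relies on traversing that directory. Separately, the Apache config is edited and the service restarted with no syntax check in between, so a wrong path or mismatched key takes the web server down; a `configtest` step before the restart would catch that.

```yaml
- name: Ensure key directory is root-only before the key is written
  ansible.builtin.file:
    path: "{{ ssl_cert_key_location }}"
    state: directory
    owner: root
    group: root
    mode: '0700'
  when: ssl_cert_s3_bucket | length > 0 and ssl_cert_key | length > 0

# … unchanged: Download SSL key from S3, Change key file permissions …
```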