homeserver-ansible/roles/networking/ssl/tasks/main.yml

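---
# Obtain or renew the TLS certificate for `domain` through ACME (http-01).
# Material is kept under /etc/ssl-acme: account/ (account key), keys/ (domain
# private key), csrs/ and certs/ (leaf, chain and fullchain).
# Variables used but not defined here (domain, webroot, acme_dir, acme_email,
# acme_eab_alg/key/kid) are assumed to come from role vars/defaults or the
# inventory — confirm before reuse.
# NOTE(review): this file leaves nginx on nginx_bare.conf.j2 after a renewal;
# restoring the full nginx configuration is not handled here.
- name: Ensure relevant packages are installed
  community.general.pacman:
    name:
      - nginx
      - certbot
      - certbot-nginx
    state: present

- name: Create directories for ACME
  ansible.builtin.file:
    path: "/etc/ssl-acme/{{ item }}"
    state: directory
    owner: root
    group: root
    # Quoted so the YAML parser hands Ansible the octal string, not an integer.
    mode: "0711"
  loop:
    - account
    - certs
    - csrs
    - keys

- name: Generate ACME account key
  community.crypto.openssl_privatekey:
    path: "/etc/ssl-acme/account/account.key"

- name: Generate ACME private key
  community.crypto.openssl_privatekey:
    path: "/etc/ssl-acme/keys/{{ domain }}.key"

- name: Check if certificate exists
  ansible.builtin.stat:
    path: "/etc/ssl-acme/certs/{{ domain }}.crt"
  register: cert_file

- name: Check if certificate is expired
  community.crypto.x509_certificate_info:
    path: "/etc/ssl-acme/certs/{{ domain }}.crt"
    # result.valid_at.now becomes false once the certificate is less than
    # three weeks away from expiry (the renewal window).
    valid_at:
      now: "+3w"
  register: result
  when: cert_file.stat.exists

- name: Determine whether the certificate should be regenerated
  ansible.builtin.set_fact:
    cert_regen: true
  # `or` short-circuits in Jinja, so `result` is only inspected when the
  # certificate exists and the info task above actually ran.
  # Checks valid_at.now rather than result.expired: the latter ignored the
  # "+3w" window and only triggered after the certificate had already lapsed.
  when: not cert_file.stat.exists or not (result.valid_at.now | bool)

- name: Configure nginx for ACME
  ansible.builtin.template:
    # Presumably a minimal config that serves webroot over plain HTTP so the
    # http-01 token is reachable — confirm against the template.
    src: nginx_bare.conf.j2
    dest: /etc/nginx/nginx.conf
  when: cert_regen is defined

- name: Restart nginx service
  ansible.builtin.service:
    name: nginx
    state: restarted
    enabled: true
  when: cert_regen is defined

- name: Create ACME account
  community.crypto.acme_account:
    account_key_src: /etc/ssl-acme/account/account.key
    state: present
    allow_creation: true
    contact:
      - "mailto:{{ acme_email }}"
    acme_directory: "{{ acme_dir }}"
    terms_agreed: true
    acme_version: 2
    # External account binding credentials supplied by the CA.
    external_account_binding:
      alg: "{{ acme_eab_alg }}"
      key: "{{ acme_eab_key }}"
      kid: "{{ acme_eab_kid }}"
  register: account
  when: cert_regen is defined

- name: Generate ACME CSR
  community.crypto.openssl_csr:
    path: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    common_name: "{{ domain }}"
    subject_alt_name: "DNS:{{ domain }}"
    privatekey_path: "/etc/ssl-acme/keys/{{ domain }}.key"
  when: cert_regen is defined

- name: Retrieve ACME challenge
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_dir }}"
    acme_version: 2
    account_key_src: /etc/ssl-acme/account/account.key
    account_uri: "{{ account.account_uri }}"
    account_email: "{{ acme_email }}"
    terms_agreed: true
    challenge: http-01
    csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
    fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
    # Larger than the usual 90-day certificate lifetime, so the module always
    # requests a new certificate when reached; the real renewal decision is
    # the cert_regen fact above.
    remaining_days: 91
  register: acme_challenge
  when: cert_regen is defined

- name: Create ACME challenge directory
  ansible.builtin.file:
    path: "{{ webroot }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: cert_regen is defined

- name: Add ACME challenge files
  ansible.builtin.copy:
    content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
    dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
    owner: root
    group: root
    # Was the bare integer 644, which Ansible reads as decimal (octal 1204).
    mode: "0644"
  loop:
    - "{{ domain }}"
  # challenge_data only holds entries for names that still need authorization;
  # indexing it unconditionally fails when the CA already considers the name
  # authorized.
  when:
    - cert_regen is defined
    - acme_challenge is changed
    - item in acme_challenge['challenge_data']

- name: Complete ACME challenge
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_dir }}"
    acme_version: 2
    account_key_src: /etc/ssl-acme/account/account.key
    account_email: "{{ acme_email }}"
    account_uri: "{{ account.account_uri }}"
    challenge: http-01
    terms_agreed: true
    csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
    fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
    chain_dest: "/etc/ssl-acme/certs/chain_{{ domain }}.crt"
    # Feeds the pending challenge state from the retrieval step back in.
    data: "{{ acme_challenge }}"
  when:
    - cert_regen is defined
    - acme_challenge is changed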