# nginx answers the http-01 challenge later in this file.
# NOTE(review): nothing in this tasks file invokes certbot — the ACME flow
# below is done with community.crypto modules.  Confirm certbot and
# certbot-nginx are still needed before keeping them installed.
- name: Ensure relevant packages are installed
  community.general.pacman:
    state: present
    name:
      - nginx
      - certbot
      - certbot-nginx
# Group that is allowed to read the ACME-managed private keys; the
# openssl_privatekey tasks below assign their files to it.
- name: Create SSL read group
  ansible.builtin.group:
    state: present
    name: sslr
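# Give the TURN server read access to the key material via the group instead
# of loosening file modes.  append keeps its existing supplementary groups.
# NOTE(review): ansible.builtin.user creates the account when it is missing;
# this relies on "turnserver" already existing (e.g. from its package) —
# confirm, or add a guard so a stray login user is not created here.
- name: Add turnserver to SSL read group
  ansible.builtin.user:
    name: "turnserver"
    groups: sslr
    append: true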
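# Layout under /etc/ssl-acme: account key, issued certs, CSRs, private keys.
# 0711 lets non-root processes traverse into a directory to open a file they
# are otherwise permitted to read (the sslr group) without listing it.  The
# mode is quoted so the YAML parser does not turn it into an integer.
# NOTE(review): the mode applies to the leaf directory only; /etc/ssl-acme
# itself is created with default permissions — confirm that is acceptable.
- name: Create directories for ACME
  ansible.builtin.file:
    path: "/etc/ssl-acme/{{ item }}"
    state: directory
    owner: root
    group: root
    mode: "0711"
  loop:
    - account
    - certs
    - csrs
    - keys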
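# Key that identifies this host's ACME account to the CA; only the
# acme_account / acme_certificate tasks in this file consume it.
# NOTE(review): group sslr (which includes turnserver) can read this key, yet
# no sslr member in this file needs it — a compromised group member could act
# on the CA account.  Consider group: root and mode "0600" unless another
# consumer of the account key exists outside this file.
- name: Generate ACME account key
  community.crypto.openssl_privatekey:
    path: "/etc/ssl-acme/account/account.key"
    owner: root
    group: sslr
    mode: "0640"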
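# Private key for the domain certificate.  Group-readable by sslr so the TURN
# server can load it; the CSR task below signs with this key.  Mode quoted so
# the YAML parser does not convert it to an integer.
- name: Generate ACME private key
  community.crypto.openssl_privatekey:
    path: "/etc/ssl-acme/keys/{{ domain }}.key"
    owner: root
    group: sslr
    mode: "0640"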
# cert_file.stat.exists gates the certificate inspection below and is the
# first input to the regeneration decision.
- name: Check if certificate exists
  ansible.builtin.stat:
    path: "/etc/ssl-acme/certs/{{ domain }}.crt"
  register: cert_file
# Inspect the existing certificate.  The valid_at entry asks whether it will
# still be valid three weeks from now, so renewal can start ahead of expiry;
# the module reports that as result.valid_at.now, next to result.expired
# (which only becomes true once not_after has passed).
- name: Check if certificate is expired
  community.crypto.x509_certificate_info:
    path: "/etc/ssl-acme/certs/{{ domain }}.crt"
    valid_at:
      now: "+3w"
  when: cert_file.stat.exists
  register: result
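# Set cert_regen when there is no certificate yet, or the existing one will
# not be valid three weeks from now (result.valid_at.now from the info task).
# Testing result.expired instead would only fire once the certificate has
# already lapsed and the "+3w" lead time would never take effect.  The
# left-hand test short-circuits, so result is not read when the info task was
# skipped.  cert_regen stays undefined otherwise; later tasks gate on it with
# "is defined".
- name: Determine whether the certificate should be regenerated
  ansible.builtin.set_fact:
    cert_regen: true
  when: not cert_file.stat.exists or not (result.valid_at.now | bool)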
# Install the minimal HTTP-only nginx config so the http-01 challenge can be
# served before a certificate exists.
# NOTE(review): nothing in this file restores the full nginx configuration
# afterwards — presumably a later role does; confirm.
- name: Configure nginx for ACME
  ansible.builtin.template:
    dest: /etc/nginx/nginx.conf
    src: nginx_bare.conf.j2
  when: cert_regen is defined
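# Pick up the bare config written above.  A handler would skip the restart when
# the template is unchanged, but handlers run at the end of the play and the
# challenge tasks below need the new config active immediately.
- name: Restart nginx service
  ansible.builtin.service:
    name: nginx
    state: restarted
    enabled: true
  when: cert_regen is defined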
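# Register (or look up) the ACME account bound to account.key and record its
# URI for the certificate tasks.
# NOTE(review): external_account_binding is sent unconditionally, so
# acme_eab_alg / acme_eab_key / acme_eab_kid must be defined even for a CA
# that does not use EAB — consider `| default(omit)` on the whole mapping.
- name: Create ACME account
  community.crypto.acme_account:
    acme_directory: "{{ acme_dir }}"
    acme_version: 2
    account_key_src: /etc/ssl-acme/account/account.key
    state: present
    allow_creation: true
    terms_agreed: true
    contact:
      - "mailto:{{ acme_email }}"
    external_account_binding:
      alg: "{{ acme_eab_alg }}"
      key: "{{ acme_eab_key }}"
      kid: "{{ acme_eab_kid }}"
  register: account
  when: cert_regen is defined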
# CSR for a single name: CN and the one SAN both carry {{ domain }}, signed
# with the domain key generated above.
- name: Generate ACME CSR
  community.crypto.openssl_csr:
    privatekey_path: "/etc/ssl-acme/keys/{{ domain }}.key"
    path: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    common_name: "{{ domain }}"
    subject_alt_name: "DNS:{{ domain }}"
  when: cert_regen is defined
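# First half of the two-step acme_certificate flow: ask the CA for the http-01
# challenge and keep it in acme_challenge for the file/copy tasks below.
# remaining_days: 91 makes the module request a challenge even when the
# existing certificate still has time left (it only skips when that
# certificate has at least remaining_days left); the real gate is cert_regen.
- name: Retrieve ACME challenge
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_dir }}"
    acme_version: 2
    account_key_src: /etc/ssl-acme/account/account.key
    account_uri: "{{ account.account_uri }}"
    account_email: "{{ acme_email }}"
    terms_agreed: true
    challenge: http-01
    csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
    fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
    remaining_days: 91
  register: acme_challenge
  when: cert_regen is defined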
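# Directory nginx serves the challenge tokens from.  World-readable and
# traversable so the web server user can reach the token files; mode quoted
# so the YAML parser does not convert it to an integer.
- name: Create ACME challenge directory
  ansible.builtin.file:
    path: "{{ webroot }}/.well-known/acme-challenge"
    state: directory
    owner: root
    group: root
    mode: "0755"
  when: cert_regen is defined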
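# Publish the token so the CA can fetch it over plain HTTP.  Path and content
# come from the challenge data returned by the previous acme_certificate call.
# The mode is written as "0644": an unquoted 644 without the leading zero is
# read by Ansible as decimal 644 (0o1204, with the sticky bit set and no
# owner read), not rw-r--r--.
- name: Add ACME challenge files
  ansible.builtin.copy:
    content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
    dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
    owner: root
    group: root
    mode: "0644"
  loop:
    - "{{ domain }}"
  when: cert_regen is defined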
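# Second half: hand the challenge data back so the CA validates it and issues
# the certificate, writing the leaf, full chain and chain files.
# remaining_days mirrors the first step.  NOTE(review): the module presumably
# applies the same "does the existing certificate still have remaining_days
# left" check on this call; with the default of 10 it would skip issuance
# while the old certificate has between 10 and 21 days left, which is exactly
# the window the "+3w" renewal lead time targets — verify against the module.
- name: Complete ACME challenge
  community.crypto.acme_certificate:
    acme_directory: "{{ acme_dir }}"
    acme_version: 2
    account_key_src: /etc/ssl-acme/account/account.key
    account_email: "{{ acme_email }}"
    account_uri: "{{ account.account_uri }}"
    challenge: http-01
    terms_agreed: true
    csr: "/etc/ssl-acme/csrs/{{ domain }}.csr"
    dest: "/etc/ssl-acme/certs/{{ domain }}.crt"
    fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ domain }}.crt"
    chain_dest: "/etc/ssl-acme/certs/chain_{{ domain }}.crt"
    remaining_days: 91
    data: "{{ acme_challenge }}"
  when: cert_regen is defined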