dogeystamp/homeserver-ansible
Archived
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity
This repository has been archived on 2023-09-13. You can view files and clone it, but cannot push or open issues or pull requests.
main
homeserver-ansible/roles/networking/ssl/tasks/main.yml

146 lines
4.0 KiB
YAML
Raw Permalink Blame History

- name: Ensure relevant packages are installed
community.general.pacman:
name:
- nginx
- certbot
- certbot-nginx
state: present
- name: Create SSL read group
group:
name: sslr
state: present
- name: Create directories for ACME
file:
path: "/etc/ssl-acme/{{ item }}"
state: directory
owner: root
group: root
mode: 0755
with_items:
- account
- certs
- csrs
- keys
- name: Generate ACME account key
community.crypto.openssl_privatekey:
path: "/etc/ssl-acme/account/{{ account_name }}.key"
owner: root
group: sslr
mode: 0640
- name: Generate ACME private key
community.crypto.openssl_privatekey:
path: "/etc/ssl-acme/keys/{{ key_name }}.key"
owner: root
group: sslr
mode: 0640
- name: Check if certificate file exists
stat:
path: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
register: cert_file
- name: Check if certificate is expired
community.crypto.x509_certificate_info:
path: "{{ cert_file.stat.path }}"
valid_at:
now: "+3w"
when: cert_file.stat.exists
register: expired_cert
- name: Determine whether the certificate should be regenerated
set_fact:
to_regen: "{{ ssl_domains }}"
when: not cert_file.stat.exists or not expired_cert.valid_at.now
- name: Configure nginx for ACME
template:
src: nginx_bare.conf.j2
dest: /etc/nginx/nginx.conf
when: to_regen is defined
- name: Restart nginx service
service:
name: nginx
state: restarted
enabled: yes
when: to_regen is defined
- name: Create ACME account
community.crypto.acme_account:
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
state: present
allow_creation: yes
contact:
- "mailto:{{ acme_email }}"
acme_directory: "{{ acme_dir }}"
terms_agreed: 1
acme_version: 2
external_account_binding: "{{ (acme_eab.key != '') | ternary(acme_eab, omit) }}"
register: account
when: to_regen is defined
- name: Generate ACME CSR
community.crypto.openssl_csr:
path: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
subject_alt_name: "{{ to_regen | map('regex_replace', '^', 'DNS:') | join(',') }}"
privatekey_path: "/etc/ssl-acme/keys/{{ key_name }}.key"
when: to_regen is defined
- name: Retrieve ACME challenge
community.crypto.acme_certificate:
acme_directory: "{{ acme_dir }}"
acme_version: 2
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
account_uri: "{{ account.account_uri }}"
account_email: "{{ acme_email }}"
terms_agreed: 1
challenge: http-01
csr: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
dest: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ cert_name }}.crt"
remaining_days: 91
register: acme_challenge
when: to_regen is defined
- name: Create ACME challenge directory
file:
path: "{{ webroot }}/{{ item }}/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: 0755
with_items: "{{ to_regen }}"
when: to_regen is defined
- name: Add ACME challenge files
copy:
content: "{{ item.value['http-01']['resource_value'] }}"
dest: "{{ webroot }}/{{ item.key }}/{{ item.value['http-01']['resource'] }}"
owner: root
group: root
mode: 644
with_items: "{{ acme_challenge['challenge_data'] | dict2items }}"
when: to_regen is defined
- name: Complete ACME challenge
community.crypto.acme_certificate:
acme_directory: "{{ acme_dir }}"
acme_version: 2
account_key_src: "/etc/ssl-acme/account/{{ account_name }}.key"
account_email: "{{ acme_email }}"
account_uri: "{{ account.account_uri }}"
challenge: http-01
terms_agreed: 1
csr: "/etc/ssl-acme/csrs/{{ cert_name }}.csr"
dest: "/etc/ssl-acme/certs/{{ cert_name }}.crt"
fullchain_dest: "/etc/ssl-acme/certs/fullchain_{{ cert_name }}.crt"
chain_dest: "/etc/ssl-acme/certs/chain_{{ cert_name }}.crt"
data: "{{ acme_challenge }}"
remaining_days: 21
when: to_regen is defined
Reference in New Issue View Git Blame Copy Permalink