This repository has been archived on 2023-09-13. You can view files and clone it, but cannot push or open issues or pull requests.
homeserver-ansible/roles/networking/ssl/tasks/main.yml

134 lines
3.7 KiB
YAML

- name: Ensure relevant packages are installed
community.general.pacman:
name:
- nginx
- certbot
- certbot-nginx
state: present
- name: Create directories for ACME
file:
path: "/etc/letsencrypt/{{ item }}"
state: directory
owner: root
group: root
mode: 0711
with_items:
- account
- certs
- csrs
- keys
- name: Generate ACME account key
community.crypto.openssl_privatekey:
path: "/etc/letsencrypt/account/account.key"
- name: Generate ACME private key
community.crypto.openssl_privatekey:
path: "/etc/letsencrypt/keys/{{ domain }}.key"
- name: Check if certificate exists
stat:
path: "/etc/letsencrypt/certs/{{ domain }}.crt"
register: cert_file
- name: Check if certificate is expired
community.crypto.x509_certificate_info:
path: "/etc/letsencrypt/certs/{{ domain }}.crt"
valid_at:
now: "+0"
register: result
when: cert_file.stat.exists
- name: Determine whether the certificate should be regenerated
set_fact:
cert_regen: yes
when: not cert_file.stat.exists or result.expired | bool
- name: Configure nginx for ACME
template:
src: nginx_bare.conf.j2
dest: /etc/nginx/nginx.conf
when: cert_regen is defined
- name: Restart nginx service
service:
name: nginx
state: restarted
enabled: yes
when: cert_regen is defined
- name: Create ACME account
community.crypto.acme_account:
account_key_src: /etc/letsencrypt/account/account.key
state: present
allow_creation: yes
contact:
- "mailto:{{ acme_email }}"
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
terms_agreed: 1
acme_version: 2
register: account
when: cert_regen is defined
- name: Generate ACME CSR
community.crypto.openssl_csr:
path: "/etc/letsencrypt/csrs/{{ domain }}.csr"
common_name: "{{ domain }}"
subject_alt_name: "DNS:{{ domain }}"
privatekey_path: "/etc/letsencrypt/keys/{{ domain }}.key"
when: cert_regen is defined
- name: Retrieve ACME challenge
community.crypto.acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
acme_version: 2
account_key_src: /etc/letsencrypt/account/account.key
account_uri: "{{ account.account_uri }}"
account_email: "{{ acme_email }}"
terms_agreed: 1
challenge: http-01
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
remaining_days: 91
register: acme_challenge
when: cert_regen is defined
- name: Create ACME challenge directory
file:
path: "{{ webroot }}/.well-known/acme-challenge"
state: directory
owner: root
group: root
mode: 0755
when: cert_regen is defined
- name: Add ACME challenge files
copy:
content: "{{ acme_challenge['challenge_data'][item]['http-01']['resource_value'] }}"
dest: "{{ webroot }}/{{ acme_challenge['challenge_data'][item]['http-01']['resource'] }}"
owner: root
group: root
mode: 644
with_items:
- "{{ domain }}"
when: cert_regen is defined
- name: Complete ACME challenge
community.crypto.acme_certificate:
acme_directory: "https://acme-v02.api.letsencrypt.org/directory"
acme_version: 2
account_key_src: /etc/letsencrypt/account/account.key
account_email: "{{ acme_email }}"
account_uri: "{{ account.account_uri }}"
challenge: http-01
terms_agreed: 1
csr: "/etc/letsencrypt/csrs/{{ domain }}.csr"
dest: "/etc/letsencrypt/certs/{{ domain }}.crt"
fullchain_dest: "/etc/letsencrypt/certs/fullchain_{{ domain }}.crt"
chain_dest: "/etc/letsencrypt/certs/chain_{{ domain }}.crt"
data: "{{ acme_challenge }}"
when: cert_regen is defined