- name: 'Create ssl certificates directory for in /etc/ssl' file: path: '/etc/ssl/local/certs/{{ item }}' state: 'directory' owner: 'root' group: 'root' mode: '0755' with_items: '{{ ssl_certs }}' when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Install ssl certificates (certificate)' copy: content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.crt') }}" dest: '/etc/ssl/local/certs/{{ item }}/cert.pem' owner: 'root' group: 'root' mode: '0640' register: ssl_cert_result with_items: '{{ ssl_certs }}' when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Install ssl certificates (private key)' copy: content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.key') }}" dest: '/etc/ssl/local/certs/{{ item }}/privkey.pem' owner: 'root' group: 'root' mode: '0640' register: ssl_key_result with_items: '{{ ssl_certs }}' when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Install ssl certificates (chain)' copy: content: "{{ lookup('file', 'data/ssl/' + item + '/bundle.crt') }}" dest: '/etc/ssl/local/certs/{{ item }}/chain.pem' owner: 'root' group: 'root' mode: '0644' register: ssl_chain_result with_items: '{{ ssl_certs }}' when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Gathering info about ssl full chain (certificate + chain)' stat: path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem' with_items: '{{ ssl_certs }}' register: ssl_fullchain_stats when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Gathering info about ssl bundle (key + fullchain)' stat: path: '/etc/ssl/local/certs/{{ item }}/bundle.pem' with_items: '{{ ssl_certs }}' register: ssl_bundle_stats when: ssl_certs|length > 0 tags: - 'ssl' - name: 'Create ssl certificates full chain (certificate + chain)' shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem' with_items: '{{ ssl_fullchain_stats.results }}' when: ssl_certs|length > 0 and (not item.stat.exists or ssl_cert_result is changed or ssl_chain_result is changed) tags: - 'ssl' - name: 'Create ssl certificates bundle (key + certificate + bundle)' shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem' with_items: '{{ ssl_bundle_stats.results }}' when: ssl_certs|length > 0 and (not item.stat.exists or ssl_key_result is changed or ssl_cert_result is changed or ssl_chain_result is changed) tags: - 'ssl' - name: 'Install Lets Encrypt client (dehydrated)' apt: pkg: 'dehydrated' state: 'present' default_release: '{{ ansible_lsb.codename }}' when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int != 9 tags: - 'ssl' - name: 'Install Lets Encrypt client (dehydrated) from backports (Debian == 9)' apt: pkg: 'dehydrated' state: 'present' default_release: '{{ ansible_lsb.codename }}-backports' when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int == 9 tags: - 'ssl' - name: 'Install Lets Encrypt domains configuration for dehydrated)' template: src: 'dehydrated/domains.j2' dest: '/etc/dehydrated/domains.txt' owner: 'root' group: 'root' mode: '0644' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Create dehydrated hooks directory' file: path: '/etc/dehydrated/hooks' state: 'directory' owner: 'root' group: 'root' mode: '0755' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Install configuration for hooks support in dehydrated' template: src: 'dehydrated/config_hooks.sh.j2' dest: '/etc/dehydrated/conf.d/hooks.sh' owner: 'root' group: 'root' mode: '0644' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Install hook script for dehydrated' template: src: 'dehydrated/hook.sh.j2' dest: '/etc/dehydrated/hook.sh' owner: 'root' group: 'root' mode: '0755' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Install dehydrated hooks for various services' template: src: 'dehydrated/hooks/{{ item }}.sh.j2' dest: '/etc/dehydrated/hooks/{{ item }}.sh' owner: 'root' group: 'root' mode: '0755' with_items: - 'nginx' - 'apache2' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'List Lets Encrypt SSL installed certificates' shell: find /var/lib/dehydrated/certs -iname privkey.pem | cut -d / -f6 register: ssl_certs_auto_installed changed_when: False ignore_errors: True when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'List Lets Encrypt SSL certificates to be generated' shell: egrep -v '^#' /etc/dehydrated/domains.txt | cut -d ' ' -f 1 | while read c ; do test -f "/var/lib/dehydrated/certs/${c}/privkey.pem" || echo "${c}" ; done register: ssl_certs_auto_missing ignore_errors: True changed_when: ssl_certs_auto_missing.stdout_lines != [] notify: - 'Generate Lets Encrypt SSL certificates' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Install Lets Encrypt cron job' template: src: 'cron/letsencrypt.j2' dest: '/etc/cron.d/letsencrypt-local' owner: 'root' group: 'root' mode: '0644' when: ssl_certs_auto|length > 0 tags: - 'ssl' - name: 'Register and accept Lets Encrypt terms of service' shell: if dehydrated --help | grep -q -- 'register' && dehydrated --help | grep -q -- 'accept-terms' ; then dehydrated --register --accept-terms ; fi changed_when: False when: ssl_certs_auto|length > 0 tags: - 'ssl' # vim: ft=yaml.ansible