| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106 |
- - name: 'Create ssl certificates directory for in /etc/ssl'
- file:
- path: '/etc/ssl/local/certs/{{ item }}'
- state: 'directory'
- owner: 'root'
- group: 'root'
- mode: '0755'
- with_items: '{{ ssl_certs }}'
- when: ssl_certs
- - name: 'Install ssl certificates (certificate)'
- copy:
- content: "{{lookup('file', 'data/ssl/' + item + '/' + item + '.crt')}}"
- dest: '/etc/ssl/local/certs/{{ item }}/cert.pem'
- owner: 'root'
- group: 'root'
- mode: '0640'
- register: ssl_cert_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs
- - name: 'Install ssl certificates (private key)'
- copy:
- content: "{{lookup('file', 'data/ssl/' + item + '/' + item + '.key')}}"
- dest: '/etc/ssl/local/certs/{{ item }}/privkey.pem'
- owner: 'root'
- group: 'root'
- mode: '0640'
- register: ssl_key_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs
- - name: 'Install ssl certificates (chain)'
- copy:
- content: "{{lookup('file', 'data/ssl/' + item + '/bundle.crt')}}"
- dest: '/etc/ssl/local/certs/{{ item }}/chain.pem'
- owner: 'root'
- group: 'root'
- mode: '0644'
- register: ssl_chain_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs
- - name: 'Gathering info about ssl full chain (certificate + chain)'
- stat:
- path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem'
- with_items: '{{ ssl_certs }}'
- register: ssl_fullchain_stats
- when: ssl_certs
- - name: 'Gathering info about ssl bundle (key + fullchain)'
- stat:
- path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
- with_items: '{{ ssl_certs }}'
- register: ssl_bundle_stats
- when: ssl_certs
- - name: 'Create ssl certificates full chain (certificate + chain)'
- shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
- with_items: '{{ ssl_fullchain_stats.results }}'
- when: ssl_certs and (not item.stat.exists or ssl_cert_result|changed or ssl_chain_result|changed)
- - name: 'Create ssl certificates bundle (key + certificate + bundle)'
- shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
- with_items: '{{ ssl_bundle_stats.results }}'
- when: ssl_certs and (not item.stat.exists or ssl_key_result|changed or ssl_cert_result|changed or ssl_chain_result|changed)
- - name: 'Install Lets Encrypt client'
- apt:
- pkg: 'dehydrated'
- state: 'installed'
- when: ssl_certs_auto
- - name: 'Install Lets Encrypt domains configuration'
- template:
- src: 'ssl/letsencrypt_domains.j2'
- dest: '/etc/dehydrated/domains.txt'
- owner: 'root'
- group: 'root'
- mode: '0644'
- when: ssl_certs_auto
- - name: 'List Lets Encrypt SSL installed certificates'
- shell: find /var/lib/dehydrated/certs -iname privkey.pem | cut -d / -f6
- register: ssl_certs_auto_installed
- changed_when: False
- ignore_errors: True
- when: ssl_certs_auto
- - name: 'List Lets Encrypt SSL certificates to be generated'
- shell: egrep -v '^#' /etc/dehydrated/domains.txt | while read c ; do test -f "/var/lib/dehydrated/certs/${c}/privkey.pem" || echo "${c}" ; done
- register: ssl_certs_auto_missing
- ignore_errors: True
- changed_when: ssl_certs_auto_missing.stdout_lines != []
- notify:
- - 'Generate Lets Encrypt SSL certificates'
- when: ssl_certs_auto
- - name: 'Install Lets Encrypt cron job'
- template:
- src: 'cron/letsencrypt.j2'
- dest: '/etc/cron.d/letsencrypt-local'
- owner: 'root'
- group: 'root'
- mode: '0644'
- when: ssl_certs_auto
|
