123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198 |
- - name: 'Create ssl certificates directory for in /etc/ssl'
- file:
- path: '/etc/ssl/local/certs/{{ item }}'
- state: 'directory'
- owner: 'root'
- group: 'root'
- mode: '0755'
- with_items: '{{ ssl_certs }}'
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Install ssl certificates (certificate)'
- copy:
- content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.crt') }}"
- dest: '/etc/ssl/local/certs/{{ item }}/cert.pem'
- owner: 'root'
- group: 'root'
- mode: '0640'
- register: ssl_cert_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Install ssl certificates (private key)'
- copy:
- content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.key') }}"
- dest: '/etc/ssl/local/certs/{{ item }}/privkey.pem'
- owner: 'root'
- group: 'root'
- mode: '0640'
- register: ssl_key_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Install ssl certificates (chain)'
- copy:
- content: "{{ lookup('file', 'data/ssl/' + item + '/bundle.crt') }}"
- dest: '/etc/ssl/local/certs/{{ item }}/chain.pem'
- owner: 'root'
- group: 'root'
- mode: '0644'
- register: ssl_chain_result
- with_items: '{{ ssl_certs }}'
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Gathering info about ssl full chain (certificate + chain)'
- stat:
- path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem'
- with_items: '{{ ssl_certs }}'
- register: ssl_fullchain_stats
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Gathering info about ssl bundle (key + fullchain)'
- stat:
- path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
- with_items: '{{ ssl_certs }}'
- register: ssl_bundle_stats
- when: ssl_certs|length > 0
- tags:
- - 'ssl'
- - name: 'Create ssl certificates full chain (certificate + chain)'
- shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
- with_items: '{{ ssl_fullchain_stats.results }}'
- when: ssl_certs|length > 0 and (not item.stat.exists or ssl_cert_result is changed or ssl_chain_result is changed)
- tags:
- - 'ssl'
- - name: 'Create ssl certificates bundle (key + certificate + bundle)'
- shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/privkey.pem' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
- with_items: '{{ ssl_bundle_stats.results }}'
- when: ssl_certs|length > 0 and (not item.stat.exists or ssl_key_result is changed or ssl_cert_result is changed or ssl_chain_result is changed)
- tags:
- - 'ssl'
- - name: 'Install Lets Encrypt client (dehydrated)'
- apt:
- pkg: 'dehydrated'
- state: 'present'
- default_release: '{{ ansible_lsb.codename }}'
- when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int != 9
- tags:
- - 'ssl'
- - name: 'Install Lets Encrypt client (dehydrated) from backports (Debian == 9)'
- apt:
- pkg: 'dehydrated'
- state: 'present'
- default_release: '{{ ansible_lsb.codename }}-backports'
- when: ssl_certs_auto|length > 0 and ansible_lsb.major_release|int == 9
- tags:
- - 'ssl'
- - name: 'Install Lets Encrypt domains configuration for dehydrated)'
- template:
- src: 'dehydrated/domains.j2'
- dest: '/etc/dehydrated/domains.txt'
- owner: 'root'
- group: 'root'
- mode: '0644'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Create dehydrated hooks directory'
- file:
- path: '/etc/dehydrated/hooks'
- state: 'directory'
- owner: 'root'
- group: 'root'
- mode: '0755'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Install configuration for hooks support in dehydrated'
- template:
- src: 'dehydrated/config_hooks.sh.j2'
- dest: '/etc/dehydrated/conf.d/hooks.sh'
- owner: 'root'
- group: 'root'
- mode: '0644'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Install hook script for dehydrated'
- template:
- src: 'dehydrated/hook.sh.j2'
- dest: '/etc/dehydrated/hook.sh'
- owner: 'root'
- group: 'root'
- mode: '0755'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Install dehydrated hooks for various services'
- template:
- src: 'dehydrated/hooks/{{ item }}.sh.j2'
- dest: '/etc/dehydrated/hooks/{{ item }}.sh'
- owner: 'root'
- group: 'root'
- mode: '0755'
- with_items:
- - 'nginx'
- - 'apache2'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'List Lets Encrypt SSL installed certificates'
- shell: find /var/lib/dehydrated/certs -iname privkey.pem | cut -d / -f6
- register: ssl_certs_auto_installed
- changed_when: False
- ignore_errors: True
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'List Lets Encrypt SSL certificates to be generated'
- shell: egrep -v '^#' /etc/dehydrated/domains.txt | cut -d ' ' -f 1 | while read c ; do test -f "/var/lib/dehydrated/certs/${c}/privkey.pem" || echo "${c}" ; done
- register: ssl_certs_auto_missing
- ignore_errors: True
- changed_when: ssl_certs_auto_missing.stdout_lines != []
- notify:
- - 'Generate Lets Encrypt SSL certificates'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Install Lets Encrypt cron job'
- template:
- src: 'cron/letsencrypt.j2'
- dest: '/etc/cron.d/letsencrypt-local'
- owner: 'root'
- group: 'root'
- mode: '0644'
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- - name: 'Register and accept Lets Encrypt terms of service'
- shell: if dehydrated --help | grep -q -- 'register' && dehydrated --help | grep -q -- 'accept-terms' ; then dehydrated --register --accept-terms ; fi
- changed_when: False
- when: ssl_certs_auto|length > 0
- tags:
- - 'ssl'
- # vim: ft=yaml.ansible