
  # One directory per entry of ssl_certs; the copy tasks below place
  # cert.pem / privkey.pem / chain.pem inside it.
  - name: 'Create ssl certificates directory for in /etc/ssl'
    file:
      path: '/etc/ssl/local/certs/{{ item }}'
      state: 'directory'
      owner: 'root'
      group: 'root'
      mode: '0755'
    with_items: '{{ ssl_certs }}'
    when: ssl_certs | length > 0
    tags: ['ssl']
  # Certificate body is read from data/ssl/<name>/<name>.crt on the controller
  # and written as cert.pem on the target.
  - name: 'Install ssl certificates (certificate)'
    copy:
      content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.crt') }}"
      dest: '/etc/ssl/local/certs/{{ item }}/cert.pem'
      owner: 'root'
      group: 'root'
      mode: '0640'
    with_items: '{{ ssl_certs }}'
    # The fullchain/bundle tasks test this result with "is changed" to decide
    # whether the concatenated files need rebuilding.
    register: ssl_cert_result
    when: ssl_certs | length > 0
    tags: ['ssl']
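  # Private key is read from data/ssl/<name>/<name>.key on the controller.
  # NOTE(review): that tree therefore holds key material in clear — keep it out
  # of plain-text version control (or vault-encrypt it); confirm with the repo
  # layout.
  - name: 'Install ssl certificates (private key)'
    copy:
      content: "{{ lookup('file', 'data/ssl/' + item + '/' + item + '.key') }}"
      dest: '/etc/ssl/local/certs/{{ item }}/privkey.pem'
      owner: 'root'
      group: 'root'
      mode: '0640'
    # Key material must not reach stdout/callback logs (the before/after diff
    # copy emits under --diff would print it). The registered result still
    # carries the changed status that the bundle task relies on.
    no_log: true
    with_items: '{{ ssl_certs }}'
    register: ssl_key_result
    when: ssl_certs | length > 0
    tags: ['ssl']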
  # Intermediate chain is read from data/ssl/<name>/bundle.crt on the
  # controller and written as chain.pem on the target.
  - name: 'Install ssl certificates (chain)'
    copy:
      content: "{{ lookup('file', 'data/ssl/' + item + '/bundle.crt') }}"
      dest: '/etc/ssl/local/certs/{{ item }}/chain.pem'
      owner: 'root'
      group: 'root'
      mode: '0644'
    with_items: '{{ ssl_certs }}'
    # Tested with "is changed" by the fullchain and bundle tasks.
    register: ssl_chain_result
    when: ssl_certs | length > 0
    tags: ['ssl']
  # Existence check for fullchain.pem; the fullchain task iterates over the
  # registered .results, so there each entry exposes item.item and
  # item.stat.exists.
  - name: 'Gathering info about ssl full chain (certificate + chain)'
    stat:
      path: '/etc/ssl/local/certs/{{ item }}/fullchain.pem'
    with_items: '{{ ssl_certs }}'
    register: ssl_fullchain_stats
    when: ssl_certs | length > 0
    tags: ['ssl']
  # Existence check for bundle.pem; consumed by the bundle task via .results.
  - name: 'Gathering info about ssl bundle (key + fullchain)'
    stat:
      path: '/etc/ssl/local/certs/{{ item }}/bundle.pem'
    with_items: '{{ ssl_certs }}'
    register: ssl_bundle_stats
    when: ssl_certs | length > 0
    tags: ['ssl']
  # Concatenate cert.pem + chain.pem into fullchain.pem, dropping blank lines.
  # Items come from ssl_fullchain_stats.results, hence item.item for the name.
  # Rebuilt when the file is missing or either input changed in this run.
  - name: 'Create ssl certificates full chain (certificate + chain)'
    shell: sed '/^\s*$/d' '/etc/ssl/local/certs/{{ item.item }}/cert.pem' '/etc/ssl/local/certs/{{ item.item }}/chain.pem' > '/etc/ssl/local/certs/{{ item.item }}/fullchain.pem'
    with_items: '{{ ssl_fullchain_stats.results }}'
    when: >-
      ssl_certs | length > 0
      and (not item.stat.exists
           or ssl_cert_result is changed
           or ssl_chain_result is changed)
    tags: ['ssl']
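  # Concatenate privkey.pem + cert.pem + chain.pem into bundle.pem, dropping
  # blank lines. Items come from ssl_bundle_stats.results (item.item = name).
  # bundle.pem contains the private key, so it must not be created under the
  # default umask (a plain '>' redirect typically yields 0644): umask 027 makes
  # a new file 0640 from the first byte, and the chmod corrects an existing
  # bundle that '>' merely truncates (truncation keeps the old mode).
  # 0640 matches the mode given to privkey.pem above.
  - name: 'Create ssl certificates bundle (key + certificate + bundle)'
    shell: >-
      umask 027;
      sed '/^\s*$/d'
      '/etc/ssl/local/certs/{{ item.item }}/privkey.pem'
      '/etc/ssl/local/certs/{{ item.item }}/cert.pem'
      '/etc/ssl/local/certs/{{ item.item }}/chain.pem'
      > '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
      && chmod 0640 '/etc/ssl/local/certs/{{ item.item }}/bundle.pem'
    with_items: '{{ ssl_bundle_stats.results }}'
    when: >-
      ssl_certs | length > 0
      and (not item.stat.exists
           or ssl_key_result is changed
           or ssl_cert_result is changed
           or ssl_chain_result is changed)
    tags: ['ssl']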
  # dehydrated from the release's own pocket; Debian 9 is handled by the
  # backports task that follows.
  - name: 'Install Lets Encrypt client (dehydrated)'
    apt:
      name: 'dehydrated'
      state: 'present'
      default_release: '{{ ansible_lsb.codename }}'
    when: ssl_certs_auto | length > 0 and ansible_lsb.major_release | int != 9
    tags: ['ssl']
  # Debian 9 only: dehydrated is taken from <codename>-backports.
  - name: 'Install Lets Encrypt client (dehydrated) from backports (Debian == 9)'
    apt:
      name: 'dehydrated'
      state: 'present'
      default_release: '{{ ansible_lsb.codename }}-backports'
    when: ssl_certs_auto | length > 0 and ansible_lsb.major_release | int == 9
    tags: ['ssl']
  # domains.txt is the list the "missing certificates" task greps later.
  - name: 'Install Lets Encrypt domains configuration for dehydrated)'
    template:
      src: 'dehydrated/domains.j2'
      dest: '/etc/dehydrated/domains.txt'
      owner: 'root'
      group: 'root'
      mode: '0644'
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Holds the per-service hook scripts installed below.
  - name: 'Create dehydrated hooks directory'
    file:
      path: '/etc/dehydrated/hooks'
      state: 'directory'
      owner: 'root'
      group: 'root'
      mode: '0755'
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Drop-in under conf.d enabling hook support; not executable (0644).
  - name: 'Install configuration for hooks support in dehydrated'
    template:
      src: 'dehydrated/config_hooks.sh.j2'
      dest: '/etc/dehydrated/conf.d/hooks.sh'
      owner: 'root'
      group: 'root'
      mode: '0644'
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Main hook script, executable by root only for writing (0755).
  - name: 'Install hook script for dehydrated'
    template:
      src: 'dehydrated/hook.sh.j2'
      dest: '/etc/dehydrated/hook.sh'
      owner: 'root'
      group: 'root'
      mode: '0755'
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # One hook script per service, templated from dehydrated/hooks/<svc>.sh.j2.
  - name: 'Install dehydrated hooks for various services'
    template:
      src: 'dehydrated/hooks/{{ item }}.sh.j2'
      dest: '/etc/dehydrated/hooks/{{ item }}.sh'
      owner: 'root'
      group: 'root'
      mode: '0755'
    with_items: ['nginx', 'apache2']
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Read-only inventory of certificate names present under
  # /var/lib/dehydrated/certs (the 6th path component). Errors (e.g. the
  # directory not existing yet) are tolerated and never count as a change.
  - name: 'List Lets Encrypt SSL installed certificates'
    shell: find /var/lib/dehydrated/certs -iname privkey.pem | cut -d / -f6
    register: ssl_certs_auto_installed
    ignore_errors: true
    changed_when: false
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Emit every domain from domains.txt (first column, comments skipped) that
  # has no privkey.pem yet. A non-empty list counts as a change and notifies
  # the handler named below (the handler itself is defined elsewhere).
  - name: 'List Lets Encrypt SSL certificates to be generated'
    shell: egrep -v '^#' /etc/dehydrated/domains.txt | cut -d ' ' -f 1 | while read c ; do test -f "/var/lib/dehydrated/certs/${c}/privkey.pem" || echo "${c}" ; done
    register: ssl_certs_auto_missing
    ignore_errors: true
    changed_when: ssl_certs_auto_missing.stdout_lines != []
    notify: ['Generate Lets Encrypt SSL certificates']
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Renewal schedule, rendered from cron/letsencrypt.j2 into cron.d.
  - name: 'Install Lets Encrypt cron job'
    template:
      src: 'cron/letsencrypt.j2'
      dest: '/etc/cron.d/letsencrypt-local'
      owner: 'root'
      group: 'root'
      mode: '0644'
    when: ssl_certs_auto | length > 0
    tags: ['ssl']
  # Account registration runs only when the installed dehydrated advertises
  # both --register and --accept-terms in its --help output; otherwise the
  # command is a no-op. Never reported as a change.
  - name: 'Register and accept Lets Encrypt terms of service'
    shell: if dehydrated --help | grep -q -- 'register' && dehydrated --help | grep -q -- 'accept-terms' ; then dehydrated --register --accept-terms ; fi
    changed_when: false
    when: ssl_certs_auto | length > 0
    tags: ['ssl']

  # vim: ft=yaml.ansible