75 lines
2.7 KiB
YAML
75 lines
2.7 KiB
YAML
|
#!/usr/bin/ansible-playbook
|
||
|
# vim:ft=ansible:
|
||
|
---
|
||
|
- name: "Register certificate for {{ website_url }}"
|
||
|
block:
|
||
|
- name: Set up PKI filesystem hierarchy
|
||
|
file:
|
||
|
path: "{{ item.dir }}"
|
||
|
mode: "{{ item.mode }}"
|
||
|
recurse: yes
|
||
|
owner: root
|
||
|
group: www-data
|
||
|
state: directory
|
||
|
loop:
|
||
|
- { dir: "/etc/pki", mode: "0750" }
|
||
|
- { dir: "/etc/pki/cert", mode: "0750" }
|
||
|
- { dir: "/etc/pki/cert/crt", mode: "0750" }
|
||
|
- { dir: "/etc/pki/cert/csr", mode: "0750" }
|
||
|
- { dir: "/etc/pki/cert/private", mode: "0750" }
|
||
|
- name: Create ACME account key
|
||
|
openssl_privatekey:
|
||
|
path: "/etc/pki/cert/private/account.key"
|
||
|
- name: Create certificate key
|
||
|
openssl_privatekey:
|
||
|
path: "/etc/pki/cert/private/{{ website_url }}.key"
|
||
|
- name: Create CSR
|
||
|
openssl_csr:
|
||
|
path: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||
|
common_name: "{{ website_url }}"
|
||
|
privatekey_path: /etc/pki/cert/private/{{ website_url }}.key
|
||
|
email_address: "rehashedsalt@cock.li"
|
||
|
- name: Create challenge for CSR
|
||
|
acme_certificate:
|
||
|
acme_directory: "{{ acme_directory }}"
|
||
|
acme_version: 2
|
||
|
terms_agreed: yes
|
||
|
account_email: "rehashedsalt@cock.li"
|
||
|
account_key: "/etc/pki/cert/private/account.key"
|
||
|
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||
|
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
|
||
|
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
|
||
|
register: com_challenge
|
||
|
- name: Fulfill challenge
|
||
|
block:
|
||
|
- name: Reload Apache
|
||
|
service:
|
||
|
name: apache2
|
||
|
state: reloaded
|
||
|
- name: Create well-known directory
|
||
|
file:
|
||
|
path: "{{ website_webroot }}/.well-known/acme-challenge"
|
||
|
mode: "0755"
|
||
|
recurse: yes
|
||
|
state: directory
|
||
|
- name: Copy challenge files
|
||
|
copy:
|
||
|
dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
|
||
|
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
|
||
|
- name: Create certificate
|
||
|
acme_certificate:
|
||
|
acme_directory: "{{ acme_directory }}"
|
||
|
acme_version: 2
|
||
|
account_key: /etc/pki/cert/private/account.key
|
||
|
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
|
||
|
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
|
||
|
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
|
||
|
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
|
||
|
data: "{{ com_challenge }}"
|
||
|
- name: Clean up
|
||
|
file:
|
||
|
path: "{{ website_webroot }}/.well-known"
|
||
|
state: absent
|
||
|
when: com_challenge is changed
|
||
|
become: yes
|