Maybe set up PKI fully? Probably not

This commit is contained in:
Salt 2020-02-05 21:06:44 -06:00
parent 02e5164eed
commit 2437728f94


@ -45,34 +45,46 @@
loop: loop:
- { dir: "/etc/pki", mode: "0600" } - { dir: "/etc/pki", mode: "0600" }
- { dir: "/etc/pki/cert", mode: "0600" } - { dir: "/etc/pki/cert", mode: "0600" }
- { dir: "/etc/pki/cert/crt", mode: "0600" }
- { dir: "/etc/pki/cert/csr", mode: "0600" } - { dir: "/etc/pki/cert/csr", mode: "0600" }
- { dir: "/etc/pki/cert/fullchain", mode: "0600" }
- { dir: "/etc/pki/cert/private", mode: "0600" } - { dir: "/etc/pki/cert/private", mode: "0600" }
- { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" } - { dir: "/etc/pki/cert/challenge/{{ website_url }}", mode: "0600" }
- name: Create ACME account key - name: Create ACME account key
openssl_privatekey: openssl_privatekey:
path: "/etc/pki/cert/private/account.key" path: "/etc/pki/cert/private/account.key"
size: 4096 size: 4096
- name: Register ACME account - name: Create certificate key
acme_account: openssl_privatekey:
account_key: "/etc/pki/cert/private/account.key" path: "/etc/pki/cert/private/{{ website_url }}.key"
acme_directory: "{{ acme_directory }}" size: 4096
acme_version: "{{ acme_version }}"
terms_agreed: yes
- name: Create CSR - name: Create CSR
openssl_csr: openssl_csr:
path: "/etc/pki/cert/csr/{{ website_url }}.csr" path: "/etc/pki/cert/csr/{{ website_url }}.csr"
common_name: "{{ website_url }}" common_name: "{{ website_url }}"
privatekey_path: /etc/pki/cert/private/account.key privatekey_path: /etc/pki/cert/private/account.key
email_address: "rehashedsalt@cock.li" email_address: "rehashedsalt@cock.li"
- name: Register LE cert - name: Create challenge for CSR
acme_certificate: acme_certificate:
acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory" acme_directory: "https://acme-staging-v02.api.letsencrypt.org/directory"
acme_version: 2 acme_version: 2
terms_agreed: yes terms_agreed: yes
account_email: "rehashedsalt@cock.li" account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
register: com_challenge
- name: Fulfill challenge
copy:
dest: "/var/www/html/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
when: com_challenge is changed
- name: Create certificate
acme_certificate:
account_key: /etc/pki/cert/private/account.key account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ website_url }}.csr" csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/{{ website_url }}.crt" dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/fullchain/{{ website_url }}.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}"
become: true become: true
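Review bot: The "Create CSR" task still signs the request with the ACME account key (`privatekey_path: /etc/pki/cert/private/account.key`) even though the new "Create certificate key" task now generates `/etc/pki/cert/private/{{ website_url }}.key`, so the key that ends up in the TLS certificate is the account key; RFC 8555 requires the account and certificate keys to be distinct and Let's Encrypt rejects such a CSR, and reusing the key also ties the web server's private key to account control. The fix is one line: `privatekey_path: "/etc/pki/cert/private/{{ website_url }}.key"`. The second acme_certificate task ("Create certificate") omits acme_directory, acme_version, terms_agreed and account_email, so it falls back to module defaults that presumably do not match the v2 staging endpoint hardcoded in the first call; both calls should carry the same directory settings, ideally via the `{{ acme_directory }}`/`{{ acme_version }}` variables the removed acme_account task used, since a literal staging directory yields untrusted certificates. Style: `terms_agreed: yes` should be `terms_agreed: true`, and `mode: "0600"` on directories (including the new crt entry) denies traversal to any non-root reader, so `"0700"` is the conventional value there.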