114 lines
4.4 KiB
YAML

#!/usr/bin/ansible-playbook
# vim:ft=ansible:
---
- name: "Register certificate for {{ website_url }}"
block:
- name: Install SSL-required packages
apt:
name: python3-openssl
- name: Set up PKI filesystem hierarchy
file:
path: "{{ item.dir }}"
mode: "{{ item.mode }}"
owner: root
group: www-data
state: directory
loop:
- { dir: "/etc/pki", mode: "0750" }
- { dir: "/etc/pki/cert", mode: "0750" }
- { dir: "/etc/pki/cert/crt", mode: "0750" }
- { dir: "/etc/pki/cert/csr", mode: "0750" }
- { dir: "/etc/pki/cert/private", mode: "0750" }
- name: Create ACME account key
openssl_privatekey:
path: "/etc/pki/cert/private/account.key"
- name: Create certificate key
openssl_privatekey:
path: "/etc/pki/cert/private/{{ website_url }}.key"
mode: "0750"
- name: Create CSR
openssl_csr:
path: "/etc/pki/cert/csr/{{ website_url }}.csr"
common_name: "{{ website_url }}"
privatekey_path: /etc/pki/cert/private/{{ website_url }}.key
email_address: "rehashedsalt@cock.li"
- name: Create challenge for CSR
acme_certificate:
acme_directory: "{{ acme.directory }}"
acme_version: 2
terms_agreed: yes
account_email: "rehashedsalt@cock.li"
account_key: "/etc/pki/cert/private/account.key"
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
register: com_challenge
- name: Create or renew certificate
block:
- name: Fulfill challenge
block:
- name: Disable website
command:
cmd: "a2dissite {{ website_url }}.conf"
removes: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Create temporary config
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
- name: Create well-known directory
file:
path: "{{ acme.webroot }}/.well-known/acme-challenge"
mode: "0755"
recurse: yes
state: directory
- name: Copy challenge files
copy:
dest: "{{ acme.webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
when: com_challenge['challenge_data']|length > 0
- name: Create certificate
acme_certificate:
acme_directory: "{{ acme.directory }}"
acme_version: 2
account_key: /etc/pki/cert/private/account.key
csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Assign appropriate permissions to certificate
file:
path: "{{ item }}"
owner: root
group: www-data
mode: "0640"
loop:
- "/etc/pki/cert/crt/{{ website_url }}.crt"
- "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
- "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
- name: Clean up fulfillment
block:
- name: Remove webroot
file:
path: "{{ acme.webroot }}/.well-known/acme-challenge"
state: absent
- name: Remove temporary config
file:
path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
state: absent
- name: Restore original config
command:
cmd: "a2ensite {{ website_url }}.conf"
creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
when: com_challenge['challenge_data']|length > 0
- name: Reload Apache
service:
name: apache2
state: reloaded
when: com_challenge is changed
become: yes