Commit 08422585 authored by nimrod's avatar nimrod
Browse files

Recreate private keys every year.

The Let's Encrypt account key as well as the hosts' private keys.
parent 4fc0ce86
Loading
Loading
Loading
Loading
Loading
+26 −3
Original line number Diff line number Diff line
@@ -5,10 +5,24 @@
      - domains is iterable
      - host is string

- name: Gather facts
  ansible.builtin.setup:
    gather_subset:
      - date_time

- name: Get account key file stat
  ansible.builtin.stat:
    path: &account_key_src account.key
  register: account_key_stat

- name: Generate account key
  community.crypto.openssl_privatekey:
    # yamllint disable rule:line-length
    force: |-
      {{ (ansible_date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
    # yamllint enable rule:line-length
    mode: 0o0600
    path: &account_key_src account.key
    path: *account_key_src
    size: 4096
    state: present
    type: RSA
@@ -33,11 +47,20 @@
  tags:
    - always

- name: Get host key file stat
  ansible.builtin.stat:
    path: &key_src |-
        {{ playbook_dir }}/{{ host }}.key
  register: host_key_stat

- name: Generate {{ host }} key
  community.crypto.openssl_privatekey:
    # yamllint disable rule:line-length
    force: |-
      {{ (ansible_date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
    # yamllint enable rule:line-length
    mode: &mode 0o0600
    path: &key_src |-
        {{ playbook_dir }}/{{ host }}.key
    path: *key_src
    size: &size 4096
    state: present
    type: &type RSA