Recreate private keys every year.

The Let's Encrypt account key as well as the hosts' private keys.

Recreate private keys every year.
08422585 · nimrod · 4fc0ce86 · 08422585
Commit 08422585 authored 4 years ago by nimrod
--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
@@ -5,10 +5,24 @@
      - domains is iterable
      - host is string

+- name: Gather facts
+  ansible.builtin.setup:
+    gather_subset:
+      - date_time
+
+- name: Get account key file stat
+  ansible.builtin.stat:
+    path: &account_key_src account.key
+  register: account_key_stat
+
 - name: Generate account key
  community.crypto.openssl_privatekey:
+    # yamllint disable rule:line-length
+    force: |-
+      {{ (ansible_date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+    # yamllint enable rule:line-length
    mode: 0o0600
-    path: &account_key_src account.key
+    path: *account_key_src
    size: 4096
    state: present
    type: RSA
@@ -33,11 +47,20 @@
  tags:
    - always

+- name: Get host key file stat
+  ansible.builtin.stat:
+    path: &key_src |-
+        {{ playbook_dir }}/{{ host }}.key
+  register: host_key_stat
+
 - name: Generate {{ host }} key
  community.crypto.openssl_privatekey:
+    # yamllint disable rule:line-length
+    force: |-
+      {{ (ansible_date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+    # yamllint enable rule:line-length
    mode: &mode 0o0600
-    path: &key_src |-
-        {{ playbook_dir }}/{{ host }}.key
+    path: *key_src
    size: &size 4096
    state: present
    type: &type RSA