Rotate all keys once a year. (4fed031a) · Commits · shore / homelab

Ansible/tasks/renew-cert.yaml

+8 −3

Original line number	Diff line number	Diff line
		@@ -12,6 +12,11 @@
		tags:
		- always

		- name: Calculate the time 1 year ago (for regenerating long-term keys)
		ansible.builtin.set_fact:
		one_year_ago: \|-
		{{ ansible_facts.date_time.epoch\|int - (606024*365) }}

		- name: Get account key file stat
		ansible.builtin.stat:
		path: &account_key_src account.key
		@@ -23,7 +28,7 @@
		community.crypto.openssl_privatekey:
		# yamllint disable rule:line-length
		force: \|-
		{{ account_key_stat.stat.exists and (ansible_facts.date_time.epoch\|int - account_key_stat.stat.mtime\|int)/(606024*365) >= 4 }}
		{{ account_key_stat.stat.exists and account_key_stat.stat.mtime\|int < one_year_ago }}
		# yamllint enable rule:line-length
		mode: 0o0600
		path: *account_key_src
		@@ -61,7 +66,7 @@
		community.crypto.openssl_privatekey:
		# yamllint disable rule:line-length
		force: \|-
		{{ host_key_stat.stat.exists and (ansible_facts.date_time.epoch\|int - host_key_stat.stat.mtime\|int)/(606024*365) >= 4 }}
		{{ host_key_stat.stat.exists and host_key_stat.stat.mtime\|int < one_year_ago }}
		# yamllint enable rule:line-length
		mode: &mode 0o0600
		path: *key_src
		@@ -180,7 +185,7 @@
		community.crypto.openssl_dhparam:
		# yamllint disable rule:line-length
		force: \|-
		{{ dhparams_stat.stat.exists and (ansible_facts.date_time.epoch\|int - dhparams_stat.stat.mtime\|int)/(606024*7) >= 4 }}
		{{ dhparams_stat.stat.exists and dhparams_stat.stat.mtime\|int < one_year_ago }}
		# yamllint enable rule:line-length
		mode: 0o0644
		path: *dhparams