From 4fed031ae5dc809e025bf2d31fa6e94e17837920 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 1 Jan 2022 13:11:28 +0200
Subject: [PATCH] Rotate all keys once a year.

Cleans up the code a bit, I think. Also, why are host keys or account
keys good for 4 years but the DH parameters only good for 4
weeks? Settle on 1 year for all of them.
---
 Ansible/tasks/renew-cert.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/Ansible/tasks/renew-cert.yaml b/Ansible/tasks/renew-cert.yaml
index c8f15f8..00bf385 100644
--- a/Ansible/tasks/renew-cert.yaml
+++ b/Ansible/tasks/renew-cert.yaml
@@ -12,6 +12,11 @@
   tags:
     - always
 
+- name: Calculate the time 1 year ago (for regenerating long-term keys)
+  ansible.builtin.set_fact:
+    one_year_ago: |-
+      {{ ansible_facts.date_time.epoch|int - (60*60*24*365) }}
+
 - name: Get account key file stat
   ansible.builtin.stat:
     path: &account_key_src account.key
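Review bot: The new set_fact task gives no hint of the unit or the consumer of `one_year_ago`, and a reader has to find the three `force:` expressions further down to learn that it is an epoch-seconds cutoff compared against `stat.mtime`. A one-line comment above the key would make that explicit, e.g. `# epoch seconds (365-day year); keys below are regenerated when their mtime is older than this`. The expression also depends on `ansible_facts.date_time.epoch`, so the play must gather facts before this task, as the previous `force:` expressions presumably already required.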
@@ -23,7 +28,7 @@
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{ account_key_stat.stat.exists and (ansible_facts.date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{ account_key_stat.stat.exists and account_key_stat.stat.mtime|int < one_year_ago }}
     # yamllint enable rule:line-length
     mode: 0o0600
     path: *account_key_src
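Review bot: The new comparison `account_key_stat.stat.mtime|int < one_year_ago` casts only the left operand; `one_year_ago` is a fact set from a templated block scalar, and whether it arrives as an int or as the string "1609...") depends on Ansible's result conversion (and on whether jinja2 native types are enabled), so on a string it would raise a TypeError in the Jinja comparison rather than silently misbehave. Cast the fact at the point of use, `{{ account_key_stat.stat.exists and account_key_stat.stat.mtime|int < one_year_ago|int }}`, and apply the same to the host-key hunk at `@@ -61,7 +66,7 @@` and the dhparam hunk at `@@ -180,7 +185,7 @@`. The host-key line also keeps the pre-existing double space in `{{  host_key_stat`, which could be normalised while the line is being touched. The `openssl_privatekey` task that this `force:` belongs to starts before the hunk, so its `name`/`when` conditions are not visible here.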
@@ -61,7 +66,7 @@
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{  host_key_stat.stat.exists and (ansible_facts.date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{  host_key_stat.stat.exists and host_key_stat.stat.mtime|int < one_year_ago }}
     # yamllint enable rule:line-length
     mode: &mode 0o0600
     path: *key_src
@@ -180,7 +185,7 @@
       community.crypto.openssl_dhparam:
         # yamllint disable rule:line-length
         force: |-
-          {{ dhparams_stat.stat.exists and (ansible_facts.date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 4 }}
+          {{ dhparams_stat.stat.exists and dhparams_stat.stat.mtime|int < one_year_ago }}
         # yamllint enable rule:line-length
         mode: 0o0644
         path: *dhparams
-- 
GitLab