Rotate all keys once a year.

Cleans up the code a bit, I think. Also, why do host keys or account
keys are good for 4 years but the DH parameters are onl good for 4
weeks? Settle on 1 year for all of them.

Ansible/tasks/renew-cert.yaml

@@ -12,6 +12,11 @@
   tags:
     - always
 
+- name: Calculate the time 1 year ago (for regenerating long-term keys)
+  ansible.builtin.set_fact:
+    one_year_ago: |-
+      {{ ansible_facts.date_time.epoch|int - (60*60*24*365) }}
+
 - name: Get account key file stat
   ansible.builtin.stat:
     path: &account_key_src account.key
@@ -23,7 +28,7 @@
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{ account_key_stat.stat.exists and (ansible_facts.date_time.epoch|int - account_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{ account_key_stat.stat.exists and account_key_stat.stat.mtime|int < one_year_ago }}
     # yamllint enable rule:line-length
     mode: 0o0600
     path: *account_key_src
@@ -61,7 +66,7 @@
   community.crypto.openssl_privatekey:
     # yamllint disable rule:line-length
     force: |-
-      {{  host_key_stat.stat.exists and (ansible_facts.date_time.epoch|int - host_key_stat.stat.mtime|int)/(60*60*24*365) >= 4 }}
+      {{  host_key_stat.stat.exists and host_key_stat.stat.mtime|int < one_year_ago }}
     # yamllint enable rule:line-length
     mode: &mode 0o0600
     path: *key_src
@@ -180,7 +185,7 @@
       community.crypto.openssl_dhparam:
         # yamllint disable rule:line-length
         force: |-
-          {{ dhparams_stat.stat.exists and (ansible_facts.date_time.epoch|int - dhparams_stat.stat.mtime|int)/(60*60*24*7) >= 4 }}
+          {{ dhparams_stat.stat.exists and dhparams_stat.stat.mtime|int < one_year_ago }}
         # yamllint enable rule:line-length
         mode: 0o0644
         path: *dhparams