Commit 66a865d6 authored by nimrod

Renew certs playbook improvements.

- Store the domains as a list and generate the SAN in the tasks file.
- Validate variables in the tasks files.
- Default to an empty list of handlers.
- Define the email address just once.
parent 3a58bfaa
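--- a/<playbook path — not shown on page>
+++ b/<playbook path — not shown on page>
@@ -32,11 +32,16 @@
             - ns4
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
+        domains:
+          - autoconfig.shore.co.il
+          - myip.shore.co.il
+          - ns4.shore.co.il
+          - registry.shore.co.il
+          - shore.co.il
+          - www.shore.co.il
         handlers:
           - Restart Nginx on ns4
         host: ns4
-        subject_alt_name: |-
-          DNS:ns4.shore.co.il,DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il,DNS:www.shore.co.il,DNS:shore.co.il,DNS:myip.shore.co.il
       tags:
         - ns4
 
@@ -47,11 +52,16 @@
             - host01
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
+        domains:
+          - code.shore.co.il
+          - git.shore.co.il
+          - lam.shore.co.il
+          - nextcloud.shore.co.il
+          - ns1.shore.co.il
+          - vouch.shore.co.il
         handlers:
           - Restart Nginx on host01
         host: host01
-        subject_alt_name: |-
-          DNS:ns1.shore.co.il,DNS:lam.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:code.shore.co.il,DNS:vouch.shore.co.il
       tags:
         - host01
 
@@ -63,13 +73,15 @@
         file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
       vars:
         delegate_host: host01
+        domains:
+          - imap.shore.co.il
+          - mta-sts.shore.co.il
+          - smtp.shore.co.il
         filename: mail
         handlers:
           - Reload Dovecot
           - Reload Exim
           - Restart Nginx on host01
         host: mail
-        subject_alt_name: |-
-            DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
       tags:
         - smtp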
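Review bot: Switching to the alphabetically sorted `domains` lists changes the order of the generated SAN string in all three plays; the ns4 play, for example, previously listed `DNS:ns4.shore.co.il` first and now starts with `DNS:autoconfig.shore.co.il`. The set of names per play is unchanged, so issuance itself should not be affected, but if anything downstream derives a common name or display name from the first SAN entry (not visible in this section) it will change on the next renewal. A one-line comment above each list, `# the SAN is generated from this list by tasks/renew-cert.yaml`, would make the new coupling between the play vars and the tasks file explicit to whoever edits these lists next.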
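--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
@@ -1,4 +1,10 @@
 ---
+- name: Validate assertions
+  assert:
+    that:
+      - domains is iterable
+      - host is string
+
 - name: Generate account key
   community.crypto.openssl_privatekey:
     mode: 0o0600
@@ -18,10 +24,12 @@
     #   https://acme-staging-v02.api.letsencrypt.org/directory
     acme_version: &acme_version 2
     contact:
-      - mailto:hostmaster@shore.co.il
+      - mailto:{{ email }}
     select_crypto_backend: &crypto_backend cryptography
     state: present
     terms_agreed: true
+  vars:
+    email: &email hostmaster@shore.co.il
   tags:
     - always
 
@@ -38,13 +46,13 @@
   community.crypto.openssl_csr:
     country_name: &country_name IL
     digest: &digest sha256
-    email_address: &email hostmaster@shore.co.il
+    email_address: *email
     locality_name: &locality_name Israel
     organization_name: &organization_name Shore technologies
     path: &csr_src '{{ host }}.csr'
     privatekey_path: *key_src
     state: present
-    subject_alt_name: '{{ subject_alt_name }}'
+    subject_alt_name: 'DNS:{{ domains|join(",DNS:") }}'
   register: acme_csr
 
 - name: Create {{ host }} challenge
@@ -122,7 +130,7 @@
         {{ item.mode }}
     owner: root
     group: root
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
 
 - name: Generate Diffie-Hellman parameters on {{ host }}
   delegate_to: *delegate_to
@@ -132,6 +140,6 @@
     path: /var/ssl/dhparams
     size: 4096
     state: present
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
   tags:
     - dhparams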
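Review bot: The `domains is iterable` condition in the new `Validate assertions` task at the top of the file accepts a plain string, since Jinja strings are iterable, so a play that sets `domains: shore.co.il` passes validation and the new `subject_alt_name: 'DNS:{{ domains|join(",DNS:") }}'` in the CSR task renders one `DNS:` entry per character. An empty list also passes and produces the bare value `DNS:`. Tightening the entry to `- domains is sequence and domains is not string and domains | length > 0` catches both before the account key and CSR tasks that follow run. Because `host` is interpolated into file paths (`path: &csr_src '{{ host }}.csr'`), a shape check such as `- host is match('^[A-Za-z0-9.-]+$')` in the same `that` list would be a cheap addition, and a `fail_msg` naming the offending variable would make a failed assertion self-explanatory.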