Renew certs playbook improvements.

- Store the list of domains as a list, generate the SAN in the tasks file. - Validate variables in the tasks files. - Default to an empty list of handlers. - Define the email address just once.

Renew certs playbook improvements.
66a865d6 · nimrod · 3a58bfaa · 66a865d6 · 66a865d6
Commit 66a865d6 authored 4 years ago by nimrod
--- a/renew-certs.yaml
+++ b/renew-certs.yaml
@@ -32,11 +32,16 @@
            - ns4
        file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
      vars:
+        domains:
+          - autoconfig.shore.co.il
+          - myip.shore.co.il
+          - ns4.shore.co.il
+          - registry.shore.co.il
+          - shore.co.il
+          - www.shore.co.il
        handlers:
          - Restart Nginx on ns4
        host: ns4
-        subject_alt_name: |-
-          DNS:ns4.shore.co.il,DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il,DNS:www.shore.co.il,DNS:shore.co.il,DNS:myip.shore.co.il
      tags:
        - ns4
@@ -47,11 +52,16 @@
            - host01
        file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
      vars:
+        domains:
+          - code.shore.co.il
+          - git.shore.co.il
+          - lam.shore.co.il
+          - nextcloud.shore.co.il
+          - ns1.shore.co.il
+          - vouch.shore.co.il
        handlers:
          - Restart Nginx on host01
        host: host01
-        subject_alt_name: |-
-          DNS:ns1.shore.co.il,DNS:lam.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:code.shore.co.il,DNS:vouch.shore.co.il
      tags:
        - host01
@@ -63,13 +73,15 @@
        file: '{{ playbook_dir }}/tasks/renew-cert.yaml'
      vars:
        delegate_host: host01
+        domains:
+          - imap.shore.co.il
+          - mta-sts.shore.co.il
+          - smtp.shore.co.il
        filename: mail
        handlers:
          - Reload Dovecot
          - Reload Exim
          - Restart Nginx on host01
        host: mail
-        subject_alt_name: |-
-            DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
      tags:
        - smtp
--- a/tasks/renew-cert.yaml
+++ b/tasks/renew-cert.yaml
 ---
+- name: Validate assertions
+  assert:
+    that:
+      - domains is iterable
+      - host is string
 - name: Generate account key
  community.crypto.openssl_privatekey:
    mode: 0o0600
@@ -18,10 +24,12 @@
    #   https://acme-staging-v02.api.letsencrypt.org/directory
    acme_version: &acme_version 2
    contact:
-      - mailto:hostmaster@shore.co.il
+      - mailto:{{ email }}
    select_crypto_backend: &crypto_backend cryptography
    state: present
    terms_agreed: true
+  vars:
+    email: &email hostmaster@shore.co.il
  tags:
    - always
@@ -38,13 +46,13 @@
  community.crypto.openssl_csr:
    country_name: &country_name IL
    digest: &digest sha256
-    email_address: &email hostmaster@shore.co.il
+    email_address: *email
    locality_name: &locality_name Israel
    organization_name: &organization_name Shore technologies
    path: &csr_src '{{ host }}.csr'
    privatekey_path: *key_src
    state: present
-    subject_alt_name: '{{ subject_alt_name }}'
+    subject_alt_name: 'DNS:{{ domains|join(",DNS:") }}'
  register: acme_csr
 - name: Create {{ host }} challenge
@@ -122,7 +130,7 @@
        {{ item.mode }}
    owner: root
    group: root
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
 - name: Generate Diffie-Hellman parameters on {{ host }}
  delegate_to: *delegate_to
@@ -132,6 +140,6 @@
    path: /var/ssl/dhparams
    size: 4096
    state: present
-  notify: '{{ handlers }}'
+  notify: '{{ handlers|default([]) }}'
  tags:
    - dhparams