diff --git a/renew-certs.yml b/renew-certs.yaml similarity index 56% rename from renew-certs.yml rename to renew-certs.yaml index b1dd319341c6efc6227ac99ac8287e632f939208..464413869a4640ddc38df8e2c329680288a71fa3 100644 --- a/renew-certs.yml +++ b/renew-certs.yaml @@ -6,44 +6,41 @@ become: false gather_facts: false vars: - email: nimrod@shore.co.il + email: hostmaster@shore.co.il acme_directory: https://acme-v02.api.letsencrypt.org/directory # acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory acme_version: 2 handlers: - - name: Restart Nginx - delegate_to: host01.shore.co.il + - name: Restart Nginx on host01 + delegate_to: host01 + command: docker restart web-proxy_proxy_1 + + - name: Restart Nginx on ns4 + delegate_to: ns4 command: docker restart web-proxy_proxy_1 - name: Reload Exim - delegate_to: host01.shore.co.il + delegate_to: host01 command: docker kill --signal SIGHUP mail_smtp_1 - name: Reload Dovecot - delegate_to: host01.shore.co.il + delegate_to: host01 command: docker kill --signal SIGHUP mail_imap_1 tasks: - - name: Create SSL directory on the server - delegate_to: host01.shore.co.il - file: - group: root - mode: 0o0755 - owner: root - path: /var/ssl - state: directory - - name: Generate account key - openssl_privatekey: + community.crypto.openssl_privatekey: mode: 0o0600 path: &account_key_src account.key size: 4096 state: present type: RSA + tags: + - always - name: Register account - acme_account: + community.crypto.acme_account: account_key_src: *account_key_src acme_directory: |- {{ acme_directory }} 
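Review bot: Dropping the `Create SSL directory on the server` task leaves nothing in this play that creates `/var/ssl` on ns4, which the site key/cert copy (hunk @@ -145) and the ns4 dhparam task (hunk @@ -290) write into. The removed task pinned `owner: root`, `group: root`, `mode: 0o0755`; if the directory is not provisioned elsewhere, a fresh ns4 gets whatever the copy module creates implicitly, with umask-derived permissions rather than a deliberate mode, and the dhparam module may simply fail on a missing parent. I would keep the task and run it once per target, e.g. `delegate_to: "{{ item }}"` with `loop: [host01, ns4]` and the same `file:` arguments, so both hosts get the same root-owned, non-writable directory before any key lands in it.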
@@ -54,34 +51,40 @@ select_crypto_backend: &crypto_backend cryptography state: present terms_agreed: true + tags: + - always - name: Generate site key - openssl_privatekey: + community.crypto.openssl_privatekey: mode: &mode 0o0600 path: &site_key_src |- {{ playbook_dir }}/site.key size: &size 4096 state: present type: &type RSA + tags: + - ns4 - name: Generate site certificate signing request - openssl_csr: - common_name: &common_name shore.co.il + community.crypto.openssl_csr: + common_name: ns4.shore.co.il country_name: &country_name IL digest: &digest sha256 email_address: |- {{ email }} - locality_name: &locality_name Haifa + locality_name: &locality_name Israel organization_name: &organization_name Shore technologies path: &site_csr_src site.csr privatekey_path: *site_key_src state: present subject_alt_name: |- - DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il + DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il register: acme_site_csr + tags: + - ns4 - name: Create site challenge - acme_certificate: + community.crypto.acme_certificate: account_email: |- {{ email }} account_key_src: *account_key_src @@ -96,25 +99,31 @@ remaining_days: 35 select_crypto_backend: *crypto_backend register: acme_site_challenge + tags: + - ns4 - name: Debug site challenge debug: var: acme_site_challenge verbosity: 1 + tags: + - ns4 - name: Renew site cert - when: acme_site_challenge is changed or acme_site_csr is changed + when: acme_site_challenge is changed + tags: + - ns4 block: - name: Create ACME challenge directory - delegate_to: host01.shore.co.il + delegate_to: ns4 become: true file: path: /var/www/www.shore.co.il/.well-known/acme-challenge state: directory - name: Copy http-01 site challenge - delegate_to: host01.shore.co.il + delegate_to: ns4 become: true with_dict: | {{ acme_site_challenge['challenge_data'] }} 
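Review bot: The site CSR's `common_name` is changed to `ns4.shore.co.il`, but `subject_alt_name` now lists only `DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il`, so the CN is not covered by any SAN. Modern TLS clients validate the SAN list and ignore the CN, and whether the CA folds the CN into the issued SAN set is not something to rely on; if `ns4.shore.co.il` is meant to be served by this certificate, add it explicitly: `DNS:ns4.shore.co.il,DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il`, otherwise the CN is only a label and the mismatch is cosmetic. Separately, `locality_name: &locality_name Israel` puts a country into the locality (L) field while `country_name` already carries `IL`; the `&locality_name` anchor is reused by the host and mail CSRs, so the same value lands in all three subjects.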
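Review bot: `when: acme_site_challenge is changed` drops the `or acme_site_csr is changed` clause, so a CSR change alone no longer enters the renew block; the same edit appears in hunk @@ -207 for the mail certificate. Whether that is safe depends on `community.crypto.acme_certificate` reporting changed for a certificate that still has more than `remaining_days: 35` left but no longer matches the CSR — if it only looks at remaining days, the SAN edit in this very commit would not reach the ns4 certificate until it nears expiry. If that is intended, a short comment on the `when:` line saying so would spare the next reader the same question; otherwise keep the original condition, or set `force: true` on the challenge task when `acme_site_csr is changed`. The `Renew site cert` block continues past the end of this hunk.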
@@ -128,7 +137,7 @@ owner: root - name: Validate site challenge - acme_certificate: + community.crypto.acme_certificate: account_email: |- {{ email }} account_key_src: *account_key_src @@ -145,7 +154,7 @@ select_crypto_backend: *crypto_backend - name: Copy site key, certificate to server - delegate_to: host01.shore.co.il + delegate_to: ns4 become: true with_items: - src: *site_key_src 
@@ -164,19 +173,146 @@ owner: root group: root notify: - - Restart Nginx + - Restart Nginx on ns4 + tags: + - ns4 + + - name: Generate host key + community.crypto.openssl_privatekey: + mode: *mode + path: &host_key_src |- + {{ playbook_dir }}/host.key + size: *size + state: present + type: *type + tags: + - host01 + + - name: Generate host certificate signing request + community.crypto.openssl_csr: + common_name: ns1.shore.co.il + country_name: *country_name + digest: *digest + email_address: |- + {{ email }} + locality_name: *locality_name + organization_name: *organization_name + path: &host_csr_src host.csr + privatekey_path: *host_key_src + state: present + subject_alt_name: |- + DNS:shore.co.il,DNS:www.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il + register: acme_host_csr + tags: + - host01 + + - name: Create host challenge + community.crypto.acme_certificate: + account_email: |- + {{ email }} + account_key_src: *account_key_src + acme_directory: |- + {{ acme_directory }} + acme_version: | + {{ acme_version }} + csr: *host_csr_src + fullchain_dest: &host_cert_src |- + {{ playbook_dir }}/host.crt + modify_account: false + remaining_days: 35 + select_crypto_backend: *crypto_backend + register: acme_host_challenge + tags: + - host01 + + - name: Debug host challenge + debug: + var: acme_host_challenge + verbosity: 1 + tags: + - host01 + + - name: Renew host cert + when: acme_host_challenge is changed + tags: + - host01 + block: + + - name: Create ACME challenge directory + delegate_to: host01 + become: true + file: + path: /var/www/www.shore.co.il/.well-known/acme-challenge + state: directory + + - name: Copy http-01 host challenge + delegate_to: host01 + become: true + with_dict: | + {{ acme_host_challenge['challenge_data'] }} + copy: + content: |- + {{ item.value['http-01']['resource_value'] }} + # yamllint disable-line rule:line-length + dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }} + group: www-data + mode: 0o0644 + owner: 
root + + - name: Validate host challenge + community.crypto.acme_certificate: + account_email: |- + {{ email }} + account_key_src: *account_key_src + acme_directory: |- + {{ acme_directory }} + acme_version: | + {{ acme_version }} + challenge: http-01 + csr: *host_csr_src + data: "{{ acme_host_challenge }}" + fullchain_dest: *host_cert_src + modify_account: false + remaining_days: 35 + select_crypto_backend: *crypto_backend + + - name: Copy host key, certificate to server + delegate_to: host01 + become: true + with_items: + - src: *host_key_src + dest: /var/ssl/site.key + mode: 0o0444 + - src: *host_cert_src + dest: /var/ssl/site.crt + mode: 0o0444 + copy: + src: |- + {{ item.src }} + dest: |- + {{ item.dest }} + mode: |- + {{ item.mode }} + owner: root + group: root + notify: + - Restart Nginx on host01 + tags: + - mail - name: Generate mail key - openssl_privatekey: + community.crypto.openssl_privatekey: mode: *mode path: &mail_key_src |- {{ playbook_dir }}/mail.key size: *size state: present type: *type + tags: + - mail - name: Generate mail certificate signing request - openssl_csr: + community.crypto.openssl_csr: common_name: smtp.shore.co.il country_name: *country_name digest: *digest @@ -190,9 +326,11 @@ subject_alt_name: |- DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il register: acme_mail_csr + tags: + - mail - name: Create mail challenge - acme_certificate: + community.crypto.acme_certificate: account_email: |- {{ email }} account_key_src: *account_key_src 
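Review bot: `Copy host key, certificate to server` installs the private key at `/var/ssl/site.key` with `mode: 0o0444`, which makes it readable by every local account on host01; a private key should be `0o0400`, or `0o0440` with a dedicated group if a non-root nginx process must read it. The same task is tagged `mail` while every other host-certificate task in this hunk is tagged `host01`, so `--tags host01` would renew the certificate but never copy it or notify `Restart Nginx on host01`, and `--tags mail` would copy whatever `host.key`/`host.crt` happen to sit in `playbook_dir`; the tag should be `host01`. The host CSR also sets `common_name: ns1.shore.co.il` with a `subject_alt_name` that does not include it, the same concern as the site CSR in hunk @@ -54. The `Generate mail certificate signing request` task that starts at the end of this hunk continues outside it.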
@@ -207,25 +345,31 @@ remaining_days: 35 select_crypto_backend: *crypto_backend register: acme_mail_challenge + tags: + - mail - name: Debug mail challenge debug: var: acme_mail_challenge verbosity: 1 + tags: + - mail - name: Renew mail cert - when: acme_mail_challenge is changed or acme_mail_csr is changed + when: acme_mail_challenge is changed + tags: + - mail block: - name: Create ACME challenge directory - delegate_to: host01.shore.co.il + delegate_to: host01 become: true file: path: /var/www/mail.shore.co.il/.well-known/acme-challenge state: directory - name: Copy http-01 mail challenge - delegate_to: host01.shore.co.il + delegate_to: host01 become: true with_dict: | {{ acme_mail_challenge['challenge_data'] }} @@ -239,7 +383,7 @@ owner: root - name: Validate mail challenge - acme_certificate: + community.crypto.acme_certificate: account_email: |- {{ email }} account_key_src: *account_key_src @@ -256,7 +400,7 @@ select_crypto_backend: *crypto_backend - name: Copy mail key, certificate to server - delegate_to: host01.shore.co.il + delegate_to: host01 become: true with_items: - src: *mail_key_src @@ -277,12 +421,14 @@ notify: - Reload Dovecot - Reload Exim - - Restart Nginx + - Restart Nginx on host01 + tags: + - mail - - name: Generate Diffie-Hellman parameters + - name: Generate Diffie-Hellman parameters on host01 become: true - delegate_to: host01.shore.co.il - openssl_dhparam: + delegate_to: host01 + community.crypto.openssl_dhparam: force: true mode: 0o0644 path: /var/ssl/dhparams @@ -290,4 +436,21 @@ state: present notify: - Reload Dovecot - - Restart Nginx + - Restart Nginx on host01 + tags: + - mail + - host01 + + - name: Generate Diffie-Hellman parameters on ns4 + become: true + delegate_to: host01 + community.crypto.openssl_dhparam: + force: true + mode: 0o0644 + path: /var/ssl/dhparams + size: 4096 + state: present + notify: + - Restart Nginx on ns4 + tags: + - ns4
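Review bot: `Generate Diffie-Hellman parameters on ns4` is delegated to `host01`, not `ns4`, so it regenerates `/var/ssl/dhparams` on host01 a second time (both tasks set `force: true`) and then notifies `Restart Nginx on ns4`, while ns4 never receives a dhparams file. The task name, its `ns4` tag and its handler all point at ns4, so this reads as a copy-paste slip; change `delegate_to: host01` to `delegate_to: ns4`. With `force: true` and `size: 4096`, each run also pays for a fresh 4096-bit parameter generation on every host; dropping `force: true` would let the module keep an existing file of the right size, though that is pre-existing behaviour inherited from the host01 task.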