From fc872c9b2680143e866b9c43d80ffeec2350a3a8 Mon Sep 17 00:00:00 2001
From: Adar Nimrod <nimrod@shore.co.il>
Date: Sat, 16 Jan 2021 13:31:25 +0200
Subject: [PATCH] Renew certs on ns4.

- Renew the certs for the hosts on ns4.
- Silence a few warnings from Ansible.
- Rely on debian_server for bootstrapping.
- Tag tasks for specific hosts.
---
 renew-certs.yml => renew-certs.yaml | 245 +++++++++++++++++++++++-----
 1 file changed, 204 insertions(+), 41 deletions(-)
 rename renew-certs.yml => renew-certs.yaml (56%)

diff --git a/renew-certs.yml b/renew-certs.yaml
similarity index 56%
rename from renew-certs.yml
rename to renew-certs.yaml
index b1dd319..4644138 100644
--- a/renew-certs.yml
+++ b/renew-certs.yaml
@@ -6,44 +6,41 @@
   become: false
   gather_facts: false
   vars:
-    email: nimrod@shore.co.il
+    email: hostmaster@shore.co.il
     acme_directory: https://acme-v02.api.letsencrypt.org/directory
     # acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
     acme_version: 2
 
   handlers:
-    - name: Restart Nginx
-      delegate_to: host01.shore.co.il
+    - name: Restart Nginx on host01
+      delegate_to: host01
+      command: docker restart web-proxy_proxy_1
+
+    - name: Restart Nginx on ns4
+      delegate_to: ns4
       command: docker restart web-proxy_proxy_1
 
     - name: Reload Exim
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       command: docker kill --signal SIGHUP mail_smtp_1
 
     - name: Reload Dovecot
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       command: docker kill --signal SIGHUP mail_imap_1
 
   tasks:
-    - name: Create SSL directory on the server
-      delegate_to: host01.shore.co.il
-      file:
-        group: root
-        mode: 0o0755
-        owner: root
-        path: /var/ssl
-        state: directory
-
     - name: Generate account key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: 0o0600
         path: &account_key_src account.key
         size: 4096
         state: present
         type: RSA
+      tags:
+        - always
 
     - name: Register account
-      acme_account:
+      community.crypto.acme_account:
         account_key_src: *account_key_src
         acme_directory: |-
             {{ acme_directory }}
@@ -54,34 +51,40 @@
         select_crypto_backend: &crypto_backend cryptography
         state: present
         terms_agreed: true
+      tags:
+        - always
 
     - name: Generate site key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: &mode 0o0600
         path: &site_key_src |-
             {{ playbook_dir }}/site.key
         size: &size 4096
         state: present
         type: &type RSA
+      tags:
+        - ns4
 
     - name: Generate site certificate signing request
-      openssl_csr:
-        common_name: &common_name shore.co.il
+      community.crypto.openssl_csr:
+        common_name: ns4.shore.co.il
         country_name: &country_name IL
         digest: &digest sha256
         email_address: |-
             {{ email }}
-        locality_name: &locality_name Haifa
+        locality_name: &locality_name Israel
         organization_name: &organization_name Shore technologies
         path: &site_csr_src site.csr
         privatekey_path: *site_key_src
         state: present
         subject_alt_name: |-
-            DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il
+            DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il
       register: acme_site_csr
+      tags:
+        - ns4
 
     - name: Create site challenge
-      acme_certificate:
+      community.crypto.acme_certificate:
         account_email: |-
             {{ email }}
         account_key_src: *account_key_src
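Review bot: The site CSR's common_name is now ns4.shore.co.il (L103) but that name is absent from subject_alt_name (L116), which lists only autoconfig and registry; modern TLS clients match hostnames against SANs only, so if the certificate is meant to cover ns4.shore.co.il itself, add `DNS:ns4.shore.co.il,` to the SAN list rather than relying on the CA to fold the CN in. The locality_name anchor now holds `Israel` (L109), which is a country and is already expressed by country_name IL; a city, or dropping the field, would be the conventional subject value. The &common_name anchor was removed with this change, which is fine as long as no task outside this hunk still aliases *common_name — the visible CSR tasks all use literal names.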
@@ -96,25 +99,31 @@
         remaining_days: 35
         select_crypto_backend: *crypto_backend
       register: acme_site_challenge
+      tags:
+        - ns4
 
     - name: Debug site challenge
       debug:
         var: acme_site_challenge
         verbosity: 1
+      tags:
+        - ns4
 
     - name: Renew site cert
-      when: acme_site_challenge is changed or acme_site_csr is changed
+      when: acme_site_challenge is changed
+      tags:
+        - ns4
       block:
 
         - name: Create ACME challenge directory
-          delegate_to: host01.shore.co.il
+          delegate_to: ns4
           become: true
           file:
             path: /var/www/www.shore.co.il/.well-known/acme-challenge
             state: directory
 
         - name: Copy http-01 site challenge
-          delegate_to: host01.shore.co.il
+          delegate_to: ns4
           become: true
           with_dict: |
               {{ acme_site_challenge['challenge_data'] }}
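Review bot: Dropping `or acme_site_csr is changed` from the block condition (L143) means a changed CSR no longer forces a renewal: as far as I can tell acme_certificate decides by remaining_days (L128) against the certificate already at fullchain_dest, so when the SAN list is edited — as this very commit does for the site cert — the old certificate stays in place until it is within 35 days of expiry, unless the module independently detects the CSR/certificate mismatch. The `register: acme_site_csr` on L117 is kept but is now unused. The same applies to the mail block at L359 and the new host block at L245; if the goal was only to avoid reissuing on every run, `when: acme_site_challenge is changed or acme_site_csr is changed` already does that and accepts a single reissue when the CSR changes. The Renew site cert block continues past the end of the hunk.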
@@ -128,7 +137,7 @@
             owner: root
 
         - name: Validate site challenge
-          acme_certificate:
+          community.crypto.acme_certificate:
             account_email: |-
                 {{ email }}
             account_key_src: *account_key_src
@@ -145,7 +154,7 @@
             select_crypto_backend: *crypto_backend
 
     - name: Copy site key, certificate to server
-      delegate_to: host01.shore.co.il
+      delegate_to: ns4
       become: true
       with_items:
         - src: *site_key_src
@@ -164,19 +173,146 @@
         owner: root
         group: root
       notify:
-        - Restart Nginx
+        - Restart Nginx on ns4
+      tags:
+        - ns4
+
+    - name: Generate host key
+      community.crypto.openssl_privatekey:
+        mode: *mode
+        path: &host_key_src |-
+            {{ playbook_dir }}/host.key
+        size: *size
+        state: present
+        type: *type
+      tags:
+        - host01
+
+    - name: Generate host certificate signing request
+      community.crypto.openssl_csr:
+        common_name: ns1.shore.co.il
+        country_name: *country_name
+        digest: *digest
+        email_address: |-
+            {{ email }}
+        locality_name: *locality_name
+        organization_name: *organization_name
+        path: &host_csr_src host.csr
+        privatekey_path: *host_key_src
+        state: present
+        subject_alt_name: |-
+            DNS:shore.co.il,DNS:www.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il
+      register: acme_host_csr
+      tags:
+        - host01
+
+    - name: Create host challenge
+      community.crypto.acme_certificate:
+        account_email: |-
+            {{ email }}
+        account_key_src: *account_key_src
+        acme_directory: |-
+            {{ acme_directory }}
+        acme_version: |
+            {{ acme_version }}
+        csr: *host_csr_src
+        fullchain_dest: &host_cert_src |-
+            {{ playbook_dir }}/host.crt
+        modify_account: false
+        remaining_days: 35
+        select_crypto_backend: *crypto_backend
+      register: acme_host_challenge
+      tags:
+        - host01
+
+    - name: Debug host challenge
+      debug:
+        var: acme_host_challenge
+        verbosity: 1
+      tags:
+        - host01
+
+    - name: Renew host cert
+      when: acme_host_challenge is changed
+      tags:
+        - host01
+      block:
+
+        - name: Create ACME challenge directory
+          delegate_to: host01
+          become: true
+          file:
+            path: /var/www/www.shore.co.il/.well-known/acme-challenge
+            state: directory
+
+        - name: Copy http-01 host challenge
+          delegate_to: host01
+          become: true
+          with_dict: |
+              {{ acme_host_challenge['challenge_data'] }}
+          copy:
+            content: |-
+                {{ item.value['http-01']['resource_value'] }}
+            # yamllint disable-line rule:line-length
+            dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
+            group: www-data
+            mode: 0o0644
+            owner: root
+
+        - name: Validate host challenge
+          community.crypto.acme_certificate:
+            account_email: |-
+                {{ email }}
+            account_key_src: *account_key_src
+            acme_directory: |-
+                {{ acme_directory }}
+            acme_version: |
+                {{ acme_version }}
+            challenge: http-01
+            csr: *host_csr_src
+            data: "{{ acme_host_challenge }}"
+            fullchain_dest: *host_cert_src
+            modify_account: false
+            remaining_days: 35
+            select_crypto_backend: *crypto_backend
+
+    - name: Copy host key, certificate to server
+      delegate_to: host01
+      become: true
+      with_items:
+        - src: *host_key_src
+          dest: /var/ssl/site.key
+          mode: 0o0444
+        - src: *host_cert_src
+          dest: /var/ssl/site.crt
+          mode: 0o0444
+      copy:
+        src: |-
+            {{ item.src }}
+        dest: |-
+            {{ item.dest }}
+        mode: |-
+            {{ item.mode }}
+        owner: root
+        group: root
+      notify:
+        - Restart Nginx on host01
+      tags:
+        - mail
 
     - name: Generate mail key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: *mode
         path: &mail_key_src |-
             {{ playbook_dir }}/mail.key
         size: *size
         state: present
         type: *type
+      tags:
+        - mail
 
     - name: Generate mail certificate signing request
-      openssl_csr:
+      community.crypto.openssl_csr:
         common_name: smtp.shore.co.il
         country_name: *country_name
         digest: *digest
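Review bot: The new host private key is installed world-readable — `mode: 0o0444` for `dest: /var/ssl/site.key` at L293-L294 — so any local user or process on host01 that can traverse /var/ssl can read the TLS key; `mode: 0o0440` (or 0o0400 if the proxy reads it as root) with the group set to whatever the web-proxy container runs as keeps the key private while still serving it. The same copy task is tagged `mail` (L310) although every other host-cert task in this hunk is tagged `host01` (L198, L216, L235, L247), so `--tags host01` generates and validates the host certificate but never copies it, while `--tags mail` copies whatever host.key/host.crt happen to be on the controller; `- host01` is presumably the intended tag. Minor: `acme_version: |` at L225 and L278 keeps a trailing newline where the neighbouring templated values use `|-`; it appears to work because the int conversion tolerates whitespace, but `|-` would match the rest of the file. The hunk's leading context belongs to the 'Copy site key, certificate to server' task, which begins before the hunk.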
@@ -190,9 +326,11 @@
         subject_alt_name: |-
             DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
       register: acme_mail_csr
+      tags:
+        - mail
 
     - name: Create mail challenge
-      acme_certificate:
+      community.crypto.acme_certificate:
         account_email: |-
             {{ email }}
         account_key_src: *account_key_src
@@ -207,25 +345,31 @@
         remaining_days: 35
         select_crypto_backend: *crypto_backend
       register: acme_mail_challenge
+      tags:
+        - mail
 
     - name: Debug mail challenge
       debug:
         var: acme_mail_challenge
         verbosity: 1
+      tags:
+        - mail
 
     - name: Renew mail cert
-      when: acme_mail_challenge is changed or acme_mail_csr is changed
+      when: acme_mail_challenge is changed
+      tags:
+        - mail
       block:
 
         - name: Create ACME challenge directory
-          delegate_to: host01.shore.co.il
+          delegate_to: host01
           become: true
           file:
             path: /var/www/mail.shore.co.il/.well-known/acme-challenge
             state: directory
 
         - name: Copy http-01 mail challenge
-          delegate_to: host01.shore.co.il
+          delegate_to: host01
           become: true
           with_dict: |
               {{ acme_mail_challenge['challenge_data'] }}
@@ -239,7 +383,7 @@
             owner: root
 
         - name: Validate mail challenge
-          acme_certificate:
+          community.crypto.acme_certificate:
             account_email: |-
                 {{ email }}
             account_key_src: *account_key_src
@@ -256,7 +400,7 @@
             select_crypto_backend: *crypto_backend
 
     - name: Copy mail key, certificate to server
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       become: true
       with_items:
         - src: *mail_key_src
@@ -277,12 +421,14 @@
       notify:
         - Reload Dovecot
         - Reload Exim
-        - Restart Nginx
+        - Restart Nginx on host01
+      tags:
+        - mail
 
-    - name: Generate Diffie-Hellman parameters
+    - name: Generate Diffie-Hellman parameters on host01
       become: true
-      delegate_to: host01.shore.co.il
-      openssl_dhparam:
+      delegate_to: host01
+      community.crypto.openssl_dhparam:
         force: true
         mode: 0o0644
         path: /var/ssl/dhparams
@@ -290,4 +436,21 @@
         state: present
       notify:
         - Reload Dovecot
-        - Restart Nginx
+        - Restart Nginx on host01
+      tags:
+        - mail
+        - host01
+
+    - name: Generate Diffie-Hellman parameters on ns4
+      become: true
+      delegate_to: host01
+      community.crypto.openssl_dhparam:
+        force: true
+        mode: 0o0644
+        path: /var/ssl/dhparams
+        size: 4096
+        state: present
+      notify:
+        - Restart Nginx on ns4
+      tags:
+        - ns4
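Review bot: `Generate Diffie-Hellman parameters on ns4` delegates to host01 (L427) even though its name, its handler `Restart Nginx on ns4` (L435) and its `ns4` tag (L437) all point at ns4, so ns4 never receives /var/ssl/dhparams and host01's parameters are regenerated a second time per run because of `force: true`; change L427 to `delegate_to: ns4`. Separately, `force: true` on a renewal playbook regenerates a 4096-bit group on every run, which is slow and not required for rotating certificates — that is pre-existing behaviour copied from the host01 task, but worth reconsidering now that it runs twice.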
-- 
GitLab