Renew certs on ns4.

- Renew the certs for the hosts on ns4.
- Silence a few warnings from Ansible.
- Rely on debian_server for bootstrapping.
- Tag tasks for specific hosts.

renew-certs.yml → renew-certs.yaml

@@ -6,44 +6,41 @@
   become: false
   gather_facts: false
   vars:
-    email: nimrod@shore.co.il
+    email: hostmaster@shore.co.il
     acme_directory: https://acme-v02.api.letsencrypt.org/directory
     # acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
     acme_version: 2
 
   handlers:
-    - name: Restart Nginx
-      delegate_to: host01.shore.co.il
+    - name: Restart Nginx on host01
+      delegate_to: host01
+      command: docker restart web-proxy_proxy_1
+
+    - name: Restart Nginx on ns4
+      delegate_to: ns4
       command: docker restart web-proxy_proxy_1
 
     - name: Reload Exim
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       command: docker kill --signal SIGHUP mail_smtp_1
 
     - name: Reload Dovecot
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       command: docker kill --signal SIGHUP mail_imap_1
 
   tasks:
-    - name: Create SSL directory on the server
-      delegate_to: host01.shore.co.il
-      file:
-        group: root
-        mode: 0o0755
-        owner: root
-        path: /var/ssl
-        state: directory
-
     - name: Generate account key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: 0o0600
         path: &account_key_src account.key
         size: 4096
         state: present
         type: RSA
+      tags:
+        - always
 
     - name: Register account
-      acme_account:
+      community.crypto.acme_account:
         account_key_src: *account_key_src
         acme_directory: |-
             {{ acme_directory }}
@@ -54,34 +51,40 @@
         select_crypto_backend: &crypto_backend cryptography
         state: present
         terms_agreed: true
+      tags:
+        - always
 
     - name: Generate site key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: &mode 0o0600
         path: &site_key_src |-
             {{ playbook_dir }}/site.key
         size: &size 4096
         state: present
         type: &type RSA
+      tags:
+        - ns4
 
     - name: Generate site certificate signing request
-      openssl_csr:
-        common_name: &common_name shore.co.il
+      community.crypto.openssl_csr:
+        common_name: ns4.shore.co.il
         country_name: &country_name IL
         digest: &digest sha256
         email_address: |-
             {{ email }}
-        locality_name: &locality_name Haifa
+        locality_name: &locality_name Israel
         organization_name: &organization_name Shore technologies
         path: &site_csr_src site.csr
         privatekey_path: *site_key_src
         state: present
         subject_alt_name: |-
-            DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il
+            DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il
       register: acme_site_csr
+      tags:
+        - ns4
 
     - name: Create site challenge
-      acme_certificate:
+      community.crypto.acme_certificate:
         account_email: |-
             {{ email }}
         account_key_src: *account_key_src
@@ -96,25 +99,31 @@
         remaining_days: 35
         select_crypto_backend: *crypto_backend
       register: acme_site_challenge
+      tags:
+        - ns4
 
     - name: Debug site challenge
       debug:
         var: acme_site_challenge
         verbosity: 1
+      tags:
+        - ns4
 
     - name: Renew site cert
-      when: acme_site_challenge is changed or acme_site_csr is changed
+      when: acme_site_challenge is changed
+      tags:
+        - ns4
       block:
 
         - name: Create ACME challenge directory
-          delegate_to: host01.shore.co.il
+          delegate_to: ns4
           become: true
           file:
             path: /var/www/www.shore.co.il/.well-known/acme-challenge
             state: directory
 
         - name: Copy http-01 site challenge
-          delegate_to: host01.shore.co.il
+          delegate_to: ns4
           become: true
           with_dict: |
               {{ acme_site_challenge['challenge_data'] }}
@@ -128,7 +137,7 @@
             owner: root
 
         - name: Validate site challenge
-          acme_certificate:
+          community.crypto.acme_certificate:
             account_email: |-
                 {{ email }}
             account_key_src: *account_key_src
@@ -145,7 +154,7 @@
             select_crypto_backend: *crypto_backend
 
     - name: Copy site key, certificate to server
-      delegate_to: host01.shore.co.il
+      delegate_to: ns4
       become: true
       with_items:
         - src: *site_key_src
@@ -164,19 +173,146 @@
         owner: root
         group: root
       notify:
-        - Restart Nginx
+        - Restart Nginx on ns4
+      tags:
+        - ns4
+
+    - name: Generate host key
+      community.crypto.openssl_privatekey:
+        mode: *mode
+        path: &host_key_src |-
+            {{ playbook_dir }}/host.key
+        size: *size
+        state: present
+        type: *type
+      tags:
+        - host01
+
+    - name: Generate host certificate signing request
+      community.crypto.openssl_csr:
+        common_name: ns1.shore.co.il
+        country_name: *country_name
+        digest: *digest
+        email_address: |-
+            {{ email }}
+        locality_name: *locality_name
+        organization_name: *organization_name
+        path: &host_csr_src host.csr
+        privatekey_path: *host_key_src
+        state: present
+        subject_alt_name: |-
+            DNS:shore.co.il,DNS:www.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il
+      register: acme_host_csr
+      tags:
+        - host01
+
+    - name: Create host challenge
+      community.crypto.acme_certificate:
+        account_email: |-
+            {{ email }}
+        account_key_src: *account_key_src
+        acme_directory: |-
+            {{ acme_directory }}
+        acme_version: |
+            {{ acme_version }}
+        csr: *host_csr_src
+        fullchain_dest: &host_cert_src |-
+            {{ playbook_dir }}/host.crt
+        modify_account: false
+        remaining_days: 35
+        select_crypto_backend: *crypto_backend
+      register: acme_host_challenge
+      tags:
+        - host01
+
+    - name: Debug host challenge
+      debug:
+        var: acme_host_challenge
+        verbosity: 1
+      tags:
+        - host01
+
+    - name: Renew host cert
+      when: acme_host_challenge is changed
+      tags:
+        - host01
+      block:
+
+        - name: Create ACME challenge directory
+          delegate_to: host01
+          become: true
+          file:
+            path: /var/www/www.shore.co.il/.well-known/acme-challenge
+            state: directory
+
+        - name: Copy http-01 host challenge
+          delegate_to: host01
+          become: true
+          with_dict: |
+              {{ acme_host_challenge['challenge_data'] }}
+          copy:
+            content: |-
+                {{ item.value['http-01']['resource_value'] }}
+            # yamllint disable-line rule:line-length
+            dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
+            group: www-data
+            mode: 0o0644
+            owner: root
+
+        - name: Validate host challenge
+          community.crypto.acme_certificate:
+            account_email: |-
+                {{ email }}
+            account_key_src: *account_key_src
+            acme_directory: |-
+                {{ acme_directory }}
+            acme_version: |
+                {{ acme_version }}
+            challenge: http-01
+            csr: *host_csr_src
+            data: "{{ acme_host_challenge }}"
+            fullchain_dest: *host_cert_src
+            modify_account: false
+            remaining_days: 35
+            select_crypto_backend: *crypto_backend
+
+    - name: Copy host key, certificate to server
+      delegate_to: host01
+      become: true
+      with_items:
+        - src: *host_key_src
+          dest: /var/ssl/site.key
+          mode: 0o0444
+        - src: *host_cert_src
+          dest: /var/ssl/site.crt
+          mode: 0o0444
+      copy:
+        src: |-
+            {{ item.src }}
+        dest: |-
+            {{ item.dest }}
+        mode: |-
+            {{ item.mode }}
+        owner: root
+        group: root
+      notify:
+        - Restart Nginx on host01
+      tags:
+        - mail
 
     - name: Generate mail key
-      openssl_privatekey:
+      community.crypto.openssl_privatekey:
         mode: *mode
         path: &mail_key_src |-
             {{ playbook_dir }}/mail.key
         size: *size
         state: present
         type: *type
+      tags:
+        - mail
 
     - name: Generate mail certificate signing request
-      openssl_csr:
+      community.crypto.openssl_csr:
         common_name: smtp.shore.co.il
         country_name: *country_name
         digest: *digest
@@ -190,9 +326,11 @@
         subject_alt_name: |-
             DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
       register: acme_mail_csr
+      tags:
+        - mail
 
     - name: Create mail challenge
-      acme_certificate:
+      community.crypto.acme_certificate:
         account_email: |-
             {{ email }}
         account_key_src: *account_key_src
@@ -207,25 +345,31 @@
         remaining_days: 35
         select_crypto_backend: *crypto_backend
       register: acme_mail_challenge
+      tags:
+        - mail
 
     - name: Debug mail challenge
       debug:
         var: acme_mail_challenge
         verbosity: 1
+      tags:
+        - mail
 
     - name: Renew mail cert
-      when: acme_mail_challenge is changed or acme_mail_csr is changed
+      when: acme_mail_challenge is changed
+      tags:
+        - mail
       block:
 
         - name: Create ACME challenge directory
-          delegate_to: host01.shore.co.il
+          delegate_to: host01
           become: true
           file:
             path: /var/www/mail.shore.co.il/.well-known/acme-challenge
             state: directory
 
         - name: Copy http-01 mail challenge
-          delegate_to: host01.shore.co.il
+          delegate_to: host01
           become: true
           with_dict: |
               {{ acme_mail_challenge['challenge_data'] }}
@@ -239,7 +383,7 @@
             owner: root
 
         - name: Validate mail challenge
-          acme_certificate:
+          community.crypto.acme_certificate:
             account_email: |-
                 {{ email }}
             account_key_src: *account_key_src
@@ -256,7 +400,7 @@
             select_crypto_backend: *crypto_backend
 
     - name: Copy mail key, certificate to server
-      delegate_to: host01.shore.co.il
+      delegate_to: host01
       become: true
       with_items:
         - src: *mail_key_src
@@ -277,12 +421,14 @@
       notify:
         - Reload Dovecot
         - Reload Exim
-        - Restart Nginx
+        - Restart Nginx on host01
+      tags:
+        - mail
 
-    - name: Generate Diffie-Hellman parameters
+    - name: Generate Diffie-Hellman parameters on host01
       become: true
-      delegate_to: host01.shore.co.il
-      openssl_dhparam:
+      delegate_to: host01
+      community.crypto.openssl_dhparam:
         force: true
         mode: 0o0644
         path: /var/ssl/dhparams
@@ -290,4 +436,21 @@
         state: present
       notify:
         - Reload Dovecot
-        - Restart Nginx
+        - Restart Nginx on host01
+      tags:
+        - mail
+        - host01
+
+    - name: Generate Diffie-Hellman parameters on ns4
+      become: true
+      delegate_to: host01
+      community.crypto.openssl_dhparam:
+        force: true
+        mode: 0o0644
+        path: /var/ssl/dhparams
+        size: 4096
+        state: present
+      notify:
+        - Restart Nginx on ns4
+      tags:
+        - ns4