Commit fc872c9b authored by nimrod's avatar nimrod

Renew certs on ns4.

- Renew the certs for the hosts on ns4.
- Silence a few warnings from Ansible.
- Rely on debian_server for bootstrapping.
- Tag tasks for specific hosts.
parent 6186e30b
...@@ -6,44 +6,41 @@ ...@@ -6,44 +6,41 @@
become: false become: false
gather_facts: false gather_facts: false
vars: vars:
email: nimrod@shore.co.il email: hostmaster@shore.co.il
acme_directory: https://acme-v02.api.letsencrypt.org/directory acme_directory: https://acme-v02.api.letsencrypt.org/directory
# acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory # acme_directory: https://acme-staging-v02.api.letsencrypt.org/directory
acme_version: 2 acme_version: 2
handlers: handlers:
- name: Restart Nginx - name: Restart Nginx on host01
delegate_to: host01.shore.co.il delegate_to: host01
command: docker restart web-proxy_proxy_1
- name: Restart Nginx on ns4
delegate_to: ns4
command: docker restart web-proxy_proxy_1 command: docker restart web-proxy_proxy_1
- name: Reload Exim - name: Reload Exim
delegate_to: host01.shore.co.il delegate_to: host01
command: docker kill --signal SIGHUP mail_smtp_1 command: docker kill --signal SIGHUP mail_smtp_1
- name: Reload Dovecot - name: Reload Dovecot
delegate_to: host01.shore.co.il delegate_to: host01
command: docker kill --signal SIGHUP mail_imap_1 command: docker kill --signal SIGHUP mail_imap_1
tasks: tasks:
- name: Create SSL directory on the server
delegate_to: host01.shore.co.il
file:
group: root
mode: 0o0755
owner: root
path: /var/ssl
state: directory
- name: Generate account key - name: Generate account key
openssl_privatekey: community.crypto.openssl_privatekey:
mode: 0o0600 mode: 0o0600
path: &account_key_src account.key path: &account_key_src account.key
size: 4096 size: 4096
state: present state: present
type: RSA type: RSA
tags:
- always
- name: Register account - name: Register account
acme_account: community.crypto.acme_account:
account_key_src: *account_key_src account_key_src: *account_key_src
acme_directory: |- acme_directory: |-
{{ acme_directory }} {{ acme_directory }}
...@@ -54,34 +51,40 @@ ...@@ -54,34 +51,40 @@
select_crypto_backend: &crypto_backend cryptography select_crypto_backend: &crypto_backend cryptography
state: present state: present
terms_agreed: true terms_agreed: true
tags:
- always
- name: Generate site key - name: Generate site key
openssl_privatekey: community.crypto.openssl_privatekey:
mode: &mode 0o0600 mode: &mode 0o0600
path: &site_key_src |- path: &site_key_src |-
{{ playbook_dir }}/site.key {{ playbook_dir }}/site.key
size: &size 4096 size: &size 4096
state: present state: present
type: &type RSA type: &type RSA
tags:
- ns4
- name: Generate site certificate signing request - name: Generate site certificate signing request
openssl_csr: community.crypto.openssl_csr:
common_name: &common_name shore.co.il common_name: ns4.shore.co.il
country_name: &country_name IL country_name: &country_name IL
digest: &digest sha256 digest: &digest sha256
email_address: |- email_address: |-
{{ email }} {{ email }}
locality_name: &locality_name Haifa locality_name: &locality_name Israel
organization_name: &organization_name Shore technologies organization_name: &organization_name Shore technologies
path: &site_csr_src site.csr path: &site_csr_src site.csr
privatekey_path: *site_key_src privatekey_path: *site_key_src
state: present state: present
subject_alt_name: |- subject_alt_name: |-
DNS:shore.co.il,DNS:www.shore.co.il,DNS:autoconfig.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il,DNS:registry.shore.co.il DNS:autoconfig.shore.co.il,DNS:registry.shore.co.il
register: acme_site_csr register: acme_site_csr
tags:
- ns4
- name: Create site challenge - name: Create site challenge
acme_certificate: community.crypto.acme_certificate:
account_email: |- account_email: |-
{{ email }} {{ email }}
account_key_src: *account_key_src account_key_src: *account_key_src
...@@ -96,25 +99,31 @@ ...@@ -96,25 +99,31 @@
remaining_days: 35 remaining_days: 35
select_crypto_backend: *crypto_backend select_crypto_backend: *crypto_backend
register: acme_site_challenge register: acme_site_challenge
tags:
- ns4
- name: Debug site challenge - name: Debug site challenge
debug: debug:
var: acme_site_challenge var: acme_site_challenge
verbosity: 1 verbosity: 1
tags:
- ns4
- name: Renew site cert - name: Renew site cert
when: acme_site_challenge is changed or acme_site_csr is changed when: acme_site_challenge is changed
tags:
- ns4
block: block:
- name: Create ACME challenge directory - name: Create ACME challenge directory
delegate_to: host01.shore.co.il delegate_to: ns4
become: true become: true
file: file:
path: /var/www/www.shore.co.il/.well-known/acme-challenge path: /var/www/www.shore.co.il/.well-known/acme-challenge
state: directory state: directory
- name: Copy http-01 site challenge - name: Copy http-01 site challenge
delegate_to: host01.shore.co.il delegate_to: ns4
become: true become: true
with_dict: | with_dict: |
{{ acme_site_challenge['challenge_data'] }} {{ acme_site_challenge['challenge_data'] }}
...@@ -128,7 +137,7 @@ ...@@ -128,7 +137,7 @@
owner: root owner: root
- name: Validate site challenge - name: Validate site challenge
acme_certificate: community.crypto.acme_certificate:
account_email: |- account_email: |-
{{ email }} {{ email }}
account_key_src: *account_key_src account_key_src: *account_key_src
...@@ -145,7 +154,7 @@ ...@@ -145,7 +154,7 @@
select_crypto_backend: *crypto_backend select_crypto_backend: *crypto_backend
- name: Copy site key, certificate to server - name: Copy site key, certificate to server
delegate_to: host01.shore.co.il delegate_to: ns4
become: true become: true
with_items: with_items:
- src: *site_key_src - src: *site_key_src
...@@ -164,19 +173,146 @@ ...@@ -164,19 +173,146 @@
owner: root owner: root
group: root group: root
notify: notify:
- Restart Nginx - Restart Nginx on ns4
tags:
- ns4
- name: Generate host key
community.crypto.openssl_privatekey:
mode: *mode
path: &host_key_src |-
{{ playbook_dir }}/host.key
size: *size
state: present
type: *type
tags:
- host01
- name: Generate host certificate signing request
community.crypto.openssl_csr:
common_name: ns1.shore.co.il
country_name: *country_name
digest: *digest
email_address: |-
{{ email }}
locality_name: *locality_name
organization_name: *organization_name
path: &host_csr_src host.csr
privatekey_path: *host_key_src
state: present
subject_alt_name: |-
DNS:shore.co.il,DNS:www.shore.co.il,DNS:nextcloud.shore.co.il,DNS:git.shore.co.il
register: acme_host_csr
tags:
- host01
- name: Create host challenge
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
acme_directory: |-
{{ acme_directory }}
acme_version: |
{{ acme_version }}
csr: *host_csr_src
fullchain_dest: &host_cert_src |-
{{ playbook_dir }}/host.crt
modify_account: false
remaining_days: 35
select_crypto_backend: *crypto_backend
register: acme_host_challenge
tags:
- host01
- name: Debug host challenge
debug:
var: acme_host_challenge
verbosity: 1
tags:
- host01
- name: Renew host cert
when: acme_host_challenge is changed
tags:
- host01
block:
- name: Create ACME challenge directory
delegate_to: host01
become: true
file:
path: /var/www/www.shore.co.il/.well-known/acme-challenge
state: directory
- name: Copy http-01 host challenge
delegate_to: host01
become: true
with_dict: |
{{ acme_host_challenge['challenge_data'] }}
copy:
content: |-
{{ item.value['http-01']['resource_value'] }}
# yamllint disable-line rule:line-length
dest: /var/www/www.shore.co.il/{{ item.value['http-01']['resource'] }}
group: www-data
mode: 0o0644
owner: root
- name: Validate host challenge
community.crypto.acme_certificate:
account_email: |-
{{ email }}
account_key_src: *account_key_src
acme_directory: |-
{{ acme_directory }}
acme_version: |
{{ acme_version }}
challenge: http-01
csr: *host_csr_src
data: "{{ acme_host_challenge }}"
fullchain_dest: *host_cert_src
modify_account: false
remaining_days: 35
select_crypto_backend: *crypto_backend
- name: Copy host key, certificate to server
delegate_to: host01
become: true
with_items:
- src: *host_key_src
dest: /var/ssl/site.key
mode: 0o0444
- src: *host_cert_src
dest: /var/ssl/site.crt
mode: 0o0444
copy:
src: |-
{{ item.src }}
dest: |-
{{ item.dest }}
mode: |-
{{ item.mode }}
owner: root
group: root
notify:
- Restart Nginx on host01
tags:
- mail
- name: Generate mail key - name: Generate mail key
openssl_privatekey: community.crypto.openssl_privatekey:
mode: *mode mode: *mode
path: &mail_key_src |- path: &mail_key_src |-
{{ playbook_dir }}/mail.key {{ playbook_dir }}/mail.key
size: *size size: *size
state: present state: present
type: *type type: *type
tags:
- mail
- name: Generate mail certificate signing request - name: Generate mail certificate signing request
openssl_csr: community.crypto.openssl_csr:
common_name: smtp.shore.co.il common_name: smtp.shore.co.il
country_name: *country_name country_name: *country_name
digest: *digest digest: *digest
...@@ -190,9 +326,11 @@ ...@@ -190,9 +326,11 @@
subject_alt_name: |- subject_alt_name: |-
DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il DNS:smtp.shore.co.il,DNS:imap.shore.co.il,DNS:mta-sts.shore.co.il
register: acme_mail_csr register: acme_mail_csr
tags:
- mail
- name: Create mail challenge - name: Create mail challenge
acme_certificate: community.crypto.acme_certificate:
account_email: |- account_email: |-
{{ email }} {{ email }}
account_key_src: *account_key_src account_key_src: *account_key_src
...@@ -207,25 +345,31 @@ ...@@ -207,25 +345,31 @@
remaining_days: 35 remaining_days: 35
select_crypto_backend: *crypto_backend select_crypto_backend: *crypto_backend
register: acme_mail_challenge register: acme_mail_challenge
tags:
- mail
- name: Debug mail challenge - name: Debug mail challenge
debug: debug:
var: acme_mail_challenge var: acme_mail_challenge
verbosity: 1 verbosity: 1
tags:
- mail
- name: Renew mail cert - name: Renew mail cert
when: acme_mail_challenge is changed or acme_mail_csr is changed when: acme_mail_challenge is changed
tags:
- mail
block: block:
- name: Create ACME challenge directory - name: Create ACME challenge directory
delegate_to: host01.shore.co.il delegate_to: host01
become: true become: true
file: file:
path: /var/www/mail.shore.co.il/.well-known/acme-challenge path: /var/www/mail.shore.co.il/.well-known/acme-challenge
state: directory state: directory
- name: Copy http-01 mail challenge - name: Copy http-01 mail challenge
delegate_to: host01.shore.co.il delegate_to: host01
become: true become: true
with_dict: | with_dict: |
{{ acme_mail_challenge['challenge_data'] }} {{ acme_mail_challenge['challenge_data'] }}
...@@ -239,7 +383,7 @@ ...@@ -239,7 +383,7 @@
owner: root owner: root
- name: Validate mail challenge - name: Validate mail challenge
acme_certificate: community.crypto.acme_certificate:
account_email: |- account_email: |-
{{ email }} {{ email }}
account_key_src: *account_key_src account_key_src: *account_key_src
...@@ -256,7 +400,7 @@ ...@@ -256,7 +400,7 @@
select_crypto_backend: *crypto_backend select_crypto_backend: *crypto_backend
- name: Copy mail key, certificate to server - name: Copy mail key, certificate to server
delegate_to: host01.shore.co.il delegate_to: host01
become: true become: true
with_items: with_items:
- src: *mail_key_src - src: *mail_key_src
...@@ -277,12 +421,14 @@ ...@@ -277,12 +421,14 @@
notify: notify:
- Reload Dovecot - Reload Dovecot
- Reload Exim - Reload Exim
- Restart Nginx - Restart Nginx on host01
tags:
- mail
- name: Generate Diffie-Hellman parameters - name: Generate Diffie-Hellman parameters on host01
become: true become: true
delegate_to: host01.shore.co.il delegate_to: host01
openssl_dhparam: community.crypto.openssl_dhparam:
force: true force: true
mode: 0o0644 mode: 0o0644
path: /var/ssl/dhparams path: /var/ssl/dhparams
...@@ -290,4 +436,21 @@ ...@@ -290,4 +436,21 @@
state: present state: present
notify: notify:
- Reload Dovecot - Reload Dovecot
- Restart Nginx - Restart Nginx on host01
tags:
- mail
- host01
- name: Generate Diffie-Hellman parameters on ns4
become: true
delegate_to: host01
community.crypto.openssl_dhparam:
force: true
mode: 0o0644
path: /var/ssl/dhparams
size: 4096
state: present
notify:
- Restart Nginx on ns4
tags:
- ns4
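Review bot: The new "Generate Diffie-Hellman parameters on ns4" task still carries `delegate_to: host01`, so both dhparam tasks regenerate /var/ssl/dhparams on host01 (with `force: true`, twice per run) while the "Restart Nginx on ns4" handler it notifies restarts a proxy whose dhparams were never touched; the fix is the one line `delegate_to: ns4`. The "Copy host key, certificate to server" task inside the "Renew host cert" block is tagged `- mail` where every sibling in that block's section is tagged `- host01`, which looks like a copy-paste leftover from the mail section and would skip that copy when running with `--tags host01` alone. The host CSR sets `common_name: ns1.shore.co.il` and the site CSR `common_name: ns4.shore.co.il` while neither name appears in the respective `subject_alt_name` list; depending on the CA, the CN may be added to the requested names and need its own http-01 validation, so it is safer to make the CN one of the listed SANs (e.g. `common_name: shore.co.il` for the host CSR). The enclosing play starts before the first hunk.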