flyingscorpio/self-hosting
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Move certificate creation for tunuifranken.info to generic role

Browse source
This commit is contained in:
flyingscorpio@clevo 2023-01-20 22:45:03 +01:00
parent ba3fd694dd
commit 9d08db6ae3
4 changed files with 57 additions and 54 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

82
roles/tunuifranken/tasks/letsencrypt.yml → roles/deploy_certificate/tasks/main.yml
View file

@ -1,13 +1,13 @@
---
- name: Get public IP
- name: Get local public IP
ansible.builtin.uri:
url: https://ipinfo.io/ip
return_content: true
register: local_public_ip
- name: Get tunuifranken.info public IP
- name: Get public IP of "{{ domain }}"
ansible.builtin.set_fact:
target_public_ip: "{{ lookup('community.general.dig', 'tunuifranken.info', '@1.1.1.1') }}"
target_public_ip: "{{ lookup('community.general.dig', domain, '@1.1.1.1') }}"
- name: Create needed directories
become: true
@ -20,9 +20,9 @@
with_items:
- /etc/letsencrypt/renewal
- /etc/letsencrypt/archive
- /etc/letsencrypt/archive/tunuifranken.info
- "/etc/letsencrypt/archive/{{ domain }}"
- /etc/letsencrypt/live
- /etc/letsencrypt/live/tunuifranken.info
- "/etc/letsencrypt/live/{{ domain }}"
- name: Add webroot configuration for letsencrypt
become: true
@ -30,11 +30,11 @@
path: /etc/letsencrypt/cli.ini
line: webroot-path = /var/www/acme
- name: Create renewal configuration for tunuifranken.info
- name: Create renewal configuration for "{{ domain }}"
become: true
ansible.builtin.copy:
src: renewal/tunuifranken.info.conf
dest: /etc/letsencrypt/renewal/tunuifranken.info.conf
ansible.builtin.template:
src: renewal.conf.j2
dest: "/etc/letsencrypt/renewal/{{ domain }}.conf"
mode: 0644
- name: Create private key for account
@ -45,14 +45,14 @@
- name: Create private key for challenge
become: true
community.crypto.openssl_privatekey:
path: /etc/letsencrypt/archive/tunuifranken.info/privkey1.pem
path: "/etc/letsencrypt/archive/{{ domain }}/privkey1.pem"
register: challenge_privkey
- name: Create csr for letsencrypt
become: true
community.crypto.openssl_csr_pipe:
privatekey_path: /etc/letsencrypt/archive/tunuifranken.info/privkey1.pem
common_name: tunuifranken.info
privatekey_path: "/etc/letsencrypt/archive/{{ domain }}/privkey1.pem"
common_name: "{{ domain }}"
register: csr
changed_when: challenge_privkey is changed
@ -69,16 +69,16 @@
terms_agreed: true
csr_content: "{{ csr.csr }}"
challenge: http-01
dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem
chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem
fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem
dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem"
chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem"
fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem"
register: letsencrypt_challenge
- name: Copy http-01 resource
ansible.builtin.copy:
dest: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}"
content: "{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource_value'] }}"
dest: "/var/www/acme/{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource'] }}"
content: "{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource_value'] }}"
mode: 0644
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Validate the challenge and get the cert
community.crypto.acme_certificate:
acme_version: 2
@ -87,16 +87,16 @@
account_key_content: "{{ account_privkey.privatekey }}"
csr_content: "{{ csr.csr }}"
challenge: http-01
dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem
chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem
fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem
dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem"
chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem"
fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem"
data: "{{ letsencrypt_challenge }}"
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Remove the http-01 resource
ansible.builtin.file:
path: "/var/www/acme/{{ letsencrypt_challenge['challenge_data']['tunuifranken.info']['http-01']['resource'] }}"
path: "/var/www/acme/{{ letsencrypt_challenge['challenge_data'][domain]['http-01']['resource'] }}"
state: absent
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Do dns-01 challenge
become: true
@ -111,25 +111,25 @@
terms_agreed: true
csr_content: "{{ csr.csr }}"
challenge: dns-01
dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem
chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem
fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem
dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem"
chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem"
fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem"
register: letsencrypt_challenge
- name: Create dns-01 record
community.general.gandi_livedns:
api_key: "{{ gandi_livedns_api_key }}"
domain: tunuifranken.info
record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}"
domain: "{{ domain }}"
record: "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource }}"
values:
- "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource_value }}"
- "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource_value }}"
type: TXT
state: present
ttl: 300
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Wait for DNS to propagate
ansible.builtin.pause:
seconds: 300
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Validate the challenge and get the cert
community.crypto.acme_certificate:
acme_version: 2
@ -138,25 +138,25 @@
account_key_content: "{{ account_privkey.privatekey }}"
csr_content: "{{ csr.csr }}"
challenge: dns-01
dest: /etc/letsencrypt/archive/tunuifranken.info/cert1.pem
chain_dest: /etc/letsencrypt/archive/tunuifranken.info/chain1.pem
fullchain_dest: /etc/letsencrypt/archive/tunuifranken.info/fullchain1.pem
dest: "/etc/letsencrypt/archive/{{ domain }}/cert1.pem"
chain_dest: "/etc/letsencrypt/archive/{{ domain }}/chain1.pem"
fullchain_dest: "/etc/letsencrypt/archive/{{ domain }}/fullchain1.pem"
data: "{{ letsencrypt_challenge }}"
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Remove dns-01 record
community.general.gandi_livedns:
api_key: "{{ gandi_livedns_api_key }}"
domain: tunuifranken.info
record: "{{ letsencrypt_challenge.challenge_data['tunuifranken.info']['dns-01'].resource }}"
domain: "{{ domain }}"
record: "{{ letsencrypt_challenge.challenge_data[domain]['dns-01'].resource }}"
type: TXT
state: absent
when: letsencrypt_challenge is changed and 'tunuifranken.info' in letsencrypt_challenge.challenge_data
when: letsencrypt_challenge is changed and domain in letsencrypt_challenge.challenge_data
- name: Create symlinks for the certificate
become: true
ansible.builtin.file:
path: "/etc/letsencrypt/live/tunuifranken.info/{{ item.dest }}"
src: "/etc/letsencrypt/archive/tunuifranken.info/{{ item.src }}"
path: "/etc/letsencrypt/live/{{ domain }}/{{ item.dest }}"
src: "/etc/letsencrypt/archive/{{ domain }}/{{ item.src }}"
state: link
with_items:
- {src: cert1.pem, dest: cert.pem}

10
roles/deploy_certificate/templates/renewal.conf.j2 Normal file
View file

@ -0,0 +1,10 @@
archive_dir = /etc/letsencrypt/archive/{{ domain }}
cert = /etc/letsencrypt/live/{{ domain }}/cert.pem
privkey = /etc/letsencrypt/live/{{ domain }}/privkey.pem
chain = /etc/letsencrypt/live/{{ domain }}/chain.pem
fullchain = /etc/letsencrypt/live/{{ domain }}/fullchain.pem
[renewalparams]
authenticator = webroot
installer = null
server = https://acme-v02.api.letsencrypt.org/directory

10
roles/tunuifranken/files/renewal/tunuifranken.info.conf
View file

@ -1,10 +0,0 @@
archive_dir = /etc/letsencrypt/archive/tunuifranken.info
cert = /etc/letsencrypt/live/tunuifranken.info/cert.pem
privkey = /etc/letsencrypt/live/tunuifranken.info/privkey.pem
chain = /etc/letsencrypt/live/tunuifranken.info/chain.pem
fullchain = /etc/letsencrypt/live/tunuifranken.info/fullchain.pem
[renewalparams]
authenticator = webroot
installer = null
server = https://acme-v02.api.letsencrypt.org/directory

9
roles/tunuifranken/tasks/main.yml
View file

@ -2,6 +2,12 @@
- name: Include vault variables
ansible.builtin.include_vars: vault.yml
- name: Deploy letsencrypt certificate
ansible.builtin.include_role:
name: deploy_certificate
vars:
domain: tunuifranken.info
- name: Create tunuifranken directory
become: true
ansible.builtin.file:
@ -11,9 +17,6 @@
state: directory
mode: 0775
- name: Deploy letsencrypt certificate
ansible.builtin.include_tasks: letsencrypt.yml
- name: Copy vHost conf
become: true
ansible.builtin.template: