misc/ansible-base
0
0
Fork 0
Code Issues Pull requests 1 Projects Releases Packages Wiki Activity Actions

[res]

Browse source
This commit is contained in:
roydfalk 2024-06-03 23:54:59 +02:00
parent a7794303ea
commit f62ffeeeb8
1 changed files with 58 additions and 76 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

134
roles/tlscert_acme_inwx/tasks/main.json
View file

@ -6,17 +6,19 @@
"update_cache": true,
"pkg": [
"openssl",
"python3-cryptography"
"python3-cryptography",
"certbot"
]
}
},
{
"name": "directories | ssl",
"name": "directories",
"become": true,
"loop": [
"{{var_tlscert_acme_inwx_ssl_directory}}/private",
"{{var_tlscert_acme_inwx_ssl_directory}}/csr",
"{{var_tlscert_acme_inwx_ssl_directory}}/certs",
"{{var_tlscert_acme_inwx_ssl_directory}}/chains",
"{{var_tlscert_acme_inwx_ssl_directory}}/fullchains"
],
"ansible.builtin.file": {
@ -25,54 +27,7 @@
}
},
{
"name": "directories | Let's Encrypt account key",
"become": true,
"ansible.builtin.file": {
"state": "directory",
"path": "{{var_tlscert_acme_inwx_acme_account_key_path | dirname}}"
}
},
{
"name": "key",
"become": true,
"community.crypto.openssl_privatekey": {
"path": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem"
}
},
{
"name": "csr",
"become": true,
"community.crypto.openssl_csr": {
"common_name": "{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}",
"privatekey_path": "{{var_tlscert_acme_inwx_ssl_directory}}/private/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"path": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem"
}
},
{
"name": "acme | account key",
"become": true,
"ansible.builtin.shell": {
"cmd": "test -f {{var_tlscert_acme_inwx_acme_account_key_path}} || openssl genrsa 4096 > {{var_tlscert_acme_inwx_acme_account_key_path}}"
}
},
{
"name": "acme | init",
"become": true,
"community.crypto.acme_certificate": {
"acme_version": 2,
"acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
"account_email": "{{var_tlscert_acme_inwx_acme_account_email}}",
"account_key_src": "{{var_tlscert_acme_inwx_acme_account_key_path}}",
"terms_agreed": true,
"csr": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"challenge": "dns-01",
"dest": "{{var_tlscert_acme_inwx_ssl_directory}}/certs/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"fullchain_dest": "{{var_tlscert_acme_inwx_ssl_directory}}/fullchains/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem"
},
"register": "temp_acme_data"
},
{
"name": "dns challenge | place script",
"name": "tools | inwx",
"become": true,
"ansible.builtin.copy": {
"src": "inwx",
@ -81,33 +36,60 @@
}
},
{
"name": "dns challenge | execute",
"when": "'challenge_data' in temp_acme_data",
"ansible.builtin.command": {
"cmd": "/usr/local/bin/inwx --username={{var_tlscert_acme_inwx_inwx_account_username}} --password={{var_tlscert_acme_inwx_inwx_account_password}} save {{var_tlscert_acme_inwx_domain_base}} _acme-challenge.{{var_tlscert_acme_inwx_domain_path}} TXT {{temp_acme_data['challenge_data'][var_tlscert_acme_inwx_domain_path + '.' + var_tlscert_acme_inwx_domain_base]['dns-01']['resource_value']}}"
}
},
{
"name": "dns challenge | wait",
"when": "'challenge_data' in temp_acme_data",
"ansible.builtin.pause": {
"seconds": 60
}
},
{
"name": "acme | finalize",
"name": "tools | tls-get | script",
"become": true,
"community.crypto.acme_certificate": {
"acme_version": 2,
"acme_directory": "https://acme-v02.api.letsencrypt.org/directory",
"account_email": "{{var_tlscert_acme_inwx_acme_account_email}}",
"account_key_src": "{{var_tlscert_acme_inwx_acme_account_key_path}}",
"terms_agreed": true,
"csr": "{{var_tlscert_acme_inwx_ssl_directory}}/csr/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"challenge": "dns-01",
"dest": "{{var_tlscert_acme_inwx_ssl_directory}}/certs/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"fullchain_dest": "{{var_tlscert_acme_inwx_ssl_directory}}/fullchains/{{var_tlscert_acme_inwx_domain_path}}.{{var_tlscert_acme_inwx_domain_base}}.pem",
"data": "{{temp_acme_data}}"
"ansible.builtin.copy": {
"src": "tls-get",
"dest": "/usr/local/bin/tls-get",
"mode": "a+x"
}
},
{
"name": "tools | tls-get | conf",
"become": true,
"ansible.builtin.template": {
"src": "tls-get-conf.json.j2",
"dest": "/root/.tls-get-conf.json"
}
},
{
"name": "tools | pseudo queue | setup",
"become": true,
"ansible.builtin.cron": {
"state": "present",
"disabled": false,
"name": "pseudo queue",
"special_time": "reboot",
"job": "bash -c \"(test -p /var/pseudoqueue || mkfifo --mode=0600 /var/pseudoqueue) && (while true ; do bash < /var/pseudoqueue ; done)\""
}
},
{
"name": "tools | pseudo queue | run",
"become": true,
"ansible.builtin.shell": {
"cmd": "bash -c \"test -p /var/pseudoqueue || (mkfifo --mode=0600 /var/pseudoqueue && (while true ; do bash < /var/pseudoqueue ; done))\" &"
}
},
{
"name": "setup auto renewal",
"become": true,
"ansible.builtin.cron": {
"state": "present",
"disabled": false,
"name": "TLS certificate for {{var_tlscert_acme_inwx_domain}}",
"minute": "0",
"hour": "2",
"day": "1",
"month": "*",
"weekday": "*",
"job": "echo '/usr/local/bin/tls-get {{var_tlscert_acme_inwx_domain}} --conf-path=/root/.tls-get-conf.json --target-directory={{var_tlscert_acme_inwx_ssl_directory}}' > /var/pseudoqueue"
}
},
{
"name": "run",
"become": true,
"ansible.builtin.shell": {
"cmd": "/usr/local/bin/tls-get {{var_tlscert_acme_inwx_domain}} --conf-path=/root/.tls-get-conf.json --target-directory={{var_tlscert_acme_inwx_ssl_directory}}"
}
}
]