---
# The home-server project produces a multi-purpose setup using Ansible.
# Copyright © 2018–2023 Y. Gablin, under the GPL-3.0-or-later license.
# Full licensing information in the LICENSE file, or https://www.gnu.org/licenses/gpl-3.0.txt if the file is missing.
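### UPSTREAM BEGIN ⇒ ###
# Hand off to etckeeper.inc/upstream.yml before this role touches /etc
# (presumably to record the pre-change state; the role itself is not in this file).
# Module arguments are written as block YAML rather than a "key=value" string,
# so "true" is a real boolean and the task is lint-clean.
- name: pull prerequisites from upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: upstream.yml
  vars:
    msg: ACME  # tag passed to the etckeeper.inc tasks (commit message, by its name)
### ⇐ UPSTREAM BEGIN ###
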
- name: install software (dev)
  # Python "cryptography" binding on the target — presumably what the
  # community.crypto tasks in the DEV section below need; only installed in dev.
  package:
    name: python-cryptography
    state: present
  when: (env == 'dev')

- name: install dehydrated (Let’s Encrypt)
  # Installed through the aur.inc role; aur_user is handed to that role
  # (presumably the unprivileged build user).
  # NOTE(review): "dehydrated-git" tracks upstream HEAD with no version pin and
  # no distro signature — a supply-chain exposure for the ACME client that
  # handles the account key; consider the release package if one suffices.
  include_role:
    name: aur.inc
    allow_duplicates: true
  vars:
    aur_user: git
    packages:
      - dehydrated-git

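### UPSTREAM END ⇒ ###
# Counterpart of the UPSTREAM BEGIN block: etckeeper.inc/merge.yml after the
# packages are in place. Block-style arguments instead of a "key=value" string
# so allow_duplicates is a real boolean.
- name: merge upstream
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: merge.yml
  vars:
    msg: ACME  # same tag as the BEGIN block
### ⇐ UPSTREAM END ###
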
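- name: set Let’s Encrypt domains
  # acme_domains is a whitespace-separated list of names (the CSR task below
  # splits it the same way); it is written verbatim, newline-terminated.
  copy:
    content: |
      {{acme_domains}}
    dest: /etc/dehydrated/domains.txt
    # quoted: an unquoted 0644 is read by the YAML loader as an octal integer
    mode: "0644"
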
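- name: create Let’s Encrypt top directory
  file:
    path: /var/lib/acme
    state: directory
    # 0711: others may traverse to a known path but cannot list the tree;
    # quoted so the loader does not turn it into an octal integer
    mode: "0711"
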
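- name: create Let’s Encrypt accounts directory
  file:
    path: /var/lib/acme/accounts
    state: directory
    # owner-only: the ACME account key material lives here; quoted mode
    mode: "0700"
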
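- name: create Let’s Encrypt certs directory
  file:
    path: /var/lib/acme/certs
    state: directory
    # world-readable so services can pick up certificates; quoted mode.
    # NOTE(review): this relies on the per-domain private key files written
    # under this directory being non-readable themselves — confirm.
    mode: "0755"
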
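- name: set dehydrated settings
  template:
    src: templates/dehydrated.config.j2
    dest: /etc/dehydrated/config
    # owner-only: the config may carry hook credentials (template not shown here);
    # quoted so 0600 is not parsed as an octal integer
    mode: "0600"
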
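- name: set dehydrated hooks
  template:
    src: templates/hook.sh.j2
    dest: "/etc/dehydrated/{{nickname}}-hook.sh"
    # executable by the owner only — it is run by dehydrated and, in dev,
    # by the deploy task below; quoted mode
    mode: "0700"
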
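- name: create dehydrated timer
  copy:
    src: files/dehydrated.timer
    dest: /etc/systemd/system/dehydrated.timer
    mode: "0644"  # unit files are public; quoted octal
  when: (env == 'prod')
  # NOTE(review): a changed timer unit notifies a restart of dehydrated.service
  # (handler defined elsewhere), i.e. an immediate run; the timer itself is
  # reloaded/started by the next task — confirm that is the intent.
  notify:
    - restart dehydrated.service
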
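- name: enable dehydrated
  systemd:
    daemon_reload: true
    name: dehydrated.timer
    enabled: true
    # enabled alone only takes effect at next boot; start the timer now so
    # renewals are scheduled on a freshly provisioned host without a reboot
    state: started
  when: (env == 'prod')
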
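## DEV

# https://docs.ansible.com/ansible/latest/collections/community/crypto/docsite/guide_selfsigned.html

- name: create private key (dev)
  community.crypto.openssl_privatekey:
    path: /var/lib/acme/self-signed.key
    # explicit owner-only permissions rather than relying on the module default:
    # the key sits under the 0711 top directory, whose path is guessable
    mode: "0600"
  when: (env == 'dev')
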
- name: create CSR (dev)
  when: (env == 'dev')
  community.crypto.openssl_csr:
    path: /var/lib/acme/self-signed.csr
    privatekey_path: /var/lib/acme/self-signed.key
    # subject: CN is the zone SOA name, O is the host nickname
    common_name: "{{net_soa}}"
    organization_name: "{{nickname}}"
    # every whitespace-separated entry of acme_domains becomes a "DNS:" SAN,
    # and the SAN extension is marked critical
    subject_alt_name: "{{acme_domains | split | map('regex_replace','^','DNS:')}}"
    subject_alt_name_critical: true

- name: create self-signed certificate (dev)
  when: (env == 'dev')
  # dev stand-in for the Let’s Encrypt certificate: signed with the key
  # generated above, from the CSR above (module defaults for validity)
  community.crypto.x509_certificate:
    provider: selfsigned
    path: /var/lib/acme/self-signed.pem
    csr_path: /var/lib/acme/self-signed.csr
    privatekey_path: /var/lib/acme/self-signed.key

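- name: deploy self-signed certificate (dev)
  # Invoke the hook as dehydrated presumably would after issuance
  # (NOTE(review): order domain, key, cert, fullchain, chain, timestamp — confirm
  # against templates/hook.sh.j2). The self-signed cert stands in for both cert
  # and fullchain, /dev/null for the chain.
  # argv form: each argument reaches the hook as-is instead of being re-split
  # by shell-style word splitting of a folded string (e.g. net_soa with spaces).
  command:
    argv:
      - "/etc/dehydrated/{{nickname}}-hook.sh"
      - deploy_cert
      - "{{net_soa}}"
      - /var/lib/acme/self-signed.key
      - /var/lib/acme/self-signed.pem
      - /var/lib/acme/self-signed.pem
      - /dev/null
      - "{{ansible_date_time.epoch}}"
  when: (env == 'dev')
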
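### LOCAL COMMIT ⇒ ###
# Hand the /etc changes made above to etckeeper.inc/local.yml; block-style
# arguments instead of a "key=value" string.
- name: commit local changes
  include_role:
    name: etckeeper.inc
    allow_duplicates: true
    tasks_from: local.yml
  vars:
    msg: ACME  # same tag as the UPSTREAM blocks
### ⇐ LOCAL COMMIT ###
# Run pending handlers (the dehydrated.service restart notified by the timer
# task) now, rather than at the end of the play.
- meta: flush_handlers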