authorChristian Pointner <equinox@spreadspace.org>2021-06-09 14:11:30 +0200
committerChristian Pointner <equinox@spreadspace.org>2021-06-09 14:11:30 +0200
commita14a183e8181e6d3a8604822f6d0773328a79e13 (patch)
treed77fb3b6d6f5662140f586fa80cd65ed73a3ef41 /roles/acmetool
parentws cleanup (diff)
move acmtool roles to use FQCN
Diffstat (limited to 'roles/acmetool')
-rw-r--r--roles/acmetool/base/tasks/main.yml22
-rw-r--r--roles/acmetool/base/tasks/selfsigned.yml70
-rw-r--r--roles/acmetool/cert/handlers/main.yml2
-rw-r--r--roles/acmetool/cert/tasks/main.yml2
4 files changed, 48 insertions, 48 deletions
diff --git a/roles/acmetool/base/tasks/main.yml b/roles/acmetool/base/tasks/main.yml
index 5ad03257..5f2ae4ab 100644
--- a/roles/acmetool/base/tasks/main.yml
+++ b/roles/acmetool/base/tasks/main.yml
@@ -1,34 +1,34 @@
---
- name: check if acmetool package is new enough
- debug:
+ ansible.builtin.debug:
msg: "Check distribution_release"
failed_when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 9) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 17) or (ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu')
- name: install needed packages
- apt:
+ ansible.builtin.apt:
name:
- acmetool
- "{{ python_basename }}-openssl"
state: present
- name: create initial directory structure
- command: acmetool --batch
+ ansible.builtin.command: acmetool --batch
args:
creates: /var/lib/acme/conf
- name: create acmetool response file
- template:
+ ansible.builtin.template:
src: responses.j2
dest: /var/lib/acme/conf/responses
- name: create non-standard acmetool webroot path
- file:
+ ansible.builtin.file:
name: "{{ acmetool_challenge_webroot_path }}"
state: directory
when: acmetool_challenge_webroot_path is defined
- name: run quickstart to create account and default target configuration
- command: acmetool --batch quickstart
+ ansible.builtin.command: acmetool --batch quickstart
environment:
http_proxy: "{{ acmetool_http_proxy | default('') }}"
https_proxy: "{{ acmetool_https_proxy | default('') }}"
@@ -36,10 +36,10 @@
creates: /var/lib/acme/conf/target
- name: generate selfsigned interim certificate
- include_tasks: selfsigned.yml
+ ansible.builtin.include_tasks: selfsigned.yml
- name: install service reload configuration
- template:
+ ansible.builtin.template:
src: acme-reload.j2
dest: /etc/default/acme-reload
owner: root
@@ -48,17 +48,17 @@
when: acmetool_reload_services is defined
- name: create system unit snippet directory
- file:
+ ansible.builtin.file:
path: /etc/systemd/system/acmetool.service.d/
state: directory
- name: install systemd unit snippet
- template:
+ ansible.builtin.template:
src: systemd-override.conf.j2
dest: /etc/systemd/system/acmetool.service.d/override.conf
- name: enable/start systemd timer for acmetool
- systemd:
+ ansible.builtin.systemd:
name: acmetool.timer
state: started
enabled: yes
diff --git a/roles/acmetool/base/tasks/selfsigned.yml b/roles/acmetool/base/tasks/selfsigned.yml
index 0d444b83..9c7d9b23 100644
--- a/roles/acmetool/base/tasks/selfsigned.yml
+++ b/roles/acmetool/base/tasks/selfsigned.yml
@@ -1,16 +1,16 @@
---
- name: get id of existing selfsigned interim certificate
- shell: cat /var/lib/acme/.selfsigned-interim-cert || true
+ ansible.builtin.shell: cat /var/lib/acme/.selfsigned-interim-cert || true
changed_when: false
check_mode: false
register: existing_selfsigned_interim_cert_id
- name: set existing_selfsigned_interim_cert_id variable
- set_fact:
+ ansible.builtin.set_fact:
existing_selfsigned_interim_cert_id: "{{ existing_selfsigned_interim_cert_id.stdout }}"
- name: check if selfsigned interim certificate does exist
- stat:
+ ansible.builtin.stat:
path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"
register: existing_selfsigned_interim_cert_stat
@@ -18,128 +18,128 @@
when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists
block:
- name: create temporary directory
- tempfile:
+ ansible.builtin.tempfile:
path: /var/lib/acme/tmp
prefix: selfsigned-interim-cert-
state: directory
register: tmpdir
- name: set tmpdir variable
- set_fact:
+ ansible.builtin.set_fact:
tmpdir: "{{ tmpdir.path }}"
- name: generate private key for selfsigned interim certificate
- openssl_privatekey:
+ ansible.builtin.openssl_privatekey:
path: "{{ tmpdir }}/privkey"
mode: 0600
- name: generate csr for selfsigned interim certificate
- openssl_csr:
- path: "{{ tmpdir }}/csr"
+ community.crypto.openssl_csr_pipe:
privatekey_path: "{{ tmpdir }}/privkey"
common_name: "{{ ansible_fqdn }}"
+ register: selfsigned_interim_cert_req
### this is needed because strftime filter in ansible is exceptionally stupid
### see: https://github.com/ansible/ansible/issues/39835
- name: get remote date-time 10s ago
- command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
+ ansible.builtin.command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
register: remote_datetime_10sago
- name: get remote date-time now
- command: date -u '+%Y%m%d%H%M%SZ'
+ ansible.builtin.command: date -u '+%Y%m%d%H%M%SZ'
register: remote_datetime_now
- name: generate selfsigned interim certificate
- openssl_certificate:
- path: "{{ tmpdir }}/cert"
+ community.crypto.x509_certificate_pipe:
privatekey_path: "{{ tmpdir }}/privkey"
- csr_path: "{{ tmpdir }}/csr"
+ csr_content: "{{ selfsigned_interim_cert_req.csr }}"
provider: selfsigned
## make sure the certificate is not valid anymore to force acmetool to create a new cert
selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
+ register: selfsigned_interim_cert
- - name: remove csr for selfsigned interim certificate
- file:
- path: "{{ tmpdir }}/csr"
- state: absent
-
- - name: copy selfsigned interim certificate for fullchain
- command: "cp '{{ tmpdir }}/cert' '{{ tmpdir }}/fullchain'"
+ - name: install selfsigned interim certificate and fullchain
+ loop:
+ - cert
+ - fullchein
+ ansible.builtin.copy:
+ content: "{{ selfsigned_interim_cert.certificate }}"
+ dest: "{{ tmpdir }}/{{ item }}"
- name: create additional empty files
loop:
- chain
- selfsigned
- copy:
+ ansible.builtin.copy:
content: ""
dest: "{{ tmpdir }}/{{ item }}"
### TODO: remove this once acmetool respects it's own storage layout
### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- name: generate fake url file
- copy:
+ ansible.builtin.copy:
content: "https://acme.example.com/acme/cert/self-signed\n"
dest: "{{ tmpdir }}/url"
- name: get key id
- shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
register: selfsigned_interim_key_id
- name: set selfsigned_interim_key_id variable
- set_fact:
+ ansible.builtin.set_fact:
selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}"
- name: create directory for private key of selfsigned interim certificate
- file:
+ ansible.builtin.file:
path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
state: directory
mode: 0700
- name: move private key to its directory
- command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
+ ansible.builtin.command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
- name: create symlink to privkey
- file:
+ ansible.builtin.file:
src: "../../keys/{{ selfsigned_interim_key_id }}/privkey"
dest: "{{ tmpdir }}/privkey"
state: link
# - name: get certificate id
- # shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ # ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
# register: selfsigned_interim_cert_id
# - name: set selfsigned_interim_cert_id variable
- # set_fact:
+ # ansible.builtin.set_fact:
# selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}"
### TODO: replace with the above once acmetool respects it's own storage layout
### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- name: get certificate id
- shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
+ ansible.builtin.shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
register: selfsigned_interim_cert_id
- name: set selfsigned_interim_cert_id variable
- set_fact:
+ ansible.builtin.set_fact:
selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
- name: set permissions for selfsigned interim certificate directory
- file:
+ ansible.builtin.file:
path: "{{ tmpdir }}"
mode: 0755
state: directory
- name: move selfsigned interim certificate directory into place
- command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
+ ansible.builtin.command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
- name: write cert-id of selfsigned interim certificate to state directory
- copy:
+ ansible.builtin.copy:
content: "{{ selfsigned_interim_cert_id }}"
dest: /var/lib/acme/.selfsigned-interim-cert
rescue:
- name: remove temporary directory for selfsigned interim certificate
- file:
+ ansible.builtin.file:
path: "{{ tmpdir }}"
state: absent
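Review bot: The second loop item in the new "install selfsigned interim certificate and fullchain" task is misspelled as `fullchein`, so the certificate content is written to `{{ tmpdir }}/fullchein` and no `fullchain` file exists where the removed `cp` step used to create it; the list should read `- cert` and `- fullchain`. Separately, `ansible.builtin.openssl_privatekey` does not exist as a builtin module — the openssl modules live in the community.crypto collection, which the new `community.crypto.openssl_csr_pipe` and `community.crypto.x509_certificate_pipe` lines in this same hunk already use — so that line should be `community.crypto.openssl_privatekey:`. Both mistakes would surface only at run time, the first as an acmetool store missing its fullchain, the second as an unresolved module. The enclosing `block:` task begins before this hunk.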
diff --git a/roles/acmetool/cert/handlers/main.yml b/roles/acmetool/cert/handlers/main.yml
index a7fc43ed..08892c18 100644
--- a/roles/acmetool/cert/handlers/main.yml
+++ b/roles/acmetool/cert/handlers/main.yml
@@ -1,6 +1,6 @@
---
- name: reconcile acmetool
when: not acmetool_reconcile_disabled
- systemd:
+ ansible.builtin.systemd:
name: acmetool.service
state: started
diff --git a/roles/acmetool/cert/tasks/main.yml b/roles/acmetool/cert/tasks/main.yml
index 09980dad..e97aab84 100644
--- a/roles/acmetool/cert/tasks/main.yml
+++ b/roles/acmetool/cert/tasks/main.yml
@@ -4,7 +4,7 @@
acmetool_cert_satisfy:
satisfy:
names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}"
- copy:
+ ansible.builtin.copy:
content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}"
dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
notify: reconcile acmetool