Diffstat (limited to 'roles')
-rw-r--r-- | roles/nginx/vhost/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/meta/main.yml | 1 | ||||
-rw-r--r-- | roles/x509/static/base/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/static/cert/finalize/tasks/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/static/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/static/cert/prepare/defaults/main.yml | 35 | ||||
-rw-r--r-- | roles/x509/static/cert/prepare/tasks/main.yml | 81 |
7 files changed, 127 insertions, 0 deletions
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index c5e68732..55544733 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -7,6 +7,7 @@
 vars:
 x509_certificate_name: "{{ nginx_vhost.name }}"
 x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_notify_on_change: reload nginx

 - name: install nginx configs from template
 when: "'template' in nginx_vhost"
@@ -43,3 +44,4 @@
 vars:
 x509_certificate_name: "{{ nginx_vhost.name }}"
 x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
+ x509_notify_on_change: reload nginx
diff --git a/roles/x509/acmetool/cert/meta/main.yml b/roles/x509/acmetool/cert/meta/main.yml
index 8e6ac88d..472f5a8c 100644
--- a/roles/x509/acmetool/cert/meta/main.yml
+++ b/roles/x509/acmetool/cert/meta/main.yml
@@ -1,3 +1,4 @@
+---
 dependencies:
 - role: x509/acmetool/cert/prepare
 - role: x509/acmetool/cert/finalize
diff --git a/roles/x509/static/base/tasks/main.yml b/roles/x509/static/base/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/static/base/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/static/cert/finalize/tasks/main.yml b/roles/x509/static/cert/finalize/tasks/main.yml
new file mode 100644
index 00000000..c5b6cafe
--- /dev/null
+++ b/roles/x509/static/cert/finalize/tasks/main.yml
@@ -0,0 +1,2 @@
+---
+# nothing to do here
diff --git a/roles/x509/static/cert/meta/main.yml b/roles/x509/static/cert/meta/main.yml
new file mode 100644
index 00000000..c619208c
--- /dev/null
+++ b/roles/x509/static/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/static/cert/prepare
+ - role: x509/static/cert/finalize
diff --git a/roles/x509/static/cert/prepare/defaults/main.yml b/roles/x509/static/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..d632a5de
--- /dev/null
+++ b/roles/x509/static/cert/prepare/defaults/main.yml
@@ -0,0 +1,35 @@
+---
+static_cert_hostnames: "{{ x509_certificate_hostnames }}"
+static_cert_name: "{{ x509_certificate_name | default(static_cert_hostnames[0]) }}"
+
+static_cert_base_dir: "/etc/ssl"
+
+# static_cert_config:
+# path: "{{ static_cert_base_dir }}/{{ static_cert_name }}"
+# mode: "0750"
+# owner: root
+# group: www-data
+# key:
+# mode: "0640"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN RSA PRIVATE KEY-----
+# ...
+# -----END RSA PRIVATE KEY-----
+# cert:
+# mode: "0644"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
+# chain:
+# mode: "0644"
+# owner: root
+# group: www-data
+# content: |
+# -----BEGIN CERTIFICATE-----
+# ...
+# -----END CERTIFICATE-----
diff --git a/roles/x509/static/cert/prepare/tasks/main.yml b/roles/x509/static/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..1327c3b3
--- /dev/null
+++ b/roles/x509/static/cert/prepare/tasks/main.yml
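Review bot: The commented `static_cert_config` example puts the private key inline under `key.content` and suggests `mode: "0640"` with `group: www-data`, which is wider than the `0600` default the prepare tasks apply and, if copied into group_vars as shown, lands the key in plaintext in the repository. I would add above the example: `# key.content is a private key: supply it as an Ansible Vault-encrypted value (!vault), never as plaintext in the repo.` and `# nginx's master process normally reads the key as root, so the 0600/root default is usually sufficient; widen group access only if the consumer really runs unprivileged.` The directory example `0750`/`www-data` versus the task default of `0700` has the same mismatch and deserves a word on which one is intended.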
@@ -0,0 +1,81 @@
+---
+- name: compute path to static certificate directory
+ set_fact:
+ static_cert_path: "{{ static_cert_config.path | default([static_cert_base_dir, static_cert_name] | path_join) }}"
+
+- name: create directory for static certificate
+ file:
+ path: "{{ static_cert_path }}"
+ state: directory
+ mode: "{{ static_cert_config.mode | default('0700') }}"
+ owner: "{{ static_cert_config.owner | default(omit) }}"
+ group: "{{ static_cert_config.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: install key for static certificate
+ copy:
+ content: "{{ static_cert_config.key.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-key.pem"
+ mode: "{{ static_cert_config.key.mode | default('0600') }}"
+ owner: "{{ static_cert_config.key.owner | default(omit) }}"
+ group: "{{ static_cert_config.key.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: install static certificate
+ copy:
+ content: "{{ static_cert_config.cert.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+ mode: "{{ static_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_cert_config.cert.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+- name: export paths to basic certificate files
+ set_fact:
+ x509_certificate_path_key: "{{ static_cert_path }}/{{ static_cert_name }}-key.pem"
+ x509_certificate_path_fullchain: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+ x509_certificate_path_cert: "{{ static_cert_path }}/{{ static_cert_name }}-crt.pem"
+
+- name: install chain and fullchain for static certificate
+ when: "'chain' in static_cert_config"
+ block:
+ - name: install chain for static certificate
+ copy:
+ content: "{{ static_cert_config.chain.content }}"
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-chain.pem"
+ mode: "{{ static_cert_config.chain.mode | default('0644') }}"
+ owner: "{{ static_cert_config.chain.owner | default(omit) }}"
+ group: "{{ static_cert_config.chain.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: install fullchain for static certificate
+ copy:
+ content: |
+ {{ static_cert_config.cert.content | trim }}
+ {{ static_cert_config.chain.content }}
+ dest: "{{ static_cert_path }}/{{ static_cert_name }}-fullchain.pem"
+ mode: "{{ static_cert_config.cert.mode | default('0644') }}"
+ owner: "{{ static_cert_config.cert.owner | default(omit) }}"
+ group: "{{ static_cert_config.cert.group | default(omit) }}"
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: export paths to additional certificate files
+ set_fact:
+ x509_certificate_path_chain: "{{ static_cert_path }}/{{ static_cert_name }}-chain.pem"
+ x509_certificate_path_fullchain: "{{ static_cert_path }}/{{ static_cert_name }}-fullchain.pem"
+
+- name: make sure chain and fullchain files are removed
+ when: "'chain' not in static_cert_config"
+ block:
+ - name: remove chain/fullchain files
+ loop:
+ - chain
+ - fullchain
+ file:
+ path: "{{ static_cert_path }}/{{ static_cert_name }}-{{ item }}.pem"
+ state: absent
+ notify: "{{ x509_notify_on_change | default(omit) }}"
+
+ - name: make sure variable that points to the chain certificate file is unset
+ set_fact:
+ x509_certificate_path_chain: "" |
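Review bot: The "install key for static certificate" task feeds `static_cert_config.key.content` to the plain `copy` module with no `no_log`, so a run with `--diff` (and possibly at higher verbosity) prints the private key into the controller's output and into any log that output is shipped to. I would add `no_log: true` to that one task; the cert, chain and fullchain tasks carry only public material and can keep their diff output, which is useful for seeing rotations. Because key, cert and chain land in three separate tasks, a failure between them leaves a mismatched key/cert pair on disk until the next run; a short comment on the key task saying so, or a `block`/`rescue` around the three copies, would make that explicit. The `set_fact` reset of `x509_certificate_path_chain` to `""` in the no-chain branch is the right call for repeated role application across vhosts, but consumers must test for an empty string rather than `is defined`, which is worth a comment next to it.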