From 6132ae855f999b70092552a9ceed4fec451cc8f7 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 23 Dec 2022 03:35:46 +0100
Subject: some initial tests with uacme

---
 roles/x509/uacme/base/defaults/main.yml |  6 ++++
 roles/x509/uacme/base/tasks/main.yml    | 51 +++++++++++++++++++++++++++++++++
 2 files changed, 57 insertions(+)
 create mode 100644 roles/x509/uacme/base/defaults/main.yml
 create mode 100644 roles/x509/uacme/base/tasks/main.yml

(limited to 'roles/x509/uacme')

diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml
new file mode 100644
index 00000000..50ac8019
--- /dev/null
+++ b/roles/x509/uacme/base/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+uacme_account_email: "{{ acme_account_email }}"
+uacme_directory_server: "{{ acme_directory_server }}"
+
+### this defaults to '/var/run/acme/acme-challenge'
+# uacme_challenge_webroot_path: "/path/to/acme-challenge"
diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
new file mode 100644
index 00000000..b40c52b5
--- /dev/null
+++ b/roles/x509/uacme/base/tasks/main.yml
@@ -0,0 +1,51 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - uacme
+      - "{{ python_basename }}-openssl"
+    state: present
+
+- name: create acme account key
+  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'"
+  args:
+    creates: /var/lib/uacme.d/private/key.pem
+
+- name: create standard uacme webroot path
+  when: uacme_challenge_webroot_path is not defined
+  block:
+    - name: install systemd tmpfiles config
+      copy:
+        dest: /usr/lib/tmpfiles.d/uacme.conf
+        content: |
+          d /var/run/acme/acme-challenge 0755 root root - -
+      register: uacme_systemd_tmpfiles_config
+
+    - name: trigger systemd-tmpfiles
+      when: uacme_systemd_tmpfiles_config is changed
+      command: systemd-tmpfiles --create
+
+- name: create non-standard uacme webroot path
+  when: uacme_challenge_webroot_path is defined
+  file:
+    name: "{{ uacme_challenge_webroot_path }}"
+    state: directory
+
+- name: make sure nginx snipped directory exists
+  file:
+    path: /etc/nginx/snippets
+    state: directory
+
+- name: generate nginx snippet for webroot challenges
+  copy:
+    dest: /etc/nginx/snippets/uacme.conf
+    content: |
+      location /.well-known/acme-challenge/ {
+        alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }};
+      }
+
+## TODO: implement this
+# - name: generate selfsigned interim certificate
+#   include_tasks: selfsigned.yml
+
+## TODO: add global automatic refresher?
-- 
cgit v1.2.3
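Review bot: The nginx `alias` in the "generate nginx snippet for webroot challenges" task breaks as soon as `uacme_challenge_webroot_path` is set without a trailing slash, which is exactly what the commented example in defaults/main.yml (`/path/to/acme-challenge`) shows: with `location /.well-known/acme-challenge/` nginx appends the rest of the URI directly to the alias value, so a request for `.../abc` resolves to `/path/to/acme-challengeabc` and every HTTP-01 challenge 404s. Normalising the path in the template avoids that, e.g. `alias {{ (uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge')).rstrip('/') }}/;`. Relatedly, the "create non-standard uacme webroot path" task sets no owner or mode, so anyone who can write to that directory can answer challenges for this host; the tmpfiles entry pins `0755 root root` and the `file` task should do the same (`owner: root`, `group: root`, `mode: "0755"`).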