remove 'Debian' from task-names, config-check tags

This commit is contained in:
AnsibleGuy 2023-05-13 22:21:46 +02:00
parent 8c1ca9c1a7
commit 73cc205da2
No known key found for this signature in database
GPG Key ID: 52984C069F5AD3CD
13 changed files with 49 additions and 43 deletions


@ -1,17 +1,17 @@
---
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Install package
- name: Certificates | LetsEncrypt Certbot | Apache | Install package
ansible.builtin.package:
name: ['python3-certbot-apache']
state: present
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Checking sites
- name: Certificates | LetsEncrypt Certbot | Apache | Checking sites
ansible.builtin.command: 'ls /etc/apache2/sites-enabled/'
changed_when: false
register: enabled_apache_sites
check_mode: false
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Deploying temporary apache site
- name: Certificates | LetsEncrypt Certbot | Apache | Deploying temporary apache site
ansible.builtin.template:
src: 'templates/etc/apache2/sites-enabled/le_dummy.conf.j2'
dest: '/etc/apache2/sites-enabled/tmp_le_dummy.conf'
@ -21,7 +21,7 @@
register: tmp_site_enable
when: enabled_apache_sites.stdout_lines | length == 0
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Reloading apache
- name: Certificates | LetsEncrypt Certbot | Apache | Reloading apache
ansible.builtin.systemd:
name: 'apache2.service'
state: reloaded


@ -1,12 +1,12 @@
---
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Disable temporary site
- name: Certificates | LetsEncrypt Certbot | Apache | Disable temporary site
ansible.builtin.file:
state: absent
path: '/etc/apache2/sites-enabled/tmp_le_dummy.conf'
register: tmp_site_disable
- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Reloading apache
- name: Certificates | LetsEncrypt Certbot | Apache | Reloading apache
ansible.builtin.systemd:
name: 'apache2.service'
state: reloaded


@ -1,6 +1,6 @@
---
- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Deploying temporary apache site
- name: Apache | LetsEncrypt Certbot | Dependencies | Deploying temporary apache site
ansible.builtin.template:
src: 'templates/etc/apache2/sites-available/le_dummy.conf.j2'
dest: '/etc/apache2/sites-available/tmp_le_dummy.conf'
@ -8,7 +8,7 @@
group: 'root'
mode: 0644
- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Enable apache site
- name: Apache | LetsEncrypt Certbot | Dependencies | Enable apache site
ansible.builtin.file:
state: link
src: '/etc/apache2/sites-available/tmp_le_dummy.conf'
@ -17,7 +17,7 @@
group: 'root'
mode: 0644
- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Reload apache
- name: Apache | LetsEncrypt Certbot | Dependencies | Reload apache
ansible.builtin.systemd:
name: 'apache2.service'
state: reloaded


@ -1,12 +1,12 @@
---
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Showing debug info"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Showing debug info"
ansible.builtin.debug:
var: le_cert
when: debug | bool
# ToDo: path validation
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Checking config"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Checking config"
ansible.builtin.assert:
that:
- CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
@ -16,15 +16,16 @@
- le_cert.email | validate_email or CERT_CONFIG.cert.email | validate_email
ignore_errors: true
register: le_cnf_check
tags: always
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Invalid config"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Invalid config"
ansible.builtin.fail:
msg: "LetsEncrypt-CONFIG: {{ CERT_CONFIG.letsencrypt }} | {{ le_cert }}"
when:
- le_cnf_check.failed is defined
- le_cnf_check.failed
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
ansible.builtin.file:
path: "{{ item }}"
state: directory
@ -36,7 +37,7 @@
- "{{ le_path }}"
changed_when: false
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
ansible.builtin.debug:
msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
--{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
@ -47,7 +48,7 @@
{% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
when: le_changed
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %}
--{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
-{{ CERT_CONFIG.letsencrypt.verbosity }}
@ -58,11 +59,11 @@
when: le_changed
changed_when: false
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Adding dummy certs"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Adding dummy certs"
ansible.builtin.include_tasks: test.yml
when: testing
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
ansible.builtin.file:
state: link
src: "{{ item.src }}"
@ -77,7 +78,7 @@
- {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.chain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/chain.pem"}
- {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.fullchain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/fullchain.pem"}
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking key"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Linking key"
ansible.builtin.file:
state: link
src: "{{ le_path }}/privkey.pem"
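Review bot: The `tags: always` added to the `Checking config` assert in the `@ -16,15 +16,16 @@` hunk does not reach the `Invalid config` task that actually enforces it: the assert runs with `ignore_errors: true`, so on a tagged run (`--tags ...`) the check executes, its failure is swallowed, and the untagged `ansible.builtin.fail` task is skipped, letting an invalid `le_cert` (for example a malformed email) flow straight into the argv built for `certbot certonly` further down. Either add `tags: always` to the `Invalid config` task as well, or collapse the pair into a single task by dropping `ignore_errors`/`register` and putting `fail_msg: "LetsEncrypt-CONFIG: {{ CERT_CONFIG.letsencrypt }} | {{ le_cert }}"` on the assert, which keeps the custom message and the tag together. The `# ToDo: path validation` note above the assert is still open and `le_name`/`le_cert.email` are interpolated unquoted into the certbot command, so this assert is currently the only gate on those values.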


@ -1,34 +1,35 @@
---
- name: Certificates | Debian | LetsEncrypt Certbot | Checking config
- name: Certificates | LetsEncrypt Certbot | Checking config
ansible.builtin.assert:
that:
- CERT_CONFIG.letsencrypt.certs | length > 0
- CERT_CONFIG.letsencrypt.service | default(false, true)
- CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
- CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
tags: always
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
- name: Certificates | LetsEncrypt Certbot | Configure for Apache2
ansible.builtin.import_tasks: apache.yml
when: CERT_CONFIG.letsencrypt.service == 'apache'
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Nginx
- name: Certificates | LetsEncrypt Certbot | Configure for Nginx
ansible.builtin.import_tasks: nginx.yml
when: CERT_CONFIG.letsencrypt.service == 'nginx'
- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
- name: Certificates | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}"
register: existing_certs_raw
changed_when: false
check_mode: false
timeout: 120
- name: Certificates | Debian | LetsEncrypt Certbot | Existing certificates
- name: Certificates | LetsEncrypt Certbot | Existing certificates
ansible.builtin.debug:
var: existing_certs_raw.stdout
when: debug | bool
- name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
- name: Certificates | LetsEncrypt Certbot | Adding certificates
ansible.builtin.include_tasks: cert.yml
when:
- le_cert.domains | length > 0
@ -44,7 +45,7 @@
with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
# todo: task gets stuck
- name: Certificates | Debian | LetsEncrypt Certbot | Revoking certificates
- name: Certificates | LetsEncrypt Certbot | Revoking certificates
ansible.builtin.command: "certbot revoke --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
changed_when: false
when:
@ -57,7 +58,7 @@
loop_var: cert_item
with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
- name: Certificates | Debian | LetsEncrypt Certbot | Deleting certificates
- name: Certificates | LetsEncrypt Certbot | Deleting certificates
ansible.builtin.command: "certbot delete --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
changed_when: false
when:
@ -70,15 +71,15 @@
loop_var: cert_item
with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Apache2
- name: Certificates | LetsEncrypt Certbot | Cleanup for Apache2
ansible.builtin.import_tasks: apache_cleanup.yml
when: CERT_CONFIG.letsencrypt.service == 'apache'
- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Nginx
- name: Certificates | LetsEncrypt Certbot | Cleanup for Nginx
ansible.builtin.import_tasks: nginx_cleanup.yml
when: CERT_CONFIG.letsencrypt.service == 'nginx'
- name: Certificates | Debian | LetsEncrypt Certbot | Adding service for certbot renewal
- name: Certificates | LetsEncrypt Certbot | Adding service for certbot renewal
ansible.builtin.template:
src: "templates/etc/systemd/system/{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
@ -89,7 +90,7 @@
- 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
- 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
- name: Certificates | Debian | LetsEncrypt Certbot | Enabling cert-renewal timer
- name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer
ansible.builtin.systemd:
daemon_reload: yes
name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
@ -97,7 +98,7 @@
state: started
# Renew all previously obtained certificates that are near expiry
- name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
- name: Certificates | LetsEncrypt Certbot | Running renewal
ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
when: CERT_CONFIG.letsencrypt.renew
changed_when: false
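Review bot: `certbot renew --force-renewal` in the `Running renewal` task contradicts the comment right above it ("near expiry"): `--force-renewal` re-issues every managed certificate on every play run regardless of remaining lifetime, so repeated runs against production will hit Let's Encrypt's duplicate-certificate rate limit (currently a handful per week per identical name set) and then block issuance for those names. Dropping the flag gives the behaviour the comment describes: `ansible.builtin.command: "certbot renew{% if debug or testing %} --staging{% endif %}"`; if a forced renewal is genuinely wanted as an operator action, gate it behind a separate variable rather than the default `CERT_CONFIG.letsencrypt.renew`. With `changed_when: false` the task also never reports that keys and certificates were replaced, so nothing downstream is notified; registering the output and reporting a change when certbot renewed something would let a handler reload the consuming service. The renewal timer installed earlier in this file presumably covers steady-state renewals, which is another reason the play-time renewal should not be forced.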


@ -1,17 +1,17 @@
---
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Install package
- name: Certificates | LetsEncrypt Certbot | Nginx | Install package
ansible.builtin.package:
name: ['python3-certbot-nginx']
state: present
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Checking sites
- name: Certificates | LetsEncrypt Certbot | Nginx | Checking sites
ansible.builtin.command: 'ls /etc/nginx/sites-enabled/'
changed_when: false
register: enabled_nginx_sites
check_mode: false
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Deploying temporary nginx site
- name: Certificates | LetsEncrypt Certbot | Nginx | Deploying temporary nginx site
ansible.builtin.template:
src: 'templates/etc/nginx/sites-enabled/le_dummy.j2'
dest: '/etc/nginx/sites-enabled/tmp_le_dummy'
@ -21,7 +21,7 @@
register: tmp_site_enable
when: enabled_nginx_sites.stdout_lines | length == 0
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Reloading apache
- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading apache
ansible.builtin.systemd:
name: 'nginx.service'
state: reloaded
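Review bot: The renamed task in the last hunk still reads `Reloading apache` while it reloads `nginx.service`; since the commit rewrites exactly this line, fix the copy-paste remnant at the same time so play output does not claim an Apache reload on an nginx host: `- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading nginx`. The same wording appears in the nginx cleanup file.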


@ -1,12 +1,12 @@
---
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Disable temporary site
- name: Certificates | LetsEncrypt Certbot | Nginx | Disable temporary site
ansible.builtin.file:
state: absent
path: '/etc/nginx/sites-enabled/tmp_le_dummy'
register: tmp_site_disable
- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Reloading apache
- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading apache
ansible.builtin.systemd:
name: 'nginx.service'
state: reloaded
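Review bot: The second task name says `Reloading apache` but the module reloads `nginx.service`; the commit touches this exact line, so correct it to `- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading nginx` to keep the task log truthful when an operator is tracing a failed reload.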


@ -2,7 +2,7 @@
# adding dummy certificates for ansible-molecule testing
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Setting dummy config"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Setting dummy config"
ansible.builtin.set_fact:
dummy_cert:
path: "{{ le_path }}"
@ -15,16 +15,16 @@
cn: 'Molecule Dummy CA'
email: "{{ le_cert.email }}"
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Installing dependencies"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Installing dependencies"
ansible.builtin.package:
pkg: ['python3-cryptography']
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy CA"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy CA"
ansible.builtin.include_tasks: internal/ca_minimal.yml
vars:
config_ca: "{{ CERT_CONFIG | combine(dummy_cert, recursive=true) }}"
- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy Certificate"
- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy Certificate"
ansible.builtin.include_tasks: internal/cert.yml
vars:
config_cert: "{{ CERT_CONFIG | combine(dummy_cert, recursive=true) }}"


@ -3,7 +3,7 @@
# creating ca with full pki
# to be continued (;
- name: Certificates | Debian | Internal | CA | Not yet implemented
- name: Certificates | Internal | CA | Not yet implemented
ansible.builtin.debug:
msg: "The certificate mode 'pki' is not yet implemented!"
tags: ca


@ -9,6 +9,7 @@
- config_ca.ca.email | default(none, true) is none or config_ca.ca.email | validate_email
ignore_errors: true
register: ca_cnf_check
tags: always
- name: Certificates | Internal | Minimal CA | Invalid config
ansible.builtin.fail:
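Review bot: `tags: always` is added to the CA config assert, but that assert runs with `ignore_errors: true` and relies on the following `Invalid config` fail task to stop the play; the fail task starts at the end of the hunk and shows no tag here, so unless it carries `tags: always` on the lines below, a tagged run will evaluate the check and then silently continue with a bad `config_ca`. Tag the fail task as well, or give the assert a `fail_msg:` and drop `ignore_errors`/`register` so the check and its enforcement are a single task. The fail task's body continues outside the hunk.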


@ -7,6 +7,7 @@
- config_cert.cert.email | default(none, true) is none or config_cert.cert.email | validate_email
ignore_errors: true
register: crt_cnf_check
tags: always
- name: Certificates | Internal | Minimal CA | Invalid config
ansible.builtin.fail:
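Review bot: Same pattern as the CA check: the certificate config assert now has `tags: always` but is run with `ignore_errors: true`, and the `Invalid config` fail task that enforces the result shows no tag within the hunk; on a tagged run the check would pass its failure into `crt_cnf_check` and nothing would act on it unless the fail task is tagged on the lines below. Either add `tags: always` to that fail task or move the message into `fail_msg:` on the assert and remove `ignore_errors`/`register`. The fail task's body continues outside the hunk.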


@ -6,6 +6,7 @@
- CERT_CONFIG.cert.name or name
- CERT_CONFIG.cert.cn
- CERT_CONFIG.mode != 'ca' or CERT_CONFIG.ca.cn
tags: always
- name: Certificates | Internal | Installing dependencies
ansible.builtin.package:


@ -6,6 +6,7 @@
ansible.builtin.assert:
that:
- certs is defined
tags: always
- name: Certificates | Showing debug info - user provided config
ansible.builtin.debug:
@ -33,7 +34,7 @@
ansible.builtin.include_tasks: debian/pki.yml
when: CERT_CONFIG.mode == 'pki'
- name: Certificates | Debian | Letsencrypt
- name: Certificates | Letsencrypt
ansible.builtin.include_tasks: debian/letsencrypt/main.yml
when:
- CERT_CONFIG.mode == 'le_certbot'