diff --git a/tasks/debian/letsencrypt/apache.yml b/tasks/debian/letsencrypt/apache.yml
index 0673718..54d8abc 100644
--- a/tasks/debian/letsencrypt/apache.yml
+++ b/tasks/debian/letsencrypt/apache.yml
@@ -1,17 +1,17 @@
 ---
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Install package
+- name: Certificates | LetsEncrypt Certbot | Apache | Install package
   ansible.builtin.package:
     name: ['python3-certbot-apache']
     state: present
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Checking sites
+- name: Certificates | LetsEncrypt Certbot | Apache | Checking sites
   ansible.builtin.command: 'ls /etc/apache2/sites-enabled/'
   changed_when: false
   register: enabled_apache_sites
   check_mode: false
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Deploying temporary apache site
+- name: Certificates | LetsEncrypt Certbot | Apache | Deploying temporary apache site
   ansible.builtin.template:
     src: 'templates/etc/apache2/sites-enabled/le_dummy.conf.j2'
     dest: '/etc/apache2/sites-enabled/tmp_le_dummy.conf'
@@ -21,7 +21,7 @@
   register: tmp_site_enable
   when: enabled_apache_sites.stdout_lines | length == 0
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Reloading apache
+- name: Certificates | LetsEncrypt Certbot | Apache | Reloading apache
   ansible.builtin.systemd:
     name: 'apache2.service'
     state: reloaded
diff --git a/tasks/debian/letsencrypt/apache_cleanup.yml b/tasks/debian/letsencrypt/apache_cleanup.yml
index 7245415..b1f1ebb 100644
--- a/tasks/debian/letsencrypt/apache_cleanup.yml
+++ b/tasks/debian/letsencrypt/apache_cleanup.yml
@@ -1,12 +1,12 @@
 ---
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Disable temporary site
+- name: Certificates | LetsEncrypt Certbot | Apache | Disable temporary site
   ansible.builtin.file:
     state: absent
     path: '/etc/apache2/sites-enabled/tmp_le_dummy.conf'
   register: tmp_site_disable
-- name: Certificates | Debian | LetsEncrypt Certbot | Apache | Reloading apache
+- name: Certificates | LetsEncrypt Certbot | Apache | Reloading apache
   ansible.builtin.systemd:
     name: 'apache2.service'
     state: reloaded
diff --git a/tasks/debian/letsencrypt/apache_dependencies.yml b/tasks/debian/letsencrypt/apache_dependencies.yml
index bf562cc..191900b 100644
--- a/tasks/debian/letsencrypt/apache_dependencies.yml
+++ b/tasks/debian/letsencrypt/apache_dependencies.yml
@@ -1,6 +1,6 @@
 ---
-- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Deploying temporary apache site
+- name: Apache | LetsEncrypt Certbot | Dependencies | Deploying temporary apache site
   ansible.builtin.template:
     src: 'templates/etc/apache2/sites-available/le_dummy.conf.j2'
     dest: '/etc/apache2/sites-available/tmp_le_dummy.conf'
@@ -8,7 +8,7 @@
     group: 'root'
     mode: 0644
-- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Enable apache site
+- name: Apache | LetsEncrypt Certbot | Dependencies | Enable apache site
   ansible.builtin.file:
     state: link
     src: '/etc/apache2/sites-available/tmp_le_dummy.conf'
@@ -17,7 +17,7 @@
     group: 'root'
     mode: 0644
-- name: Apache | Debian | LetsEncrypt Certbot | Dependencies | Reload apache
+- name: Apache | LetsEncrypt Certbot | Dependencies | Reload apache
   ansible.builtin.systemd:
     name: 'apache2.service'
     state: reloaded
diff --git a/tasks/debian/letsencrypt/cert.yml b/tasks/debian/letsencrypt/cert.yml
index a661b5f..e490871 100644
--- a/tasks/debian/letsencrypt/cert.yml
+++ b/tasks/debian/letsencrypt/cert.yml
@@ -1,12 +1,12 @@
 ---
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Showing debug info"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Showing debug info"
   ansible.builtin.debug:
     var: le_cert
   when: debug | bool
 # ToDo: path validation
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Checking config"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Checking config"
   ansible.builtin.assert:
     that:
       - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
@@ -16,15 +16,16 @@
       - le_cert.email | validate_email or CERT_CONFIG.cert.email | validate_email
   ignore_errors: true
   register: le_cnf_check
+  tags: always
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Invalid config"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Invalid config"
   ansible.builtin.fail:
     msg: "LetsEncrypt-CONFIG: {{ CERT_CONFIG.letsencrypt }} | {{ le_cert }}"
   when:
     - le_cnf_check.failed is defined
     - le_cnf_check.failed
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Creating directory"
   ansible.builtin.file:
     path: "{{ item }}"
     state: directory
@@ -36,7 +37,7 @@
     - "{{ le_path }}"
   changed_when: false
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)"
   ansible.builtin.debug:
     msg: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }}
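Review bot: The new `tags: always` on the `Checking config` assert does not make the validation survive a tag-filtered run, because that assert has `ignore_errors: true` and only the untagged `Invalid config` fail task turns the registered `le_cnf_check.failed` into a real failure; with `--tags` the check executes but the task that enforces it is skipped, so certbot can be run against an invalid config. Either add `tags: always` to the `Invalid config` fail task as well, or drop `ignore_errors` and let the assert fail on its own. The same assert-plus-fail pairing is changed the same way in the `tasks/internal/ca_minimal.yml` and `tasks/internal/cert.yml` hunks, where the fail task's `when` clause lies outside the hunk, so confirm it is untagged there too.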
@@ -47,7 +48,7 @@
     {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
   when: le_changed
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Running certbot"
   ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect{% if debug or testing %} --staging{% endif %} --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} -{{ CERT_CONFIG.letsencrypt.verbosity }}
@@ -58,11 +59,11 @@
   when: le_changed
   changed_when: false
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Adding dummy certs"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Adding dummy certs"
   ansible.builtin.include_tasks: test.yml
   when: testing
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
   ansible.builtin.file:
     state: link
     src: "{{ item.src }}"
@@ -77,7 +78,7 @@
     - {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.chain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/chain.pem"}
     - {'dst': "{{ CERT_CONFIG.path }}/{{ le_name }}.fullchain.{{ CERT_CONFIG.extension_cert }}", 'src': "{{ le_path }}/fullchain.pem"}
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking key"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | Linking key"
   ansible.builtin.file:
     state: link
     src: "{{ le_path }}/privkey.pem"
diff --git a/tasks/debian/letsencrypt/main.yml b/tasks/debian/letsencrypt/main.yml
index 2e7f235..3f3c3bc 100644
--- a/tasks/debian/letsencrypt/main.yml
+++ b/tasks/debian/letsencrypt/main.yml
@@ -1,34 +1,35 @@
 ---
-- name: Certificates | Debian | LetsEncrypt Certbot | Checking config
+- name: Certificates | LetsEncrypt Certbot | Checking config
   ansible.builtin.assert:
     that:
       - CERT_CONFIG.letsencrypt.certs | length > 0
       - CERT_CONFIG.letsencrypt.service | default(false, true)
       - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
       - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
+  tags: always
-- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
+- name: Certificates | LetsEncrypt Certbot | Configure for Apache2
   ansible.builtin.import_tasks: apache.yml
   when: CERT_CONFIG.letsencrypt.service == 'apache'
-- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Nginx
+- name: Certificates | LetsEncrypt Certbot | Configure for Nginx
   ansible.builtin.import_tasks: nginx.yml
   when: CERT_CONFIG.letsencrypt.service == 'nginx'
-- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
+- name: Certificates | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
   ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}"
   register: existing_certs_raw
   changed_when: false
   check_mode: false
   timeout: 120
-- name: Certificates | Debian | LetsEncrypt Certbot | Existing certificates
+- name: Certificates | LetsEncrypt Certbot | Existing certificates
   ansible.builtin.debug:
     var: existing_certs_raw.stdout
   when: debug | bool
-- name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
+- name: Certificates | LetsEncrypt Certbot | Adding certificates
   ansible.builtin.include_tasks: cert.yml
   when:
     - le_cert.domains | length > 0
@@ -44,7 +45,7 @@
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
 # todo: task gets stuck
-- name: Certificates | Debian | LetsEncrypt Certbot | Revoking certificates
+- name: Certificates | LetsEncrypt Certbot | Revoking certificates
   ansible.builtin.command: "certbot revoke --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
   changed_when: false
   when:
@@ -57,7 +58,7 @@
     loop_var: cert_item
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
-- name: Certificates | Debian | LetsEncrypt Certbot | Deleting certificates
+- name: Certificates | LetsEncrypt Certbot | Deleting certificates
   ansible.builtin.command: "certbot delete --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
   changed_when: false
   when:
@@ -70,15 +71,15 @@
     loop_var: cert_item
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
-- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Apache2
+- name: Certificates | LetsEncrypt Certbot | Cleanup for Apache2
   ansible.builtin.import_tasks: apache_cleanup.yml
   when: CERT_CONFIG.letsencrypt.service == 'apache'
-- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Nginx
+- name: Certificates | LetsEncrypt Certbot | Cleanup for Nginx
   ansible.builtin.import_tasks: nginx_cleanup.yml
   when: CERT_CONFIG.letsencrypt.service == 'nginx'
-- name: Certificates | Debian | LetsEncrypt Certbot | Adding service for certbot renewal
+- name: Certificates | LetsEncrypt Certbot | Adding service for certbot renewal
   ansible.builtin.template:
     src: "templates/etc/systemd/system/{{ item }}.j2"
     dest: "/etc/systemd/system/{{ item }}"
@@ -89,7 +90,7 @@
     - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
     - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
-- name: Certificates | Debian | LetsEncrypt Certbot | Enabling cert-renewal timer
+- name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer
   ansible.builtin.systemd:
     daemon_reload: yes
     name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
@@ -97,7 +98,7 @@
     state: started
 # Renew all previously obtained certificates that are near expiry
-- name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
+- name: Certificates | LetsEncrypt Certbot | Running renewal
   ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
   when: CERT_CONFIG.letsencrypt.renew
   changed_when: false
diff --git a/tasks/debian/letsencrypt/nginx.yml b/tasks/debian/letsencrypt/nginx.yml
index 3476ec9..d1db0b6 100644
--- a/tasks/debian/letsencrypt/nginx.yml
+++ b/tasks/debian/letsencrypt/nginx.yml
@@ -1,17 +1,17 @@
 ---
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Install package
+- name: Certificates | LetsEncrypt Certbot | Nginx | Install package
   ansible.builtin.package:
     name: ['python3-certbot-nginx']
     state: present
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Checking sites
+- name: Certificates | LetsEncrypt Certbot | Nginx | Checking sites
   ansible.builtin.command: 'ls /etc/nginx/sites-enabled/'
   changed_when: false
   register: enabled_nginx_sites
   check_mode: false
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Deploying temporary nginx site
+- name: Certificates | LetsEncrypt Certbot | Nginx | Deploying temporary nginx site
   ansible.builtin.template:
     src: 'templates/etc/nginx/sites-enabled/le_dummy.j2'
     dest: '/etc/nginx/sites-enabled/tmp_le_dummy'
@@ -21,7 +21,7 @@
   register: tmp_site_enable
   when: enabled_nginx_sites.stdout_lines | length == 0
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Reloading apache
+- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading apache
   ansible.builtin.systemd:
     name: 'nginx.service'
     state: reloaded
diff --git a/tasks/debian/letsencrypt/nginx_cleanup.yml b/tasks/debian/letsencrypt/nginx_cleanup.yml
index cd750e6..78a6664 100644
--- a/tasks/debian/letsencrypt/nginx_cleanup.yml
+++ b/tasks/debian/letsencrypt/nginx_cleanup.yml
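Review bot: The rewritten task name in the last `tasks/debian/letsencrypt/nginx.yml` hunk still reads `Nginx | Reloading apache` although the task reloads `nginx.service`, so the play log reports the wrong daemon being restarted. Since the commit already rewrites every one of these name strings, `- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading nginx` would fix the label in the same pass. The identical mislabel is carried onto the new side of the `tasks/debian/letsencrypt/nginx_cleanup.yml` hunk.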
@@ -1,12 +1,12 @@
 ---
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Disable temporary site
+- name: Certificates | LetsEncrypt Certbot | Nginx | Disable temporary site
   ansible.builtin.file:
     state: absent
     path: '/etc/nginx/sites-enabled/tmp_le_dummy'
   register: tmp_site_disable
-- name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Reloading apache
+- name: Certificates | LetsEncrypt Certbot | Nginx | Reloading apache
   ansible.builtin.systemd:
     name: 'nginx.service'
     state: reloaded
diff --git a/tasks/debian/letsencrypt/test.yml b/tasks/debian/letsencrypt/test.yml
index d16d735..5691dc2 100644
--- a/tasks/debian/letsencrypt/test.yml
+++ b/tasks/debian/letsencrypt/test.yml
@@ -2,7 +2,7 @@
 # adding dummy certificates for ansible-molecule testing
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Setting dummy config"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Setting dummy config"
   ansible.builtin.set_fact:
     dummy_cert:
       path: "{{ le_path }}"
@@ -15,16 +15,16 @@
       cn: 'Molecule Dummy CA'
     email: "{{ le_cert.email }}"
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Installing dependencies"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Installing dependencies"
   ansible.builtin.package:
     pkg: ['python3-cryptography']
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy CA"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy CA"
   ansible.builtin.include_tasks: internal/ca_minimal.yml
   vars:
     config_ca: "{{ CERT_CONFIG | combine(dummy_cert, recursive=true) }}"
-- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy Certificate"
+- name: "Certificates | LetsEncrypt Certbot | {{ le_name }} | DUMMY | Creating dummy Certificate"
   ansible.builtin.include_tasks: internal/cert.yml
   vars:
     config_cert: "{{ CERT_CONFIG | combine(dummy_cert, recursive=true) }}"
diff --git a/tasks/debian/pki.yml b/tasks/debian/pki.yml
index aed7ef7..ff3017f 100644
--- a/tasks/debian/pki.yml
+++ b/tasks/debian/pki.yml
@@ -3,7 +3,7 @@
 # creating ca with full pki
 # to be continued (;
-- name: Certificates | Debian | Internal | CA | Not yet implemented
+- name: Certificates | Internal | CA | Not yet implemented
   ansible.builtin.debug:
     msg: "The certificate mode 'pki' is not yet implemented!"
   tags: ca
diff --git a/tasks/internal/ca_minimal.yml b/tasks/internal/ca_minimal.yml
index 2a081a1..acee325 100644
--- a/tasks/internal/ca_minimal.yml
+++ b/tasks/internal/ca_minimal.yml
@@ -9,6 +9,7 @@
       - config_ca.ca.email | default(none, true) is none or config_ca.ca.email | validate_email
   ignore_errors: true
   register: ca_cnf_check
+  tags: always
 - name: Certificates | Internal | Minimal CA | Invalid config
   ansible.builtin.fail:
diff --git a/tasks/internal/cert.yml b/tasks/internal/cert.yml
index 9008b4f..401a54c 100644
--- a/tasks/internal/cert.yml
+++ b/tasks/internal/cert.yml
@@ -7,6 +7,7 @@
       - config_cert.cert.email | default(none, true) is none or config_cert.cert.email | validate_email
   ignore_errors: true
   register: crt_cnf_check
+  tags: always
 - name: Certificates | Internal | Minimal CA | Invalid config
   ansible.builtin.fail:
diff --git a/tasks/internal/main.yml b/tasks/internal/main.yml
index 2a32fd4..1306149 100644
--- a/tasks/internal/main.yml
+++ b/tasks/internal/main.yml
@@ -6,6 +6,7 @@
       - CERT_CONFIG.cert.name or name
       - CERT_CONFIG.cert.cn
       - CERT_CONFIG.mode != 'ca' or CERT_CONFIG.ca.cn
+  tags: always
 - name: Certificates | Internal | Installing dependencies
   ansible.builtin.package:
diff --git a/tasks/main.yml b/tasks/main.yml
index 1e5acc7..c6ee21e 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -6,6 +6,7 @@
   ansible.builtin.assert:
     that:
       - certs is defined
+  tags: always
 - name: Certificates | Showing debug info - user provided config
   ansible.builtin.debug:
@@ -33,7 +34,7 @@
   ansible.builtin.include_tasks: debian/pki.yml
   when: CERT_CONFIG.mode == 'pki'
-- name: Certificates | Debian | Letsencrypt
+- name: Certificates | Letsencrypt
   ansible.builtin.include_tasks: debian/letsencrypt/main.yml
   when:
     - CERT_CONFIG.mode == 'le_certbot'