initial commit

2020-04-13 14:46:45 +02:00
commit 961498e32b
76 changed files with 2715 additions and 0 deletions
--- a/roles/acme/tasks/acme.yml
+++ b/roles/acme/tasks/acme.yml
@@ -0,0 +1,76 @@
+- name: Install ACME dependencies
+  apt:
+    name: python3-acme
+    state: present
+  tags: acme_install
+
+- name: Create Let's Encrypt config directories
+  file:
+    path: "{{ config_dir }}"
+    state: directory
+    owner: root
+    group: "{{ acme_ssl_group }}"
+    mode: "711"
+  loop:
+  - "{{ acme_config_dir }}"
+  - "{{ acme_keys_dir }}"
+  - "{{ acme_accounts_dir }}"
+  - "{{ acme_csr_dir }}"
+  loop_control:
+    loop_var: config_dir
+  tags: acme_install
+
+- name: Create challenge directory
+  file:
+    path: "{{ acme_challenge_dir }}/.well-known/acme-challenge"
+    state: directory
+    owner: root
+    group: root
+    mode: "755"
+  tags: acme_install
+
+- name: Perform ACME challenge for each domain
+  include_tasks:
+    file: challenge.yml
+    apply:
+      tags: acme_challenge
+  loop: "{{ acme_domains | unique }}"
+  loop_control:
+    loop_var: domain_name
+  tags: acme_challenge
+
+- name: Create directory for certificate renewal tool
+  file:
+    path: /opt/acme
+    owner: root
+    group: root
+    mode: "755"
+    state: directory
+  tags: acme_renew
+
+- name: Copy script to renew ACME certificates
+  copy:
+    src: acme_renew_cert.py
+    dest: /opt/acme/acme_renew_cert.py
+    owner: root
+    group: root
+    mode: "755"
+  tags: acme_renew
+  
+- name: Setup cron job for ACME certificates renewal of {{ domain_name }}
+  cron:
+    name: acme renew {{ domain_name }} cert
+    job: >-
+      sleep $((RANDOM % 3600)) && /opt/acme/acme_renew_cert.py {{ domain_name }} -q
+      -a {{ (acme_accounts_dir + '/' + acme_account_key) | quote }}
+      -p {{ acme_keys_dir | quote }}/{domain}.pem
+      -r {{ acme_csr_dir | quote }}/{domain}.csr
+      -o {{ acme_certs_dir | quote }}/{domain}.d
+      -c {{ acme_challenge_dir | quote }}/.well-known/acme-challenge
+    minute: "30"
+    hour: "2"
+    state: present
+  loop: "{{ acme_domains | unique }}"
+  loop_control:
+    loop_var: domain_name
+  tags: acme_renew
--- a/roles/acme/tasks/challenge.yml
+++ b/roles/acme/tasks/challenge.yml
@@ -0,0 +1,91 @@
+- name: Create {{ domain_name }} certificates directory
+  file:
+    path: "{{ acme_certs_dir }}/{{ domain_name }}.d"
+    state: directory
+    owner: root
+    group: "{{ acme_ssl_group }}"
+    mode: "755"
+  tags: acme_install
+
+- name: Generate Let's Encrypt account key
+  openssl_privatekey:
+    path: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
+    owner: root
+    group: root
+    mode: "600"
+    type: RSA
+    size: 4096
+  tags: acme_account
+
+- name: Generate Let's Encrypt private key for {{ domain_name }}
+  openssl_privatekey:
+    path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
+    owner: root
+    group: "{{ acme_ssl_group }}"
+    mode: "640"
+    type: RSA
+    size: 4096
+
+- name: Generate Let's Encrypt CSR for {{ domain_name }}
+  openssl_csr:
+    path: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
+    owner: root
+    group: "{{ acme_ssl_group }}"
+    mode: "644"
+    privatekey_path: "{{ acme_keys_dir }}/{{ domain_name }}.pem"
+    common_name: "{{ domain_name }}"
+
+# - name: Check if Let's Encrypt certificate already exists for {{ domain_name }}
+#   stat:
+#     path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
+#   register: _acme_cert_file
+
+# - name: Check Let's Encrypt certificate expiration date for {{ domain_name }}
+#   openssl_certificate_info:
+#     path: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
+#     valid_at: 
+#       thirty_days: "+30d"
+#   register: _acme_cert_validity
+#   when: _acme_cert_file.stat.isreg is defined and _acme_cert_file.stat.isreg
+
+- name: Begin Let's Encrypt challenges for {{ domain_name }}
+  acme_certificate:
+    acme_directory: "{{ acme_directory }}"
+    acme_version: "{{ acme_version }}"
+    account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
+    account_email: "{{ acme_email }}"
+    terms_agreed: yes
+    challenge: http-01
+    csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
+    dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
+    fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
+    remaining_days: 30
+  register: _acme_challenge
+  # when: _acme_cert_validity is skipped or not _acme_cert_validity.valid_at.thirty_days
+
+- debug:
+    var: _acme_challenge
+
+# - name: Implement and complete Let's Encrypt challenge for {{ domain_name }}
+#   when: _acme_challenge is not skipped
+#   block:
+#   - name: Implement http-01 challenge files for {{ domain_name }}
+#     copy:
+#       content: "{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource_value }}"
+#       dest: "{{ acme_challenge_dir }}/{{ _acme_challenge.challenge_data[domain_name]['http-01'].resource }}"
+#       owner: root
+#       group: root
+#       mode: "644"
+  
+#   - name: Complete Let's Encrypt challenges for {{ domain_name }}
+#     acme_certificate:
+#       acme_directory: "{{ acme_directory }}"
+#       acme_version: "{{ acme_version }}"
+#       account_key_src: "{{ acme_accounts_dir }}/{{ acme_account_key }}"
+#       account_email: "{{ acme_email }}"
+#       challenge: http-01
+#       csr: "{{ acme_csr_dir }}/{{ domain_name }}.csr"
+#       dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/cert.pem"
+#       chain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/chain.pem"
+#       fullchain_dest: "{{ acme_certs_dir }}/{{ domain_name }}.d/fullchain.pem"
+#       data: "{{ _acme_challenge }}"
--- a/roles/acme/tasks/main.yml
+++ b/roles/acme/tasks/main.yml
@@ -0,0 +1,2 @@
+- import_tasks: acme.yml
+  tags: acme