Sign upLogin

rubyforgood/babywearing

View on GitHub
Star
deploy/ansible/certs/tasks/main.yml

Summary

Maintainability
Test Coverage
---
# TLS
- name: Install crypto library for python
  become: yes
  pip:
    name: cryptography
    state: latest

- name: Create SSH keypair for CSR
  become: yes
  openssh_keypair:
    path: "{{ cert_key_path }}"

- name: Create directory for CSR
  become: yes
  file:
    path: "{{ csr_directory }}"
    state: directory
    mode: '0755'

- name: Generate CSR
  become: yes
  openssl_csr:
    path: "{{ csr_path }}"
    privatekey_path: "{{ cert_key_path }}"
    common_name: "*.{{ ansible_host }}"

- name: Generate account key
  become: yes
  openssl_privatekey:
    path: "{{ account_key_path }}"

- name: Create directory for cert
  become: yes
  file:
    path: "{{ cert_directory }}"
    state: directory
    mode: '0755'

- name: Create a challenge using account key file.
  become: yes
  acme_certificate:
    account_key_src: "{{ account_key_path }}"
    account_email: "{{ account_email }}"
    acme_version: 2
    csr: "{{ csr_path }}"
    dest: "{{ cert_path }}"
    challenge: dns-01
    acme_directory: https://acme-v02.api.letsencrypt.org/directory
    # Renew if the certificate is at least 30 days old
    remaining_days: 60
    terms_agreed: yes
  register: cert_challenge

- name: Enter DNS TXT Record
  delegate_to: localhost
  azure.azcollection.azure_rm_dnsrecordset:
    resource_group: "{{azure_dns_resource_group}}"
    record_type: "TXT"
    relative_name: "{{txt_record_name}}"
    zone_name: "{{azure_dns_zone_name}}"
    records:
      - entry: "{{ cert_challenge.challenge_data[dns_ansible_host]['dns-01'].resource_value }}"
  when: cert_challenge is changed and dns_ansible_host in cert_challenge.challenge_data

- name: Let the challenge be validated and retrieve the cert and intermediate certificate
  become: yes
  acme_certificate:
    account_key_src: "{{ account_key_path }}"
    account_email: "{{ account_email }}"
    acme_version: 2
    csr: "{{ csr_path }}"
    cert: "{{ cert_path }}"
    fullchain: "{{ fullchain }}"
    chain: "{{ chain }}"
    challenge: dns-01
    acme_directory: https://acme-v02.api.letsencrypt.org/directory
    remaining_days: 60
    data: "{{ cert_challenge }}"
  when: cert_challenge is changed

- name: Restart nginx
  become: yes
  service: name=nginx state=restarted
  when: cert_challenge is changed