From c407f93b0a6b07dddaaada5f9405fa2241c20dc5 Mon Sep 17 00:00:00 2001 From: yuri Date: Tue, 25 Apr 2023 13:49:45 +0200 Subject: [PATCH] Add initial cert role --- playbooks/roles/cert/defaults/main.yml | 3 + playbooks/roles/cert/meta/argument_specs.yml | 46 ++++++++ playbooks/roles/cert/meta/main.yml | 7 ++ playbooks/roles/cert/tasks/deploy_cert.yml | 110 +++++++++++++++++++ playbooks/roles/cert/tasks/main.yml | 3 + 5 files changed, 169 insertions(+) create mode 100644 playbooks/roles/cert/defaults/main.yml create mode 100644 playbooks/roles/cert/meta/argument_specs.yml create mode 100644 playbooks/roles/cert/meta/main.yml create mode 100644 playbooks/roles/cert/tasks/deploy_cert.yml create mode 100644 playbooks/roles/cert/tasks/main.yml diff --git a/playbooks/roles/cert/defaults/main.yml b/playbooks/roles/cert/defaults/main.yml new file mode 100644 index 0000000..bcff4d3 --- /dev/null +++ b/playbooks/roles/cert/defaults/main.yml @@ -0,0 +1,3 @@ +cert__handlers: [] +cert__owner: root +cert__group: root diff --git a/playbooks/roles/cert/meta/argument_specs.yml b/playbooks/roles/cert/meta/argument_specs.yml new file mode 100644 index 0000000..c79ff1a --- /dev/null +++ b/playbooks/roles/cert/meta/argument_specs.yml @@ -0,0 +1,46 @@ +--- +argument_specs: + main: + short_description: Orders and renews certificates from Let's Encrypt + options: + cert__domains: + description: Domains for which to issue a certificate. Must be in the same DNS zone. + required: true + type: list + elements: str + cert__owner: + description: Owner of the certificate files. + required: false + type: str + default: root + cert__group: + description: Group of the certificate files. + required: false + type: str + default: root + cert__acme_account: + description: ACME account details + required: true + type: dict + options: + email: + description: E-mail address to send certificate expiary notifications to + required: true + type: str + key: + description: Private RSA or Elliptic Curve key of the ACME account + required: true + type: str + cert__cloudflare_dns: + description: Cloudflare DNS API details + required: true + type: dict + options: + api_token: + description: Cloudflare API token + required: true + type: str + zone: + description: DNS zone the domain is in + required: true + type: str diff --git a/playbooks/roles/cert/meta/main.yml b/playbooks/roles/cert/meta/main.yml new file mode 100644 index 0000000..f730c82 --- /dev/null +++ b/playbooks/roles/cert/meta/main.yml @@ -0,0 +1,7 @@ +dependencies: # noqa meta-no-info + - role: distribution_check + vars: + distribution_check__supported_distributions: + - name: Debian + versions: + - "11" diff --git a/playbooks/roles/cert/tasks/deploy_cert.yml b/playbooks/roles/cert/tasks/deploy_cert.yml new file mode 100644 index 0000000..eeb5e30 --- /dev/null +++ b/playbooks/roles/cert/tasks/deploy_cert.yml @@ -0,0 +1,110 @@ +- name: Ensure certs directory exists + ansible.builtin.file: + path: /certs + state: directory + owner: root + group: root + mode: "755" +- name: Ensure sub-directory for the certificate exists + ansible.builtin.file: + path: "/certs/{{ item }}" + state: directory + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "755" +- name: Ensure private key is generated + community.crypto.openssl_privatekey: + path: "/certs/{{ item }}/key.pem" + size: 4096 + type: RSA + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "0600" +- name: Ensure certificate signing request is created + community.crypto.openssl_csr: + path: "/certs/{{ item }}/csr.pem" + privatekey_path: "/certs/{{ item }}/key.pem" + common_name: "{{ item }}" + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "0660" + register: cert__csr_result +- name: Check certificate status and create ACME challenge if needed + community.crypto.acme_certificate: + account_email: "{{ cert__acme_account.email }}" + account_key_content: "{{ cert__acme_account.key }}" + acme_directory: https://acme-v02.api.letsencrypt.org/directory + acme_version: 2 + remaining_days: 28 + terms_agreed: true + challenge: dns-01 + csr: "/certs/{{ item }}/csr.pem" + dest: "/certs/{{ item }}/cert.pem" + fullchain_dest: "/certs/{{ item }}/fullchain.pem" + register: cert__acme_challenge +- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler + when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason + block: + - name: Set DNS record via Cloudflare API to fulfill the challenge + when: not cert__acme_challenge.authorizations[item].status == "valid" + community.general.cloudflare_dns: + api_token: "{{ cert__cloudflare_dns.api_token }}" + zone: "{{ cert__cloudflare_dns.zone }}" + record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}" + value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}" + type: TXT + ttl: 60 + solo: true + state: present + - name: Retrieve certificate + community.crypto.acme_certificate: + account_email: "{{ cert__acme_account.email }}" + account_key_content: "{{ cert__acme_account.key }}" + acme_directory: https://acme-v02.api.letsencrypt.org/directory + acme_version: 2 + terms_agreed: true + remaining_days: 28 + challenge: dns-01 + csr: "/certs/{{ item }}/csr.pem" + dest: "/certs/{{ item }}/cert.pem" + fullchain_dest: "/certs/{{ item }}/fullchain.pem" + data: "{{ cert__acme_challenge }}" + notify: "{{ cert__handlers }}" + always: + - name: Ensure DNS record is removed + when: not cert__acme_challenge.authorizations[item].status == "valid" + community.general.cloudflare_dns: + api_token: "{{ cert__cloudflare_dns.api_token }}" + zone: "{{ cert__cloudflare_dns.zone }}" + record: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].record }}" + value: "{{ cert__acme_challenge.challenge_data[item]['dns-01'].resource_value }}" + type: TXT + ttl: 60 + state: absent +- name: Ensure correct permissions for certificate are set + ansible.builtin.file: + path: "/certs/{{ item }}/cert.pem" + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "0660" +- name: Ensure correct permissions for fullchain cert are set + ansible.builtin.file: + path: "/certs/{{ item }}/fullchain.pem" + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "0660" +- name: Get content of cert.pem + ansible.builtin.slurp: + src: "/certs/{{ item }}/cert.pem" + register: cert__cert_slurp +- name: Get content of fullchain.pem + ansible.builtin.slurp: + src: "/certs/{{ item }}/fullchain.pem" + register: cert__fullchain_slurp +- name: Ensure ca.pem is created + ansible.builtin.copy: + content: "{{ cert__fullchain_slurp.content | b64decode | replace(cert__cert_slurp.content | b64decode, '') }}" + dest: "/certs/{{ item }}/ca.pem" + owner: "{{ cert__owner }}" + group: "{{ cert__group }}" + mode: "0660" diff --git a/playbooks/roles/cert/tasks/main.yml b/playbooks/roles/cert/tasks/main.yml new file mode 100644 index 0000000..5141e00 --- /dev/null +++ b/playbooks/roles/cert/tasks/main.yml @@ -0,0 +1,3 @@ +- name: Deploy cert + ansible.builtin.include_tasks: deploy_cert.yml + loop: "{{ cert__domains }}"