Use /etc/ansible_certs
instead of /certs
directory
This commit is contained in:
parent
c407f93b0a
commit
f8d89c9742
1 changed files with 16 additions and 16 deletions
|
@ -1,20 +1,20 @@
|
|||
- name: Ensure certs directory exists
|
||||
ansible.builtin.file:
|
||||
path: /certs
|
||||
path: /etc/ansible_certs
|
||||
state: directory
|
||||
owner: root
|
||||
group: root
|
||||
mode: "755"
|
||||
- name: Ensure sub-directory for the certificate exists
|
||||
ansible.builtin.file:
|
||||
path: "/certs/{{ item }}"
|
||||
path: "/etc/ansible_certs/{{ item }}"
|
||||
state: directory
|
||||
owner: "{{ cert__owner }}"
|
||||
group: "{{ cert__group }}"
|
||||
mode: "755"
|
||||
- name: Ensure private key is generated
|
||||
community.crypto.openssl_privatekey:
|
||||
path: "/certs/{{ item }}/key.pem"
|
||||
path: "/etc/ansible_certs/{{ item }}/key.pem"
|
||||
size: 4096
|
||||
type: RSA
|
||||
owner: "{{ cert__owner }}"
|
||||
|
@ -22,8 +22,8 @@
|
|||
mode: "0600"
|
||||
- name: Ensure certificate signing request is created
|
||||
community.crypto.openssl_csr:
|
||||
path: "/certs/{{ item }}/csr.pem"
|
||||
privatekey_path: "/certs/{{ item }}/key.pem"
|
||||
path: "/etc/ansible_certs/{{ item }}/csr.pem"
|
||||
privatekey_path: "/etc/ansible_certs/{{ item }}/key.pem"
|
||||
common_name: "{{ item }}"
|
||||
owner: "{{ cert__owner }}"
|
||||
group: "{{ cert__group }}"
|
||||
|
@ -38,9 +38,9 @@
|
|||
remaining_days: 28
|
||||
terms_agreed: true
|
||||
challenge: dns-01
|
||||
csr: "/certs/{{ item }}/csr.pem"
|
||||
dest: "/certs/{{ item }}/cert.pem"
|
||||
fullchain_dest: "/certs/{{ item }}/fullchain.pem"
|
||||
csr: "/etc/ansible_certs/{{ item }}/csr.pem"
|
||||
dest: "/etc/ansible_certs/{{ item }}/cert.pem"
|
||||
fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
|
||||
register: cert__acme_challenge
|
||||
- name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
|
||||
when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
|
||||
|
@ -65,9 +65,9 @@
|
|||
terms_agreed: true
|
||||
remaining_days: 28
|
||||
challenge: dns-01
|
||||
csr: "/certs/{{ item }}/csr.pem"
|
||||
dest: "/certs/{{ item }}/cert.pem"
|
||||
fullchain_dest: "/certs/{{ item }}/fullchain.pem"
|
||||
csr: "/etc/ansible_certs/{{ item }}/csr.pem"
|
||||
dest: "/etc/ansible_certs/{{ item }}/cert.pem"
|
||||
fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
|
||||
data: "{{ cert__acme_challenge }}"
|
||||
notify: "{{ cert__handlers }}"
|
||||
always:
|
||||
|
@ -83,28 +83,28 @@
|
|||
state: absent
|
||||
- name: Ensure correct permissions for certificate are set
|
||||
ansible.builtin.file:
|
||||
path: "/certs/{{ item }}/cert.pem"
|
||||
path: "/etc/ansible_certs/{{ item }}/cert.pem"
|
||||
owner: "{{ cert__owner }}"
|
||||
group: "{{ cert__group }}"
|
||||
mode: "0660"
|
||||
- name: Ensure correct permissions for fullchain cert are set
|
||||
ansible.builtin.file:
|
||||
path: "/certs/{{ item }}/fullchain.pem"
|
||||
path: "/etc/ansible_certs/{{ item }}/fullchain.pem"
|
||||
owner: "{{ cert__owner }}"
|
||||
group: "{{ cert__group }}"
|
||||
mode: "0660"
|
||||
- name: Get content of cert.pem
|
||||
ansible.builtin.slurp:
|
||||
src: "/certs/{{ item }}/cert.pem"
|
||||
src: "/etc/ansible_certs/{{ item }}/cert.pem"
|
||||
register: cert__cert_slurp
|
||||
- name: Get content of fullchain.pem
|
||||
ansible.builtin.slurp:
|
||||
src: "/certs/{{ item }}/fullchain.pem"
|
||||
src: "/etc/ansible_certs/{{ item }}/fullchain.pem"
|
||||
register: cert__fullchain_slurp
|
||||
- name: Ensure ca.pem is created
|
||||
ansible.builtin.copy:
|
||||
content: "{{ cert__fullchain_slurp.content | b64decode | replace(cert__cert_slurp.content | b64decode, '') }}"
|
||||
dest: "/certs/{{ item }}/ca.pem"
|
||||
dest: "/etc/ansible_certs/{{ item }}/ca.pem"
|
||||
owner: "{{ cert__owner }}"
|
||||
group: "{{ cert__group }}"
|
||||
mode: "0660"
|
||||
|
|
Loading…
Reference in a new issue