Use /etc/ansible_certs instead of /certs directory

2023-04-25 16:57:34 +02:00 · 2023-04-25 16:57:34 +02:00 · f8d89c9742
parent c407f93b0a
commit f8d89c9742
1 changed files with 16 additions and 16 deletions
--- a/playbooks/roles/cert/tasks/deploy_cert.yml
+++ b/playbooks/roles/cert/tasks/deploy_cert.yml
@ -1,20 +1,20 @@
 - name: Ensure certs directory exists
  ansible.builtin.file:
-    path: /certs
+    path: /etc/ansible_certs
    state: directory
    owner: root
    group: root
    mode: "755"
 - name: Ensure sub-directory for the certificate exists
  ansible.builtin.file:
-    path: "/certs/{{ item }}"
+    path: "/etc/ansible_certs/{{ item }}"
    state: directory
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "755"
 - name: Ensure private key is generated
  community.crypto.openssl_privatekey:
-    path: "/certs/{{ item }}/key.pem"
+    path: "/etc/ansible_certs/{{ item }}/key.pem"
    size: 4096
    type: RSA
    owner: "{{ cert__owner }}"
@ -22,8 +22,8 @@
    mode: "0600"
 - name: Ensure certificate signing request is created
  community.crypto.openssl_csr:
-    path: "/certs/{{ item }}/csr.pem"
+    path: "/etc/ansible_certs/{{ item }}/csr.pem"
-    privatekey_path: "/certs/{{ item }}/key.pem"
+    privatekey_path: "/etc/ansible_certs/{{ item }}/key.pem"
    common_name: "{{ item }}"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
@ -38,9 +38,9 @@
    remaining_days: 28
    terms_agreed: true
    challenge: dns-01
-    csr: "/certs/{{ item }}/csr.pem"
+    csr: "/etc/ansible_certs/{{ item }}/csr.pem"
-    dest: "/certs/{{ item }}/cert.pem"
+    dest: "/etc/ansible_certs/{{ item }}/cert.pem"
-    fullchain_dest: "/certs/{{ item }}/fullchain.pem"
+    fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
  register: cert__acme_challenge
 - name: Retrieve certificate and fulfill challenge if needed # noqa no-handler
  when: cert__acme_challenge.changed # Can't be put in a handler, because then the block "always" tasks won't be executed for some reason
@ -65,9 +65,9 @@
        terms_agreed: true
        remaining_days: 28
        challenge: dns-01
-        csr: "/certs/{{ item }}/csr.pem"
+        csr: "/etc/ansible_certs/{{ item }}/csr.pem"
-        dest: "/certs/{{ item }}/cert.pem"
+        dest: "/etc/ansible_certs/{{ item }}/cert.pem"
-        fullchain_dest: "/certs/{{ item }}/fullchain.pem"
+        fullchain_dest: "/etc/ansible_certs/{{ item }}/fullchain.pem"
        data: "{{ cert__acme_challenge }}"
      notify: "{{ cert__handlers }}"
  always:
@ -83,28 +83,28 @@
        state: absent
 - name: Ensure correct permissions for certificate are set
  ansible.builtin.file:
-    path: "/certs/{{ item }}/cert.pem"
+    path: "/etc/ansible_certs/{{ item }}/cert.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"
 - name: Ensure correct permissions for fullchain cert are set
  ansible.builtin.file:
-    path: "/certs/{{ item }}/fullchain.pem"
+    path: "/etc/ansible_certs/{{ item }}/fullchain.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"
 - name: Get content of cert.pem
  ansible.builtin.slurp:
-    src: "/certs/{{ item }}/cert.pem"
+    src: "/etc/ansible_certs/{{ item }}/cert.pem"
  register: cert__cert_slurp
 - name: Get content of fullchain.pem
  ansible.builtin.slurp:
-    src: "/certs/{{ item }}/fullchain.pem"
+    src: "/etc/ansible_certs/{{ item }}/fullchain.pem"
  register: cert__fullchain_slurp
 - name: Ensure ca.pem is created
  ansible.builtin.copy:
    content: "{{ cert__fullchain_slurp.content | b64decode | replace(cert__cert_slurp.content | b64decode, '') }}"
-    dest: "/certs/{{ item }}/ca.pem"
+    dest: "/etc/ansible_certs/{{ item }}/ca.pem"
    owner: "{{ cert__owner }}"
    group: "{{ cert__group }}"
    mode: "0660"