132 lines
3.4 KiB
YAML
132 lines
3.4 KiB
YAML
---
|
|
- name: Install dehydrated dependencies
|
|
apt: name={{ dehydrated_dependencies }}
|
|
|
|
- name: Checkout dehydrated from github
|
|
git:
|
|
repo: "{{ dehydrated_repo_url }}"
|
|
update: "{{ dehydrated_update }}"
|
|
dest: "{{ dehydrated_install_root }}"
|
|
version: "{{ dehydrated_version }}"
|
|
|
|
- name: Checkout pdns_api.sh from github
|
|
git:
|
|
repo: "{{ pdns_api_repo_url }}"
|
|
update: "{{ pdns_api_update }}"
|
|
dest: "{{ dehydrated_install_root }}/pdns_api"
|
|
version: "{{ pdns_api_version }}"
|
|
|
|
- name: Create /etc/dehydrated
|
|
file: dest=/etc/dehydrated state=directory owner=root group=root mode=0700
|
|
|
|
- name: Generate dehydrated config
|
|
template:
|
|
dest: /etc/dehydrated/config
|
|
src: config.j2
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
|
|
- name: Generate dehydrated domains.txt
|
|
copy:
|
|
dest: /etc/dehydrated/domains.txt
|
|
content: "{{ dehydrated_domains }}"
|
|
owner: root
|
|
group: root
|
|
mode: 0600
|
|
notify: run dehydrated
|
|
|
|
- import_tasks: domain_config.yml
|
|
|
|
- name: Generate hookwrapper.sh
|
|
template:
|
|
src: hookwrapper.j2
|
|
dest: /etc/dehydrated/hookwrapper.sh
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
when: dehydrated_deploycert is defined
|
|
|
|
- name: Generate deploycert.sh
|
|
template:
|
|
src: deploycert.j2
|
|
dest: /etc/dehydrated/deploycert.sh
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
when: dehydrated_deploycert is defined
|
|
|
|
- name: Remove deploycert.sh
|
|
file: dest=/etc/dehydrated/deploycert.sh state=absent
|
|
when: dehydrated_deploycert is not defined
|
|
|
|
- name: Remove hookwrapper.sh
|
|
file: dest=/etc/dehydrated/hookwrapper.sh state=absent
|
|
when: dehydrated_deploycert is not defined
|
|
|
|
- name: Install cronjob
|
|
cron:
|
|
name: dehydrated-renew
|
|
minute: "{{ 59|random(seed=inventory_hostname) }}"
|
|
hour: "{{ 4|random(seed=inventory_hostname) }}"
|
|
user: root
|
|
job: "{{ dehydrated_install_root }}/dehydrated -c > /dev/null"
|
|
cron_file: dehydrated
|
|
state: "{{ 'present' if dehydrated_cronjob else 'absent' }}"
|
|
|
|
- import_tasks: systemd.yml
|
|
|
|
# /opt/dehydrated/dehydrated --register --accept-terms
|
|
- name: Check if already registered
|
|
stat:
|
|
path: "/etc/dehydrated/accounts/{{ ((dehydrated_ca + '\n')|b64encode).rstrip('=').replace('+', '-').replace('/', '_') }}"
|
|
register: ca_stat
|
|
|
|
- block:
|
|
- name: "assert dehydrated_accept_letsencrypt_terms is true"
|
|
assert:
|
|
that: dehydrated_accept_letsencrypt_terms
|
|
|
|
- name: Register to CA
|
|
command: "{{ dehydrated_install_root }}/dehydrated --register --accept-terms"
|
|
# \end block register
|
|
when: "not ca_stat.stat.exists or (ca_stat.stat.isdir is defined and not ca_stat.stat.isdir)"
|
|
|
|
- meta: flush_handlers
|
|
|
|
|
|
- name: Add the cert user for distributing certs
|
|
user:
|
|
name: cert
|
|
|
|
- name: Create cert/bin directory if it does not exist
|
|
file:
|
|
path: /home/cert/bin
|
|
state: directory
|
|
owner: cert
|
|
group: cert
|
|
mode: '0700'
|
|
|
|
- name: Create certificates directory if it does not exist
|
|
file:
|
|
path: /home/cert/certificates
|
|
state: directory
|
|
owner: cert
|
|
group: cert
|
|
mode: '0700'
|
|
|
|
- name: generate authorized_keys
|
|
authorized_key:
|
|
key: "{{ dehydrated_authorized_keys }}"
|
|
key_options: command="$HOME/bin/rrsync -ro ~/certificates",no-agent-forwarding,no-port-forwarding,no-pty,no-user-rc,no-X11-forwarding
|
|
user: cert
|
|
exclusive: true
|
|
|
|
- name: Download rrsync
|
|
get_url:
|
|
url: http://ftp.samba.org/pub/unpacked/rsync/support/rrsync
|
|
dest: /home/cert/bin/rrsync
|
|
owner: cert
|
|
group: cert
|
|
mode: '0700'
|