diff --git a/flake.nix b/flake.nix
index 5349a7b..6381636 100644
--- a/flake.nix
+++ b/flake.nix
@@ -35,6 +35,7 @@
 ansible-lint
 certbot
 dig
+ openssl
 ];
 };
 });
diff --git a/new/playbooks/basic-setup.yml b/new/playbooks/basic-setup.yml
index a84931d..cf1ace0 100644
--- a/new/playbooks/basic-setup.yml
+++ b/new/playbooks/basic-setup.yml
@@ -2,6 +2,17 @@
 - name: Basic Server setup
 hosts: all
 gather_facts: false
+ vars:
+ acme_challenge_type: http-01
+ acme_directory: https://acme-v02.api.letsencrypt.org/directory
+ acme_version: 2
+ acme_email: nilstrieb@gmail.com # don't spam me pls :(
+ letsencrypt_dir: /etc/letsencrypt
+ letsencrypt_keys_dir: /etc/letsencrypt/keys
+ letsencrypt_csrs_dir: /etc/letsencrypt/csrs
+ letsencrypt_certs_dir: /etc/letsencrypt/certs
+ letsencrypt_account_key: /etc/letsencrypt/account/account.key
+ domain_name: vps2.nilstrieb.dev
 tasks:
 - name: Test ping
 ansible.builtin.ping:
@@ -34,3 +45,6 @@
 mode: u=rw,g=r,o=r
+ - name: Acquire certificates
+ ansible.builtin.include_tasks: ./letsencrypt.yml
+ when: true # disable it by default.
diff --git a/new/playbooks/letsencrypt.yml b/new/playbooks/letsencrypt.yml
new file mode 100644
index 0000000..7e18663
--- /dev/null
+++ b/new/playbooks/letsencrypt.yml
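Review bot: `when: true` on the "Acquire certificates" include at the end of the last basic-setup.yml hunk runs the task unconditionally, while its trailing comment says it is disabled by default, so one of the two is wrong. Because the included file generates private keys and talks to the production directory set in `acme_directory` in the earlier hunk, accidental enablement on every run is costly (rate limits, key churn). Gate it on an explicit variable instead: `when: acquire_certificates | default(false)`, with the comment reworded to `# opt in with -e acquire_certificates=true`.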
@@ -0,0 +1,83 @@
+- name: "Create required directories in /etc/letsencrypt"
+ ansible.builtin.file:
+ path: "/etc/letsencrypt/{{ item }}"
+ state: directory
+ owner: root
+ group: root
+ mode: u=rwx,g=x,o=x
+ with_items:
+ - account
+ - certs
+ - csrs
+ - keys
+- name: "Generate a Let's Encrypt account key"
+ ansible.builtin.shell: |
+ set -euo pipefail
+ if [ ! -f {{ letsencrypt_account_key }} ]; then
+ openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }};
+ echo "changed"
+ fi
+ args:
+ executable: /bin/bash
+ register: key_output
+ changed_when: key_output.stdout == "changed" # this is probably wrong?
+- name: "Generate Let's Encrypt private key"
+ ansible.builtin.shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ domain_name }}.key"
+- name: "Generate Let's Encrypt CSR"
+ ansible.builtin.shell: |
+ set -euo pipefail
+
+ CSR_PATH=/etc/letsencrypt/csrs/{{ domain_name }}.csr
+
+ if [ ! -f "$CSR_PATH" ]; then
+
+ SANS=$(printf "\n[SAN]\nsubjectAltName=DNS:vps2.{{ domain_name }}")
+
+ openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ domain_name }}.key -subj "/CN={{ domain_name }}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(echo $SANS)) | sudo tee "$CSR_PATH"
+ echo "changed"
+ fi
+ args:
+ executable: /bin/bash
+ register: key_output
+ changed_when: key_output.stdout == "changed" # this is probably wrong?
+- name: "Begin Let's Encrypt challenges"
+ acme_certificate:
+ acme_directory: "{{ acme_directory }}"
+ acme_version: "{{ acme_version }}"
+ account_key_src: "{{ letsencrypt_account_key }}"
+ account_email: "{{ acme_email }}"
+ terms_agreed: 1
+ challenge: "{{ acme_challenge_type }}"
+ csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
+ dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
+ fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
+ remaining_days: 91
+ register: acme_challenge_nilstrieb_dev
+- name: "Create .well-known/acme-challenge directory"
+ ansible.builtin.file:
+ path: /var/www/html/.well-known/acme-challenge
+ state: directory
+ owner: root
+ group: root
+ mode: u=rwx,g=rx,o=rx
+- name: "Implement http-01 challenge files"
+ ansible.builtin.copy:
+ content: "{{ acme_challenge_nilstrieb_dev['challenge_data'][item]['http-01']['resource_value'] }}"
+ dest: "/var/www/html/{{ acme_challenge_nilstrieb_dev['challenge_data'][item]['http-01']['resource'] }}"
+ owner: root
+ group: root
+ mode: u=rw,g=r,o=r
+ with_items:
+ - "vps2.{{ domain_name }}"
+- name: "Complete Let's Encrypt challenges"
+ acme_certificate:
+ acme_directory: "{{ acme_directory }}"
+ acme_version: "{{ acme_version }}"
+ account_key_src: "{{ letsencrypt_account_key }}"
+ account_email: "{{ acme_email }}"
+ challenge: "{{ acme_challenge_type }}"
+ csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
+ dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
+ chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ domain_name }}.crt"
+ fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}"
+ data: "{{ acme_challenge_nilstrieb_dev }}"
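Review bot: The "Generate Let's Encrypt private key" task writes the domain key with `openssl genrsa 4096 | sudo tee …` and sets no `mode`, so the file gets tee's umask-derived default permissions rather than 0600, and unlike the account-key and CSR tasks it has no `if [ ! -f … ]` guard, so the key is regenerated on every run; the account-key task leaves its key with the same default permissions. `community.crypto.openssl_privatekey` (same collection as the `acme_certificate` module used later in the hunk) is idempotent and takes `mode`, see the fence for the domain-key task. Two smaller mismatches in the same hunk: `fullchain_dest` in the final task lacks the `.crt` suffix the first `acme_certificate` task uses, and `remaining_days: 91` exceeds the 90-day certificate lifetime, so a new certificate is requested on every run. The SAN `DNS:vps2.{{ domain_name }}` also looks like it doubles the host label if `domain_name` is already the full host name as set in basic-setup.yml — worth confirming.
```yaml
- name: "Generate Let's Encrypt private key"
  community.crypto.openssl_privatekey:
    path: "{{ letsencrypt_keys_dir }}/{{ domain_name }}.key"
    size: 4096
    owner: root
    group: root
    mode: "0600"
# … unchanged: CSR generation and acme_certificate tasks …
```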