Noratrieb/vps
1
0
Fork 0
mirror of https://github.com/Noratrieb/vps.git synced 2026-01-16 01:25:09 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

try letsencrpyptetep

Browse source
This commit is contained in:
nora 2023-08-25 23:02:33 +02:00
parent 6bb17f9c65
commit df75f381f0
3 changed files with 98 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

1
flake.nix
View file

@ -35,6 +35,7 @@
ansible-lint ansible-lint
certbot certbot
dig dig
openssl
]; ];
}; };
}); });

14
new/playbooks/basic-setup.yml
View file

@ -2,6 +2,17 @@
- name: Basic Server setup - name: Basic Server setup
hosts: all hosts: all
gather_facts: false gather_facts: false
vars:
acme_challenge_type: http-01
acme_directory: https://acme-v02.api.letsencrypt.org/directory
acme_version: 2
acme_email: nilstrieb@gmail.com # don't spam me pls :(
letsencrypt_dir: /etc/letsencrypt
letsencrypt_keys_dir: /etc/letsencrypt/keys
letsencrypt_csrs_dir: /etc/letsencrypt/csrs
letsencrypt_certs_dir: /etc/letsencrypt/certs
letsencrypt_account_key: /etc/letsencrypt/account/account.key
domain_name: vps2.nilstrieb.dev
tasks: tasks:
- name: Test ping - name: Test ping
ansible.builtin.ping: ansible.builtin.ping:
@ -34,3 +45,6 @@
</body> </body>
</html> </html>
mode: u=rw,g=r,o=r mode: u=rw,g=r,o=r
- name: Acquire certificates
ansible.builtin.include_tasks: ./letsencrypt.yml
when: true # disable it by default.

83
new/playbooks/letsencrypt.yml Normal file
View file

@ -0,0 +1,83 @@
- name: "Create required directories in /etc/letsencrypt"
ansible.builtin.file:
path: "/etc/letsencrypt/{{ item }}"
state: directory
owner: root
group: root
mode: u=rwx,g=x,o=x
with_items:
- account
- certs
- csrs
- keys
- name: "Generate a Let's Encrypt account key"
ansible.builtin.shell: |
set -euo pipefail
if [ ! -f {{ letsencrypt_account_key }} ]; then
openssl genrsa 4096 | sudo tee {{ letsencrypt_account_key }};
echo "changed"
fi
args:
executable: /bin/bash
register: key_output
changed_when: key_output.stdout == "changed" # this is probably wrong?
- name: "Generate Let's Encrypt private key"
ansible.builtin.shell: "openssl genrsa 4096 | sudo tee /etc/letsencrypt/keys/{{ domain_name }}.key"
- name: "Generate Let's Encrypt CSR"
ansible.builtin.shell: |
set -euo pipefail
CSR_PATH=/etc/letsencrypt/csrs/{{ domain_name }}.csr
if [ ! -f "$CSR_PATH" ]; then
SANS=$(printf "\n[SAN]\nsubjectAltName=DNS:vps2.{{ domain_name }}")
openssl req -new -sha256 -key /etc/letsencrypt/keys/{{ domain_name }}.key -subj "/CN={{ domain_name }}" -reqexts SAN -config <(cat /etc/ssl/openssl.cnf <(echo $SANS)) | sudo tee "$CSR_PATH"
echo "changed"
fi
args:
executable: /bin/bash
register: key_output
changed_when: key_output.stdout == "changed" # this is probably wrong?
- name: "Begin Let's Encrypt challenges"
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ letsencrypt_account_key }}"
account_email: "{{ acme_email }}"
terms_agreed: 1
challenge: "{{ acme_challenge_type }}"
csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}.crt"
remaining_days: 91
register: acme_challenge_nilstrieb_dev
- name: "Create .well-known/acme-challenge directory"
ansible.builtin.file:
path: /var/www/html/.well-known/acme-challenge
state: directory
owner: root
group: root
mode: u=rwx,g=rx,o=rx
- name: "Implement http-01 challenge files"
ansible.builtin.copy:
content: "{{ acme_challenge_nilstrieb_dev['challenge_data'][item]['http-01']['resource_value'] }}"
dest: "/var/www/html/{{ acme_challenge_nilstrieb_dev['challenge_data'][item]['http-01']['resource'] }}"
owner: root
group: root
mode: u=rw,g=r,o=r
with_items:
- "vps2.{{ domain_name }}"
- name: "Complete Let's Encrypt challenges"
acme_certificate:
acme_directory: "{{ acme_directory }}"
acme_version: "{{ acme_version }}"
account_key_src: "{{ letsencrypt_account_key }}"
account_email: "{{ acme_email }}"
challenge: "{{ acme_challenge_type }}"
csr: "{{ letsencrypt_csrs_dir }}/{{ domain_name }}.csr"
dest: "{{ letsencrypt_certs_dir }}/{{ domain_name }}.crt"
chain_dest: "{{ letsencrypt_certs_dir }}/chain_{{ domain_name }}.crt"
fullchain_dest: "{{ letsencrypt_certs_dir }}/fullchain_{{ domain_name }}"
data: "{{ acme_challenge_nilstrieb_dev }}"