| 1 | # If a service requires read access to a cert, the system user that |
|---|
| 2 | # the service runs as should be a member of the "ssl-cert" group. |
|---|
| 3 | |
|---|
| 4 | - name: Add stretch-backports |
|---|
| 5 | apt_repository: |
|---|
| 6 | repo: "deb http://mirror.bytemark.co.uk/debian stretch-backports main" |
|---|
| 7 | |
|---|
| 8 | - name: Install ssl-cert package |
|---|
| 9 | apt: |
|---|
| 10 | name: ssl-cert |
|---|
| 11 | state: present |
|---|
| 12 | update_cache: yes |
|---|
| 13 | cache_valid_time: 10800 # 3 hours |
|---|
| 14 | |
|---|
| 15 | - name: Install CertBot from backports |
|---|
| 16 | apt: |
|---|
| 17 | name: certbot |
|---|
| 18 | default_release: stretch-backports |
|---|
| 19 | state: present |
|---|
| 20 | update_cache: yes |
|---|
| 21 | cache_valid_time: 10800 # 3 hours |
|---|
| 22 | |
|---|
| 23 | - name: Create certbot www directory |
|---|
| 24 | file: |
|---|
| 25 | path: /usr/share/certbot |
|---|
| 26 | owner: root |
|---|
| 27 | group: www-data |
|---|
| 28 | state: directory |
|---|
| 29 | mode: 0755 |
|---|
| 30 | |
|---|
| 31 | - name: Ensure private directories for TLS certs have correct permissions |
|---|
| 32 | file: |
|---|
| 33 | path: "{{ item }}" |
|---|
| 34 | state: directory |
|---|
| 35 | owner: root |
|---|
| 36 | group: ssl-cert |
|---|
| 37 | mode: 0710 |
|---|
| 38 | with_items: |
|---|
| 39 | - "/etc/ssl/private" |
|---|
| 40 | - "/etc/letsencrypt/archive/{{ domain }}" |
|---|
| 41 | - "/etc/letsencrypt/live/{{ domain }}" |
|---|
| 42 | |
|---|
| 43 | - name: Check for already installed certificate |
|---|
| 44 | stat: |
|---|
| 45 | path: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem" |
|---|
| 46 | register: tls_cert |
|---|
| 47 | |
|---|
| 48 | - name: Install self-signed TLS certificate |
|---|
| 49 | copy: |
|---|
| 50 | src: "../../tls/files/ssl/{{ domain_name }}.pem" |
|---|
| 51 | dest: "/etc/letsencrypt/live/{{ domain }}/fullchain.pem" |
|---|
| 52 | owner: root |
|---|
| 53 | group: ssl-cert |
|---|
| 54 | mode: 0640 |
|---|
| 55 | when: not tls_cert.stat.exists |
|---|
| 56 | |
|---|
| 57 | - name: Check for already installed key |
|---|
| 58 | stat: |
|---|
| 59 | path: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" |
|---|
| 60 | register: tls_key |
|---|
| 61 | |
|---|
| 62 | - name: Install self-signed TLS certificate key |
|---|
| 63 | copy: |
|---|
| 64 | src: "../../tls/files/ssl/{{ domain_name }}.key" |
|---|
| 65 | dest: "/etc/letsencrypt/live/{{ domain }}/privkey.pem" |
|---|
| 66 | owner: root |
|---|
| 67 | group: ssl-cert |
|---|
| 68 | mode: 0640 |
|---|
| 69 | when: not tls_key.stat.exists |
|---|
| 70 | |
|---|
| 71 | - name: Install symlinks to TLS certificate and key |
|---|
| 72 | file: |
|---|
| 73 | src: "/etc/letsencrypt/live/{{ item.src }}" |
|---|
| 74 | dest: "/etc/ssl/private/{{ item.dest }}" |
|---|
| 75 | owner: root |
|---|
| 76 | group: ssl-cert |
|---|
| 77 | state: link |
|---|
| 78 | force: yes |
|---|
| 79 | with_items: |
|---|
| 80 | - { src: "{{ domain }}/fullchain.pem", dest: "{{ domain }}.pem" } |
|---|
| 81 | - { src: "{{ domain }}/privkey.pem", dest: "{{ domain }}.key" } |
|---|
| 82 | |
|---|
