source: darkpeak-services/roles/tls/tasks/configure-tls-cert.yml @ 47aa50ab

Last change on this file since 47aa50ab was 47aa50ab, checked in by Mat Booth <mat.booth@…>, 2 years ago

Install the TLS cert key, too

# If a service requires read access to a cert, the system user that
# the service runs as should be a member of the "ssl-cert" group.

4- name: Add stretch-backports
5  apt_repository:
6    repo: "deb http://mirror.bytemark.co.uk/debian stretch-backports main"
7
8- name: Install ssl-cert package
9  apt:
10    name: ssl-cert
11    state: present
12    update_cache: yes
13    cache_valid_time: 10800   # 3 hours
14
15- name: Install CertBot from backports
16  apt:
17    name: certbot
18    default_release: stretch-backports
19    state: present
20    update_cache: yes
21    cache_valid_time: 10800   # 3 hours
22
23- name: Create certbot www directory
24  file:
25    path: /usr/share/certbot
26    owner: root
27    group: www-data
28    state: directory
29    mode: 0755
30
31- name: Ensure private directory for TLS certs
32  file:
33    path: /etc/ssl/private
34    state: directory
35    owner: root
36    group: ssl-cert
37    mode: 0710
38
39- name: Ensure letsencrypt cert directory
40  file:
41    path: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}"
42    owner: root
43    group: ssl-cert
44    state: directory
45    mode: 0710
46
47- name: Check for already installed certificate
48  stat:
49    path: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}/fullchain.pem"
50  register: tls_cert
51
52- name: Install self-signed TLS certificate
53  copy:
54    src: "../../tls/files/ssl/{{ domain_name }}.pem"
55    dest: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}/fullchain.pem"
56    owner: root
57    group: ssl-cert
58    mode: 0640
59  when: not tls_cert.stat.exists
60
61- name: Install self-signed TLS certificate key
62  copy:
63    src: "../../tls/files/ssl/{{ domain_name }}.key"
64    dest: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}/privkey.pem"
65    owner: root
66    group: ssl-cert
67    mode: 0640
68  when: not tls_cert.stat.exists
69
70- name: Install symlink to TLS certificate
71  file:
72    src: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}/fullchain.pem"
73    dest: "/etc/ssl/private/{{ domain_name if service_name == 'default' else domain }}.pem"
74    owner: root
75    group: ssl-cert
76    state: link
77    force: yes
78
79- name: Install symlink to TLS certificate key
80  file:
81    src: "/etc/letsencrypt/live/{{ domain_name if service_name == 'default' else domain }}/privkey.pem"
82    dest: "/etc/ssl/private/{{ domain_name if service_name == 'default' else domain }}.key"
83    owner: root
84    group: ssl-cert
85    state: link
86    force: yes