From 793f41cb4d288cbf356b959d474657dea23ee9c8 2023-10-09 19:52:27
From: x
Date: 2023-10-09 19:52:27
Subject: [PATCH] feat: add generic cert issuing task list
---
diff --git a/web/tasks/issue_cert.yml b/web/tasks/issue_cert.yml
new file mode 100644
index 0000000000000000000000000000000000000000..56caebd9061b999e76e2b72d123d9243269cf5ad
--- /dev/null
+++ b/web/tasks/issue_cert.yml
@@ -0,0 +1,55 @@
+---
+# Inputs:
+# - domain_name (e.g. freifunk.lu)
+# - all_domain_names (e.g. -d freifunk.lu -d www.freifunk.lu)
+# - reload_command (e.g. systemctl reload nginx)
+- name: Make sure bogus certificate + group exists
+ ansible.builtin.apt:
+ name: ssl-cert
+ state: present
+- name: Check if certificate already exists
+ ansible.builtin.stat:
+ path: "/root/.acme.sh/{{ domain_name }}_ecc"
+ register: acme_cert_dir
+- name: Pre-copy cert files
+ ansible.builtin.copy:
+ src: "/etc/ssl/certs/ssl-cert-snakeoil.pem"
+ dest: "/etc/ssl/certs/ssl-{{ item }}-{{ domain_name }}.pem"
+ mode: '644'
+ owner: 'root'
+ group: 'root'
+ become: true
+ loop:
+ - cert
+ - ca
+ - fullchain
+ when: not acme_cert_dir.exists
+- name: Pre-copy key file
+ ansible.builtin.copy:
+ src: "/etc/ssl/private/ssl-cert-snakeoil.key"
+ dest: "/etc/ssl/private/ssl-cert-{{ domain_name }}.pem"
+ mode: '640'
+ owner: 'root'
+ group: 'ssl-cert'
+ become: true
+ when: not acme_cert_dir.exists
+- name: Issue certificate
+ ansible.builtin.command:
+ cmd: "/root/.acme.sh/acme.sh --issue --keylength ec-384
+ -w /var/www/acme_root/ {{ all_domain_names }}"
+ become: true
+ when: not acme_cert_dir.exists
+ register: cert_issued
+ changed_when: cert_issued.rc == 0
+- name: Deploy certs and keys
+ ansible.builtin.command:
+ cmd: "/root/.acme.sh/acme.sh --install-cert --ecc
+ -d {{ domain_name }}
+ --cert-file \"/etc/ssl/certs/ssl-cert-{{ domain_name }}.pem\"
+ --key-file \"/etc/ssl/private/ssl-cert-{{ domain_name }}.pem\"
+ --ca-file \"/etc/ssl/certs/ssl-ca-{{ domain_name }}.pem\"
+ --fullchain-file \"/etc/ssl/certs/ssl-fullchain-{{ domain_name }}.pem\"
+ --reloadcmd \"{{ reload_command }}\""
+ become: true
+ register: cert_deployed
+ changed_when: cert_deployed.rc == 0
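Review bot: The `when: not acme_cert_dir.exists` conditions on the two pre-copy tasks and on "Issue certificate" read a key the `ansible.builtin.stat` result does not expose at the top level; the module reports existence under `stat`, so the first guarded task fails with an undefined-attribute conditional instead of skipping, and all three should read `when: not acme_cert_dir.stat.exists`. The stat task is also the only one in the file without `become: true` even though it checks a path under `/root/.acme.sh`, so unless the play already escalates privileges it is likely to fail on the permission check rather than return a clean result; adding `become: true` there keeps it consistent with the other tasks. The final `--install-cert` task runs on every play and `changed_when: cert_deployed.rc == 0` marks it changed whenever acme.sh succeeds, which re-runs `reload_command` as root on each run even when nothing was issued; guarding it with `when: cert_issued is changed` (a skipped register is not changed) would limit it to the issuance run, since to my knowledge acme.sh records the install paths and reload command for its own renewal job. It is worth stating in the header comment that `reload_command` is executed by acme.sh through a shell as root, so callers treat it as a trusted input rather than something derived from host- or user-provided data.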