diff --git a/evoacme/defaults/main.yml b/evoacme/defaults/main.yml
index 4d7fc9df..0cdffca9 100644
--- a/evoacme/defaults/main.yml
+++ b/evoacme/defaults/main.yml
@@ -1,15 +1,15 @@
 ---
-ssl_key_dir: /etc/ssl/private
-ssl_key_size: 2048
-dhparam_size: 2048
-acme_dir: /var/lib/letsencrypt
-csr_dir: /etc/ssl/requests
-crt_dir: /etc/letsencrypt
-log_dir: /var/log/evoacme
-ssl_minday: 15
-ssl_ct: 'FR'
-ssl_state: 'France'
-ssl_loc: 'Marseille'
-ssl_org: 'Evolix'
-ssl_ou: 'Security'
-ssl_email: 'security@evolix.net'
+evoacme_ssl_key_dir: /etc/ssl/private
+evoacme_ssl_key_size: 2048
+evoacme_dhparam_size: 2048
+evoacme_acme_dir: /var/lib/letsencrypt
+evoacme_csr_dir: /etc/ssl/requests
+evoacme_crt_dir: /etc/letsencrypt
+evoacme_log_dir: /var/log/evoacme
+evoacme_ssl_minday: 15
+evoacme_ssl_ct: 'FR'
+evoacme_ssl_state: 'France'
+evoacme_ssl_loc: 'Marseille'
+evoacme_ssl_org: 'Evolix'
+evoacme_ssl_ou: 'Security'
+evoacme_ssl_email: 'security@evolix.net'
diff --git a/evoacme/handlers/main.yml b/evoacme/handlers/main.yml
index e5538908..844cf8f7 100644
--- a/evoacme/handlers/main.yml
+++ b/evoacme/handlers/main.yml
@@ -1,11 +1,11 @@
 - name: newaliases
- shell: newaliases
+ command: newaliases
 - name: Test Apache conf
 shell: apache2ctl -t
 notify: "Reload Apache conf"
-- name: Reload Apache conf
+- name: reload apache2
 service:
- name=apache2
- state=reloaded
+ name: apache2
+ state: reloaded
diff --git a/evoacme/tasks/acme.yml b/evoacme/tasks/acme.yml
index 80cbb2c0..e3763697 100644
--- a/evoacme/tasks/acme.yml
+++ b/evoacme/tasks/acme.yml
@@ -10,12 +10,12 @@
 group: acme
 state: present
 createhome: no
- home: "{{ crt_dir }}"
+ home: "{{ evoacme_crt_dir }}"
 shell: /bin/false
 - name: Fix crt dir's right
 file:
- path: "{{ crt_dir }}"
+ path: "{{ evoacme_crt_dir }}"
 mode: 0755
 owner: acme
 group: acme
@@ -23,7 +23,7 @@
 - name: Fix log dir's right
 file:
- path: "{{ log_dir }}"
+ path: "{{ evoacme_log_dir }}"
 mode: 0755
 owner: acme
 group: acme
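Review bot: In the handlers hunk, `Test Apache conf` still carries `notify: "Reload Apache conf"` while the handler it refers to is renamed to `reload apache2` in the same hunk, so if the test handler is ever triggered Ansible aborts with an unknown-handler error instead of reloading. Either point it at the new name, `notify: reload apache2`, or remove the handler now that evoacme/tasks/apache.yml no longer notifies it. For consistency with the `command: newaliases` change two lines above, `shell: apache2ctl -t` can also become `command: apache2ctl -t`, since no shell features are used.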
@@ -31,7 +31,7 @@
 - name: Fix challenge dir's right
 file:
- path: "{{ acme_dir }}"
+ path: "{{ evoacme_acme_dir }}"
 mode: 0755
 owner: acme
 group: acme
diff --git a/evoacme/tasks/apache.yml b/evoacme/tasks/apache.yml
index d0c3e478..532545ae 100644
--- a/evoacme/tasks/apache.yml
+++ b/evoacme/tasks/apache.yml
@@ -5,7 +5,8 @@
 owner: root
 group: root
 mode: 0644
- notify: "Test Apache conf"
+ validate: apache2ctl -t
+ notify: reload apache2
 - name: Enable acme challenge conf
 file:
@@ -14,4 +15,5 @@
 state: link
 owner: root
 group: root
- notify: "Test Apache conf"
+ validate: apache2ctl -t
+ notify: reload apache2
diff --git a/evoacme/tasks/certbot.yml b/evoacme/tasks/certbot.yml
index 4ff6072c..7ab98be5 100644
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@@ -1,6 +1,7 @@
 ---
 - name: Set certbot release to Debian stable
- set_fact: release="stable"
+ set_fact:
+ evoacme_certbot_release: stable
 when:
 - ansible_distribution is defined
 - ansible_distribution == "Debian"
@@ -8,8 +9,9 @@
 - ansible_distribution_major_version|int > 8
 - name: Set certbot relase to jessie-backports
- set_fact: release="jessie-backports"
- when:
+ set_fact:
+ evoacme_certbot_release: jessie-backports
+ when:
 - ansible_distribution is defined
 - ansible_distribution == "Debian"
 - ansible_distribution_major_version is defined
@@ -21,13 +23,13 @@
 dest: /etc/apt/sources.list
 line: 'deb http://mirror.evolix.org/debian jessie-backports main'
 state: present
- when: release == "jessie-backports"
+ when: evoacme_certbot_release == "jessie-backports"
 - name: Install certbot with apt
 apt:
 name: certbot
 state: latest
- default_release: "{{release}}"
+ default_release: "{{ evoacme_certbot_release }}"
 update_cache: yes
 - name: Mount /usr in rw
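Review bot: `validate: apache2ctl -t` on the `template` task in evoacme/tasks/apache.yml will be rejected at runtime, because Ansible requires the validate command of `template`/`copy` to contain `%s`, and the `file` task in the second hunk of that file has no `validate` parameter at all, so both tasks fail before their `notify` is reached. Even with `%s` added, `apache2ctl -t` checks the installed server configuration rather than the temporary file being validated, which is not what `validate` is for with a snippet. The test-then-reload intent is better expressed by keeping `notify: "Test Apache conf"` on both tasks and having that handler notify the renamed `reload apache2` handler; the second hunk shares this issue.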
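Review bot: `when: evoacme_certbot_release == "jessie-backports"` evaluates an undefined variable whenever neither `set_fact` earlier in the file matched, and Ansible aborts on an undefined variable inside a conditional rather than treating it as false, so the source-install path that the later `release is undefined` condition is written for can never be reached. Guarding it, `when: evoacme_certbot_release is defined and evoacme_certbot_release == "jessie-backports"`, keeps that path usable. The `Install certbot with apt` task right below has the same exposure through `default_release: "{{ evoacme_certbot_release }}"` and appears to run unconditionally, so it presumably needs a matching `when` as well.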
@@ -57,7 +59,9 @@
 - name: Install certbot symlink for source install
 copy:
 dest: /usr/local/bin/certbot
- content: '#!/bin/sh\nsudo /opt/certbot/certbot-auto $@'
+ content: |
+ #!/bin/sh
+ sudo /opt/certbot/certbot-auto $@
 mode: 0755
 - name: Add sudo right for source install
@@ -66,7 +70,7 @@
 dest: /etc/sudoers.d/certbot
 mode: 0440
 validate: '/usr/sbin/visudo -cf %s'
- when: release is undefined
+ when: release is undefined
 - name: Remove certbot dpkg cron
 file:
diff --git a/evoacme/tasks/conf.yml b/evoacme/tasks/conf.yml
index 1b137302..e7ef336d 100644
--- a/evoacme/tasks/conf.yml
+++ b/evoacme/tasks/conf.yml
@@ -5,7 +5,7 @@
 option: "{{ item.name }}"
 value: "{{ item.var }}"
 with_items:
- - { name: 'default_bits', var: "{{ ssl_key_size }}" }
+ - { name: 'default_bits', var: "{{ evoacme_ssl_key_size }}" }
 - { name: 'encrypt_key', var: 'yes' }
 - { name: 'distinguished_name', var: 'req_dn' }
 - { name: 'prompt', var: 'no' }
@@ -17,17 +17,17 @@
 option: "{{ item.name }}"
 value: "{{ item.var }}"
 with_items:
- - { name: 'C', var: "{{ ssl_ct }}" }
- - { name: 'ST', var: "{{ ssl_state }}" }
- - { name: 'L', var: "{{ ssl_loc }}" }
- - { name: 'O', var: "{{ ssl_org }}" }
- - { name: 'OU', var: "{{ ssl_ou }}" }
- - { name: 'emailAddress', var: "{{ ssl_email }}" }
+ - { name: 'C', var: "{{ evoacme_ssl_ct }}" }
+ - { name: 'ST', var: "{{ evoacme_ssl_state }}" }
+ - { name: 'L', var: "{{ evoacme_ssl_loc }}" }
+ - { name: 'O', var: "{{ evoacme_ssl_org }}" }
+ - { name: 'OU', var: "{{ evoacme_ssl_ou }}" }
+ - { name: 'emailAddress', var: "{{ evoacme_ssl_email }}" }
 - name: Copy new evoacme conf
- template:
+ template:
 src: templates/evoacme.conf.j2
- dest: /etc/default/evoacme
- owner: root
- group: root
+ dest: /etc/default/evoacme
+ owner: root
+ group: root
 mode: 0644
diff --git a/evoacme/tasks/dhparam.yml b/evoacme/tasks/dhparam.yml
index 599efe23..347c352f 100644
--- a/evoacme/tasks/dhparam.yml
+++ b/evoacme/tasks/dhparam.yml
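Review bot: In the new block scalar for /usr/local/bin/certbot, `sudo /opt/certbot/certbot-auto $@` leaves `$@` unquoted, so any argument containing whitespace is re-split by the shell before it reaches certbot-auto; `sudo /opt/certbot/certbot-auto "$@"` passes the arguments through unchanged. Moving from the single-quoted `\n` form to `|` is the right call, since single quotes do not process `\n` and the old content produced a one-line, broken script.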
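Review bot: `when: release is undefined` on the `Add sudo right for source install` task still tests the old fact name, while the two `set_fact` tasks earlier in this file now set `evoacme_certbot_release`, so `release` is always undefined and the sudoers drop-in for certbot-auto is installed on every host, including those that got certbot from apt. It should read `when: evoacme_certbot_release is undefined`. The other source-install tasks between this hunk and the previous one are outside the view and presumably carry the same condition, so the rename needs to be checked across the whole file; because this drop-in grants sudo rights, it is worth confirming before merging.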
@@ -1,3 +1,4 @@
 - name: Generate DH paramaters
- shell: openssl dhparam -rand - {{dhparam_size}} -out /etc/ssl/dhparam.pem
- creates=/etc/ssl/dhparam.pem
+ command: openssl dhparam -rand - {{ evoacme_dhparam_size }} -out /etc/ssl/dhparam.pem
+ args:
+ creates: /etc/ssl/dhparam.pem
diff --git a/evoacme/tasks/main.yml b/evoacme/tasks/main.yml
index 25fcdebf..f6264b76 100644
--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@@ -1,12 +1,19 @@
 ---
 - include: tasks/certbot.yml
+
 - include: tasks/acme.yml
+
 - include: tasks/conf.yml
+
 - include: tasks/scripts.yml
+
 - include: tasks/webserver.yml
+
 - include: tasks/apache.yml
- when: sta.stat.isreg is defined and sta.stat.isreg == True
+ when: sta.stat.isreg is defined and sta.stat.isreg
+
 - include: tasks/nginx.yml
- when: stn.stat.isreg is defined and stn.stat.isreg == True
+ when: stn.stat.isreg is defined and stn.stat.isreg
+
 - include: tasks/dhparam.yml
- when: stn.stat.isreg is defined and stn.stat.isreg == True
+ when: stn.stat.isreg is defined and stn.stat.isreg
diff --git a/evoacme/tasks/scripts.yml b/evoacme/tasks/scripts.yml
index 92bfba63..052f22db 100644
--- a/evoacme/tasks/scripts.yml
+++ b/evoacme/tasks/scripts.yml
@@ -1,7 +1,7 @@
 ---
 - name: Create CSR dir
 file:
- path: "{{ csr_dir }}"
+ path: "{{ evoacme_csr_dir }}"
 state: directory
 owner: root
 group: root
diff --git a/evoacme/tasks/webserver.yml b/evoacme/tasks/webserver.yml
index e628b674..b3f416df 100644
--- a/evoacme/tasks/webserver.yml
+++ b/evoacme/tasks/webserver.yml
@@ -1,8 +1,10 @@
 ---
 - name: Determine Nginx presence
- stat: path=/etc/nginx/nginx.conf
+ stat:
+ path: /etc/nginx/nginx.conf
 register: stn
 - name: Determine Apache presence
- stat: path=/etc/apache2/apache2.conf
+ stat:
+ path: /etc/apache2/apache2.conf
 register: sta
diff --git a/evoacme/templates/apache.conf.j2 b/evoacme/templates/apache.conf.j2
index bad9f9c9..7820c161 100644
--- a/evoacme/templates/apache.conf.j2
+++ b/evoacme/templates/apache.conf.j2
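Review bot: evoacme/tasks/dhparam.yml still begins directly with `- name: Generate DH paramaters`, while the other task files touched in this commit (main.yml, certbot.yml, scripts.yml, webserver.yml) open with `---`; adding the document-start marker keeps the role consistent and satisfies yamllint's `document-start` rule. While on that line, the task name's `paramaters` is a typo for `parameters`.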
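Review bot: The `tasks/dhparam.yml` include in evoacme/tasks/main.yml keeps `when: stn.stat.isreg is defined and stn.stat.isreg`, which ties DH parameter generation to the presence of an Nginx configuration (`stn` is registered from `/etc/nginx/nginx.conf` in webserver.yml), so Apache-only hosts never get `/etc/ssl/dhparam.pem`. This looks like a copy of the nginx line rather than an intended restriction; if both web servers use the file, the condition should be dropped or widened to `when: (sta.stat.isreg is defined and sta.stat.isreg) or (stn.stat.isreg is defined and stn.stat.isreg)`. The `== True` simplification on the other two conditions is fine.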
@@ -1,6 +1,6 @@
 SetEnvIf Request_URI "/.well-known/acme-challenge/*" no-jk
-Alias /.well-known/acme-challenge {{ acme_dir }}/.well-known/acme-challenge
-
+Alias /.well-known/acme-challenge {{ evoacme_acme_dir }}/.well-known/acme-challenge
+
 Options -Indexes
 Allow from all
 Require all granted
diff --git a/evoacme/templates/evoacme.conf.j2 b/evoacme/templates/evoacme.conf.j2
index b397159f..08ead2f1 100644
--- a/evoacme/templates/evoacme.conf.j2
+++ b/evoacme/templates/evoacme.conf.j2
@@ -1,8 +1,8 @@
 ### File generated by Ansible ###
-SSL_KEY_DIR={{ssl_key_dir}}
-ACME_DIR={{acme_dir}}
-CSR_DIR={{csr_dir}}
-CRT_DIR={{crt_dir}}
-LOG_DIR={{log_dir}}
-SSL_MINDAY={{ssl_minday}}
+SSL_KEY_DIR={{ evoacme_ssl_key_dir }}
+ACME_DIR={{ evoacme_acme_dir }}
+CSR_DIR={{ evoacme_csr_dir }}
+CRT_DIR={{ evoacme_crt_dir }}
+LOG_DIR={{ evoacme_log_dir }}
+SSL_MINDAY={{ evoacme_ssl_minday }}
diff --git a/evoacme/templates/nginx.conf.j2 b/evoacme/templates/nginx.conf.j2
index 3ec7e3f3..c3a13a3b 100644
--- a/evoacme/templates/nginx.conf.j2
+++ b/evoacme/templates/nginx.conf.j2
@@ -1,4 +1,4 @@
 location /.well-known/acme-challenge {
- alias {{ acme_dir }}/.well-known/acme-challenge;
+ alias {{ evoacme_acme_dir }}/.well-known/acme-challenge;
 try_files $uri =404;
 }