410a915a8a
This paves the way for installing other roles into `roles/galaxy` using `ansible-galaxy`, similar to how it's done in: - https://github.com/spantaleev/gitea-docker-ansible-deploy - https://github.com/spantaleev/nextcloud-docker-ansible-deploy In the near future, we'll be removing a lot of the shared role code from here and using upstream roles for it. Some of the core `matrix-*` roles have already been extracted out into other reusable roles: - https://github.com/devture/com.devture.ansible.role.postgres - https://github.com/devture/com.devture.ansible.role.systemd_docker_base - https://github.com/devture/com.devture.ansible.role.timesync - https://github.com/devture/com.devture.ansible.role.vars_preserver - https://github.com/devture/com.devture.ansible.role.playbook_runtime_messages - https://github.com/devture/com.devture.ansible.role.playbook_help We just need to migrate to those.
50 lines
1.9 KiB
YAML
50 lines
1.9 KiB
YAML
---
|
|
|
|
- ansible.builtin.set_fact:
|
|
matrix_ssl_certificate_csr_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/csr.csr"
|
|
matrix_ssl_certificate_cert_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/fullchain.pem"
|
|
matrix_ssl_certificate_cert_key_path: "{{ matrix_ssl_config_dir_path }}/live/{{ domain_name }}/privkey.pem"
|
|
|
|
- name: Check if SSL certificate file exists
|
|
ansible.builtin.stat:
|
|
path: "{{ matrix_ssl_certificate_cert_path }}"
|
|
register: matrix_ssl_certificate_cert_path_stat_result
|
|
|
|
# In order to do any sort of generation (below), we need to ensure the directory exists first
|
|
- name: Ensure SSL certificate directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ matrix_ssl_certificate_csr_path | dirname }}"
|
|
state: directory
|
|
mode: 0750
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_groupname }}"
|
|
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
|
|
|
|
# The proper way to do this is by using a sequence of
|
|
# `openssl_privatekey`, `openssl_csr` and `openssl_certificate`.
|
|
#
|
|
# Unfortunately, `openssl_csr` and `openssl_certificate` require `PyOpenSSL>=0.15` to work,
|
|
# which is not available on CentOS 7 (at least).
|
|
#
|
|
# We'll do it in a more manual way.
|
|
- name: Generate SSL certificate
|
|
ansible.builtin.command: |
|
|
openssl req -x509 \
|
|
-sha256 \
|
|
-newkey rsa:4096 \
|
|
-nodes \
|
|
-subj "/CN={{ domain_name }}" \
|
|
-keyout {{ matrix_ssl_certificate_cert_key_path }} \
|
|
-out {{ matrix_ssl_certificate_cert_path }} \
|
|
-days 3650
|
|
when: "not matrix_ssl_certificate_cert_path_stat_result.stat.exists"
|
|
|
|
- name: Adjust SSL certificate file ownership
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
owner: "{{ matrix_user_username }}"
|
|
group: "{{ matrix_user_groupname }}"
|
|
with_items:
|
|
- "{{ matrix_ssl_certificate_cert_key_path }}"
|
|
- "{{ matrix_ssl_certificate_cert_path }}"
|