diff --git a/README.md b/README.md
index ae95aed..ec4694f 100644
--- a/README.md
+++ b/README.md
@@ -56,6 +56,12 @@ san: []
 # services to restart if this certificate changes
 depending_services: []
+
+# which backend to use, can be 'selfsigned' or 'letsencrypt'
+backend: 'selfsigned'
+
+# overwrite a backend setting for this certificate
+backend_override: {}
 ```
 
 ### Backends
diff --git a/defaults/main.yml b/defaults/main.yml
index f5fe661..7658ade 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -15,4 +15,5 @@ certificates:
     cn: ~
     san: []
     depending_services: []
+    backend: 'letsencrypt'
   certs: {}
diff --git a/tasks/common_cert.yml b/tasks/common_cert.yml
index 8fa17a7..6e29850 100644
--- a/tasks/common_cert.yml
+++ b/tasks/common_cert.yml
@@ -8,11 +8,16 @@
       chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
       fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}"
 - set_fact:
-    cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname} ) }}"
+    cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname}, recursive=True ) }}"
+- set_fact:
+    cert_backend: "{{ {}|combine(certificates.backends[cert.backend], cert.backend_override|d({}), recursive=True) }}"
 - debug:
     verbosity: 1
     var: cert
+- debug:
+    verbosity: 1
+    var: cert_backend
 
 - name: "generate key for {{ certname }}"
   openssl_privatekey:
diff --git a/tasks/letsencrypt_cert.yml b/tasks/letsencrypt_cert.yml
index c0bef52..5a4bee7 100644
--- a/tasks/letsencrypt_cert.yml
+++ b/tasks/letsencrypt_cert.yml
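Review bot: The new `cert_backend` set_fact indexes `certificates.backends[cert.backend]` without checking that the backend exists, so a misspelled or unconfigured backend name fails with an undefined-variable error inside the `combine` rather than a message naming the certificate; the README hunk lists `'selfsigned'` as a valid value while only `letsencrypt` settings are referenced anywhere in this diff, so an `assert` with `that: cert.backend in certificates.backends` and a `fail_msg` that includes `{{ certname }}`, placed before this set_fact, would catch it early. Because `backend_override` is merged with `recursive=True` over the backend settings, a per-certificate entry can also replace `challangeserver`, which tasks/letsencrypt_cert.yml uses as `delegate_to` targets; the README should state which backend keys are meant to be overridable, or the merge should be limited to an allow-listed subset. The new `debug` of `cert_backend` at verbosity 1 prints the merged backend settings, so if any backend setting is ever a credential that task should carry `no_log: true`.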
@@ -1,7 +1,7 @@
 - include_tasks: common_cert.yml
 
 - set_fact:
-    external_challange_type: "{{ map_challange_type_letsencrypt[certificates.backends.letsencrypt.challange]|d(certificates.backends.letsencrypt.challange) }}"
+    external_challange_type: "{{ map_challange_type_letsencrypt[cert_backend.challange]|d(cert_backend.challange) }}"
 
 - name: "get challange for {{ certname }}"
   acme_certificate: &acmetask
@@ -13,7 +13,7 @@
     csr: "{{ cert.csrpath }}"
     dest: "{{ cert.certpath }}"
     fullchain_dest: "{{ cert.chainpath }}"
-    remaining_days: "{{ certificates.backends.letsencrypt.remainingdays }}"
+    remaining_days: "{{ cert_backend.remainingdays }}"
     challenge: "{{ external_challange_type }}"
     deactivate_authzs: yes
   register: challenge
@@ -21,9 +21,9 @@
 - name: "setup challenge server for {{ certname }} (dns challange)"
   when:
     - challenge is changed
-    - certificates.backends.letsencrypt.challange == "dns-01"
+    - cert_backend.challange == "dns-01"
   delegate_to: "{{ item.0 }}"
-  loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
+  loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
   command:
     argv:
       - "/usr/local/bin/pdns.py"
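Review bot: `external_challange_type` passes an unmapped `cert_backend.challange` through unchanged via `|d(...)`, and the setup tasks in the hunks at -21 and -33 only match the literal values `dns-01`, `dns-01-manual` and `http-01`, so a value that matches none of them (now settable per certificate through `backend_override`) runs no challenge setup at all and presumably fails later inside `acme_certificate` with a less direct message. An `assert` next to this set_fact with `that: cert_backend.challange in ['dns-01', 'dns-01-manual', 'http-01']` would turn that into a clear failure at the point of configuration. `map_challange_type_letsencrypt` is defined outside this hunk, so whether it already covers every accepted value cannot be seen here.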
@@ -33,24 +33,24 @@
 - name: "setup challenge server for {{ certname }} (manual dns challange)"
   when:
     - challenge is changed
-    - certificates.backends.letsencrypt.challange == "dns-01-manual"
+    - cert_backend.challange == "dns-01-manual"
   loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
   debug:
-    msg: "add the following dns record: '{{ item.key }}.': { TXT: '{{ item.value[0] }}' }"
+    msg: "add the following dns record: '{{ item.key }}.': { TXT: {{ item.value }} }"
 
 - name: wait for challenges in dns (manual dns challange)
   pause:
     prompt: "When the relevant lines were added to dns and synced, press enter"
   when:
     - challenge is changed
-    - certificates.backends.letsencrypt.challange == "dns-01-manual"
+    - cert_backend.challange == "dns-01-manual"
 
 - name: "setup challenge server for {{ certname }} (http challange)"
   when:
     - challenge is changed
-    - certificates.backends.letsencrypt.challange == "http-01"
+    - cert_backend.challange == "http-01"
   delegate_to: "{{ item.0 }}"
-  loop: "{{ certificates.backends.letsencrypt.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
+  loop: "{{ cert_backend.challangeserver|product(challenge.challenge_data.keys()|list)|list }}"
   copy:
     dest: "/var/www/letsencrypt/{{ challenge.challenge_data[item.1]['http-01'].resource | basename }}"
     content: "{{ challenge.challenge_data[item.1]['http-01'].resource_value }}"
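Review bot: The new `msg` line of the manual dns task renders `item.value` with Jinja's default formatting for a list (the removed line's `item.value[0]` shows it is one), so the operator is shown a Python-style list literal such as `['...']` rather than the TXT value(s) to enter. Rendering one quoted value per record, e.g. `msg: "add the following dns record(s) for '{{ item.key }}.': TXT {{ item.value | map('to_json') | join(' ') }}"`, would match what is pasted into the zone. The `loop` over `challenge.challenge_data_dns|d({})|dict2items` is unchanged, so `item.value` stays a list per name.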