From aa1de02b8c6564f5136488f2a5c1b211644d9786 Mon Sep 17 00:00:00 2001
From: nd
Date: Fri, 16 Jul 2021 20:50:05 +0200
Subject: [PATCH] fix linter errors

---
 tasks/common_cert.yml | 21 ++++++++++++++-------
 tasks/letsencrypt_cert.yml | 14 ++++++++------
 tasks/letsencrypt_setup.yml | 2 +-
 tasks/main.yml | 5 +++--
 tasks/ownca_cert.yml | 18 +++++++++++++++---
 tasks/selfsigned_cert.yml | 3 ++-
 6 files changed, 43 insertions(+), 20 deletions(-)

diff --git a/tasks/common_cert.yml b/tasks/common_cert.yml
index 9fc9281..72146d6 100644
--- a/tasks/common_cert.yml
+++ b/tasks/common_cert.yml
@@ -1,6 +1,8 @@
-- set_fact:
+- name: store base cert path
+ set_fact:
 basepath: "/etc/ssl"
-- set_fact:
+- name: store cert path
+ set_fact:
 cert_paths:
 csrpath: "{{ basepath + '/' + certname + '.csr' }}"
 capath: "{{ basepath + '/' + certname + '.ca' }}"
@@ -8,18 +10,23 @@
 certpath: "{{ basepath + '/' + certname + '.crt' }}"
 chainpath: "{{ basepath + '/' + certname + '.chain.crt' }}"
 fullpath: "{{ basepath + '/private/' + certname + '.complete.pem' }}"
-- set_fact:
+- name: store cert object
+ set_fact:
 cert: "{{ {}|combine(certificates.defaults, cert_paths, certificates.certs[certname]|d({}), {'name': certname}, recursive=True ) }}"
-- set_fact:
+- name: store cert_backend object
+ set_fact:
 cert_backend: "{{ {}|combine(certificates.backends[cert.backend], cert.backend_override|d({}), recursive=True) }}"
-- debug:
+- name: debug cert object
+ debug:
 verbosity: 1
 var: cert
-- debug:
+- name: debug cert_backend object
+ debug:
 verbosity: 1
 var: cert_backend
-- debug:
+- name: debug inventory certs object
+ debug:
 verbosity: 1
 var: certificates.certs[certname]
diff --git a/tasks/letsencrypt_cert.yml b/tasks/letsencrypt_cert.yml
index 9d3aa45..6eadcf7 100644
--- a/tasks/letsencrypt_cert.yml
+++ b/tasks/letsencrypt_cert.yml
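Review bot: The new task names in the first common_cert.yml hunk (`store base cert path`, `store cert path`) do not say which certificate they run for, although this file reads `certname` and is pulled in by `include_tasks: common_cert.yml` from the per-certificate task files, whose existing names carry it (`"get challenge for {{ certname }}"` in letsencrypt_cert.yml); in the play output the same line will appear once per certificate with nothing to tell them apart. Suggest `- name: "store cert paths for {{ certname }}"` and the same form for the other tasks this commit names (the second common_cert.yml hunk, `store challenge type`, `store ca base path`, and the three `store if the cert was changed` tasks). The remaining content of the hunk is unchanged by the commit.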
@@ -1,6 +1,7 @@
 - include_tasks: common_cert.yml
-- set_fact:
+- name: store challenge type
+ set_fact:
 external_challenge_type: "{{ map_challenge_type_letsencrypt[cert_backend.challenge]|d(cert_backend.challenge) }}"
 - name: "get challenge for {{ certname }}"
@@ -75,7 +76,7 @@
 - name: "setup challenge server for {{ certname }} (dns challenge)"
 when:
- - challenge is changed
+ - challenge is changed # noqa no-handler
 - cert_backend.challenge == "dns-01"
 delegate_to: "{{ serverchallengepair.0 }}"
 loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
@@ -91,7 +92,7 @@
 - name: "setup challenge server for {{ certname }} (manual dns challenge)"
 when:
- - challenge is changed
+ - challenge is changed # noqa no-handler
 - cert_backend.challenge == "dns-01-manual"
 loop: "{{ challenge.challenge_data_dns|d({})|dict2items }}"
 loop_control:
@@ -103,12 +104,12 @@
 pause:
 prompt: "When the relevant lines were added to dns and synced, press enter"
 when:
- - challenge is changed
+ - challenge is changed # noqa no-handler
 - cert_backend.challenge == "dns-01-manual"
 - name: "setup challenge server for {{ certname }} (http challenge)"
 when:
- - challenge is changed
+ - challenge is changed # noqa no-handler
 - cert_backend.challenge == "http-01"
 delegate_to: "{{ serverchallengepair.0 }}"
 loop: "{{ cert_backend.challengeserver|product(challenge.challenge_data.keys()|list)|list }}"
@@ -124,7 +125,8 @@
 <<: *acmetask
 data: "{{ challenge }}"
-- set_fact:
+- name: store if the cert was changed
+ set_fact:
 certchanged: "{{ challenge is changed }}"
 - name: handle postflight
 include: common_post.yml
diff --git a/tasks/letsencrypt_setup.yml b/tasks/letsencrypt_setup.yml
index 49b1b93..f03b5a7 100644
--- a/tasks/letsencrypt_setup.yml
+++ b/tasks/letsencrypt_setup.yml
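Review bot: The `# noqa no-handler` suppressions in the `-75`, `-91` and `-103` hunks of letsencrypt_cert.yml (and the one in the letsencrypt_setup.yml hunk) silence the rule without recording why a handler is not usable here, so the next lint cleanup has nothing to go on. From the visible lines the reason appears to be that the challenge-server tasks iterate `challenge.challenge_data` via `loop` and `delegate_to`, which a notified handler cannot be parameterised with, and that they must complete before the validation step in the same task file. Suggest a comment above the first such `when:` such as `# not a handler: these tasks need the registered challenge data and must run before validation`, and a matching one-liner for the account registration in letsencrypt_setup.yml. The tasks whose `when:` is changed start and end outside the hunks, so the full loop bodies are not visible here.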
@@ -9,7 +9,7 @@
 - name: register letsencrypt account
 when:
- - letsencrypt_account_key is changed
+ - letsencrypt_account_key is changed # noqa no-handler
 - not certificates.disable_letsencrypt_account_registration
 acme_account:
 account_key_src: /etc/ssl/letsencrypt_account.key
diff --git a/tasks/main.yml b/tasks/main.yml
index 607033d..63263da 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -18,8 +18,9 @@
 owner: root
 group: ssl-cert
-- debug:
- verbosity: 2
+- name: debug certificate object
+ debug:
+ verbosity: 1
 var: certificates
 - import_tasks: letsencrypt_setup.yml
diff --git a/tasks/ownca_cert.yml b/tasks/ownca_cert.yml
index b33c312..e0cef76 100644
--- a/tasks/ownca_cert.yml
+++ b/tasks/ownca_cert.yml
@@ -1,8 +1,10 @@
 - include_tasks: common_cert.yml
-- set_fact:
+- name: store ca base path
+ set_fact:
 capath: "{{ cert_backend.basepath }}/{{ cert_backend.name }}"
-- set_fact:
+- name: store ca sub paths
+ set_fact:
 cacertpath: "{{ capath }}/ca.crt"
 cakeypath: "{{ capath }}/ca.key"
 cacsrpath: "{{ capath }}/ca.csr"
@@ -81,6 +83,9 @@
 copy:
 content: "{{ csrfile.content | b64decode }}"
 dest: "{{ remotecsrpath }}"
+ mode: 0644
+ owner: root
+ group: root
 - name: "sign certificate for {{ certname }}"
 register: casignedsign
 openssl_certificate:
@@ -100,10 +105,16 @@
 copy:
 content: "{{ crtfile.content | b64decode }}"
 dest: "{{ cert.certpath }}"
+ mode: 0644
+ owner: root
+ group: root
 - name: "write ca ({{ certname }})"
 copy:
 content: "{{ cafile.content | b64decode }}"
 dest: "{{ cert.capath }}"
+ mode: 0644
+ owner: root
+ group: root
 - name: "generate concatinated versions (chain) for {{ certname }}"
 copy:
 content: "{{ crtfile.content | b64decode }}{{ cafile.content | b64decode }}"
@@ -119,7 +130,8 @@
 owner: root
 group: ssl-cert
-- set_fact:
+- name: store if the cert was changed
+ set_fact:
 certchanged: "{{ casignedsign is changed }}"
 - name: handle postflight
 include: common_post.yml
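Review bot: The main.yml hunk lowers the `debug` task's `verbosity: 2` to `verbosity: 1` while adding the name, which is a behaviour change rather than a lint fix and is not mentioned in the commit message; the task dumps the whole `certificates` object, so it now appears in `-v` output, the level commonly kept in CI logs. If that object can carry backend credentials, account details or other non-public settings, this widens where they end up; either keep `verbosity: 2` or say in the commit message why the lower level is wanted. If the intent was consistency with the `verbosity: 1` debug tasks in common_cert.yml, a comment on the task, `# verbosity 1 to match the per-cert debug tasks in common_cert.yml`, would record that.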
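Review bot: `mode: 0644` in the ownca_cert.yml `-81` hunk, and twice more in the `-100` hunk, is an unquoted octal literal: a YAML 1.1 loader reads it as the integer 420, which Ansible maps back to 0644, but a YAML 1.2 loader or a later edit that drops the leading zero yields decimal 644 (mode 01204), and yamllint's `octal-values` rule, when enabled, reports it. Use the string form `mode: "0644"` on all three tasks. The three copy tasks also repeat `mode`/`owner`/`group` verbatim, and the hunk shows no reason why these files are world-readable while the concatenated version in the `-119` hunk context keeps `group: ssl-cert`; a comment on the first such task, `# CSR, certificate and CA are public material; only the key-bearing .complete.pem is restricted`, would make the intent checkable (that reading of the context lines is my inference and worth confirming). The enclosing copy tasks start outside the hunks.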
diff --git a/tasks/selfsigned_cert.yml b/tasks/selfsigned_cert.yml
index 7c8a81f..ddf3d28 100644
--- a/tasks/selfsigned_cert.yml
+++ b/tasks/selfsigned_cert.yml
@@ -33,7 +33,8 @@
 owner: root
 group: ssl-cert
-- set_fact:
+- name: store if the cert was changed
+ set_fact:
 certchanged: "{{ selfsignedsign is changed }}"
 - name: handle postflight
 include: common_post.yml