Update OpenSSL tasks in Deployer tasks

files/nginx/conf/000-default.conf

@@ -19,7 +19,7 @@ server {
         root   /usr/share/nginx/html;
         index  index.html index.htm;
 
-        #return 301 https://$host$request_uri;
+        return 301 https://$host$request_uri;
     }
 
     if ($request_method !~ ^(GET|HEAD|POST)$ )
@@ -28,43 +28,43 @@ server {
     }
 }
 
-# server {
+server {
 
-#     listen  443 ssl default_server;
+    listen  443 ssl default_server;
-#     listen  [::]:443 ssl default_server;
+    listen  [::]:443 ssl default_server;
 
-#     server_name _;
+    server_name _;
 
-#     http2 on;
+    http2 on;
 
-#     ssl_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/fullchain.pem;
+    ssl_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/fullchain.pem;
-#     ssl_certificate_key /etc/nginx/certs/pvjjk-1vos-niinisalo/privkey.pem;
+    ssl_certificate_key /etc/nginx/certs/pvjjk-1vos-niinisalo/privkey.pem;
-#     ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_protocols TLSv1.2 TLSv1.3;
-#     ssl_ecdh_curve X25519:prime256v1:secp384r1;
+    ssl_ecdh_curve X25519:prime256v1:secp384r1;
-#     ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
+    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
-#     ssl_prefer_server_ciphers off;
+    ssl_prefer_server_ciphers off;
-#     ssl_session_cache shared:SSL:20m;
+    ssl_session_cache shared:SSL:20m;
-#     ssl_session_timeout 180m;
+    ssl_session_timeout 180m;
 
-#     ssl_trusted_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/chain.pem;
+    ssl_trusted_certificate /etc/nginx/certs/pvjjk-1vos-niinisalo/chain.pem;
 
-#     expires off;
+    expires off;
-#     etag off;
+    etag off;
-#     if_modified_since off;
+    if_modified_since off;
 
-#     gzip on;
+    gzip on;
-#     gzip_min_length 1000;
+    gzip_min_length 1000;
-#     gzip_proxied any;
+    gzip_proxied any;
-#     gzip_types *;
+    gzip_types *;
-#     gunzip on;
+    gunzip on;
 
-#     location / {
+    location / {
-#         root   /usr/share/nginx/html;
+        root   /usr/share/nginx/html;
-#         index  index.html index.htm;
+        index  index.html index.htm;
-#     }
+    }
 
-#     if ($request_method !~ ^(GET|HEAD|POST)$ )
+    if ($request_method !~ ^(GET|HEAD|POST)$ )
-#     {
+    {
-#        return 405;
+       return 405;
-#     }
+    }
-# }
+}

tasks/deployer.yml

@@ -467,7 +467,7 @@
 
 - name: "Deployer - OpenSSL - Configure - Generate Private Key"
   community.crypto.openssl_privatekey:
-    path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    path: "/root/data/openssl/{{ cert }}/privkey.pem"
     type: ECC
     curve: secp384r1
   loop: "{{ config.openssl.certificates.keys() | list }}"
@@ -481,7 +481,7 @@
 - name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Root"
   community.crypto.openssl_csr:
     path: "/root/data/openssl/{{ cert }}/csr.pem"
-    privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
     commonName: "{{ config.openssl.certificates[cert].commonName }}"
     organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
     organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
@@ -501,7 +501,7 @@
 - name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Intermediate"
   community.crypto.openssl_csr:
     path: "/root/data/openssl/{{ cert }}/csr.pem"
-    privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
     commonName: "{{ config.openssl.certificates[cert].commonName }}"
     organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
     organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
@@ -523,14 +523,14 @@
 - name: "Deployer - OpenSSL - Configure - Generate Certificate Signing Request / Service"
   community.crypto.openssl_csr:
     path: "/root/data/openssl/{{ cert }}/csr.pem"
-    privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
     commonName: "{{ config.openssl.certificates[cert].commonName }}"
     organizationName: "{{ config.openssl.certificates[cert].organization.name }}"
     organizationalUnitName: "{{ config.openssl.certificates[cert].organization.unit }}"
     stateOrProvinceName: "{{ config.openssl.certificates[cert].location.providence | default(None) }}"
     localityName: "{{ config.openssl.certificates[cert].location.city | default(None) }}"
     countryName: FI
-    subjectAltName: "{{ config.openssl.certificates[cert].domains }}"
+    subjectAltName: "{{ ['DNS:'] | product(config.openssl.certificates[cert].domains) | map('join') | list }}"
   loop: "{{ config.openssl.certificates.keys() | list }}"
   loop_control:
     label: "{{ cert }}"
@@ -541,15 +541,16 @@
     - openssl
     - www
 
-- name: "Deployer - OpenSSL - Configure - Generate Certificate"
+- name: "Deployer - OpenSSL - Configure - Generate Certificate / Root"
   community.crypto.x509_certificate:
     path: "/root/data/openssl/{{ cert }}/cert.pem"
-    privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
     csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
     provider: "ownca"
     ownca_path: /etc/ssl/crt/ansible_CA.crt
     ownca_privatekey_path: /etc/ssl/private/ansible_CA.pem
     provider: selfsigned
+    selfsigned_not_after: "+7300d"
   loop: "{{ config.openssl.certificates.keys() | list }}"
   loop_control:
     label: "{{ cert }}"
@@ -557,20 +558,40 @@
   when:
     - config.openssl.certificates[cert].issuer is undefined
 
-- name: "Deployer - OpenSSL - Configure - Generate Certificate"
+- name: "Deployer - OpenSSL - Configure - Generate Certificate / Intermediate"
   community.crypto.x509_certificate:
     path: "/root/data/openssl/{{ cert }}/cert.pem"
-    privatekey_path: "/root/data/openssl/{{ cert }}/privatekey.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
     csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
     provider: "ownca"
     ownca_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/cert.pem"
-    ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privatekey.pem"
+    ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privkey.pem"
     provider: ownca
+    ownca_not_after: "+365d"
   loop: "{{ config.openssl.certificates.keys() | list }}"
   loop_control:
     label: "{{ cert }}"
     loop_var: "cert"
   when:
+    - config.openssl.certificates[cert].domains is undefined
+    - config.openssl.certificates[cert].issuer is defined
+
+- name: "Deployer - OpenSSL - Configure - Generate Certificate / Service"
+  community.crypto.x509_certificate:
+    path: "/root/data/openssl/{{ cert }}/cert.pem"
+    privatekey_path: "/root/data/openssl/{{ cert }}/privkey.pem"
+    csr_path: "/root/data/openssl/{{ cert }}/csr.pem"
+    provider: "ownca"
+    ownca_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/cert.pem"
+    ownca_privatekey_path: "/root/data/openssl/{{ config.openssl.certificates[cert].issuer }}/privkey.pem"
+    provider: ownca
+    ownca_not_after: "+30d"
+  loop: "{{ config.openssl.certificates.keys() | list }}"
+  loop_control:
+    label: "{{ cert }}"
+    loop_var: "cert"
+  when:
+    - config.openssl.certificates[cert].domains is defined
     - config.openssl.certificates[cert].issuer is defined
 
 - name: "Deployer - Nginx - Configure - Create Folder"