Build Windows Templates in RHV

roles/felixfontein.acme_certificate/tasks/dns-dme-cleanup.yml

@@ -0,0 +1,18 @@
+---
+# Clean up DNS challenges for DNS provider DNSMadeEasy 
+- name: Cleaning up challenge DNS entries for domains {{ ', '.join(domains) }} via DNSMadeEasy
+  connection: local
+  community.general.dnsmadeeasy:
+    account_key: "{{ dme_account_key }}"
+    account_secret: "{{ dme_account_secret }}"
+    domain: "{{ item.key |regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record_ttl: 60
+    record_type: TXT
+    record_name: "{{ item.key |regex_replace('^(.*)(\\.[^.]+\\.[^.]+)$', '\\1') }}" 
+    record_value: "{{ item.value|first }}"
+    state: absent
+  run_once: True
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/dns-dme-create.yml

@@ -0,0 +1,32 @@
+---
+# Create DNS challenges for DNS provider Amazon Route53
+- name: Creating challenge DNS entries for domains {{ ', '.join(domains) }} via DNSMadeEasy
+  connection: local
+  community.general.dnsmadeeasy:
+    account_key: "{{ dme_account_key }}"
+    account_secret: "{{ dme_account_secret }}"
+    # This is fragile, and will only work for 2-level domain (eg: corp.com, NOT corp.co.uk )
+    domain: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record_ttl: 60
+    record_type: TXT
+    record_name: "{{ item.key |regex_replace('^(.*)(\\.[^.]+\\.[^.]+)$', '\\1') }}" 
+    record_value: "{{ item.value|first }}"
+    state: present
+  # Need dnsmadeeasy module fixed (https://github.com/ansible/ansible/issues/58305)
+  run_once: True
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+
+- name: Wait for DNS entries to become available
+  shell: "dig txt {{ item.key }} +short @8.8.8.8"
+  register: dig_result
+  until: "item.value|first in dig_result.stdout"
+  retries: 60
+  delay: 5
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+
+- name: Pause for 60s for more propagation
+  pause:
+    minutes: 1  

roles/felixfontein.acme_certificate/tasks/dns-hosttech-cleanup.yml

@@ -0,0 +1,19 @@
+---
+# Clean up DNS challenges for DNS provider HostTech
+- name: Cleaning up challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via HostTech API
+  hosttech_dns_record:
+    state: absent
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record: "{{ item.key }}"
+    type: TXT
+    ttl: 300
+    value: "{{ item.value }}"
+    overwrite: true
+    hosttech_username: "{{ acme_certificate_hosttech_username }}"
+    hosttech_password: "{{ acme_certificate_hosttech_password }}"
+  delegate_to: localhost
+  run_once: true
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.get('challenge_data_dns', {}) }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/dns-hosttech-create.yml

@@ -0,0 +1,23 @@
+---
+# Create DNS challenges for DNS provider HostTech
+- name: Creating challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via HostTech API
+  hosttech_dns_record:
+    state: present
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record: "{{ item.key }}"
+    type: TXT
+    ttl: 300
+    value: "{{ item.value }}"
+    overwrite: true
+    hosttech_username: "{{ acme_certificate_hosttech_username }}"
+    hosttech_password: "{{ acme_certificate_hosttech_password }}"
+  delegate_to: localhost
+  run_once: true
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+
+- name: Wait for DNS entries to propagate
+  pause:
+    seconds: 10

roles/felixfontein.acme_certificate/tasks/dns-ns1-cleanup.yml

@@ -0,0 +1,16 @@
+---
+- name: Cleaning up challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via NS1 API
+  ns1_record:
+    apiKey: "{{ acme_certificate_ns1_secret_key }}"
+    name: "{{ item.key }}"
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    state: absent
+    type: TXT
+    answers: []
+  delegate_to: localhost
+  run_once: true
+  when: "'_acme-challenge' in item.key"
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.get('challenge_data_dns', {}) }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/dns-ns1-create.yml

@@ -0,0 +1,27 @@
+---
+- name: Creating challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via NS1 DNS
+  ns1_record:
+    apiKey: "{{ acme_certificate_ns1_secret_key }}"
+    name: "{{ item.key }}"
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    state: present
+    type: TXT
+    answers:
+      - answer:
+          - "{{ item.value[0] }}"
+        meta:
+          up: true
+  delegate_to: localhost
+  when: "'_acme-challenge' in item.key"
+  run_once: true
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+
+- name: Check if DNS changes propagated at dns1.p01.nsone.net with 10-seconds intervals
+  command: "dig TXT {{ item.key }} +short @dns1.p01.nsone.net"
+  register: dig
+  until: "item.value[0] in dig.stdout"
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+  retries: 6
+  delay: 10
+  changed_when: false
+  ignore_errors: yes

roles/felixfontein.acme_certificate/tasks/dns-route53-cleanup.yml

@@ -0,0 +1,19 @@
+---
+# Clean up DNS challenges for DNS provider Amazon Route53
+- name: Cleaning up challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via Route53
+  route53:
+    state: absent
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record: "{{ item.key }}"
+    type: TXT
+    ttl: 60
+    value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+    overwrite: true
+    aws_access_key: "{{ acme_certificate_aws_access_key }}"
+    aws_secret_key: "{{ acme_certificate_aws_secret_key }}"
+  delegate_to: localhost
+  run_once: true
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.get('challenge_data_dns', {}) }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/dns-route53-create.yml

@@ -0,0 +1,20 @@
+---
+# Create DNS challenges for DNS provider Amazon Route53
+- name: Creating challenge DNS entries for domains {{ ', '.join(acme_certificate_domains) }} via Route53
+  route53:
+    state: present
+    zone: "{{ item.key | regex_replace('^(?:.*\\.|)([^.]+\\.[^.]+)$', '\\1') }}"
+    record: "{{ item.key }}"
+    type: TXT
+    ttl: 60
+    value: "{{ item.value | map('regex_replace', '^(.*)$', '\"\\1\"' ) | list }}"
+    overwrite: true
+    aws_access_key: "{{ acme_certificate_aws_access_key }}"
+    aws_secret_key: "{{ acme_certificate_aws_secret_key }}"
+    wait: true
+  delegate_to: localhost
+  run_once: true
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data_dns }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/http-cleanup.yml

@@ -0,0 +1,15 @@
+---
+# Clean up challenge files on server.
+- name: "Cleaning up challenge files for domains {{ ', '.join(acme_certificate_domains) }}"
+  file:
+    path: >-
+      {{ [
+        acme_certificate_server_location,
+        item.value[acme_certificate_challenge].resource[('.well-known/acme-challenge/'|length):]
+      ] | path_join }}"
+    state: absent
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.get('acme_certificate_challenge_data', {}) }}"
+  become: "{{ acme_certificate_http_become }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/http-create.yml

@@ -0,0 +1,31 @@
+---
+# Create up challenge files directory on server.
+- name: Creating challenge destination directory
+  file:
+    dest: "{{ acme_certificate_server_location }}"
+    state: directory
+    owner: "{{ acme_certificate_http_challenge_user }}"
+    group: "{{ acme_certificate_http_challenge_group }}"
+    mode: "{{ acme_certificate_http_challenge_folder_mode }}"
+  become: "{{ acme_certificate_http_become }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+
+# Create challenge files on server.
+- name: "Copying challenge files for domains {{ ', '.join(acme_certificate_domains) }}"
+  copy:
+    dest: >-
+      {{ [
+        acme_certificate_server_location,
+        item.value[acme_certificate_challenge].resource[('.well-known/acme-challenge/'|length):]
+      ] | path_join }}
+    content: "{{ item.value[acme_certificate_challenge].resource_value }}"
+    owner: "{{ acme_certificate_http_challenge_user }}"
+    group: "{{ acme_certificate_http_challenge_group }}"
+    mode: "{{ acme_certificate_http_challenge_file_mode }}"
+  with_dict: "{{ acme_certificate_INTERNAL_challenge.challenge_data }}"
+  become: "{{ acme_certificate_http_become }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs

roles/felixfontein.acme_certificate/tasks/main.yml

@@ -0,0 +1,189 @@
+---
+- name: Determine whether to force private key regeneration (1/2)
+  set_fact:
+    acme_certificate_INTERNAL_force_regenerate_private_key: no
+
+- name: Determine whether to force private key regeneration (2/2)
+  set_fact:
+    acme_certificate_INTERNAL_force_regenerate_private_key: yes
+  tags:
+  - issue-tls-certs-newkey
+
+- block:
+  - name: Ansible version check
+    assert:
+      that: "ansible_version.string is version('2.8.3', '>=')"
+      msg: "This version of the acme-certificate role must be used with Ansible 2.8.3 or later."
+    run_once: yes
+
+  - name: Sanity checks
+    assert:
+      that: "acme_certificate_challenge != 'dns-01' or acme_certificate_dns_provider is not undefined"
+      msg: "acme_certificate_dns_provider must be defined for dns-01 DNS challenge"
+    run_once: yes
+
+  - name: "Test whether old certificate files for domains {{ ', '.join(acme_certificate_domains) }} exist"
+    stat:
+      path: "{{ [acme_certificate_keys_path, acme_certificate_key_name] | path_join }}.pem"
+    delegate_to: localhost
+    register: acme_certificate_INTERNAL_old_certificate_exists
+    when: "acme_certificate_keys_old_store"
+    run_once: yes
+
+  - name: "Copying old certificate files for domains {{ ', '.join(acme_certificate_domains) }}"
+    copy:
+      src: "{{ [acme_certificate_keys_path, acme_certificate_key_name] | path_join }}{{ item }}"
+      dest: >-
+        {{ [
+          acme_certificate_keys_old_path,
+          (
+            (ansible_date_time.date ~ '-' ~ ansible_date_time.hour ~ ansible_date_time.minute ~ ansible_date_time.second ~ '-')
+            if acme_certificate_keys_old_prepend_timestamp else ''
+          ) ~ acme_certificate_key_name ~ item
+        ] | path_join }}
+    delegate_to: localhost
+    with_items:
+    - "-chain.pem"
+    - "-fullchain.pem"
+    - "-rootchain.pem"
+    - "-root.pem"
+    - ".key"
+    - ".pem"
+    when: "acme_certificate_keys_old_store and acme_certificate_INTERNAL_old_certificate_exists.stat.exists"
+    run_once: yes
+
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+
+- block:
+  - name: "Creating private key for domains {{ ', '.join(acme_certificate_domains) }} (RSA)"
+    openssl_privatekey:
+      path: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.key'] | path_join }}"
+      mode: "{{ acme_certificate_privatekey_mode }}"
+      type: "{{ 'RSA' if acme_certificate_algorithm == 'rsa' else 'ECC' }}"
+      size: "{{ acme_certificate_key_length if acme_certificate_algorithm == 'rsa' else omit }}"
+      curve: >-
+        {{ omit if acme_certificate_algorithm == 'rsa' else
+           'secp256r1' if acme_certificate_algorithm == 'p-256' else
+           'secp384r1' if acme_certificate_algorithm == 'p-384' else
+           'secp521r1' if acme_certificate_algorithm == 'p-521' else
+           'invalid value for acme_certificate_algorithm!' }}
+      force: "{{ acme_certificate_INTERNAL_force_regenerate_private_key }}"
+    delegate_to: localhost
+    run_once: yes
+
+  - name: "Creating CSR for domains {{ ', '.join(acme_certificate_domains) }}"
+    openssl_csr:
+      path: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.csr'] | path_join }}"
+      privatekey_path: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.key'] | path_join }}"
+      subject_alt_name: |
+          {{ acme_certificate_domains | map('regex_replace', '^(.*)$', 'DNS:\1' ) | list }}
+      ocsp_must_staple: "{{ acme_certificate_ocsp_must_staple }}"
+      use_common_name_for_san: no
+      force: yes
+    delegate_to: localhost
+    run_once: yes
+
+  - name: "Get root certificate for domains {{ ', '.join(acme_certificate_domains) }}"
+    get_url:
+      url: "{{ acme_certificate_root_certificate }}"
+      dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-root.pem'] | path_join }}"
+      force: yes
+      validate_certs: "{{ acme_certificate_validate_certs }}"
+    delegate_to: localhost
+    run_once: yes
+
+  - block:
+    - name: "Preparing challenges for domains {{ ', '.join(acme_certificate_domains) }}"
+      acme_certificate:
+        account_key: "{{ acme_certificate_acme_account }}"
+        modify_account: "{{ acme_certificate_modify_account }}"
+        csr: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.csr'] | path_join }}"
+        dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.pem'] | path_join }}"
+        fullchain_dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-fullchain.pem'] | path_join }}"
+        chain_dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-chain.pem'] | path_join }}"
+        account_email: "{{ acme_certificate_acme_email }}"
+        terms_agreed: "{{ acme_certificate_terms_agreed }}"
+        challenge: "{{ acme_certificate_challenge }}"
+        acme_directory: "{{ acme_certificate_acme_directory }}"
+        acme_version: "{{ acme_certificate_acme_version }}"
+        force: yes
+        validate_certs: "{{ acme_certificate_validate_certs }}"
+      delegate_to: localhost
+      run_once: yes
+      register: acme_certificate_INTERNAL_challenge
+
+    always:
+    - debug:
+        msg: >-
+          account URI: {{ acme_certificate_INTERNAL_challenge.get('account_uri') }};
+          order URI: {{ acme_certificate_INTERNAL_challenge.get('order_uri') }}
+      run_once: yes
+
+  - block:
+    # Set up HTTP challenges
+    - include_tasks: http-create.yml
+      when: "acme_certificate_challenge == 'http-01'"
+
+    # Set up DNS challenges
+    - include_tasks: dns-{{ acme_certificate_dns_provider }}-create.yml
+      when: "acme_certificate_challenge == 'dns-01'"
+
+    - name: "Getting certificates for domains {{ ', '.join(acme_certificate_domains) }}"
+      acme_certificate:
+        account_key: "{{ acme_certificate_acme_account }}"
+        modify_account: "{{ acme_certificate_modify_account }}"
+        csr: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.csr'] | path_join }}"
+        dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.pem'] | path_join }}"
+        fullchain_dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-fullchain.pem'] | path_join }}"
+        chain_dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-chain.pem'] | path_join }}"
+        account_email: "{{ acme_certificate_acme_email }}"
+        terms_agreed: "{{ acme_certificate_terms_agreed }}"
+        challenge: "{{ acme_certificate_challenge }}"
+        acme_directory: "{{ acme_certificate_acme_directory }}"
+        acme_version: "{{ acme_certificate_acme_version }}"
+        force: yes
+        data: "{{ acme_certificate_INTERNAL_challenge }}"
+        deactivate_authzs: "{{ acme_certificate_deactivate_authzs }}"
+        validate_certs: "{{ acme_certificate_validate_certs }}"
+      delegate_to: localhost
+      run_once: yes
+
+    - name: "Form root chain for domains {{ ', '.join(acme_certificate_domains) }}"
+      copy:
+        dest: "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-rootchain.pem'] | path_join }}"
+        content: |
+          {{ lookup('file', [acme_certificate_keys_path, acme_certificate_key_name ~ '-root.pem'] | path_join) }}
+          {{ lookup('file', [acme_certificate_keys_path, acme_certificate_key_name ~ '-chain.pem'] | path_join) }}
+      delegate_to: localhost
+      run_once: yes
+    always:
+    # Clean up HTTP challenges
+    - include_tasks: http-cleanup.yml
+      when: "acme_certificate_challenge == 'http-01'"
+
+    # Clean up DNS challenges
+    - include_tasks: dns-{{ acme_certificate_dns_provider }}-cleanup.yml
+      when: "acme_certificate_challenge == 'dns-01'"
+
+    when: acme_certificate_INTERNAL_challenge is changed
+
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+
+- name: "Verifying certificate for domains {{ ', '.join(acme_certificate_domains) }}"
+  command: >-
+    openssl verify
+    -CAfile "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-root.pem'] | path_join }}"
+    -untrusted "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '-chain.pem'] | path_join }}"
+    "{{ [acme_certificate_keys_path, acme_certificate_key_name ~ '.pem'] | path_join }}"
+  changed_when: no
+  delegate_to: localhost
+  run_once: yes
+  ignore_errors: "{{ not acme_certificate_verify_certs }}"
+  tags:
+  - issue-tls-certs-newkey
+  - issue-tls-certs
+  - verify-tls-certs