--- - name: Check for existing cert hosts: rhv.mgmt.toal.ca connection: local vars: ansible_python_interpreter: "/usr/bin/python3" tasks: - name: Information from existing key community.crypto.x509_certificate_info: path: "keys/{{ acme_certificate_domains|first }}.pem" ignore_errors: yes register: key_info - set_fact: have_valid_cert=false - set_fact: have_valid_cert: "{{ (key_info.not_after|to_datetime('%Y%m%d%H%M%SZ')).timestamp() > ansible_date_time.epoch|int + 2592000 }}" when: - not key_info.failed # Probably want to split this out into a proper certificate management role for Toal.ca - name: Request TLS Certificate from LetsEncrypt hosts: rhv.mgmt.toal.ca connection: local gather_facts: false # This doesn't belong here #vars: # acme_certificate_root_certificate: https://letsencrypt.org/certs/trustid-x3-root.pem.txt pre_tasks: - name: Ensure Let's Encrypt Account Exists acme_account: state: present acme_directory: "{{ acme_directory }}" terms_agreed: true allow_creation: true contact: - mailto:ptoal@takeflight.ca account_key_content: "{{ acme_key }}" acme_version: 2 - name: tmpfile for Account Key tempfile: state: file register: acme_tmp_key - name: Account Key to File copy: dest: "{{ acme_tmp_key.path }}" content: "{{ acme_key }}" mode: "600" - set_fact: acme_certificate_acme_account: "{{ acme_tmp_key.path }}" roles: - name: felixfontein.acme_certificate when: have_valid_cert is defined and not have_valid_cert post_tasks: - name: Remove tempfile file: path: "{{ acme_tmp_key.path }}" state: absent - name: Install custom CA Certificate in RHV-M hosts: rhv.mgmt.toal.ca become: true vars: key_files_prefix: "keys/{{ acme_certificate_domains|first }}" ansible_python_interpreter: "/usr/bin/python3" tasks: - name: Certificate trust in store copy: src: "{{ key_files_prefix}}-rootchain.pem" dest: /etc/pki/ca-trust/source/anchors/ register: rootchain_result notify: - update ca-trust - restart httpd - name: Certificate store updated command: /usr/bin/update-ca-trust when: rootchain_result.changed notify: restart httpd - name: Apache CA is file, not link file: path: /etc/pki/ovirt-engine/apache-ca.pem state: file register: apache_ca_stat - name: Apache CA link is removed file: path: /etc/pki/ovirt-engine/apache-ca.pem state: absent when: apache_ca_stat.state == "file" - name: CA Rootchain in Apache config copy: src: "{{ key_files_prefix }}-rootchain.pem" dest: /etc/pki/ovirt-engine/apache-ca.pem backup: yes notify: restart httpd - name: Private key installed copy: src: "{{ key_files_prefix }}.key" dest: "{{ item }}" backup: yes owner: root group: ovirt mode: 0640 notify: restart httpd loop: - /etc/pki/ovirt-engine/keys/apache.key.nopass - /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass - name: Certificate installed copy: src: "{{ key_files_prefix }}.pem" dest: "{{ item }}" backup: yes owner: root group: ovirt mode: 0644 notify: restart httpd loop: - /etc/pki/ovirt-engine/certs/websocket-proxy.cer - /etc/pki/ovirt-engine/certs/apache.cer - name: Trust Store Configuration copy: dest: /etc/ovirt-engine/engine.conf.d/99-custom-truststore.conf content: | ENGINE_HTTPS_PKI_TRUST_STORE="/etc/pki/java/cacerts" ENGINE_HTTPS_PKI_TRUST_STORE_PASSWORD="" notify: - restart ovn - restart ovirt-engine - name: Websocket Proxy configuration lineinfile: path: /etc/ovirt-engine/ovirt-websocket-proxy.conf.d/10-setup.conf state: present backup: yes line: "{{ item.name }}={{ item.value }}" regexp: "^{{ item.name }}=" loop: - name: SSL_CERTIFICATE value: /etc/pki/ovirt-engine/certs/websocket-proxy.cer - name: SSL_KEY value: /etc/pki/ovirt-engine/keys/websocket-proxy.key.nopass # - SSL_CERTIFICATE=/etc/pki/ovirt-engine/certs/apache.cer # - SSL_KEY=/etc/pki/ovirt-engine/keys/apache.key.nopass notify: - restart ovirt-websocket-proxy handlers: - name: restart httpd service: name: httpd state: restarted - name: update ca-trust command: update-ca-trust - name: restart ovn service: name: ovirt-provider-ovn state: restarted - name: restart ovirt-engine service: name: ovirt-engine state: restarted - name: restart ovirt-websocket-proxy service: name: ovirt-websocket-proxy state: restarted - name: Create RHV/ovirt VLANs hosts: rhv.mgmt.toal.ca connection: local vars: # Hack to work around virtualenv python interpreter ansible_python_interpreter: "{{ ansible_playbook_python }}" tasks: - name: Obtain SSO token for RHV ovirt_auth: state: present insecure: true - ovirt_network: auth: "{{ ovirt_auth }}" fetch_nested: true data_center: "{{ item.data_center }}" name: "{{ item.name }}" vlan_tag: "{{ item.vlan_tag|default(omit) }}" vm_network: "{{ item.vm_network }}" mtu: "{{ item.mtu }}" description: "{{ item.description }}" loop: "{{ ovirt_networks }}" register: networkinfo - debug: msg="{{networkinfo}}" - name: Reminder hosts: localhost connection: local tasks: - name: Reminder debug: msg: "Don't forget to add tso off gro off gso off lro off to i217-LM NIC's (eg: Dell Optiplex)!" # https://access.redhat.com/documentation/en-us/red_hat_virtualization/4.4/html/administration_guide/sect-hosts_and_networking#Editing_Host_Network_Interfaces_and_Assigning_Logical_Networks_to_Hosts