homelab/roles/nginx/tasks/self-signed.yml

- name: generate root ca
  command: openssl req \
                    -x509 \
                    -new \
                    -nodes \
                    -newkey rsa:2048 \
                    -keyout "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
                    -out "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
                    -sha256 \
                    -days 3650 \
                    -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
  when: generate_cert.root
- name: generate wildcard csr
  command: openssl req \
                    -new \
                    -nodes \
                    -newkey rsa:2048 \
                    -keyout "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.key" \
                    -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
                    -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
  when: generate_cert.wildcard
- name: sign wildcard csr with root ca
  command: openssl x509 \
                    -req \
                    -in "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.csr" \
                    -CA "{{ playbook_dir }}/roles/nginx/files/rootca.pem" \
                    -CAkey "{{ playbook_dir }}/roles/nginx/files/rootca.key" \
                    -CAcreateserial \
                    -out "{{ playbook_dir }}/roles/nginx/files/{{ base_domain }}.crt" \
                    -days 3650 \
                    -sha256
  when: generate_cert.wildcard
- name: copy wildcard certificate and key from vault
  copy:
    content: "{{ item.content }}"
    dest: "{{ data_folder }}/nginx/{{ item.name }}"
    owner: root
    group: root
    mode: '0700'
  with_items:
    - "{{ certificates }}"
  no_log: true