From d9bd3ac145a593db8e7ea9df85626f77bcb2e5f9 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Kucharczyk?=
Date: Tue, 27 Apr 2021 22:25:17 +0200
Subject: [PATCH] Improve certificate generation
1. Generate root CA
2. Generate wildcard CSR
3. Sign wildcard CSR with root CA
4. Install root CA system-wide
---
 README.adoc | 1 +
 roles/nginx/tasks/main.yml | 49 +++++++++++++++++++++++++++++++-------
 2 files changed, 41 insertions(+), 9 deletions(-)
diff --git a/README.adoc b/README.adoc
index aa4931a..4314076 100644
--- a/README.adoc
+++ b/README.adoc
@@ -8,6 +8,7 @@ homelab.
 * completely managed by Ansible
 * containerised
 * configurable
+* automatic SSL certificates via `openssl`
 === Containers
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index e1257eb..8a2b819 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -5,20 +5,51 @@ mode: '0755'
 loop:
 - "{{ nginx_confd_folder }}"
-- name: generate certificates
+- name: generate root ca
 command: openssl req \
- -x509 \
- -sha256 \
- -newkey rsa:2048 \
- -keyout "{{ data_folder }}/nginx/{{ base_domain }}".key \
- -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
- -out "{{ data_folder }}/nginx/{{ base_domain }}".crt \
- -days 3650 \
- -nodes \
+ -x509 \
+ -new \
+ -nodes \
+ -newkey rsa:2048 \
+ -keyout "{{ data_folder }}/nginx/rootca.key" \
+ -out "{{ data_folder }}/nginx/rootca.pem" \
+ -sha256 \
+ -days 3650 \
+ -subj "/C=CZ/L=Prague/CN=Homelab/emailAddress={{ admin_email }}"
+ args:
+ creates: rootca.*
+- name: generate wildcard csr
+ command: openssl req \
+ -new \
+ -nodes \
+ -newkey rsa:2048 \
+ -keyout "{{ data_folder }}/nginx/{{ base_domain }}.key" \
+ -out "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
+ -subj "/C=CZ/L=Prague/CN=*.{{ base_domain }}/emailAddress={{ admin_email }}"
+ args:
+ creates: "{{ data_folder }}/nginx/{{ base_domain }}.*"
+- name: sign wildcard csr with root ca
+ command: openssl x509 \
+ -req \
+ -in "{{ data_folder }}/nginx/{{ base_domain }}.csr" \
+ -CA "{{ data_folder }}/nginx/rootca.pem" \
+ -CAkey "{{ data_folder }}/nginx/rootca.key" \
+ -CAcreateserial \
+ -out "{{ data_folder }}/nginx/{{ base_domain }}.crt" \
+ -days 3650 \
+ -sha256
+ args:
+ creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
+- name: install root ca
+ command: trust anchor "{{ data_folder }}/nginx/rootca.pem"
+ args:
+ creates: /etc/ca-certificates/extracted/cadir/Homelab*
+ become: yes
 - name: copy certificates
 copy:
 src: "{{ item }}"
 dest: "{{ data_folder }}/nginx"
+ mode: '0755'
 loop:
 - "{{ data_folder }}/nginx/{{ base_domain }}.key"
 - "{{ data_folder }}/nginx/{{ base_domain }}.crt"
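Review bot: The `mode: '0755'` added to the `copy certificates` task applies to every loop item, so the wildcard private key `{{ base_domain }}.key` ends up world-readable (and executable) next to the certificate; use a per-item mode such as `mode: "{{ '0600' if item.endswith('.key') else '0644' }}"`, and `rootca.key`, which the root-CA task presumably writes with the process umask, deserves the same treatment. In the root-CA task, `creates: rootca.*` is a relative glob resolved against the command's working directory rather than `{{ data_folder }}/nginx`, so the CA key pair is regenerated on every run and previously signed certificates and the installed trust anchor no longer chain; write `creates: "{{ data_folder }}/nginx/rootca.pem"` as the other tasks do. `openssl x509 -req` does not carry extensions over from the CSR and no `-extfile` is passed, so the signed certificate carries only `CN=*.{{ base_domain }}` with no subjectAltName, which browsers that ignore CN will reject; the rewrite below adds an extension file and passes it when signing. The trailing `\` sit inside plain multi-line scalars that YAML folds into one line, so each `\` is most likely handed to the command module as a literal argument rather than acting as a continuation; a `>` folded scalar without backslashes (used below) avoids that. Whether the `copy certificates` task ends at the last hunk line cannot be seen from here.
```yaml
# … unchanged: root CA and wildcard CSR tasks …
- name: write wildcard extension file
  copy:
    dest: "{{ data_folder }}/nginx/{{ base_domain }}.ext"
    content: |
      subjectAltName = DNS:*.{{ base_domain }}, DNS:{{ base_domain }}
      basicConstraints = CA:FALSE
    mode: '0644'
- name: sign wildcard csr with root ca
  command: >
    openssl x509 -req
    -in "{{ data_folder }}/nginx/{{ base_domain }}.csr"
    -CA "{{ data_folder }}/nginx/rootca.pem"
    -CAkey "{{ data_folder }}/nginx/rootca.key"
    -CAcreateserial
    -extfile "{{ data_folder }}/nginx/{{ base_domain }}.ext"
    -out "{{ data_folder }}/nginx/{{ base_domain }}.crt"
    -days 3650
    -sha256
  args:
    creates: "{{ data_folder }}/nginx/{{ base_domain }}.crt"
# … unchanged: install root ca and copy certificates tasks …
```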