ansible-role-basic-system-s.../tasks/self_signed_certificate.yml


---
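- name: Manage the PKI directory
  tags: ['pki', 'ssl', 'ca', 'letsencrypt']
  block:
    # The PKI tree itself is root-owned and world-readable; it only needs
    # to be traversable. Any subdirectory that will hold private keys must
    # get a tighter mode from the task that creates it.
    - name: Ensure that the PKI directory exists
      ansible.builtin.file:
        path: "{{ pki_dir }}"
        state: directory
        owner: root
        group: root
        # Quoted: an unquoted 0755 is parsed by the YAML loader as an
        # integer (octal in YAML 1.1), which ansible-lint flags as
        # risky-octal. The string is passed through to chmod unchanged.
        mode: "0755"

    - name: Ensure that the PKI subdirectories exist
      ansible.builtin.file:
        path: "{{ pki_dir }}/{{ item }}"
        state: directory
        owner: root
        group: root
        mode: "0755"
      # pki_subdirs is a list of names relative to pki_dir (e.g. the
      # certs/ and keys/ trees used later in this file).
      loop: "{{ pki_subdirs }}"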
# Probe the path where acme.sh installs the real certificate. The
# registered result is the guard for the self signed block that follows:
# when this path already exists nothing is generated or linked.
- name: Letsencrypt is going to manage the certificates. Check if a certificate already exists
  block:
    - name: Check if a certificate already exists. If so, skip all the related tasks
      ansible.builtin.stat:
        path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
      register: true_cert
  tags:
    - pki
    - ssl
    - letsencrypt
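- name: Manage self signed certificates, if letsencrypt is going to be installed
  # true_cert is the stat of the acme.sh install path, registered before
  # this block. stat only reports `islnk` for a path that exists, so the
  # block runs only while nothing (file, directory or symlink) is there
  # yet; once a real certificate or our own symlink is in place every
  # task below is skipped.
  when:
    - true_cert is defined
    - true_cert.stat is defined
    - true_cert.stat.islnk is not defined
  tags: ['pki', 'ssl', 'letsencrypt']
  block:
    - name: Create the path to the self signed certificates
      ansible.builtin.file:
        path: "{{ item }}"
        state: directory
        owner: root
        group: root
        # Quoted so the octal mode reaches the module as a string
        # (unquoted 0755 is an integer to the YAML loader; risky-octal).
        mode: "0755"
      loop:
        - "{{ letsencrypt_acme_sh_certificates_install_base_path }}"
        - "{{ pki_dir }}/certs/selfsigned"

    - name: Path to the self signed key file
      ansible.builtin.file:
        path: "{{ pki_dir }}/keys/selfsigned"
        state: directory
        owner: root
        group: root
        # Holds private key material: owner-only access, no group/other.
        mode: "0700"

    - name: Generate the self signed certificate and private key
      # argv form instead of a single command string: each argument is
      # handed to openssl as-is, so a subject containing spaces or quotes
      # cannot be split or mangled by shell-style word splitting. -nodes
      # leaves the key unencrypted because a daemon must load it
      # unattended; the key must therefore live under the 0700 directory
      # created above (check that self_signed_key points there).
      # Key size and validity keep the previous fixed values unless the
      # caller sets self_signed_key_bits / self_signed_days.
      ansible.builtin.command:
        argv:
          - openssl
          - req
          - -x509
          - -newkey
          - "rsa:{{ self_signed_key_bits | default(2048) }}"
          - -keyout
          - "{{ self_signed_key }}"
          - -out
          - "{{ self_signed_cert }}"
          - -days
          - "{{ self_signed_days | default(365) }}"
          - -nodes
          - -subj
          - "{{ self_signed_subject }}"
        # Idempotency guard: never overwrite an existing certificate.
        creates: "{{ self_signed_cert }}"

    - name: Copy the cert file into fullchain
      ansible.builtin.copy:
        src: "{{ self_signed_cert }}"
        dest: "{{ self_signed_fullchain }}"
        # Both paths are on the managed host, not the controller.
        remote_src: true
        owner: root
        group: root
        # The certificate is public material; world-readable is fine.
        mode: "0644"

    - name: Create the symbolic link for the certificates into the letsencrypt live directory
      # Points the acme.sh "live" path at the self signed directory. Because
      # the stat guard above fires on any existing path, this link also
      # marks the whole block as done on later runs.
      ansible.builtin.file:
        src: "{{ pki_dir }}/certs/selfsigned"
        dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
        state: link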