Ansible_repo-pub/playbooks/general_administration/certificates/update_domain_wildcard.yaml

---
# Update _domain wildcard certificate and private key on web servers running Apache, Gitlab, Nginx & Tomcat"

  - name: "Apache group: set group-wide variables"
    hosts: apache
    vars:
      new_cert: "include/current/_domain.cert"
      new_bundle: "include/current/root-chain_domain.pem"
      new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
      new_private_key: "include/current/_domain.key"
    ##########################################################################
      apache_config_test_command: "apachectl -t"
      apache_apply_command: "systemctl reload httpd.service"
    tasks:
      - name: "Apache group: dump group-wide variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "Group from inventory file is: {{ group_names }} "
            - "------------------------------------------------------------------"
            - "new_cert is: {{ new_cert }}"
            - "new_bundle is: {{ new_bundle }}"
            - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
            - "new_private_key is: {{ new_private_key }}"
            - "------------------------------------------------------------------"
            - "apache_config_test_command is: {{ apache_config_test_command }}"
            - "apache_apply_command is: {{ apply_command }}"
      - name: "Apache group: dump host-specific variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "--- Running for group apache only ---"
            - "------------------------------------------------------------------"
            - "cert_path is: {{ cert_path }}"
            - "private_key_path is: {{ private_key_path }}"
            - "post_test_command is: {{ post_test_command }}"
            - "webserver_hostname is: {{ webserver_hostname }}"
            - "------------------------------------------------------------------"
      - name: "Apache group: dump OPTIONAL host-specific variable: root_bundle_path"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "--- Running for group apache only ---"
            - "root_bundle_path is: {{ root_bundle_path }}"
        when: root_bundle_path is defined
################# copy cert section ##########
      - name: "Apache hosts: Copy the new certificate file"
        copy:
          backup: true
          src: "{{ new_cert }}"
          dest: "{{ cert_path }}"
      - name: "Apache: Copy the intermediate certs file"
        copy:
          backup: true
          src: "{{ new_bundle }}"
          dest: "{{ root_bundle_path }}"
        when: root_bundle_path is defined
      - name: "Apache: Copy the private key"
        copy:
          backup: true
          src: "{{ new_private_key }}"
          dest: "{{ private_key_path }}"

################# test section ##############
      - name: "Apache: run apache_config_test_command and register output"
        command: "{{ apache_config_test_command }}"
        register: apache_config_test_result
        ignore_errors: yes
      - debug:
          msg: "{{ apache_config_test_result.stderr }}"
      - name: "Set test_outcome to pass if criteria are met"
        set_fact:
          config_test_outcome: pass
        when: '"Syntax OK" in apache_config_test_result.stderr'
        ignore_errors: yes

      - debug:
          msg: "{{ config_test_outcome }}"
        ignore_errors: yes

#################### restart embedded nginx if test is ok $$$$$$$$$
      - name: "Apache: restart apache if config test is successful"
        command: "{{ apache_apply_command }}"
        when: config_test_outcome == "pass"
        ignore_errors: yes
      - name: "Apache: fail if config test is NOT successful"
        debug:
          msg:
            - '======================================================================================'
            - '===                                       !!!FAILURE!!!'
            - '=== APACHE CONFIG MODIFICATIONS ON "{{ inventory_hostname }}"AT"{{ ansible_host }}" FAILED.'
            - '===   THESE WILL HAVE TO BE FIXED MANUALLY. THESE FILES WERE MODIFIED but also backed up:'
            - '==='
            - ===  "{{ cert_path }}"
            - ===  "{{ root_bundle_path }}"
            - ===  "{{ private_key_path }}"
            - "===  *** The actual apache configuration wasn't changed, just the cert & key files the config points to."
            - "======================================================================================="
        when: config_test_outcome is undefined

      - name: "Get new cert info by contacting site locally"
        get_certificate:
          host: "{{ ansible_host }}"
          port: "{{ webserver_port }}"
          server_name: "{{ webserver_hostname }}"
        register: new_cert_info
        delegate_to: localhost
        when: config_test_outcome == "pass"

      - name: "Show results of locally connecting to remote site"
        debug:
          msg:
            - "New cert expires in: {{ new_cert_days_left }} days."
        vars:
          new_cert_days_left: >-
            {{ (
              (new_cert_info.not_after | ansible.builtin.to_datetime('%Y%m%d%H%M%SZ')) -
              (ansible_date_time.iso8601 | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))
            ).days }}
        register: new_cert_days_left
        when: config_test_outcome == "pass"

      - name: "set_fact from this host's test outputs to display at end of playbook run"
        set_fact:
          changed_site_hostname_and_new_exp_date: "{{ webserver_hostname }} {{ new_cert_days_left }}"
        when: config_test_outcome == "pass"


  - name: "Gitlab group: set group-wide variables"
    hosts: gitlab
    vars:
      new_bundle: "include/current/root-chain_domain.pem"
      new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
      new_private_key: "include/current/_domain.key"
      gitlab_apply_command: "gitlab-ctl restart nginx"
      #gitlab_apply_command: " gitlab-ctl hup nginx;  gitlab-ctl hup registry"

    tasks:
      - name: "GitLab group: dump group-wide variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "This is only showing info from GitLab group"
            - "------------------------------------------------------------------"
            - "new_bundle is: {{ new_bundle }}"
            - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
            - "new_private_key is: {{ new_private_key }}"

      - name: "Gitlab group: dump host-specific variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "This is only showing info from GitLab group"
            - "------------------------------------------------------------------"
            - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"
            - "private_key_path path is: {{ private_key_path }}"
            - "------------------------------------------------------------------"
            - "gitlab_nginx_config_test_command is: {{ gitlab_nginx_config_test_command }}"
            - "healthcheck_url is: {{ healthcheck_url }}"
            - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
            - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"

############# copy new cert files ##############
      - name: "GitLab hosts: Copy the new_fullchain_root_bundle"
        copy:
          backup: true
    #      follow: true
          src: "{{ new_fullchain_root_bundle }}"
          dest: "{{ fullchain_root_bundle_path }}"
      - name: "GitLab: Copy the private key"
        copy:
          backup: true
          src: "{{ new_private_key }}"
          dest: "{{ private_key_path }}"

################# test section ##############
      - name: "GitLab: run embedded nginx config check command and register output"
        command: "{{ gitlab_nginx_config_test_command }}"
        register: gitlab_nginx_config_test_result
        ignore_errors: yes

      - name: "Dump output from gitlab_nginx_config_test_result"
        debug:
          msg: "gitlab_nginx_config_test_result is {{ gitlab_nginx_config_test_result }}"

      - name: "Dump gitlab_nginx_config_test_result"
        debug:
          msg: "gitlab_nginx_config_test_result is {{ gitlab_nginx_config_test_result }}"

      - name: "dump gitlab_nginx_config_test_result.stderr"
        debug:
          msg: "{{ gitlab_nginx_config_test_result.stderr }}"
      - name: "Set test_outcome to pass if criteria are met"
        set_fact:
          config_test_outcome: pass
        when: '"test is successful" in gitlab_nginx_config_test_result.stderr'
        ignore_errors: yes

      - debug:
          msg: "{{ config_test_outcome }}"
        ignore_errors: yes

      - name: "Get new cert info by contacting site remotely"
        get_certificate:
          host: "{{ ansible_host }}"
          port: "{{ webserver_port }}"
          server_name: "{{ webserver_hostname }}"
        register: new_cert_info
        delegate_to: localhost
        when: config_test_outcome == "pass"

      - name: "Show results of remotely connecting to remote site"
        debug:
          msg:
            - "New cert expires in: {{ new_cert_days_left }} days."
        vars:
          new_cert_days_left: >-
            {{ (
              (new_cert_info.not_after | ansible.builtin.to_datetime('%Y%m%d%H%M%SZ')) -
              (ansible_date_time.iso8601 | ansible.builtin.to_datetime('%Y-%m-%dT%H:%M:%SZ'))
            ).days }}
        register: new_cert_days_left
        when: config_test_outcome == "pass"

      - name: "set_fact from this host's test outputs to display at end of playbook run"
        set_fact:
          changed_site_hostname_and_new_exp_date: "{{ webserver_hostname }} {{ new_cert_days_left }}"
        when: config_test_outcome == "pass"

################## apply changes if successful ###############
      - name: "GitLab: restart GitLab embedded Nginx if config test is successful"
        command: "{{ gitlab_apply_command }}"
        when: config_test_outcome == "pass"
        ignore_errors: yes

########## nginx group ###################################################################################################################
  - name: "Nginx group: set group-wide variables"
    hosts: nginx
    vars:
      new_bundle: "include/current/root-chain_domain.pem"
      new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
      new_private_key: "include/current/_domain.key"
      nginx_config_test_command: "nginx -t -c /etc/nginx/nginx.conf"
      nginx_apply_command: "systemctl reload nginx.service"

    tasks:
      - name: "nginx group: dump group-wide variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "This is only showing info from GitLab group"
            - "------------------------------------------------------------------"
            - "new_bundle is: {{ new_bundle }}"
            - "new_fullchain_root_bundle is: {{ new_fullchain_root_bundle }}"
            - "new_private_key is: {{ new_private_key }}"
            - "nginx_config_test_command is: {{ nginx_config_test_command }}"
            - "nginx_apply_command is: {{ nginx_apply_command }}"
      - name: "nginx group: dump host-specific variables"
        debug:
          msg:
            - "host is: {{ ansible_host }}"
            - "This is only showing info from GitLab group"
            - "------------------------------------------------------------------"
            - "fullchain_root_bundle_path is: {{ fullchain_root_bundle_path }}"
            - "private_key is: {{ private_key }}"
            - "------------------------------------------------------------------"
            - "healthcheck_url is: {{ healthcheck_url }}"
      - name: "nginx group: dump OPTIONAL host-specific variables"
        debug:
          msg:
          - "host is: {{ ansible_host }}"
          - "------------------------------------------------------------------"

      - name: "nginx hosts: Copy the new_fullchain_root_bundle"
        copy:
          backup: true
    #      follow: true
          src: "{{ new_fullchain_root_bundle }}"
          dest: "{{ fullchain_root_bundle_path }}"
      - name: "nginx: Copy the private key"
        copy:
          backup: true
          src: "{{ new_private_key }}"
          dest: "{{ private_key }}"

################# test section ##############
      - name: "Nginx: run nginx config check command and register output"
        command: "{{ nginx_config_test_command }}"
        register: nginx_config_test_command_result
        ignore_errors: yes

      - name: "Dump nginx_config_test_command_result"
        debug:
          msg: "nginx_config_test_command_result is {{ nginx_config_test_command_result }}"

      - name: "dump nginx_config_test_command_result.stderr"
        debug:
          msg: "{{ nginx_config_test_command_result.stderr }}"
      - name: "Set test_outcome to pass if criteria are met"
        set_fact:
          config_test_outcome: pass
        when: '"test is successful" in nginx_config_test_command_result.stderr'
        ignore_errors: yes

      - debug:
          msg: "{{ config_test_outcome }}"
        ignore_errors: yes

################# apply section ##############
      - name: "Nginx: reload nginx service if config test is successful"
        command: "{{ nginx_apply_command }}"
        ignore_errors: yes
        when: config_test_outcome == "pass"

########## others group ###################################################################################################################
  - name: "others group"
    hosts: others
    vars:
      new_cert: "include/current/_domain.cert"
      new_bundle: "include/current/root-chain_domain.pem"
      new_fullchain_root_bundle: "include/current/fullchain_bundle_domain.pem"
      new_private_key: "include/current/_domain.key"
    tasks:
    - name: "others: dump debugging messages"
      debug:
        msg:
            - "host is: {{ ansible_host }}"
            - "Group from inventory file is: {{ group_names }} "
            - "This host's post_test_command is: {{ post_test_command }}"
            - "This host's apply_command is: {{ apply_command }}"
            - "------------------------------------------------------------------"
            - "fullchain_root_bundle_path: {{ fullchain_root_bundle_path }}"
            - "private_key_path: {{ private_key_path }}"

    - name: "other hosts: Copy the new_fullchain_root_bundle"
      copy:
        backup: true
  #      follow: true
        src: "{{ new_fullchain_root_bundle }}"
        dest: "{{ fullchain_root_bundle_path }}"
    - name: "other: Copy the private key"
      copy:
        backup: true
        src: "{{ new_private_key }}"
        dest: "{{ private_key }}"

################# other section ##############
    - name: "other: run other host-specific config check command and register output"
      command: "{{ post_test_command }}"
      register: other_hosts_config_test_command_result
      ignore_errors: yes

    - name: "Dump other_hosts_config_test_command_result"
      debug:
        msg: "other_hosts_config_test_command_result is {{ other_hosts_config_test_command_result }}"

    - name: "dump other_hosts_config_test_command_result.stderr"
      debug:
        msg: "{{ other_hosts_config_test_command_result.stderr }}"
    - name: "Set test_outcome to pass if criteria are met"
      set_fact:
        config_test_outcome: pass
      when: '{{ post_test_command_success_output }} in other_hosts_config_test_command_result.stderr'
      ignore_errors: yes

    - debug:
        msg: "{{ config_test_outcome }}"
      ignore_errors: yes

################# other apply section ##############
    - name: "others: host-specific command"
      command: "{{ apply_command }}"
      ignore_errors: yes
      when: config_test_outcome == "pass"