--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/contrib/provision/roles/certs/tasks/main.yml	Sat Mar 19 00:45:41 2016 +0800
@@ -0,0 +1,45 @@
+---
+- name: Install packages
+  apt: pkg={{ item }} state=present
+  with_items:
+    - openssl
+    - ssl-cert
+
+- name: Make sure {{ path }} exists
+  file: path='{{ path }}' state=directory owner=root group=ssl-cert mode=0710
+
+- name: Make sure domain directories exist
+  file: path='{{ path }}/{{ item }}' state=directory owner=root group=ssl-cert mode=0710
+  with_items: '{{ selfsigned }}'
+
+- name: Generate private keys
+  command: >
+    openssl genrsa
+    -out '{{ path }}/{{ item }}/clean.key'
+    2048
+  args:
+    creates: '{{ path }}/{{ item }}/clean.key'
+  with_items: '{{ selfsigned }}'
+
+- name: Set permissions for private keys
+  file: path='{{ path }}/{{ item }}/clean.key' state=file owner=root group=ssl-cert mode=0640
+  with_items: '{{ selfsigned }}'
+
+- name: Generate self-signed certificates
+  command: >
+    openssl req
+    -new
+    -x509
+    -subj '/CN={{ item }}'
+    -extensions v3_ca
+    -days 3650
+    -key '{{ path }}/{{ item }}/clean.key'
+    -out '{{ path }}/{{ item }}/selfsigned.pem'
+  args:
+    creates: '{{ path }}/{{ item }}/selfsigned.pem'
+  with_items: '{{ selfsigned }}'
+
+- name: Set permissions for self-signed certificates
+  file: path='{{ path }}/{{ item }}/selfsigned.pem' state=file owner=root group=ssl-cert mode=0640
+  with_items: '{{ selfsigned }}'
+...

--- /dev/null	Thu Jan 01 00:00:00 1970 +0000
+++ b/contrib/provision/roles/certs/vars/main.yml	Sat Mar 19 00:45:41 2016 +0800
@@ -0,0 +1,4 @@
+---
+path: /etc/ssl/selfsigned/
+selfsigned: []
+...