From ce1babbeda57d1c01ba99e3fd40e4d62a62abe3d Mon Sep 17 00:00:00 2001
From: Mark Janssen -- Sig-I/O Automatisering <mark@sig-io.nl>
Date: Sun, 14 Jul 2024 20:20:56 +0200
Subject: [PATCH] Rework acme role

---
 roles/acme/handlers/main.yaml           |   4 +-
 roles/acme/tasks/main.yaml              | 112 ++++++++----------------
 roles/acme/tasks/san_domains_loop.yaml  |   1 +
 roles/acme/templates/config.sh          |   2 +-
 roles/acme/templates/cron               |   2 +-
 roles/acme/templates/deploy.sh          |   2 +-
 roles/acme/templates/domains.txt        |   2 +-
 roles/acme/templates/nginx-snippet.conf |   2 +-
 8 files changed, 47 insertions(+), 80 deletions(-)

diff --git a/roles/acme/handlers/main.yaml b/roles/acme/handlers/main.yaml
index 508fc1a..7ff2509 100644
--- a/roles/acme/handlers/main.yaml
+++ b/roles/acme/handlers/main.yaml
@@ -1,7 +1,9 @@
+---
+
 - name: update_contact_info
   ansible.builtin.command:
     cmd: dehydrated --account
 
-- name: query_certificates
+- name: run dehydrated
   ansible.builtin.command:
     cmd: dehydrated --cron
diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml
index 653f49c..229f566 100644
--- a/roles/acme/tasks/main.yaml
+++ b/roles/acme/tasks/main.yaml
@@ -1,82 +1,46 @@
 ---
-- ansible.builtin.import_tasks:
-    file: remove_conflicting.yaml
-  tags: [ never, acme_remove_conflicting ]
 
 - name: Install Dehydrated
-  tags: [ acme, acme_install ]
-  block:
-    - name: Install dependencies
-      ansible.builtin.apt:
-        name: ssl-cert
-        state: present
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - dehydrated
+  tags:
+    - acme
 
-    - name: Install Dehydrated
-      ansible.builtin.apt:
-        name: dehydrated
-        state: present
+- name: Create Nginx snippet snippets dir
+  ansible.builtin.file:
+    state: "directory"
+    path: "/etc/nginx/snippets"
+    owner: "root"
+    group: "root"
+    mode: "0755"
 
-    - name: Install config file
-      ansible.builtin.template:
-        src: config.sh
-        dest: /etc/dehydrated/conf.d/ansible.sh
-        owner: root
-        group: root
-        mode: 0755
-      notify: update_contact_info
+- name: Template dehydrated configfiles
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+    mode: "{{ item.mode | default('0640') }}"
+    notify: "{{ item.notify | default([]) }}"
+  with_items:
+    - { src: "config.sh",          dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
+    - { src: "deploy.sh",          dest: "/etc/dehydrated/conf.d/deploy.sh",  mode: '0755' }
+    - { src: "cron",               dest: "/etc/cron.d/dehydrated" }
+    - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
+    - { src: "domains.txt",        dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
 
-    - name: Install deploy hook
-      ansible.builtin.template:
-        src: deploy.sh
-        dest: /etc/dehydrated/conf.d/deploy.sh
-        owner: root
-        group: root
-        mode: 0755
+- name: Register account
+  ansible.builtin.command:
+  args:
+    cmd: dehydrated --register --accept-terms
+    creates: /var/lib/dehydrated/accounts
 
-    - name: Install cronjob
-      ansible.builtin.template:
-        src: cron
-        dest: /etc/cron.d/dehydrated
-        owner: root
-        group: root
-        mode: 0644
+- name: Symlink SAN domains
+  ansible.builtin.include_tasks:
+    file: san_domains_loop.yaml
+  loop: "{{ acme_san_domains|default([]) }}"
+  loop_control:
+    loop_var: domains
 
-    - name: Create Nginx snippet snippets dir
-      ansible.builtin.file:
-        state: directory
-        path: /etc/nginx/snippets
-        owner: root
-        group: root
-        mode: 0755
-
-    - name: Install Nginx snippet
-      ansible.builtin.template:
-        src: nginx-snippet.conf
-        dest: /etc/nginx/snippets/acme.conf
-        owner: root
-        group: root
-        mode: 0644
-
-    - name: Register account
-      ansible.builtin.command:
-        cmd: dehydrated --register --accept-terms
-      args:
-        creates: /var/lib/dehydrated/accounts
-
-- tags: [ acme, acme_certs ]
-  block:
-    - name: Configure certificates
-      ansible.builtin.template:
-        src: domains.txt
-        dest: /etc/dehydrated/domains.txt
-        owner: root
-        group: root
-        mode: 0644
-      notify: query_certificates
-
-    - name: Symlink SAN domains
-      ansible.builtin.include_tasks:
-        file: san_domains_loop.yaml
-      loop: "{{ acme_san_domains|default([]) }}"
-      loop_control:
-        loop_var: domains
diff --git a/roles/acme/tasks/san_domains_loop.yaml b/roles/acme/tasks/san_domains_loop.yaml
index b878042..99d57b5 100644
--- a/roles/acme/tasks/san_domains_loop.yaml
+++ b/roles/acme/tasks/san_domains_loop.yaml
@@ -1,4 +1,5 @@
 ---
+
 - ansible.builtin.stat:
     path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
   register: cert_stat
diff --git a/roles/acme/templates/config.sh b/roles/acme/templates/config.sh
index f51455d..2dae219 100644
--- a/roles/acme/templates/config.sh
+++ b/roles/acme/templates/config.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-# Managed by Ansible
+# {{ ansible_managed }}
 
 CONTACT_EMAIL={{ notify_email }}
diff --git a/roles/acme/templates/cron b/roles/acme/templates/cron
index ecf8b99..c7d7c91 100644
--- a/roles/acme/templates/cron
+++ b/roles/acme/templates/cron
@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 SHELL=/bin/sh
 PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
diff --git a/roles/acme/templates/deploy.sh b/roles/acme/templates/deploy.sh
index 3d962b6..cbcb1b1 100644
--- a/roles/acme/templates/deploy.sh
+++ b/roles/acme/templates/deploy.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 
-# Managed by Ansible
+# {{ ansible_managed }}
 
 systemctl reload nginx.service
diff --git a/roles/acme/templates/domains.txt b/roles/acme/templates/domains.txt
index 632b12b..eba6ded 100644
--- a/roles/acme/templates/domains.txt
+++ b/roles/acme/templates/domains.txt
@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 {% for domain in acme_domains|default([]) %}
 {{ domain }}
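Review bot: Switching the header to `{{ ansible_managed }}` makes this file's content depend on the `ansible_managed` setting in ansible.cfg; if that setting includes the `{file}`, `{host}` or date placeholders, the rendered text changes on every run, the template task reports changed, and the `run dehydrated` handler attached to `domains.txt` in the tasks file fires each time, re-running `dehydrated --cron` against the ACME provider on every play. The same applies to the other four templates in this patch, though only this one carries a handler. If the project's config does not pin `ansible_managed` to a stable string, I would either keep a static header here or document the requirement in the role README, e.g. `# ansible_managed must not contain date/host placeholders, or the dehydrated handler fires every run`.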
diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf
index c57ac6a..7425bc2 100644
--- a/roles/acme/templates/nginx-snippet.conf
+++ b/roles/acme/templates/nginx-snippet.conf
@@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}
 
 location /.well-known/acme-challenge {
 	allow all;