Rework acme role

This commit is contained in:
Mark Janssen 2024-07-14 20:20:56 +02:00
parent b29062a436
commit ce1babbeda
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
8 changed files with 47 additions and 80 deletions


@ -1,7 +1,9 @@
---
- name: update_contact_info - name: update_contact_info
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --account cmd: dehydrated --account
- name: query_certificates - name: run dehydrated
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --cron cmd: dehydrated --cron


@ -1,82 +1,46 @@
--- ---
- ansible.builtin.import_tasks:
file: remove_conflicting.yaml
tags: [ never, acme_remove_conflicting ]
- name: Install Dehydrated
tags: [ acme, acme_install ]
block:
- name: Install dependencies
ansible.builtin.apt:
name: ssl-cert
state: present
- name: Install Dehydrated - name: Install Dehydrated
ansible.builtin.apt: ansible.builtin.apt:
name: dehydrated
state: present state: present
pkg:
- name: Install config file - dehydrated
ansible.builtin.template: tags:
src: config.sh - acme
dest: /etc/dehydrated/conf.d/ansible.sh
owner: root
group: root
mode: 0755
notify: update_contact_info
- name: Install deploy hook
ansible.builtin.template:
src: deploy.sh
dest: /etc/dehydrated/conf.d/deploy.sh
owner: root
group: root
mode: 0755
- name: Install cronjob
ansible.builtin.template:
src: cron
dest: /etc/cron.d/dehydrated
owner: root
group: root
mode: 0644
- name: Create Nginx snippet snippets dir - name: Create Nginx snippet snippets dir
ansible.builtin.file: ansible.builtin.file:
state: directory state: "directory"
path: /etc/nginx/snippets path: "/etc/nginx/snippets"
owner: root owner: "root"
group: root group: "root"
mode: 0755 mode: "0755"
- name: Install Nginx snippet - name: Template dehydrated configfiles
ansible.builtin.template: ansible.builtin.template:
src: nginx-snippet.conf src: "{{ item.src }}"
dest: /etc/nginx/snippets/acme.conf dest: "{{ item.dest }}"
owner: root owner: "{{ item.owner | default('root') }}"
group: root group: "{{ item.group | default('root') }}"
mode: 0644 mode: "{{ item.mode | default('0640') }}"
notify: "{{ item.notify | default([]) }}"
with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
- { src: "cron", dest: "/etc/cron.d/dehydrated" }
- { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
- { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
- name: Register account - name: Register account
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --register --accept-terms
args: args:
cmd: dehydrated --register --accept-terms
creates: /var/lib/dehydrated/accounts creates: /var/lib/dehydrated/accounts
- tags: [ acme, acme_certs ]
block:
- name: Configure certificates
ansible.builtin.template:
src: domains.txt
dest: /etc/dehydrated/domains.txt
owner: root
group: root
mode: 0644
notify: query_certificates
- name: Symlink SAN domains - name: Symlink SAN domains
ansible.builtin.include_tasks: ansible.builtin.include_tasks:
file: san_domains_loop.yaml file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}" loop: "{{ acme_san_domains|default([]) }}"
loop_control: loop_control:
loop_var: domains loop_var: domains
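Review bot: The `config.sh` entry in the new `with_items` list no longer notifies `update_contact_info`, although the standalone task it replaces did and the handler is still defined in the handlers file; as written, a change to the rendered `/etc/dehydrated/conf.d/ansible.sh` (e.g. a new CONTACT_EMAIL) will not trigger `dehydrated --account`. Restore it on that item: `- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755', notify: "update_contact_info" }`. The loop relies on `notify: "{{ item.notify | default([]) }}"` being templated per item, which I believe holds for current Ansible but is worth confirming once against the version in use, since a silently unqueued handler here means `domains.txt` changes never run `dehydrated --cron`. The mode default of `'0640'` for the cron file and the Nginx snippet is a sensible tightening from the old 0644, given both are read by root-owned daemons.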


@ -1,4 +1,5 @@
--- ---
- ansible.builtin.stat: - ansible.builtin.stat:
path: "/var/lib/dehydrated/certs/{{ domains[0] }}" path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
register: cert_stat register: cert_stat


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Managed by Ansible # {{ ansible_managed }}
CONTACT_EMAIL={{ notify_email }} CONTACT_EMAIL={{ notify_email }}


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
SHELL=/bin/sh SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Managed by Ansible # {{ ansible_managed }}
systemctl reload nginx.service systemctl reload nginx.service


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
{% for domain in acme_domains|default([]) %} {% for domain in acme_domains|default([]) %}
{{ domain }} {{ domain }}
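Review bot: The `# {{ ansible_managed }}` header on the first line ties the rendered domains.txt to the controller's `ansible_managed` setting, and in the tasks file this is the one template whose change notifies `run dehydrated` (`dehydrated --cron`). If `ansible_managed` is configured with the older timestamp-bearing format, the file differs on every run and the handler contacts the CA on every play; with the plain default string it is stable. Either confirm the project's ansible.cfg uses a date-free value, or keep a static header such as `# Managed by Ansible - do not edit` in this particular template so that only real domain changes trigger the handler.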


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
allow all; allow all;