Rework acme role

This commit is contained in:
Mark Janssen 2024-07-14 20:20:56 +02:00
parent b29062a436
commit ce1babbeda
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
8 changed files with 47 additions and 80 deletions


@ -1,7 +1,9 @@
---
- name: update_contact_info
ansible.builtin.command:
cmd: dehydrated --account
- name: query_certificates
- name: run dehydrated
ansible.builtin.command:
cmd: dehydrated --cron
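Review bot: The new handler name `run dehydrated` (with a space) does not follow the snake_case convention used by `update_contact_info` in the same file, so the two notify targets in this role now look like different styles. Renaming it to `run_dehydrated` and updating the matching `notify: "run dehydrated"` in the `domains.txt` loop item of the tasks file keeps the names consistent and greppable. Whether `query_certificates` is removed by this commit or merely collapsed in the rendered view is not recoverable here; if it is kept, it should keep its module arguments.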


@ -1,82 +1,46 @@
---
- ansible.builtin.import_tasks:
file: remove_conflicting.yaml
tags: [ never, acme_remove_conflicting ]
- name: Install Dehydrated
tags: [ acme, acme_install ]
block:
- name: Install dependencies
ansible.builtin.apt:
name: ssl-cert
state: present
ansible.builtin.apt:
state: present
pkg:
- dehydrated
tags:
- acme
- name: Install Dehydrated
ansible.builtin.apt:
name: dehydrated
state: present
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: "directory"
path: "/etc/nginx/snippets"
owner: "root"
group: "root"
mode: "0755"
- name: Install config file
ansible.builtin.template:
src: config.sh
dest: /etc/dehydrated/conf.d/ansible.sh
owner: root
group: root
mode: 0755
notify: update_contact_info
- name: Template dehydrated configfiles
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
owner: "{{ item.owner | default('root') }}"
group: "{{ item.group | default('root') }}"
mode: "{{ item.mode | default('0640') }}"
notify: "{{ item.notify | default([]) }}"
with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
- { src: "cron", dest: "/etc/cron.d/dehydrated" }
- { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
- { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
- name: Install deploy hook
ansible.builtin.template:
src: deploy.sh
dest: /etc/dehydrated/conf.d/deploy.sh
owner: root
group: root
mode: 0755
- name: Register account
ansible.builtin.command:
args:
cmd: dehydrated --register --accept-terms
creates: /var/lib/dehydrated/accounts
- name: Install cronjob
ansible.builtin.template:
src: cron
dest: /etc/cron.d/dehydrated
owner: root
group: root
mode: 0644
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop_control:
loop_var: domains
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: directory
path: /etc/nginx/snippets
owner: root
group: root
mode: 0755
- name: Install Nginx snippet
ansible.builtin.template:
src: nginx-snippet.conf
dest: /etc/nginx/snippets/acme.conf
owner: root
group: root
mode: 0644
- name: Register account
ansible.builtin.command:
cmd: dehydrated --register --accept-terms
args:
creates: /var/lib/dehydrated/accounts
- tags: [ acme, acme_certs ]
block:
- name: Configure certificates
ansible.builtin.template:
src: domains.txt
dest: /etc/dehydrated/domains.txt
owner: root
group: root
mode: 0644
notify: query_certificates
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop_control:
loop_var: domains
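Review bot: The consolidated `Template dehydrated configfiles` task lists its five files as long flow-style mappings under `with_items`; block-style items under `loop:` read and diff more cleanly, keep every line under 80 columns, and match the block style used elsewhere in this file. The `mode: "{{ item.mode | default('0640') }}"` default also tightens `/etc/cron.d/dehydrated`, the nginx snippet and `domains.txt` from the `0644` the removed tasks used; cron.d entries and nginx includes owned by root are read as root, so this is likely fine, but the commit message should state the change. Templating `notify` from the loop item works on current ansible-core; if older versions are in scope it is worth one run with `--diff` to confirm the `domains.txt` item still triggers its handler.
```yaml
  notify: "{{ item.notify | default([]) }}"
  # … unchanged: src/dest/owner/group/mode module args …
  loop:
    - src: config.sh
      dest: /etc/dehydrated/conf.d/ansible.sh
      mode: "0755"
    - src: deploy.sh
      dest: /etc/dehydrated/conf.d/deploy.sh
      mode: "0755"
    - src: cron
      dest: /etc/cron.d/dehydrated
    - src: nginx-snippet.conf
      dest: /etc/nginx/snippets/acme.conf
    - src: domains.txt
      dest: /etc/dehydrated/domains.txt
      notify: run dehydrated
```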


@ -1,4 +1,5 @@
---
- ansible.builtin.stat:
path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
register: cert_stat


@ -1,5 +1,5 @@
#!/bin/bash
# Managed by Ansible
# {{ ansible_managed }}
CONTACT_EMAIL={{ notify_email }}


@ -1,4 +1,4 @@
# Managed by Ansible
# {{ ansible_managed }}
SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin


@ -1,5 +1,5 @@
#!/bin/bash
# Managed by Ansible
# {{ ansible_managed }}
systemctl reload nginx.service


@ -1,4 +1,4 @@
# Managed by Ansible
# {{ ansible_managed }}
{% for domain in acme_domains|default([]) %}
{{ domain }}


@ -1,4 +1,4 @@
# Managed by Ansible
# {{ ansible_managed }}
location /.well-known/acme-challenge {
allow all;