Rework acme role

2024-07-14 20:20:56 +02:00 · 2024-07-14 20:20:56 +02:00 · ce1babbeda
commit ce1babbeda
parent b29062a436
8 changed files with 47 additions and 80 deletions
--- a/roles/acme/handlers/main.yaml
+++ b/roles/acme/handlers/main.yaml
@ -1,7 +1,9 @@
+---
+
 - name: update_contact_info
  ansible.builtin.command:
    cmd: dehydrated --account

- name: query_certificates
+- name: run dehydrated
  ansible.builtin.command:
    cmd: dehydrated --cron
--- a/roles/acme/tasks/main.yaml
+++ b/roles/acme/tasks/main.yaml
@ -1,82 +1,46 @@
 ---
- ansible.builtin.import_tasks:
-    file: remove_conflicting.yaml
-  tags: [ never, acme_remove_conflicting ]

 - name: Install Dehydrated
-  tags: [ acme, acme_install ]
-  block:
-    - name: Install dependencies
-      ansible.builtin.apt:
-        name: ssl-cert
-        state: present
+  ansible.builtin.apt:
+    state: present
+    pkg:
+      - dehydrated
+  tags:
+    - acme

-    - name: Install Dehydrated
-      ansible.builtin.apt:
-        name: dehydrated
-        state: present
+- name: Create Nginx snippet snippets dir
+  ansible.builtin.file:
+    state: "directory"
+    path: "/etc/nginx/snippets"
+    owner: "root"
+    group: "root"
+    mode: "0755"

-    - name: Install config file
-      ansible.builtin.template:
-        src: config.sh
-        dest: /etc/dehydrated/conf.d/ansible.sh
-        owner: root
-        group: root
-        mode: 0755
-      notify: update_contact_info
+- name: Template dehydrated configfiles
+  ansible.builtin.template:
+    src: "{{ item.src }}"
+    dest: "{{ item.dest }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+    mode: "{{ item.mode | default('0640') }}"
+    notify: "{{ item.notify | default([]) }}"
+  with_items:
+    - { src: "config.sh",          dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
+    - { src: "deploy.sh",          dest: "/etc/dehydrated/conf.d/deploy.sh",  mode: '0755' }
+    - { src: "cron",               dest: "/etc/cron.d/dehydrated" }
+    - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
+    - { src: "domains.txt",        dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }

-    - name: Install deploy hook
-      ansible.builtin.template:
-        src: deploy.sh
-        dest: /etc/dehydrated/conf.d/deploy.sh
-        owner: root
-        group: root
-        mode: 0755
+- name: Register account
+  ansible.builtin.command:
+  args:
+    cmd: dehydrated --register --accept-terms
+    creates: /var/lib/dehydrated/accounts

-    - name: Install cronjob
-      ansible.builtin.template:
-        src: cron
-        dest: /etc/cron.d/dehydrated
-        owner: root
-        group: root
-        mode: 0644
+- name: Symlink SAN domains
+  ansible.builtin.include_tasks:
+    file: san_domains_loop.yaml
+  loop: "{{ acme_san_domains|default([]) }}"
+  loop_control:
+    loop_var: domains

-    - name: Create Nginx snippet snippets dir
-      ansible.builtin.file:
-        state: directory
-        path: /etc/nginx/snippets
-        owner: root
-        group: root
-        mode: 0755
-
-    - name: Install Nginx snippet
-      ansible.builtin.template:
-        src: nginx-snippet.conf
-        dest: /etc/nginx/snippets/acme.conf
-        owner: root
-        group: root
-        mode: 0644
-
-    - name: Register account
-      ansible.builtin.command:
-        cmd: dehydrated --register --accept-terms
-      args:
-        creates: /var/lib/dehydrated/accounts
-
- tags: [ acme, acme_certs ]
-  block:
-    - name: Configure certificates
-      ansible.builtin.template:
-        src: domains.txt
-        dest: /etc/dehydrated/domains.txt
-        owner: root
-        group: root
-        mode: 0644
-      notify: query_certificates
-
-    - name: Symlink SAN domains
-      ansible.builtin.include_tasks:
-        file: san_domains_loop.yaml
-      loop: "{{ acme_san_domains|default([]) }}"
-      loop_control:
-        loop_var: domains
--- a/roles/acme/tasks/san_domains_loop.yaml
+++ b/roles/acme/tasks/san_domains_loop.yaml
@ -1,4 +1,5 @@
 ---
+
 - ansible.builtin.stat:
    path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
  register: cert_stat
--- a/roles/acme/templates/config.sh
+++ b/roles/acme/templates/config.sh
@ -1,5 +1,5 @@
 #!/bin/bash

-# Managed by Ansible
+# {{ ansible_managed }}

 CONTACT_EMAIL={{ notify_email }}
--- a/roles/acme/templates/cron
+++ b/roles/acme/templates/cron
@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}

 SHELL=/bin/sh
 PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
--- a/roles/acme/templates/deploy.sh
+++ b/roles/acme/templates/deploy.sh
@ -1,5 +1,5 @@
 #!/bin/bash

-# Managed by Ansible
+# {{ ansible_managed }}

 systemctl reload nginx.service
--- a/roles/acme/templates/domains.txt
+++ b/roles/acme/templates/domains.txt
@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}

 {% for domain in acme_domains|default([]) %}
 {{ domain }}
--- a/roles/acme/templates/nginx-snippet.conf
+++ b/roles/acme/templates/nginx-snippet.conf
@ -1,4 +1,4 @@
-# Managed by Ansible
+# {{ ansible_managed }}

 location /.well-known/acme-challenge {
 	allow all;