diff --git a/roles/acme/handlers/main.yaml b/roles/acme/handlers/main.yaml
index 508fc1a..7ff2509 100644
--- a/roles/acme/handlers/main.yaml
+++ b/roles/acme/handlers/main.yaml
@@ -1,7 +1,9 @@ +--- + - name: update_contact_info ansible.builtin.command: cmd: dehydrated --account -- name: query_certificates +- name: run dehydrated ansible.builtin.command: cmd: dehydrated --cron
diff --git a/roles/acme/tasks/main.yaml b/roles/acme/tasks/main.yaml
index 653f49c..229f566 100644
--- a/roles/acme/tasks/main.yaml
+++ b/roles/acme/tasks/main.yaml
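Review bot: The new handler name `run dehydrated` breaks the snake_case convention its sibling `update_contact_info` follows, and a space in a handler name means every `notify` has to reproduce it as an exactly matching quoted string. Renaming it `- name: run_dehydrated` (with the matching `notify: "run_dehydrated"` on the domains.txt item in roles/acme/tasks/main.yaml) keeps the two handlers consistent and lets the notify be written unquoted. The handlers file is covered entirely by this hunk.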
@@ -1,82 +1,46 @@ --- -- ansible.builtin.import_tasks: - file: remove_conflicting.yaml - tags: [ never, acme_remove_conflicting ] - name: Install Dehydrated - tags: [ acme, acme_install ] - block: - - name: Install dependencies - ansible.builtin.apt: - name: ssl-cert - state: present + ansible.builtin.apt: + state: present + pkg: + - dehydrated + tags: + - acme - - name: Install Dehydrated - ansible.builtin.apt: - name: dehydrated - state: present +- name: Create Nginx snippet snippets dir + ansible.builtin.file: + state: "directory" + path: "/etc/nginx/snippets" + owner: "root" + group: "root" + mode: "0755" - - name: Install config file - ansible.builtin.template: - src: config.sh - dest: /etc/dehydrated/conf.d/ansible.sh - owner: root - group: root - mode: 0755 - notify: update_contact_info +- name: Template dehydrated configfiles + ansible.builtin.template: + src: "{{ item.src }}" + dest: "{{ item.dest }}" + owner: "{{ item.owner | default('root') }}" + group: "{{ item.group | default('root') }}" + mode: "{{ item.mode | default('0640') }}" + notify: "{{ item.notify | default([]) }}" + with_items: + - { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' } + - { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' } + - { src: "cron", dest: "/etc/cron.d/dehydrated" } + - { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" } + - { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" } - - name: Install deploy hook - ansible.builtin.template: - src: deploy.sh - dest: /etc/dehydrated/conf.d/deploy.sh - owner: root - group: root - mode: 0755 +- name: Register account + ansible.builtin.command: + args: + cmd: dehydrated --register --accept-terms + creates: /var/lib/dehydrated/accounts - - name: Install cronjob - ansible.builtin.template: - src: cron - dest: /etc/cron.d/dehydrated - owner: root - group: root - mode: 0644 +- name: Symlink SAN domains + ansible.builtin.include_tasks: + 
file: san_domains_loop.yaml + loop: "{{ acme_san_domains|default([]) }}" + loop_control: + loop_var: domains - - name: Create Nginx snippet snippets dir - ansible.builtin.file: - state: directory - path: /etc/nginx/snippets - owner: root - group: root - mode: 0755 - - - name: Install Nginx snippet - ansible.builtin.template: - src: nginx-snippet.conf - dest: /etc/nginx/snippets/acme.conf - owner: root - group: root - mode: 0644 - - - name: Register account - ansible.builtin.command: - cmd: dehydrated --register --accept-terms - args: - creates: /var/lib/dehydrated/accounts - -- tags: [ acme, acme_certs ] - block: - - name: Configure certificates - ansible.builtin.template: - src: domains.txt - dest: /etc/dehydrated/domains.txt - owner: root - group: root - mode: 0644 - notify: query_certificates - - - name: Symlink SAN domains - ansible.builtin.include_tasks: - file: san_domains_loop.yaml - loop: "{{ acme_san_domains|default([]) }}" - loop_control: - loop_var: domains
diff --git a/roles/acme/tasks/san_domains_loop.yaml b/roles/acme/tasks/san_domains_loop.yaml
index b878042..99d57b5 100644
--- a/roles/acme/tasks/san_domains_loop.yaml
+++ b/roles/acme/tasks/san_domains_loop.yaml
@@ -1,4 +1,5 @@ --- + - ansible.builtin.stat: path: "/var/lib/dehydrated/certs/{{ domains[0] }}" register: cert_stat
diff --git a/roles/acme/templates/config.sh b/roles/acme/templates/config.sh
index f51455d..2dae219 100644
--- a/roles/acme/templates/config.sh
+++ b/roles/acme/templates/config.sh
@@ -1,5 +1,5 @@ #!/bin/bash -# Managed by Ansible +# {{ ansible_managed }} CONTACT_EMAIL={{ notify_email }}
diff --git a/roles/acme/templates/cron b/roles/acme/templates/cron
index ecf8b99..c7d7c91 100644
--- a/roles/acme/templates/cron
+++ b/roles/acme/templates/cron
@@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} SHELL=/bin/sh PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin
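Review bot: The `config.sh` item of the new `Template dehydrated configfiles` loop drops the `notify: update_contact_info` that the removed `Install config file` task carried, so a changed `notify_email` is rendered into /etc/dehydrated/conf.d/ansible.sh but `dehydrated --account` is never re-run; the handler still exists in roles/acme/handlers/main.yaml, yet nothing on the new side of this hunk notifies it. Restoring it is one line: `- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755', notify: "update_contact_info" }`. Separately, only the `Install Dehydrated` apt task carries `tags: - acme` where the old file tagged every task through its two blocks (`acme` plus `acme_install`/`acme_certs`), so a run limited with `--tags acme` now installs the package and skips the templates, account registration and SAN symlinks; either tag each task or wrap them in a tagged block again. As a point of style, the `with_items` list of inline flow mappings would read more easily as a `loop:` of block mappings with the mode values quoted one way (`'0755'` versus the default `"0640"`). This hunk covers the whole file.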
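Review bot: Swapping the fixed `# Managed by Ansible` header for `# {{ ansible_managed }}` makes every rendered file depend on the controller's `ansible_managed` setting, and that dependency is undocumented in the role; if a controller configures the date/uid/host variant of that string, all of these templates change on every run, and for domains.txt that means the `run dehydrated` handler (hence `dehydrated --cron`) fires every run. A note in the role's README or defaults that `ansible_managed` must be a static string for the role to stay idempotent would cover this; the same applies to the cron, deploy.sh, domains.txt and nginx-snippet.conf hunks. Whether any controller here uses the timestamped variant cannot be seen from the diff.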
diff --git a/roles/acme/templates/deploy.sh b/roles/acme/templates/deploy.sh
index 3d962b6..cbcb1b1 100644
--- a/roles/acme/templates/deploy.sh
+++ b/roles/acme/templates/deploy.sh
@@ -1,5 +1,5 @@ #!/bin/bash -# Managed by Ansible +# {{ ansible_managed }} systemctl reload nginx.service
diff --git a/roles/acme/templates/domains.txt b/roles/acme/templates/domains.txt
index 632b12b..eba6ded 100644
--- a/roles/acme/templates/domains.txt
+++ b/roles/acme/templates/domains.txt
@@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} {% for domain in acme_domains|default([]) %} {{ domain }}
diff --git a/roles/acme/templates/nginx-snippet.conf b/roles/acme/templates/nginx-snippet.conf
index c57ac6a..7425bc2 100644
--- a/roles/acme/templates/nginx-snippet.conf
+++ b/roles/acme/templates/nginx-snippet.conf
@@ -1,4 +1,4 @@ -# Managed by Ansible +# {{ ansible_managed }} location /.well-known/acme-challenge { allow all;