Rework acme role

This commit is contained in:
Mark Janssen 2024-07-14 20:20:56 +02:00
parent b29062a436
commit ce1babbeda
Signed by: foobar
GPG key ID: D8674D8FC4F69BD2
8 changed files with 47 additions and 80 deletions


@ -1,7 +1,9 @@
---
- name: update_contact_info - name: update_contact_info
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --account cmd: dehydrated --account
- name: query_certificates - name: run dehydrated
ansible.builtin.command: ansible.builtin.command:
cmd: dehydrated --cron cmd: dehydrated --cron


@ -1,82 +1,46 @@
--- ---
- ansible.builtin.import_tasks:
file: remove_conflicting.yaml
tags: [ never, acme_remove_conflicting ]
- name: Install Dehydrated - name: Install Dehydrated
tags: [ acme, acme_install ] ansible.builtin.apt:
block: state: present
- name: Install dependencies pkg:
ansible.builtin.apt: - dehydrated
name: ssl-cert tags:
state: present - acme
- name: Install Dehydrated - name: Create Nginx snippet snippets dir
ansible.builtin.apt: ansible.builtin.file:
name: dehydrated state: "directory"
state: present path: "/etc/nginx/snippets"
owner: "root"
group: "root"
mode: "0755"
- name: Install config file - name: Template dehydrated configfiles
ansible.builtin.template: ansible.builtin.template:
src: config.sh src: "{{ item.src }}"
dest: /etc/dehydrated/conf.d/ansible.sh dest: "{{ item.dest }}"
owner: root owner: "{{ item.owner | default('root') }}"
group: root group: "{{ item.group | default('root') }}"
mode: 0755 mode: "{{ item.mode | default('0640') }}"
notify: update_contact_info notify: "{{ item.notify | default([]) }}"
with_items:
- { src: "config.sh", dest: "/etc/dehydrated/conf.d/ansible.sh", mode: '0755' }
- { src: "deploy.sh", dest: "/etc/dehydrated/conf.d/deploy.sh", mode: '0755' }
- { src: "cron", dest: "/etc/cron.d/dehydrated" }
- { src: "nginx-snippet.conf", dest: "/etc/nginx/snippets/acme.conf" }
- { src: "domains.txt", dest: "/etc/dehydrated/domains.txt", notify: "run dehydrated" }
- name: Install deploy hook - name: Register account
ansible.builtin.template: ansible.builtin.command:
src: deploy.sh args:
dest: /etc/dehydrated/conf.d/deploy.sh cmd: dehydrated --register --accept-terms
owner: root creates: /var/lib/dehydrated/accounts
group: root
mode: 0755
- name: Install cronjob - name: Symlink SAN domains
ansible.builtin.template: ansible.builtin.include_tasks:
src: cron file: san_domains_loop.yaml
dest: /etc/cron.d/dehydrated loop: "{{ acme_san_domains|default([]) }}"
owner: root loop_control:
group: root loop_var: domains
mode: 0644
- name: Create Nginx snippet snippets dir
ansible.builtin.file:
state: directory
path: /etc/nginx/snippets
owner: root
group: root
mode: 0755
- name: Install Nginx snippet
ansible.builtin.template:
src: nginx-snippet.conf
dest: /etc/nginx/snippets/acme.conf
owner: root
group: root
mode: 0644
- name: Register account
ansible.builtin.command:
cmd: dehydrated --register --accept-terms
args:
creates: /var/lib/dehydrated/accounts
- tags: [ acme, acme_certs ]
block:
- name: Configure certificates
ansible.builtin.template:
src: domains.txt
dest: /etc/dehydrated/domains.txt
owner: root
group: root
mode: 0644
notify: query_certificates
- name: Symlink SAN domains
ansible.builtin.include_tasks:
file: san_domains_loop.yaml
loop: "{{ acme_san_domains|default([]) }}"
loop_control:
loop_var: domains
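Review bot: Only the `Install Dehydrated` task carries `tags: - acme` on the new side; the templating task, `Register account` and `Symlink SAN domains` show no tag, whereas the old file wrapped them in blocks tagged `[ acme, acme_install ]` / `[ acme, acme_certs ]`, so a run limited with `--tags acme` would now install the package but skip the config files, account registration and SAN symlinks (as far as the rendered hunk shows — confirm against the file). Either restore the tagged blocks or add `tags: [ acme ]` to each of the remaining tasks. The new first task `- ansible.builtin.import_tasks: file: remove_conflicting.yaml` also has no `name:`, which makes the `never`-tagged step hard to identify in play output and in `--list-tasks`; a `- name: Remove conflicting ACME setup` line would help. The `ssl-cert` package the old `Install dependencies` task pulled in is gone from the new `pkg:` list; if `deploy.sh` or the certificate file permissions rely on the `ssl-cert` group, it needs to be re-added.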


@ -1,4 +1,5 @@
--- ---
- ansible.builtin.stat: - ansible.builtin.stat:
path: "/var/lib/dehydrated/certs/{{ domains[0] }}" path: "/var/lib/dehydrated/certs/{{ domains[0] }}"
register: cert_stat register: cert_stat


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Managed by Ansible # {{ ansible_managed }}
CONTACT_EMAIL={{ notify_email }} CONTACT_EMAIL={{ notify_email }}


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
SHELL=/bin/sh SHELL=/bin/sh
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin


@ -1,5 +1,5 @@
#!/bin/bash #!/bin/bash
# Managed by Ansible # {{ ansible_managed }}
systemctl reload nginx.service systemctl reload nginx.service


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
{% for domain in acme_domains|default([]) %} {% for domain in acme_domains|default([]) %}
{{ domain }} {{ domain }}


@ -1,4 +1,4 @@
# Managed by Ansible # {{ ansible_managed }}
location /.well-known/acme-challenge { location /.well-known/acme-challenge {
allow all; allow all;