Add acmetool role for Let's encrypt certificates

7503a408 · Robin Sonnabend · e5f10eaa · 7503a408 · 7503a408 · 7503a408
Commit 7503a408 authored 7 years ago by Robin Sonnabend
--- a/acmetool/defaults/main.yml
+++ b/acmetool/defaults/main.yml
+---
+# file: acmetool/defaults/main.yml
+acmetool_endpoint: "https://acme-v01.api.letsencrypt.org/directory"
+acmetool_key_type: rsa
+acmetool_rsa_key_size: 4096
--- a/acmetool/files/reload-config
+++ b/acmetool/files/reload-config
+SERVICES="nginx-proxy"
--- a/acmetool/files/service-after.conf
+++ b/acmetool/files/service-after.conf
+[Unit]
+After=nginx-proxy.service
--- a/acmetool/handlers/main.yml
+++ b/acmetool/handlers/main.yml
+---
+# file: acmetool/handlers/main.yml
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+- name: update certificates
+  systemd: name=acmetool.service state=started
--- a/acmetool/tasks/main.yml
+++ b/acmetool/tasks/main.yml
+---
+# file: acmetool/tasks/main.yml
+- name: ensure acmetool is installed
+  apt: name=acmetool state=present
+  tags:
+    - acmetool
+    - packages
+- name: ensure we have our response file
+  template:
+    src: response-file.yml
+    dest: /var/lib/acme/quickstart-reponses.yml
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+- name: check if acmetool is configured
+  command: acmetool status
+  register: acmetool_status
+  changed_when: no
+  tags:
+    - acmetool
+    - config
+- name: initially configure acmetool
+  command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
+  when: not acmetool_status.stdout|search(acmetool_endpoint)
+  tags:
+    - acmetool
+    - config
+- name: ensure acmetool reloads the right service 
+  copy:
+    src: reload-config
+    dest: /etc/default/acme-reload
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+- name: ensure we can modify the systemd unit
+  file:
+    path: /etc/systemd/system/acmetool.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+- name: ensure systemd waits for the right service
+  copy:
+    src: service-after.conf
+    dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+- name: ensure the desired certificates are configured
+  template:
+    src: desired.conf
+    dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items: "{{acmetool_certificates}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+- name: ensure certificates are updated regularly
+  systemd: name=acmetool.timer enabled=yes state=started
+  tags:
+    - acmetool
+    - services
--- a/acmetool/templates/desired.conf
+++ b/acmetool/templates/desired.conf
+satisfy:
+  names:
+{% for hostname in item.hostnames %}
+    - {{hostname}}
+{% endfor %}
--- a/acmetool/templates/response-file.yml
+++ b/acmetool/templates/response-file.yml
+"acme-enter-email": "{{adminaddr}}"
+"acme-agreement:{{(lookup('url', acmetool_endpoint, split_lines=False)|from_json)['meta']['terms-of-service']}}": true
+"acmetool-quickstart-choose-server": "{{acmetool_endpoint}}"
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-key-type": {{acmetool_key_type}}
+{% if acmetool_key_type == "rsa" %}
+"acmetool-quickstart-rsa-key-size": {{acmetool_rsa_key_size}}
+{% endif %}
+"acmetool-quickstart-install-haproxy-script": false
+# systemd does that
+"acmetool-quickstart-install-cronjob": false
+# we use webroot
+"acmetool-quickstart-install-redirector-systemd": false