diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..44070a08d88e9edfe9a6ac7135a52be177f26c46
--- /dev/null
+++ b/acmetool/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# file: acmetool/defaults/main.yml
+
+acmetool_endpoint: "https://acme-v01.api.letsencrypt.org/directory"
+acmetool_key_type: rsa
+acmetool_rsa_key_size: 4096
diff --git a/acmetool/files/reload-config b/acmetool/files/reload-config
new file mode 100644
index 0000000000000000000000000000000000000000..69e9fdf51ede4a9e8a69f58a3d74f2e7f14d5dbd
--- /dev/null
+++ b/acmetool/files/reload-config
@@ -0,0 +1 @@
+SERVICES="nginx-proxy"
diff --git a/acmetool/files/service-after.conf b/acmetool/files/service-after.conf
new file mode 100644
index 0000000000000000000000000000000000000000..a54ec72b702a5b82200d813310d1f8f5fc2fe5e0
--- /dev/null
+++ b/acmetool/files/service-after.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=nginx-proxy.service
diff --git a/acmetool/handlers/main.yml b/acmetool/handlers/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..77446560d0582e1529f59e0aa4ce58cac8e721eb
--- /dev/null
+++ b/acmetool/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# file: acmetool/handlers/main.yml
+
+- name: reload systemd service files
+ systemd: daemon_reload=yes
+
+- name: update certificates
+ systemd: name=acmetool.service state=started
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
new file mode 100644
index 0000000000000000000000000000000000000000..5cc6ef4cd67433f654ca73037bcf8ab3e9521f4e
--- /dev/null
+++ b/acmetool/tasks/main.yml
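Review bot: `acmetool_endpoint` defaults to the ACMEv1 directory (`acme-v01.api.letsencrypt.org`), which Let's Encrypt has since retired, so account creation through this default will fail on a current deployment even though it may have been the only endpoint acmetool supported when this was written. If the packaged acmetool supports it, switch the default to `acmetool_endpoint: "https://acme-v02.api.letsencrypt.org/directory"`; otherwise document that operators must override it. A short comment would also help here, since the size only takes effect through the response-file template's `{% if acmetool_key_type == "rsa" %}` branch: `# acmetool_rsa_key_size is only used when acmetool_key_type is "rsa"`.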
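Review bot: `After=nginx-proxy.service` only orders acmetool.service behind nginx-proxy when both are scheduled; it does not pull nginx-proxy in, so a timer-triggered run on a host where nginx-proxy is stopped proceeds anyway and the webroot challenge has nothing serving `/var/run/acme/acme-challenge`. If the intent of "ensure systemd waits for the right service" is that the proxy is actually up, add `Wants=nginx-proxy.service` next to the `After=` line (or `Requires=` if a missing proxy should fail the run outright). That keeps the ordering and makes the dependency explicit in the drop-in.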
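Review bot: Both handlers use the `key=value` shorthand (`systemd: daemon_reload=yes`, `systemd: name=acmetool.service state=started`) and the YAML-1.1 truthy `yes`, which is the form ansible-lint and yamllint both flag; the rest of the role already writes module arguments as block YAML, so these should match. Rewrite them as `systemd:` followed by `daemon_reload: true` and, for the second handler, `name: acmetool.service` / `state: started`. Whether `state: started` re-runs the unit when the handler fires depends on how the packaged acmetool.service is defined (oneshot without `RemainAfterExit`), which is not visible here; a one-line comment stating that assumption, `# acmetool.service is a oneshot, so "started" re-runs it`, would help the next maintainer verify it.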
@@ -0,0 +1,91 @@
+---
+# file: acmetool/tasks/main.yml
+
+- name: ensure acmetool is installed
+ apt: name=acmetool state=present
+ tags:
+ - acmetool
+ - packages
+
+- name: ensure we have our response file
+ template:
+ src: response-file.yml
+ dest: /var/lib/acme/quickstart-reponses.yml
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - acmetool
+ - config
+
+- name: check if acmetool is configured
+ command: acmetool status
+ register: acmetool_status
+ changed_when: no
+ tags:
+ - acmetool
+ - config
+
+- name: initially configure acmetool
+ command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
+ when: not acmetool_status.stdout|search(acmetool_endpoint)
+ tags:
+ - acmetool
+ - config
+
+- name: ensure acmetool reloads the right service
+ copy:
+ src: reload-config
+ dest: /etc/default/acme-reload
+ owner: root
+ group: root
+ mode: 0644
+ tags:
+ - acmetool
+ - config
+
+- name: ensure we can modify the systemd unit
+ file:
+ path: /etc/systemd/system/acmetool.service.d
+ state: directory
+ owner: root
+ group: root
+ mode: 0755
+ notify:
+ - reload systemd service files
+ tags:
+ - acmetool
+ - services
+
+- name: ensure systemd waits for the right service
+ copy:
+ src: service-after.conf
+ dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
+ owner: root
+ group: root
+ mode: 0644
+ notify:
+ - reload systemd service files
+ tags:
+ - acmetool
+ - services
+
+- name: ensure the desired certificates are configured
+ template:
+ src: desired.conf
+ dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"
+ owner: root
+ group: root
+ mode: 0644
+ with_items: "{{acmetool_certificates}}"
+ notify:
+ - update certificates
+ tags:
+ - acmetool
+ - certificates
+
+- name: ensure certificates are updated regularly
+ systemd: name=acmetool.timer enabled=yes state=started
+ tags:
+ - acmetool
+ - services
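Review bot: `dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"` splices an inventory value straight into a filesystem path, so an entry containing `/` or `..` would write outside the desired directory and an empty `hostnames` list presumably fails the template task with an undefined index; guard it with `dest: "/var/lib/acme/desired/{{ item.hostnames[0] | basename }}"` or an `assert` task that checks each `item.hostnames` is non-empty and slash-free. The loop also only ever creates files, so a certificate removed from `acmetool_certificates` leaves its desired file behind and acmetool keeps renewing those names until someone deletes it by hand; a companion task that removes desired files not in the current list would make the role converge. The `when: not acmetool_status.stdout|search(acmetool_endpoint)` test treats the endpoint as a regex, which works for the default URL but matches more loosely than intended because of the dots; `'in'` or `search(acmetool_endpoint | regex_escape)` is the exact check. A minor point: `quickstart-reponses.yml` is misspelled consistently in both tasks, so it works, but correcting it to `quickstart-responses.yml` now is cheaper than after other roles reference the path.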
diff --git a/acmetool/templates/desired.conf b/acmetool/templates/desired.conf
new file mode 100644
index 0000000000000000000000000000000000000000..eae3c4032c524081e03e7ca5b2491882d6fbd120
--- /dev/null
+++ b/acmetool/templates/desired.conf
@@ -0,0 +1,6 @@
+satisfy:
+ names:
+{% for hostname in item.hostnames %}
+ - {{hostname}}
+{% endfor %}
+
diff --git a/acmetool/templates/response-file.yml b/acmetool/templates/response-file.yml
new file mode 100644
index 0000000000000000000000000000000000000000..ab5538b0a383847bc27e75b1d251eb4110306a5c
--- /dev/null
+++ b/acmetool/templates/response-file.yml
@@ -0,0 +1,14 @@
+"acme-enter-email": "{{adminaddr}}"
+"acme-agreement:{{(lookup('url', acmetool_endpoint, split_lines=False)|from_json)['meta']['terms-of-service']}}": true
+"acmetool-quickstart-choose-server": "{{acmetool_endpoint}}"
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-key-type": {{acmetool_key_type}}
+{% if acmetool_key_type == "rsa" %}
+"acmetool-quickstart-rsa-key-size": {{acmetool_rsa_key_size}}
+{% endif %}
+"acmetool-quickstart-install-haproxy-script": false
+# systemd does that
+"acmetool-quickstart-install-cronjob": false
+# we use webroot
+"acmetool-quickstart-install-redirector-systemd": false
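Review bot: The `acme-agreement:` key fetches the ACME directory with `lookup('url', acmetool_endpoint, ...)` at render time and answers `true` to whatever `meta.terms-of-service` URL the server returns, so a changed agreement is accepted without anyone reading it, and because lookups run on the control node the play now needs outbound HTTPS from the controller to the CA and fails hard when that is unavailable. Pin the accepted URL as a role variable instead, e.g. `acmetool_agreement_url` in defaults, and write the key as `"acme-agreement:{{acmetool_agreement_url}}": true`, so a new ToS surfaces as a deliberate variable change. If the lookup stays, leave its default certificate validation enabled and add a comment above the line saying the controller, not the target, performs the fetch; that is the only thing keeping a spoofed directory from injecting the agreement URL. A small style point: `{{acmetool_key_type}}` and `{{acmetool_rsa_key_size}}` are unquoted while every other templated value on this page is quoted, and `"{{acmetool_key_type}}"` is the safer, consistent form.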