From 7503a408f4c4214080ccb679d085b4412e72ebc7 Mon Sep 17 00:00:00 2001
From: Robin Sonnabend <robin@fsmpi.rwth-aachen.de>
Date: Sat, 10 Mar 2018 17:10:25 +0100
Subject: [PATCH] Add acmetool role for Let's Encrypt certificates

---
 acmetool/defaults/main.yml           |  6 ++
 acmetool/files/reload-config         |  1 +
 acmetool/files/service-after.conf    |  2 +
 acmetool/handlers/main.yml           |  8 +++
 acmetool/tasks/main.yml              | 91 ++++++++++++++++++++++++++++
 acmetool/templates/desired.conf      |  6 ++
 acmetool/templates/response-file.yml | 14 +++++
 7 files changed, 128 insertions(+)
 create mode 100644 acmetool/defaults/main.yml
 create mode 100644 acmetool/files/reload-config
 create mode 100644 acmetool/files/service-after.conf
 create mode 100644 acmetool/handlers/main.yml
 create mode 100644 acmetool/tasks/main.yml
 create mode 100644 acmetool/templates/desired.conf
 create mode 100644 acmetool/templates/response-file.yml

diff --git a/acmetool/defaults/main.yml b/acmetool/defaults/main.yml
new file mode 100644
index 0000000..44070a0
--- /dev/null
+++ b/acmetool/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+# file: acmetool/defaults/main.yml
+
+acmetool_endpoint: "https://acme-v01.api.letsencrypt.org/directory"
+acmetool_key_type: rsa
+acmetool_rsa_key_size: 4096
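Review bot: The tasks file iterates `with_items: "{{acmetool_certificates}}"` and the response-file template reads `adminaddr`, yet neither variable gets a default in this file, so the role aborts with an undefined-variable error on any host that does not set both. Adding `acmetool_certificates: []` here would let the role install and configure acmetool without issuing any certificate yet; `adminaddr` looks like a site-wide variable, so a comment documenting that expectation would suffice, e.g. `# requires: adminaddr (contact address registered with the CA), acmetool_certificates (list of {hostnames: [...]})`. Separately, the `acme-v01` directory used as the default endpoint has since been retired by Let's Encrypt, so this default will have to move to the ACME v2 directory URL.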
diff --git a/acmetool/files/reload-config b/acmetool/files/reload-config
new file mode 100644
index 0000000..69e9fdf
--- /dev/null
+++ b/acmetool/files/reload-config
@@ -0,0 +1 @@
+SERVICES="nginx-proxy"
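Review bot: `SERVICES="nginx-proxy"` hardcodes the service the acme-reload hook restarts, and service-after.conf in the next hunk hardcodes the same unit in `After=nginx-proxy.service`, so the role cannot be reused on a host whose web server has a different unit name, and the two files can drift apart. Moving both into `templates/` and rendering them from a single role variable (for example `acmetool_reload_services`, a constructed name, defaulting to `nginx-proxy` in defaults/main.yml) keeps the hook and the ordering dependency in sync. A one-line comment in each file naming that variable would make the coupling visible.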
diff --git a/acmetool/files/service-after.conf b/acmetool/files/service-after.conf
new file mode 100644
index 0000000..a54ec72
--- /dev/null
+++ b/acmetool/files/service-after.conf
@@ -0,0 +1,2 @@
+[Unit]
+After=nginx-proxy.service
diff --git a/acmetool/handlers/main.yml b/acmetool/handlers/main.yml
new file mode 100644
index 0000000..7744656
--- /dev/null
+++ b/acmetool/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+# file: acmetool/handlers/main.yml
+
+- name: reload systemd service files
+  systemd: daemon_reload=yes
+
+- name: update certificates
+  systemd: name=acmetool.service state=started
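Review bot: Both handlers use the `key=value` shorthand (`systemd: daemon_reload=yes`, `systemd: name=acmetool.service state=started`) while tasks/main.yml uses block YAML for module arguments; for consistency, and to avoid the `yes` truthy spelling, write `systemd:` with `daemon_reload: true` and `name: acmetool.service` / `state: started` as nested keys. The `update certificates` handler deserves a comment such as `# acmetool.service is expected to be a oneshot run; state: started only triggers it when the unit is not already active`, since I cannot confirm the unit type from here and a still-active run would make the notification a no-op.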
diff --git a/acmetool/tasks/main.yml b/acmetool/tasks/main.yml
new file mode 100644
index 0000000..5cc6ef4
--- /dev/null
+++ b/acmetool/tasks/main.yml
@@ -0,0 +1,91 @@
+---
+# file: acmetool/tasks/main.yml
+
+- name: ensure acmetool is installed
+  apt: name=acmetool state=present
+  tags:
+    - acmetool
+    - packages
+
+- name: ensure we have our response file
+  template:
+    src: response-file.yml
+    dest: /var/lib/acme/quickstart-reponses.yml
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+
+- name: check if acmetool is configured
+  command: acmetool status
+  register: acmetool_status
+  changed_when: no
+  tags:
+    - acmetool
+    - config
+
+- name: initially configure acmetool
+  command: acmetool quickstart --expert --batch --response-file /var/lib/acme/quickstart-reponses.yml
+  when: not acmetool_status.stdout|search(acmetool_endpoint)
+  tags:
+    - acmetool
+    - config
+
+- name: ensure acmetool reloads the right service 
+  copy:
+    src: reload-config
+    dest: /etc/default/acme-reload
+    owner: root
+    group: root
+    mode: 0644
+  tags:
+    - acmetool
+    - config
+
+- name: ensure we can modify the systemd unit
+  file:
+    path: /etc/systemd/system/acmetool.service.d
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+
+- name: ensure systemd waits for the right service
+  copy:
+    src: service-after.conf
+    dest: /etc/systemd/system/acmetool.service.d/nginx-proxy.conf
+    owner: root
+    group: root
+    mode: 0644
+  notify:
+    - reload systemd service files
+  tags:
+    - acmetool
+    - services
+
+- name: ensure the desired certificates are configured
+  template:
+    src: desired.conf
+    dest: "/var/lib/acme/desired/{{item.hostnames[0]}}"
+    owner: root
+    group: root
+    mode: 0644
+  with_items: "{{acmetool_certificates}}"
+  notify:
+    - update certificates
+  tags:
+    - acmetool
+    - certificates
+
+- name: ensure certificates are updated regularly
+  systemd: name=acmetool.timer enabled=yes state=started
+  tags:
+    - acmetool
+    - services
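Review bot: Every `mode: 0644` / `mode: 0755` in this hunk is an unquoted octal literal; PyYAML reads `0644` as the integer 420, which happens to be the intended value, but Ansible's own guidance is to quote file modes (`mode: "0644"`, `mode: "0755"`) so a later edit such as `644` does not silently become decimal 644 (`0o1204`). The `when:` on `initially configure acmetool` applies `search` as a filter; as far as I know newer Ansible releases accept it only as a test, so `when: acmetool_status.stdout is not search(acmetool_endpoint)` is the portable form (the dots in the endpoint are regex metacharacters, so an exact-substring test via `in` would be stricter). `quickstart-reponses.yml` is spelled consistently in `dest` and in the command, but `quickstart-responses.yml` is presumably the intended name. `changed_when: no` should be `changed_when: false`, and the task name `ensure acmetool reloads the right service` carries a trailing space.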
diff --git a/acmetool/templates/desired.conf b/acmetool/templates/desired.conf
new file mode 100644
index 0000000..eae3c40
--- /dev/null
+++ b/acmetool/templates/desired.conf
@@ -0,0 +1,6 @@
+satisfy:
+  names:
+{% for hostname in item.hostnames %}
+    - {{hostname}}
+{% endfor %}
+    
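Review bot: The `- {{hostname}}` entry is rendered as an unquoted YAML scalar, and the last line of the template is whitespace only, so every generated desired file ends with a stray indented blank line. Quoting the value (`- "{{ hostname }}"`) guards against a hostname that YAML would retype, and the trailing whitespace line should simply be deleted. Whether acmetool's desired-file parser tolerates the extra line I cannot tell from here.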
diff --git a/acmetool/templates/response-file.yml b/acmetool/templates/response-file.yml
new file mode 100644
index 0000000..ab5538b
--- /dev/null
+++ b/acmetool/templates/response-file.yml
@@ -0,0 +1,14 @@
+"acme-enter-email": "{{adminaddr}}"
+"acme-agreement:{{(lookup('url', acmetool_endpoint, split_lines=False)|from_json)['meta']['terms-of-service']}}": true
+"acmetool-quickstart-choose-server": "{{acmetool_endpoint}}"
+"acmetool-quickstart-choose-method": webroot
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-key-type": {{acmetool_key_type}}
+{% if acmetool_key_type == "rsa" %}
+"acmetool-quickstart-rsa-key-size": {{acmetool_rsa_key_size}}
+{% endif %}
+"acmetool-quickstart-install-haproxy-script": false
+# systemd does that
+"acmetool-quickstart-install-cronjob": false
+# we use webroot
+"acmetool-quickstart-install-redirector-systemd": false
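Review bot: The `acme-agreement:...: true` line accepts, at template-render time, whatever terms-of-service URL the directory advertises, through a `lookup('url', ...)` that executes on the control node; that auto-accept is deliberate but undocumented and deserves a comment, e.g. `# Accepts the ToS URL currently advertised by acmetool_endpoint; the lookup runs on the controller and needs outbound HTTPS from there`. If the CA publishes new terms, the rendered key changes and a re-run of `quickstart` is needed, which the tasks file only triggers through the `acmetool status` check. `"acmetool-quickstart-key-type": {{acmetool_key_type}}` is an unquoted templated value; `"{{ acmetool_key_type }}"` is the safer form, as an empty expansion would otherwise become null.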
-- 
GitLab