authorChristian Pointner <equinox@spreadspace.org>2018-10-05 17:57:33 +0200
committerChristian Pointner <equinox@spreadspace.org>2018-10-05 17:57:33 +0200
commitc4bc6125cfc6205838b87a519870c7874f522d66 (patch)
tree3b375fff86997825fc3fbdb3a6d0daf3bad40a00 /roles/acmetool/base
parentrefactor acmetool role (diff)
improved acmetool role
Diffstat (limited to 'roles/acmetool/base')
-rw-r--r--roles/acmetool/base/defaults/main.yml11
-rw-r--r--roles/acmetool/base/tasks/main.yml35
-rw-r--r--roles/acmetool/base/templates/acme-reload.j27
-rw-r--r--roles/acmetool/base/templates/responses.j22
-rw-r--r--roles/acmetool/base/templates/systemd-override.conf.j210
5 files changed, 64 insertions, 1 deletions
diff --git a/roles/acmetool/base/defaults/main.yml b/roles/acmetool/base/defaults/main.yml
index 409523da..c9a7107c 100644
--- a/roles/acmetool/base/defaults/main.yml
+++ b/roles/acmetool/base/defaults/main.yml
@@ -7,6 +7,17 @@ acmetool_directory_server_le_staging: "https://acme-staging.api.letsencrypt.org/
# acmetool_account_email:
acmetool_directory_server: "{{ acmetool_directory_server_le_staging }}"
+#### optionally set http(s)_proxy
+# acmetool_http_proxy:
+# acmetool_https_proxy:
+
acmetool_default_key_type: rsa
acmetool_default_rsa_key_size: 4096
acmetool_default_ecdsa_curve: nistp256
+
+### this defaults to '/var/run/acme/acme-challenge'
+# acmetool_challenge_webroot_path: "/path/to/acme-challenge"
+
+### by default a number of daemons are tried to be reloaded
+### an empty list disables reloading of any service
+# acmetool_reload_services: []
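Review bot: The comment `### by default a number of daemons are tried to be reloaded` does not say that leaving `acmetool_reload_services` undefined means this role writes no `/etc/default/acme-reload` at all (the task in tasks/main.yml is guarded by `when: acmetool_reload_services is defined`), so the "default" reload set is whatever acmetool itself ships, not something the role controls. A sentence such as `### when undefined, /etc/default/acme-reload is not managed and acmetool's built-in list applies` would make that explicit. As a point of style, the new section headings mix `####` and `###` while the existing file uses a single marker depth per section.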
diff --git a/roles/acmetool/base/tasks/main.yml b/roles/acmetool/base/tasks/main.yml
index c2fc2c6c..0a853133 100644
--- a/roles/acmetool/base/tasks/main.yml
+++ b/roles/acmetool/base/tasks/main.yml
@@ -19,7 +19,42 @@
src: responses.j2
dest: /var/lib/acme/conf/responses
+- name: create non-standard acmetool webroot path
+ file:
+ name: "{{ acmetool_challenge_webroot_path }}"
+ state: directory
+ when: acmetool_challenge_webroot_path is defined
+
- name: run quickstart to create account and default target configuration
command: acmetool --batch quickstart
+ environment:
+ http_proxy: "{{ acmetool_http_proxy | default(omit) }}"
+ https_proxy: "{{ acmetool_https_proxy | default(omit) }}"
args:
creates: /var/lib/acme/conf/target
+
+- name: install service reload configuration
+ template:
+ src: acme-reload.j2
+ dest: /etc/default/acme-reload
+ owner: root
+ group: root
+ mode: 0644
+ when: acmetool_reload_services is defined
+
+- name: create system unit snippet directory
+ file:
+ path: /etc/systemd/system/acmetool.service.d/
+ state: directory
+
+- name: install systemd unit snippet
+ template:
+ src: systemd-override.conf.j2
+ dest: /etc/systemd/system/acmetool.service.d/override.conf
+
+- name: enable/start systemd timer for acmetool
+ systemd:
+ name: acmetool.timer
+ state: started
+ enabled: yes
+ daemon_reload: yes
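Review bot: `mode: 0644` in the `install service reload configuration` task is a plain octal-looking scalar that PyYAML reads as the integer 420; Ansible accepts it only because of the leading zero, so writing it as a string, `mode: "0644"`, is the robust form and survives reformatters. For the same reason `enabled: yes` and `daemon_reload: yes` in the timer task would be better as `enabled: true` and `daemon_reload: true` (yamllint `truthy`). The `create non-standard acmetool webroot path` task creates the directory with whatever the process umask yields; since the web server must read it and acmetool writes into it, explicit `owner`/`group`/`mode` values would make the resulting permissions deterministic — the right values depend on which accounts acmetool and the web server run under, which this hunk does not show.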
diff --git a/roles/acmetool/base/templates/acme-reload.j2 b/roles/acmetool/base/templates/acme-reload.j2
new file mode 100644
index 00000000..a679bc7d
--- /dev/null
+++ b/roles/acmetool/base/templates/acme-reload.j2
@@ -0,0 +1,7 @@
+# This should contain a space-seperated list of services to be
+# reloaded after new certificates are generated. An empty list
+# disables reloading of any service
+#
+# example: SERVICES="apache2 nginx postfix"
+
+SERVICES="{{ acmetool_reload_services | join(' ') }}"
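Review bot: The template comment on the first line has a typo, `space-seperated` should be `space-separated`. The rendered `SERVICES="..."` line is a shell assignment, so a service name containing `"`, `$` or a backtick would be interpreted by whichever script sources this file rather than passed through verbatim; the list comes from inventory variables, so a comment stating the expectation, `# service names are inserted verbatim into a shell assignment; keep them plain`, is a reasonable alternative to escaping at render time.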
diff --git a/roles/acmetool/base/templates/responses.j2 b/roles/acmetool/base/templates/responses.j2
index a7bf2504..411455b8 100644
--- a/roles/acmetool/base/templates/responses.j2
+++ b/roles/acmetool/base/templates/responses.j2
@@ -2,7 +2,7 @@
"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
"acmetool-quickstart-choose-server": {{ acmetool_directory_server }}
"acmetool-quickstart-choose-method": webroot
-"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-webroot-path": "{{ acmetool_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}"
"acmetool-quickstart-complete": true
"acmetool-quickstart-install-cronjob": false
"acmetool-quickstart-install-haproxy-script": true
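Review bot: The new line hard-codes the fallback `/var/run/acme/acme-challenge` inside a Jinja `default()` while the same literal is repeated as a comment in defaults/main.yml, so the two can drift silently. Defining `acmetool_challenge_webroot_path` with that value in defaults and referencing it plainly here, `"acmetool-quickstart-webroot-path": "{{ acmetool_challenge_webroot_path }}"`, would keep one source of truth; the `is defined` guards in the tasks and the systemd snippet would then have to compare against the default instead, so this is a judgment call rather than a defect.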
diff --git a/roles/acmetool/base/templates/systemd-override.conf.j2 b/roles/acmetool/base/templates/systemd-override.conf.j2
new file mode 100644
index 00000000..aec6f034
--- /dev/null
+++ b/roles/acmetool/base/templates/systemd-override.conf.j2
@@ -0,0 +1,10 @@
+[Service]
+{% if acmetool_http_proxy is defined %}
+Environment=http_proxy={{ acmetool_http_proxy }}
+{% endif %}
+{% if acmetool_https_proxy is defined %}
+Environment=https_proxy={{ acmetool_https_proxy }}
+{% endif %}
+{% if acmetool_challenge_webroot_path is defined %}
+ReadWritePaths={{ acmetool_challenge_webroot_path }}
+{% endif %}
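Review bot: `Environment=http_proxy={{ acmetool_http_proxy }}` (and the https line below it) interpolates the proxy URL into a unit file without quoting or escaping, so a value containing whitespace breaks the assignment and any `%` — for example a percent-encoded character in embedded credentials — is consumed by systemd specifier expansion instead of reaching the process. Wrapping the value in double quotes, `Environment="http_proxy={{ acmetool_http_proxy }}"`, covers the whitespace case; `%` still needs doubling, e.g. `{{ acmetool_http_proxy | replace('%', '%%') }}`. If a proxy URL carries credentials they end up in a drop-in installed with the template module's default permissions, which deserves a comment at the top of this template. `ReadWritePaths=` only has an effect when the shipped acmetool.service restricts the filesystem (ProtectSystem= or similar), which this change does not show.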