authorChristian Pointner <equinox@spreadspace.org>2023-08-22 19:53:49 +0200
committerChristian Pointner <equinox@spreadspace.org>2023-08-22 19:53:49 +0200
commitfc5d0657bfcba53ace230ff2ada64b7fcf9b97a3 (patch)
tree350a8d401e0113bff7d78aee4d8547cddf06b8f7 /roles/apps/mumble
parentfix docker for debian bookworm+ (diff)
parentsome more cleanup for acme specific variables (diff)
Merge branch 'topic/uacme'
Diffstat (limited to 'roles/apps/mumble')
-rw-r--r--roles/apps/mumble/defaults/main.yml3
-rw-r--r--roles/apps/mumble/tasks/main.yml49
-rw-r--r--roles/apps/mumble/templates/acmetool-reload.sh.j228
3 files changed, 28 insertions, 52 deletions
diff --git a/roles/apps/mumble/defaults/main.yml b/roles/apps/mumble/defaults/main.yml
index 627af125..c9cd9db3 100644
--- a/roles/apps/mumble/defaults/main.yml
+++ b/roles/apps/mumble/defaults/main.yml
@@ -14,6 +14,9 @@ mumble_dhparam_size: 2048
mumble_timezone: "Europe/Vienna"
+# mumble_tls:
+# certificate_provider: ...
+
mumble_config_options:
bonjour: false
sslCiphers: "ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES256:DHE+AES256:ECDHE+AES128:DHE+AES128:!RSA:!ADH:!AECDH:!MD5"
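Review bot: The new `mumble_tls` stub documents only the key name, yet `tasks/main.yml` dereferences `mumble_tls.certificate_provider` with no default, so a host missing the variable fails with a generic undefined-variable error rather than a role-level message. Expand the comment to say the variable is required and which providers are valid, e.g. `# mumble_tls:            (required)` / `#   certificate_provider: acmetool | ...   # must match a roles/x509/<provider>/cert role`; I can only see `acmetool` as a former provider and infer `uacme` from the branch name, so fill in the actual list from roles/x509.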
diff --git a/roles/apps/mumble/tasks/main.yml b/roles/apps/mumble/tasks/main.yml
index 33331dca..5b380725 100644
--- a/roles/apps/mumble/tasks/main.yml
+++ b/roles/apps/mumble/tasks/main.yml
@@ -27,31 +27,32 @@
group: mumble
mode: 0644
-- name: install acmetool hook script
- template:
- src: acmetool-reload.sh.j2
- dest: "/etc/acme/hooks/mumble-{{ mumble_instance }}"
- mode: 0755
-
-- name: install acmetool systemd unit snippet
- copy:
- dest: "/etc/systemd/system/acmetool.service.d/mumble-{{ mumble_instance }}.conf"
- content: |
- [Service]
- ReadWritePaths={{ mumble_base_path }}/{{ mumble_instance }}/ssl
- register: mumble_acmetool_snippet
-
-- name: reload systemd
- when: mumble_acmetool_snippet is changed
- systemd:
- daemon_reload: yes
-
-- name: get certificate using acmetool
- import_role:
- name: x509/acmetool/cert
+- name: generate/install/fetch TLS certificate
vars:
- acmetool_cert_name: "mumble-{{ mumble_instance }}"
- acmetool_cert_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_name: "mumble-{{ mumble_instance }}"
+ x509_certificate_hostnames: "{{ mumble_hostnames }}"
+ x509_certificate_renewal:
+ install:
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/cert.pem"
+ src:
+ - fullchain
+ owner: root
+ group: mumble
+ mode: "0644"
+ - dest: "{{ mumble_base_path }}/{{ mumble_instance }}/ssl/privkey.pem"
+ src:
+ - key
+ owner: root
+ group: mumble
+ mode: "0640"
+ reload: |
+ pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
+ [ -n "$pod_id" ] || exit 42
+ container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
+ [ -n "$container_id" ] || exit 42
+ crictl exec "$container_id" kill -USR1 1
+ include_role:
+ name: "x509/{{ mumble_tls.certificate_provider }}/cert"
- name: create mumble data directory
file:
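Review bot: The `|| exit 42` guards in the new inline `reload` script keep acmetool's hook-specific "not applicable" status, but this script now runs under whichever provider `mumble_tls.certificate_provider` selects, and I cannot see from this hunk whether the x509 renewal wrapper treats 42 as a no-op for every provider; if it does not, a node whose mumble pod is not ready will be reported as a failed reload on every renewal. Confirm that mapping in the x509 role, or make the intent explicit with `exit 0` plus a short message to stderr. The deleted hook ran under `set -e`, whereas the inline script has no such line, so a failing `crictl ps` or `crictl exec` is only reported because it happens to be the last command — add `set -e` as the first line unless the wrapper already supplies it. Since `mumble_tls` has no default, an `assert` task before this one with `that: mumble_tls.certificate_provider is defined` and a `fail_msg` naming the variable would fail faster and more clearly than the undefined-variable error raised at `include_role`.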
diff --git a/roles/apps/mumble/templates/acmetool-reload.sh.j2 b/roles/apps/mumble/templates/acmetool-reload.sh.j2
deleted file mode 100644
index fd9f01ba..00000000
--- a/roles/apps/mumble/templates/acmetool-reload.sh.j2
+++ /dev/null
@@ -1,28 +0,0 @@
-#!/bin/sh
-set -e
-EVENT_NAME="$1"
-[ "$EVENT_NAME" = "live-updated" ] || exit 42
-
-MAIN_HOSTNAME="{{ mumble_hostnames[0] }}"
-SSL_D="{{ mumble_base_path }}/{{ mumble_instance }}/ssl"
-
-while read name; do
- certdir="$ACME_STATE_DIR/live/$name"
- if [ -z "$name" -o ! -e "$certdir" ]; then
- continue
- fi
- if [ "$name" != "$MAIN_HOSTNAME" ]; then
- continue
- fi
-
- install -m 0644 -o root -g mumble "$certdir/fullchain" "$SSL_D/cert.pem"
- install -m 0640 -o root -g mumble "$certdir/privkey" "$SSL_D/privkey.pem"
-
- pod_id=$(crictl pods -q --state ready --name "^mumble-{{ mumble_instance }}-{{ ansible_nodename }}$")
- [ -n "$pod_id" ] || exit 42
- container_id=$(crictl ps -q --name '^mumble$' -p "$pod_id")
- [ -n "$container_id" ] || exit 42
- crictl exec "$container_id" kill -USR1 1
-
- break
-done