author | Christian Pointner <equinox@spreadspace.org> | 2023-08-22 19:53:49 +0200 |
---|---|---|
committer | Christian Pointner <equinox@spreadspace.org> | 2023-08-22 19:53:49 +0200 |
commit | fc5d0657bfcba53ace230ff2ada64b7fcf9b97a3 (patch) | |
tree | 350a8d401e0113bff7d78aee4d8547cddf06b8f7 /roles/x509/acmetool/cert | |
parent | fix docker for debian bookworm+ (diff) | |
parent | some more cleanup for acme specific variables (diff) |
Merge branch 'topic/uacme'
Diffstat (limited to 'roles/x509/acmetool/cert')
-rw-r--r-- | roles/x509/acmetool/cert/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/finalize/defaults/main.yml | 5 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/finalize/handlers/main.yml (renamed from roles/x509/acmetool/cert/handlers/main.yml) | 1 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/finalize/tasks/main.yml (renamed from roles/x509/acmetool/cert/tasks/main.yml) | 2 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py (renamed from roles/x509/acmetool/cert/filter_plugins/acme_certs.py) | 0 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/handlers/main.yml | 10 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/tasks/main.yml | 79 | ||||
-rw-r--r-- | roles/x509/acmetool/cert/prepare/templates/reload.sh.j2 | 31 |
10 files changed, 133 insertions, 3 deletions
diff --git a/roles/x509/acmetool/cert/defaults/main.yml b/roles/x509/acmetool/cert/defaults/main.yml
deleted file mode 100644
index ab0afaa3..00000000
--- a/roles/x509/acmetool/cert/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-acmetool_reconcile_disabled: false
diff --git a/roles/x509/acmetool/cert/finalize/defaults/main.yml b/roles/x509/acmetool/cert/finalize/defaults/main.yml
new file mode 100644
index 00000000..b9a80136
--- /dev/null
+++ b/roles/x509/acmetool/cert/finalize/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}"
+acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"
+
+acmetool_reconcile_disabled: false
diff --git a/roles/x509/acmetool/cert/handlers/main.yml b/roles/x509/acmetool/cert/finalize/handlers/main.yml
index a7fc43ed..02ffa598 100644
--- a/roles/x509/acmetool/cert/handlers/main.yml
+++ b/roles/x509/acmetool/cert/finalize/handlers/main.yml
@@ -2,5 +2,6 @@ - name: reconcile acmetool when: not acmetool_reconcile_disabled systemd: + daemon_reload: yes name: acmetool.service state: started
diff --git a/roles/x509/acmetool/cert/tasks/main.yml b/roles/x509/acmetool/cert/finalize/tasks/main.yml
index 09980dad..abb2d4cb 100644
--- a/roles/x509/acmetool/cert/tasks/main.yml
+++ b/roles/x509/acmetool/cert/finalize/tasks/main.yml
@@ -3,7 +3,7 @@ vars: acmetool_cert_satisfy: satisfy: - names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}" + names: "{{ acmetool_cert_hostnames }}" copy: content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}" dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
diff --git a/roles/x509/acmetool/cert/meta/main.yml b/roles/x509/acmetool/cert/meta/main.yml
new file mode 100644
index 00000000..472f5a8c
--- /dev/null
+++ b/roles/x509/acmetool/cert/meta/main.yml
@@ -0,0 +1,4 @@
+---
+dependencies:
+ - role: x509/acmetool/cert/prepare
+ - role: x509/acmetool/cert/finalize 
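Review bot: The added `daemon_reload: yes` in the finalize handler uses a YAML 1.1 truthy word where the rest of the role writes real booleans (`acmetool_reconcile_disabled: false`, `changed_when: false`); `daemon_reload: true` is the canonical spelling and what yamllint's truthy rule expects. The same `yes` appears in the new prepare/handlers `reload systemd` handler further down. Both handlers now issue a daemon-reload, which is harmless, but a one-line comment on the finalize handler saying why it reloads again (the prepare handler may not have fired on this run) would save the next reader from treating one of them as redundant.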
diff --git a/roles/x509/acmetool/cert/prepare/defaults/main.yml b/roles/x509/acmetool/cert/prepare/defaults/main.yml
new file mode 100644
index 00000000..d4eb7c86
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+acmetool_cert_hostnames: "{{ x509_certificate_hostnames }}"
diff --git a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
index 179f71e9..179f71e9 100644
--- a/roles/x509/acmetool/cert/filter_plugins/acme_certs.py
+++ b/roles/x509/acmetool/cert/prepare/filter_plugins/acme_certs.py
diff --git a/roles/x509/acmetool/cert/prepare/handlers/main.yml b/roles/x509/acmetool/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..330bcd11
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: reload systemd
+ systemd:
+ daemon_reload: yes
+
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
new file mode 100644
index 00000000..2db332b8
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml 
@@ -0,0 +1,79 @@
+---
+- name: check if acme certs already exist
+ loop: "{{ acmetool_cert_hostnames }}"
+ loop_control:
+ loop_var: acme_hostname
+ stat:
+ path: "/var/lib/acme/live/{{ acme_hostname }}"
+ register: acme_cert_stat
+
+- name: set acmecert_missing_hostnames variable
+ set_fact:
+ acmecert_missing_hostnames: "{{ acme_cert_stat.results | acme_cert_nonexistent(acmetool_cert_hostnames) }}"
+
+- name: link nonexistent hostnames to self-signed interim cert
+ when: acmecert_missing_hostnames | length > 0
+ block:
+ - name: get id of existing selfsigned interim certificate
+ command: cat /var/lib/acme/.selfsigned-interim-cert
+ changed_when: false
+ check_mode: false
+ register: selfsigned_interim_cert_id
+
+ - name: set selfsigned_interim_cert_id variable
+ set_fact:
+ selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
+
+ - name: link to snakeoil cert for nonexistent hostnames
+ loop: "{{ acmecert_missing_hostnames }}"
+ loop_control:
+ loop_var: acme_missing_hostname
+ file:
+ src: "../certs/{{ selfsigned_interim_cert_id }}"
+ dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
+ state: link
+ notify: reload services for x509 certificates
+
+- name: export paths to certificate files
+ set_fact:
+ x509_certificate_path_key: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/privkey"
+ x509_certificate_path_cert: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/cert"
+ x509_certificate_path_chain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/chain"
+ x509_certificate_path_fullchain: "/var/lib/acme/live/{{ acmetool_cert_hostnames[0] }}/fullchain"
+
+- name: setup custom renewal script
+ when: x509_certificate_renewal is defined
+ block:
+ - name: install custom hook script
+ template:
+ src: reload.sh.j2
+ dest: "/etc/acme/hooks/{{ x509_certificate_name }}"
+ mode: 0755
+
+ - name: install acmetool systemd unit snippet
+ when: "'install' in x509_certificate_renewal"
+ copy:
+ dest: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ content: |
+ [Service]
+ {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %}
+ ReadWritePaths={{ path }}
+ {% endfor %}
+ notify: reload systemd
+
+ - name: remove acmetool systemd unit snippet
+ when: "'install' not in x509_certificate_renewal"
+ file:
+ path: "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ state: absent
+ notify: reload systemd
+
+- name: remove custom renewal script
+ when: x509_certificate_renewal is not defined
+ loop:
+ - "/etc/systemd/system/acmetool.service.d/{{ x509_certificate_name }}.conf"
+ - "/etc/acme/hooks/{{ x509_certificate_name }}"
+ file:
+ path: "{{ item }}"
+ state: absent
+ notify: reload systemd
diff --git a/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2 b/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2
new file mode 100644
index 00000000..f4b8259e
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/templates/reload.sh.j2 
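Review bot: The new prepare tasks use `x509_certificate_name` bare in the hook path, the `acmetool.service.d` snippet path and the final removal loop, while finalize/defaults in the same merge treats it as optional (`x509_certificate_name | default(acmetool_cert_hostnames[0])`); on a host that declares hostnames but no name, the `remove custom renewal script` task will fail with an undefined variable even though its `when` would skip it, because the loop list is templated before `when` is evaluated per item. Mirror the finalize default in prepare/defaults, `acmetool_cert_name: "{{ x509_certificate_name | default(acmetool_cert_hostnames[0]) }}"`, and use `{{ acmetool_cert_name }}` in those four paths so both halves of the role agree on the file names. Two smaller points: `mode: 0755` on the hook template should be quoted as `mode: "0755"` so it does not depend on YAML 1.1 octal parsing, and `register: selfsigned_interim_cert_id` followed by a `set_fact` of the same name replaces the command result with its stdout, which works but reads as if the fact were set twice; `slurp` on `/var/lib/acme/.selfsigned-interim-cert` would give the id without a command task and a rename.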
@@ -0,0 +1,31 @@
+#!/bin/sh
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+MAIN_HOSTNAME="{{ acmetool_cert_hostnames[0] }}"
+
+while read name; do
+ certdir="$ACME_STATE_DIR/live/$name"
+ if [ -z "$name" -o ! -e "$certdir" ]; then
+ continue
+ fi
+ if [ "$name" != "$MAIN_HOSTNAME" ]; then
+ continue
+ fi
+{% if 'install' in x509_certificate_renewal %}
+
+{% for file in x509_certificate_renewal.install %}
+ install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new"
+{% for src in file.src %}
+ cat "{{ hostvars[inventory_hostname]['x509_certificate_path_' + src] }}" >> "{{ file.dest }}.new"
+ mv "{{ file.dest }}.new" "{{ file.dest }}"
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if 'reload' in x509_certificate_renewal %}
+
+ {{ x509_certificate_renewal.reload | trim | indent(2) }}
+{% endif %}
+ break
+done |
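Review bot: The `install` line tests `'owner' in file` twice, so `-g {{ file.group }}` is emitted whenever `owner` is set and rendering fails on an entry that has `owner` but no `group`, while a `group` given without `owner` is silently dropped; the second guard should read `{% if 'group' in file %} -g {{ file.group }}{% endif %}`. The `mv` also sits inside the `{% for src in file.src %}` loop, so with more than one source every iteration after the first re-creates `{{ file.dest }}.new` through the `>>` redirect with the process umask rather than the `install -m`/`-o`/`-g` attributes, and the final file holds only the last source — a combined key-plus-chain entry would end up without the key or with the key under default permissions depending on order; move `mv "{{ file.dest }}.new" "{{ file.dest }}"` to just after the inner `{% endfor %}`. Minor: `read -r name` and two `[ ]` tests joined by `||` avoid the obsolescent `-o` form in `[ -z "$name" -o ! -e "$certdir" ]`.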