-rw-r--r--roles/nginx/vhost/tasks/main.yml16
-rw-r--r--roles/x509/acmetool/cert/prepare/handlers/main.yml6
-rw-r--r--roles/x509/acmetool/cert/prepare/tasks/main.yml1
-rw-r--r--roles/x509/selfsigned/cert/prepare/handlers/main.yml6
-rw-r--r--roles/x509/selfsigned/cert/prepare/tasks/main.yml6
-rw-r--r--roles/x509/static/cert/prepare/handlers/main.yml6
-rw-r--r--roles/x509/static/cert/prepare/tasks/main.yml12
-rw-r--r--roles/x509/uacme/base/templates/uacme-reconcile.sh.j26
-rw-r--r--roles/x509/uacme/cert/prepare/handlers/main.yml6
-rw-r--r--roles/x509/uacme/cert/prepare/tasks/main.yml14
-rw-r--r--roles/x509/uacme/cert/prepare/templates/updated.sh.j217
11 files changed, 73 insertions, 23 deletions
diff --git a/roles/nginx/vhost/tasks/main.yml b/roles/nginx/vhost/tasks/main.yml
index 55544733..2c1f0f29 100644
--- a/roles/nginx/vhost/tasks/main.yml
+++ b/roles/nginx/vhost/tasks/main.yml
@@ -1,13 +1,14 @@
---
- name: ensure certificate exists (fake it, until you make it)
when: "'tls' in nginx_vhost"
- include_role:
- name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"
- public: true
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
- x509_notify_on_change: reload nginx
+ x509_certificate_reload_services:
+ - nginx
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/prepare"
+ public: true
- name: install nginx configs from template
when: "'template' in nginx_vhost"
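Review bot: Dropping `x509_notify_on_change: reload nginx` in favour of the `x509_certificate_reload_services` list means the nginx role's own `reload nginx` handler no longer runs on certificate change; the reload is now done by the x509 prepare role's generic `service: state: reloaded` handler. If `reload nginx` did anything beyond a plain reload — a config test before reloading, for instance — that step is lost for certificate-triggered reloads; that handler is not in this diff, so this is inferred. A comment on the `vars:` block would save the next reader the surprise, e.g. `# the reload is performed by the x509 prepare role's handler, not by 'reload nginx'`.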
@@ -39,9 +40,10 @@
meta: flush_handlers
- name: actually request the certificate
- include_role:
- name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize"
vars:
x509_certificate_name: "{{ nginx_vhost.name }}"
x509_certificate_hostnames: "{{ nginx_vhost.hostnames }}"
- x509_notify_on_change: reload nginx
+ x509_certificate_reload_services:
+ - nginx
+ include_role:
+ name: "x509/{{ nginx_vhost.tls.certificate_provider }}/cert/finalize"
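Review bot: `x509_certificate_reload_services` is now passed to the `cert/finalize` roles as well, but no `cert/finalize` file appears in the diffstat, so whatever those roles did with `x509_notify_on_change` is not updated by this commit. If a finalize role still uses `notify: "{{ x509_notify_on_change | default(omit) }}"`, a renewed certificate will trigger no reload at all from now on, because that variable is no longer set by this task. Either the finalize roles need the same handler file and `notify: reload services for x509 certificates` change, or `x509_notify_on_change: reload nginx` should keep being passed here until they are converted.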
diff --git a/roles/x509/acmetool/cert/prepare/handlers/main.yml b/roles/x509/acmetool/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..b169d6ca
--- /dev/null
+++ b/roles/x509/acmetool/cert/prepare/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
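Review bot: This handler file is byte-identical in four roles — the `index 00000000..b169d6ca` lines show the same blob for acmetool, selfsigned, static and uacme — and the handler carries the same name in each, so Ansible will keep only one definition per play; harmless today, but every future edit has to be repeated four times. A single shared handler with `listen: reload services for x509 certificates` in a common role would remove the duplication, and the prepare roles' `notify:` lines would not need to change. Separately, `state: reloaded` on a systemd unit that is not currently running fails rather than being a no-op, which can surface on first provisioning where the certificate is prepared before the service has ever been started; whether `restarted` or a guard on the unit's state is the right answer depends on the consumers, which are not visible here. The same applies to the selfsigned, static and uacme handler files in this diff.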
diff --git a/roles/x509/acmetool/cert/prepare/tasks/main.yml b/roles/x509/acmetool/cert/prepare/tasks/main.yml
index 146c5ac4..5bad1e5b 100644
--- a/roles/x509/acmetool/cert/prepare/tasks/main.yml
+++ b/roles/x509/acmetool/cert/prepare/tasks/main.yml
@@ -32,6 +32,7 @@
src: "../certs/{{ selfsigned_interim_cert_id }}"
dest: "/var/lib/acme/live/{{ acme_missing_hostname }}"
state: link
+ notify: reload services for x509 certificates
- name: export paths to certificate files
set_fact:
diff --git a/roles/x509/selfsigned/cert/prepare/handlers/main.yml b/roles/x509/selfsigned/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..b169d6ca
--- /dev/null
+++ b/roles/x509/selfsigned/cert/prepare/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
diff --git a/roles/x509/selfsigned/cert/prepare/tasks/main.yml b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
index 1af6ef5e..e7a47742 100644
--- a/roles/x509/selfsigned/cert/prepare/tasks/main.yml
+++ b/roles/x509/selfsigned/cert/prepare/tasks/main.yml
@@ -10,7 +10,7 @@
mode: "{{ selfsigned_cert_config.mode | default('0700') }}"
owner: "{{ selfsigned_cert_config.owner | default(omit) }}"
group: "{{ selfsigned_cert_config.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: generate key for selfsigned certificate
openssl_privatekey:
@@ -20,7 +20,7 @@
group: "{{ selfsigned_cert_config.key.group | default(omit) }}"
type: "{{ selfsigned_cert_config.key.type | default(omit) }}"
size: "{{ selfsigned_cert_config.key.size | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: generate csr for selfsigned certificate
community.crypto.openssl_csr:
@@ -59,7 +59,7 @@
selfsigned_digest: "{{ selfsigned_cert_config.cert.digest | default(omit) }}"
selfsigned_not_before: "{{ selfsigned_cert_config.cert.not_before | default(omit) }}"
selfsigned_not_after: "{{ selfsigned_cert_config.cert.not_after | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: export paths to certificate files
set_fact:
diff --git a/roles/x509/static/cert/prepare/handlers/main.yml b/roles/x509/static/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..b169d6ca
--- /dev/null
+++ b/roles/x509/static/cert/prepare/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
diff --git a/roles/x509/static/cert/prepare/tasks/main.yml b/roles/x509/static/cert/prepare/tasks/main.yml
index 1327c3b3..03df7542 100644
--- a/roles/x509/static/cert/prepare/tasks/main.yml
+++ b/roles/x509/static/cert/prepare/tasks/main.yml
@@ -10,7 +10,7 @@
mode: "{{ static_cert_config.mode | default('0700') }}"
owner: "{{ static_cert_config.owner | default(omit) }}"
group: "{{ static_cert_config.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: install key for static certificate
copy:
@@ -19,7 +19,7 @@
mode: "{{ static_cert_config.key.mode | default('0600') }}"
owner: "{{ static_cert_config.key.owner | default(omit) }}"
group: "{{ static_cert_config.key.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: install static certificate
copy:
@@ -28,7 +28,7 @@
mode: "{{ static_cert_config.cert.mode | default('0644') }}"
owner: "{{ static_cert_config.cert.owner | default(omit) }}"
group: "{{ static_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: export paths to basic certificate files
set_fact:
@@ -46,7 +46,7 @@
mode: "{{ static_cert_config.chain.mode | default('0644') }}"
owner: "{{ static_cert_config.chain.owner | default(omit) }}"
group: "{{ static_cert_config.chain.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: install fullchain for static certificate
copy:
@@ -57,7 +57,7 @@
mode: "{{ static_cert_config.cert.mode | default('0644') }}"
owner: "{{ static_cert_config.cert.owner | default(omit) }}"
group: "{{ static_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: export paths to additional certificate files
set_fact:
@@ -74,7 +74,7 @@
file:
path: "{{ static_cert_path }}/{{ static_cert_name }}-{{ item }}.pem"
state: absent
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: make sure variable that points to the chain certificate file is unset
set_fact:
diff --git a/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2 b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2
index 73a7f4a3..ea02841d 100644
--- a/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2
+++ b/roles/x509/uacme/base/templates/uacme-reconcile.sh.j2
@@ -16,9 +16,9 @@ for csr_file in "${csr_files[@]}"; do
case $? in
0)
echo "$id successfully (re)issued."
- awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/$id/$id-cert.pem" > "/var/lib/uacme.d/$id/crt.pem"
- awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/$id/$id-cert.pem" > "/var/lib/uacme.d/$id/chain.pem"
- ## TODO: reload services
+ if [ -x "/var/lib/uacme.d/$id/updated.sh" ]; then
+ /var/lib/uacme.d/$id/updated.sh
+ fi
;;
1)
echo "$id not updated."
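Review bot: The split of the fullchain into crt.pem and chain.pem now runs only when `/var/lib/uacme.d/$id/updated.sh` exists and is executable, whereas before this hunk it ran unconditionally after every successful (re)issue; a certificate directory that predates the new prepare task, or where the template step failed, will be reissued without its crt.pem/chain.pem being refreshed. The `-x` test also says nothing about who owns that file: whatever is at that path is executed with this script's privileges, so if this runs as root the per-certificate directory must not be writable by the user the certificate files are later chowned to, otherwise that user decides what runs here. Keeping the awk split in this script as the fallback and adding an ownership check next to the `-x` test, e.g. `[ "$(stat -c %U "/var/lib/uacme.d/$id/updated.sh")" = root ]`, would close both gaps. The `for csr_file` loop and the `case` it contains begin outside the hunk.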
diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml
new file mode 100644
index 00000000..b169d6ca
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/handlers/main.yml
@@ -0,0 +1,6 @@
+---
+- name: reload services for x509 certificates
+ loop: "{{ x509_certificate_reload_services | default([]) }}"
+ service:
+ name: "{{ item }}"
+ state: reloaded
diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml
index 06b9f146..426a5eee 100644
--- a/roles/x509/uacme/cert/prepare/tasks/main.yml
+++ b/roles/x509/uacme/cert/prepare/tasks/main.yml
@@ -12,7 +12,7 @@
group: "{{ uacme_cert_config.key.group | default(omit) }}"
type: "{{ uacme_cert_config.key.type | default(omit) }}"
size: "{{ uacme_cert_config.key.size | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: generate csr for uacme-controlled certificate
community.crypto.openssl_csr:
@@ -60,7 +60,7 @@
selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
return_content: yes
register: uacme_cert_selfsigned
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: make sure cert-only file exists
copy:
@@ -69,7 +69,7 @@
mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
group: "{{ uacme_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
- name: make sure the chain file exists
copy:
@@ -78,7 +78,13 @@
mode: "{{ uacme_cert_config.cert.mode | default('0644') }}"
owner: "{{ uacme_cert_config.cert.owner | default(omit) }}"
group: "{{ uacme_cert_config.cert.group | default(omit) }}"
- notify: "{{ x509_notify_on_change | default(omit) }}"
+ notify: reload services for x509 certificates
+
+- name: install script to be called when new certificate is generated
+ template:
+ src: updated.sh.j2
+ dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh"
+ mode: 0755
- name: export paths to certificate files
set_fact:
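Review bot: `mode: 0755` on the new template task is an unquoted octal literal; YAML 1.1 loaders read it as the integer 493 and Ansible's own docs recommend quoting modes, so `mode: "0755"` is the safe spelling. The task also sets no `owner`/`group`, yet the script it installs is executed by uacme-reconcile.sh on every successful (re)issue; if the certificate directory or its contents are handed to a service user through `uacme_cert_config.cert.owner`, the script should be pinned with `owner: root` and `group: root` (and the directory kept non-writable for that user) so a reconcile run cannot be redirected by whoever owns the certificates. The directory's ownership is set outside this hunk, so that part is inferred.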
diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
new file mode 100644
index 00000000..b0fa705a
--- /dev/null
+++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2
@@ -0,0 +1,17 @@
+#!/bin/sh
+
+# split fullchain and fix permissions
+awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem"
+awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem"
+chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% if uacme_cert_config.cert.owner is defined %}
+chown "{{ uacme_cert_config.cert.owner }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% endif %}
+{% if uacme_cert_config.cert.group is defined %}
+chgrp "{{ uacme_cert_config.cert.group }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem
+{% endif %}
+
+## reload services
+{% for service in (x509_certificate_reload_services | default([])) %}
+systemctl reload "{{ service }}.service"
+{% endfor %}
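Review bot: The script has no `set -e`/`set -u`, so a failed awk split (fullchain missing or unreadable) still falls through to chmod, chown and the `systemctl reload` lines, and a failed reload of one service is silently lost because the exit status is never checked. The chmod/chown/chgrp arguments are also unquoted while the awk lines quote the same paths, and the reload hardcodes `systemctl` whereas the Ansible handler in the same role uses the generic `service` module; `systemctl reload` additionally fails outright on a unit that is not active. Below is the template with strict mode, a single quoted `cert_dir`, and reloads that report failure without aborting the remaining services.
```shell
#!/bin/sh
set -eu

cert_dir="/var/lib/uacme.d/{{ uacme_cert_name }}"
fullchain="$cert_dir/{{ uacme_cert_name }}-cert.pem"

# split fullchain and fix permissions
awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$fullchain" > "$cert_dir/crt.pem"
awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$fullchain" > "$cert_dir/chain.pem"
chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" "$fullchain" "$cert_dir/crt.pem" "$cert_dir/chain.pem"
{% if uacme_cert_config.cert.owner is defined %}
chown "{{ uacme_cert_config.cert.owner }}" "$fullchain" "$cert_dir/crt.pem" "$cert_dir/chain.pem"
{% endif %}
# … unchanged: chgrp block, with the same quoted paths …

## reload services; report but do not abort on a failed reload
{% for service in (x509_certificate_reload_services | default([])) %}
systemctl reload "{{ service }}.service" || echo "updated.sh: reload of {{ service }}.service failed" >&2
{% endfor %}
```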