summaryrefslogtreecommitdiff
path: root/roles/acmetool
diff options
context:
space:
mode:
Diffstat (limited to 'roles/acmetool')
-rw-r--r--roles/acmetool/base/defaults/main.yml26
-rw-r--r--roles/acmetool/base/tasks/main.yml65
-rw-r--r--roles/acmetool/base/tasks/selfsigned.yml145
-rw-r--r--roles/acmetool/base/templates/acme-reload.j27
-rw-r--r--roles/acmetool/base/templates/responses.j215
-rw-r--r--roles/acmetool/base/templates/systemd-override.conf.j219
-rw-r--r--roles/acmetool/cert/defaults/main.yml2
-rw-r--r--roles/acmetool/cert/filter_plugins/acme_certs.py24
-rw-r--r--roles/acmetool/cert/handlers/main.yml6
-rw-r--r--roles/acmetool/cert/tasks/main.yml10
10 files changed, 0 insertions, 319 deletions
diff --git a/roles/acmetool/base/defaults/main.yml b/roles/acmetool/base/defaults/main.yml
deleted file mode 100644
index df82d26c..00000000
--- a/roles/acmetool/base/defaults/main.yml
+++ /dev/null
@@ -1,26 +0,0 @@
----
-acmetool_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
-
-acmetool_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-## this can't be changed after the account as been created (aka after the first run)
-## and it's not recommended to keep this empty so we don't define it here which will lead to an error
-# acmetool_account_email:
-acmetool_directory_server: "{{ acmetool_directory_server_le_staging_v2 }}"
-
-#### optionally set http(s)_proxy
-# acmetool_http_proxy:
-# acmetool_https_proxy:
-
-acmetool_default_key_type: rsa
-acmetool_default_rsa_key_size: 4096
-acmetool_default_ecdsa_curve: nistp256
-
-### this defaults to '/var/run/acme/acme-challenge'
-# acmetool_challenge_webroot_path: "/path/to/acme-challenge"
-
-### by default a number of daemons are tried to be reloaded
-### an empty list disables reloading of any service
-# acmetool_reload_services: []
diff --git a/roles/acmetool/base/tasks/main.yml b/roles/acmetool/base/tasks/main.yml
deleted file mode 100644
index 5f2ae4ab..00000000
--- a/roles/acmetool/base/tasks/main.yml
+++ /dev/null
@@ -1,65 +0,0 @@
----
-- name: check if acmetool package is new enough
- ansible.builtin.debug:
- msg: "Check distribution_release"
- failed_when: (ansible_distribution == 'Debian' and (ansible_distribution_major_version | int) < 9) or (ansible_distribution == 'Ubuntu' and (ansible_distribution_major_version | int) < 17) or (ansible_distribution != 'Debian' and ansible_distribution != 'Ubuntu')
-
-- name: install needed packages
- ansible.builtin.apt:
- name:
- - acmetool
- - "{{ python_basename }}-openssl"
- state: present
-
-- name: create initial directory structure
- ansible.builtin.command: acmetool --batch
- args:
- creates: /var/lib/acme/conf
-
-- name: create acmetool response file
- ansible.builtin.template:
- src: responses.j2
- dest: /var/lib/acme/conf/responses
-
-- name: create non-standard acmetool webroot path
- ansible.builtin.file:
- name: "{{ acmetool_challenge_webroot_path }}"
- state: directory
- when: acmetool_challenge_webroot_path is defined
-
-- name: run quickstart to create account and default target configuration
- ansible.builtin.command: acmetool --batch quickstart
- environment:
- http_proxy: "{{ acmetool_http_proxy | default('') }}"
- https_proxy: "{{ acmetool_https_proxy | default('') }}"
- args:
- creates: /var/lib/acme/conf/target
-
-- name: generate selfsigned interim certificate
- ansible.builtin.include_tasks: selfsigned.yml
-
-- name: install service reload configuration
- ansible.builtin.template:
- src: acme-reload.j2
- dest: /etc/default/acme-reload
- owner: root
- group: root
- mode: 0644
- when: acmetool_reload_services is defined
-
-- name: create system unit snippet directory
- ansible.builtin.file:
- path: /etc/systemd/system/acmetool.service.d/
- state: directory
-
-- name: install systemd unit snippet
- ansible.builtin.template:
- src: systemd-override.conf.j2
- dest: /etc/systemd/system/acmetool.service.d/override.conf
-
-- name: enable/start systemd timer for acmetool
- ansible.builtin.systemd:
- name: acmetool.timer
- state: started
- enabled: yes
- daemon_reload: yes
diff --git a/roles/acmetool/base/tasks/selfsigned.yml b/roles/acmetool/base/tasks/selfsigned.yml
deleted file mode 100644
index 449fbdb9..00000000
--- a/roles/acmetool/base/tasks/selfsigned.yml
+++ /dev/null
@@ -1,145 +0,0 @@
----
-- name: get id of existing selfsigned interim certificate
- ansible.builtin.shell: cat /var/lib/acme/.selfsigned-interim-cert || true
- changed_when: false
- check_mode: false
- register: existing_selfsigned_interim_cert_id
-
-- name: set existing_selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
- existing_selfsigned_interim_cert_id: "{{ existing_selfsigned_interim_cert_id.stdout }}"
-
-- name: check if selfsigned interim certificate does exist
- ansible.builtin.stat:
- path: "/var/lib/acme/certs/{{ existing_selfsigned_interim_cert_id }}"
- register: existing_selfsigned_interim_cert_stat
-
-- name: create selfsigned interim certificate
- when: not existing_selfsigned_interim_cert_id or not existing_selfsigned_interim_cert_stat.stat.exists
- block:
- - name: create temporary directory
- ansible.builtin.tempfile:
- path: /var/lib/acme/tmp
- prefix: selfsigned-interim-cert-
- state: directory
- register: tmpdir
-
- - name: set tmpdir variable
- ansible.builtin.set_fact:
- tmpdir: "{{ tmpdir.path }}"
-
- - name: generate private key for selfsigned interim certificate
- ansible.builtin.openssl_privatekey:
- path: "{{ tmpdir }}/privkey"
- mode: 0600
-
- - name: generate csr for selfsigned interim certificate
- community.crypto.openssl_csr_pipe:
- privatekey_path: "{{ tmpdir }}/privkey"
- common_name: "{{ ansible_fqdn }}"
- register: selfsigned_interim_cert_req
-
-
- ### this is needed because strftime filter in ansible is exceptionally stupid
- ### see: https://github.com/ansible/ansible/issues/39835
- - name: get remote date-time 10s ago
- ansible.builtin.command: date -d '10 seconds ago' -u '+%Y%m%d%H%M%SZ'
- register: remote_datetime_10sago
-
- - name: get remote date-time now
- ansible.builtin.command: date -u '+%Y%m%d%H%M%SZ'
- register: remote_datetime_now
-
- - name: generate selfsigned interim certificate
- community.crypto.x509_certificate_pipe:
- privatekey_path: "{{ tmpdir }}/privkey"
- csr_content: "{{ selfsigned_interim_cert_req.csr }}"
- provider: selfsigned
- ## make sure the certificate is not valid anymore to force acmetool to create a new cert
- selfsigned_not_before: "{{ remote_datetime_10sago.stdout }}"
- selfsigned_not_after: "{{ remote_datetime_now.stdout }}"
- register: selfsigned_interim_cert
-
- - name: install selfsigned interim certificate and fullchain
- loop:
- - cert
- - fullchain
- ansible.builtin.copy:
- content: "{{ selfsigned_interim_cert.certificate }}"
- dest: "{{ tmpdir }}/{{ item }}"
-
- - name: create additional empty files
- loop:
- - chain
- - selfsigned
- ansible.builtin.copy:
- content: ""
- dest: "{{ tmpdir }}/{{ item }}"
-
- ### TODO: remove this once acmetool respects it's own storage layout
- ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- - name: generate fake url file
- ansible.builtin.copy:
- content: "https://acme.example.com/acme/cert/self-signed\n"
- dest: "{{ tmpdir }}/url"
-
- - name: get key id
- ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -noout -pubkey | openssl enc -base64 -d | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- register: selfsigned_interim_key_id
-
- - name: set selfsigned_interim_key_id variable
- ansible.builtin.set_fact:
- selfsigned_interim_key_id: "{{ selfsigned_interim_key_id.stdout }}"
-
- - name: create directory for private key of selfsigned interim certificate
- ansible.builtin.file:
- path: "/var/lib/acme/keys/{{ selfsigned_interim_key_id }}"
- state: directory
- mode: 0700
-
- - name: move private key to its directory
- ansible.builtin.command: "mv '{{ tmpdir }}/privkey' '/var/lib/acme/keys/{{ selfsigned_interim_key_id }}/privkey'"
-
- - name: create symlink to privkey
- ansible.builtin.file:
- src: "../../keys/{{ selfsigned_interim_key_id }}/privkey"
- dest: "{{ tmpdir }}/privkey"
- state: link
-
- # - name: get certificate id
- # ansible.builtin.shell: "openssl x509 -in '{{ tmpdir }}/cert' -outform der | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- # register: selfsigned_interim_cert_id
-
- # - name: set selfsigned_interim_cert_id variable
- # ansible.builtin.set_fact:
- # selfsigned_interim_cert_id: "selfsigned-{{ selfsigned_interim_cert_id.stdout }}"
-
- ### TODO: replace with the above once acmetool respects it's own storage layout
- ### see: https://github.com/hlandau/acme/blob/master/_doc/SCHEMA.md#temporary-use-of-self-signed-certificates
- - name: get certificate id
- ansible.builtin.shell: "cat '{{ tmpdir }}/url' | tr -d '\n' | openssl sha256 -binary | base32 | tr -d '=' | tr '[:upper:]' '[:lower:]'"
- register: selfsigned_interim_cert_id
-
- - name: set selfsigned_interim_cert_id variable
- ansible.builtin.set_fact:
- selfsigned_interim_cert_id: "{{ selfsigned_interim_cert_id.stdout }}"
-
- - name: set permissions for selfsigned interim certificate directory
- ansible.builtin.file:
- path: "{{ tmpdir }}"
- mode: 0755
- state: directory
-
- - name: move selfsigned interim certificate directory into place
- ansible.builtin.command: "mv '{{ tmpdir }}' '/var/lib/acme/certs/{{ selfsigned_interim_cert_id }}'"
-
- - name: write cert-id of selfsigned interim certificate to state directory
- ansible.builtin.copy:
- content: "{{ selfsigned_interim_cert_id }}"
- dest: /var/lib/acme/.selfsigned-interim-cert
-
- rescue:
- - name: remove temporary directory for selfsigned interim certificate
- ansible.builtin.file:
- path: "{{ tmpdir }}"
- state: absent
diff --git a/roles/acmetool/base/templates/acme-reload.j2 b/roles/acmetool/base/templates/acme-reload.j2
deleted file mode 100644
index a679bc7d..00000000
--- a/roles/acmetool/base/templates/acme-reload.j2
+++ /dev/null
@@ -1,7 +0,0 @@
-# This should contain a space-seperated list of services to be
-# reloaded after new certificates are generated. An empty list
-# disables reloading of any service
-#
-# example: SERVICES="apache2 nginx postfix"
-
-SERVICES="{{ acmetool_reload_services | join(' ') }}"
diff --git a/roles/acmetool/base/templates/responses.j2 b/roles/acmetool/base/templates/responses.j2
deleted file mode 100644
index 981eba90..00000000
--- a/roles/acmetool/base/templates/responses.j2
+++ /dev/null
@@ -1,15 +0,0 @@
-"acme-enter-email": "{{ acmetool_account_email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017-w-v1.3-notice.pdf": true
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.3-August-10-2022.pdf": true
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.3-September-21-2022.pdf": true
-"acmetool-quickstart-choose-server": {{ acmetool_directory_server }}
-"acmetool-quickstart-choose-method": webroot
-"acmetool-quickstart-webroot-path": "{{ acmetool_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}"
-"acmetool-quickstart-complete": true
-"acmetool-quickstart-install-cronjob": false
-"acmetool-quickstart-install-haproxy-script": true
-"acmetool-quickstart-install-redirector-systemd": false
-"acmetool-quickstart-key-type": {{ acmetool_default_key_type }}
-"acmetool-quickstart-rsa-key-size": {{ acmetool_default_rsa_key_size }}
-"acmetool-quickstart-ecdsa-curve": {{ acmetool_default_ecdsa_curve }}
diff --git a/roles/acmetool/base/templates/systemd-override.conf.j2 b/roles/acmetool/base/templates/systemd-override.conf.j2
deleted file mode 100644
index 5de58bdd..00000000
--- a/roles/acmetool/base/templates/systemd-override.conf.j2
+++ /dev/null
@@ -1,19 +0,0 @@
-{% if acmetool_challenge_webroot_path is defined %}
-[Unit]
-# In case the webroot path is hosted by a filesystem that is
-# using a systemd automount unit the ReadWritePaths= below does
-# prevent the unit from being loaded when the filesystem is
-# not yet mounted.
-RequiresMountsFor={{ acmetool_challenge_webroot_path }}
-
-{% endif %}
-[Service]
-{% if acmetool_http_proxy is defined %}
-Environment=http_proxy={{ acmetool_http_proxy }}
-{% endif %}
-{% if acmetool_https_proxy is defined %}
-Environment=https_proxy={{ acmetool_https_proxy }}
-{% endif %}
-{% if acmetool_challenge_webroot_path is defined %}
-ReadWritePaths={{ acmetool_challenge_webroot_path }}
-{% endif %}
diff --git a/roles/acmetool/cert/defaults/main.yml b/roles/acmetool/cert/defaults/main.yml
deleted file mode 100644
index ab0afaa3..00000000
--- a/roles/acmetool/cert/defaults/main.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-acmetool_reconcile_disabled: false
diff --git a/roles/acmetool/cert/filter_plugins/acme_certs.py b/roles/acmetool/cert/filter_plugins/acme_certs.py
deleted file mode 100644
index 179f71e9..00000000
--- a/roles/acmetool/cert/filter_plugins/acme_certs.py
+++ /dev/null
@@ -1,24 +0,0 @@
-from __future__ import (absolute_import, division, print_function)
-__metaclass__ = type
-
-from functools import partial
-
-from ansible import errors
-
-
-def acme_cert_nonexistent(data, hostnames):
- try:
- return [hostnames[i] for i, d in enumerate(data) if d['stat']['exists'] == False]
- except Exception as e:
- raise errors.AnsibleFilterError("acme_cert_nonexistent(): %s" % str(e))
-
-
-class FilterModule(object):
-
- ''' acme certificate filters '''
- filter_map = {
- 'acme_cert_nonexistent': acme_cert_nonexistent,
- }
-
- def filters(self):
- return self.filter_map
diff --git a/roles/acmetool/cert/handlers/main.yml b/roles/acmetool/cert/handlers/main.yml
deleted file mode 100644
index 08892c18..00000000
--- a/roles/acmetool/cert/handlers/main.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-- name: reconcile acmetool
- when: not acmetool_reconcile_disabled
- ansible.builtin.systemd:
- name: acmetool.service
- state: started
diff --git a/roles/acmetool/cert/tasks/main.yml b/roles/acmetool/cert/tasks/main.yml
deleted file mode 100644
index e97aab84..00000000
--- a/roles/acmetool/cert/tasks/main.yml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-- name: add acmetool desired file
- vars:
- acmetool_cert_satisfy:
- satisfy:
- names: "{{ acmetool_cert_hostnames | default([acmetool_cert_name]) }}"
- ansible.builtin.copy:
- content: "{{ acmetool_cert_config | default({}) | combine(acmetool_cert_satisfy) | to_nice_yaml }}"
- dest: "/var/lib/acme/desired/{{ acmetool_cert_name }}"
- notify: reconcile acmetool
generated by cgit v1.2.3 (git 2.39.1) at 2024-07-08 04:30:16 +0000