Diffstat (limited to 'roles')
-rw-r--r-- | roles/x509/acmetool/base/defaults/main.yml | 12 | ||||
-rw-r--r-- | roles/x509/acmetool/base/tasks/main.yml | 4 | ||||
-rw-r--r-- | roles/x509/uacme/base/defaults/main.yml | 6 | ||||
-rw-r--r-- | roles/x509/uacme/base/tasks/main.yml | 51 |
4 files changed, 61 insertions, 12 deletions
diff --git a/roles/x509/acmetool/base/defaults/main.yml b/roles/x509/acmetool/base/defaults/main.yml
index df82d26c..f824d9f7 100644
--- a/roles/x509/acmetool/base/defaults/main.yml
+++ b/roles/x509/acmetool/base/defaults/main.yml
@@ -1,14 +1,6 @@
 ---
-acmetool_directory_server_le_live_v1: "https://acme-v01.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v1: "https://acme-staging.api.letsencrypt.org/directory"
-
-acmetool_directory_server_le_live_v2: "https://acme-v02.api.letsencrypt.org/directory"
-acmetool_directory_server_le_staging_v2: "https://acme-staging-v02.api.letsencrypt.org/directory"
-
-## this can't be changed after the account as been created (aka after the first run)
-## and it's not recommended to keep this empty so we don't define it here which will lead to an error
-# acmetool_account_email:
-acmetool_directory_server: "{{ acmetool_directory_server_le_staging_v2 }}"
+acmetool_account_email: "{{ acme_account_email }}"
+acmetool_directory_server: "{{ acme_directory_server }}"
 
 #### optionally set http(s)_proxy
 # acmetool_http_proxy:
diff --git a/roles/x509/acmetool/base/tasks/main.yml b/roles/x509/acmetool/base/tasks/main.yml
index 5ad03257..7a53906b 100644
--- a/roles/x509/acmetool/base/tasks/main.yml
+++ b/roles/x509/acmetool/base/tasks/main.yml
@@ -22,10 +22,10 @@
     dest: /var/lib/acme/conf/responses
 
 - name: create non-standard acmetool webroot path
+  when: acmetool_challenge_webroot_path is defined
   file:
     name: "{{ acmetool_challenge_webroot_path }}"
     state: directory
-  when: acmetool_challenge_webroot_path is defined
 
 - name: run quickstart to create account and default target configuration
   command: acmetool --batch quickstart
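Review bot: The comment explaining that the account e-mail cannot be changed once the ACME account exists is dropped together with the old defaults, yet the constraint still applies to the new `acmetool_account_email: "{{ acme_account_email }}"` line, and nothing in the role now warns about it. Keep a one-line version above it, e.g. `## only used when the account is first created (aka the first run); changing it later has no effect`. `acme_account_email` and `acme_directory_server` are referenced here without a default, so a missing inventory value fails at template time, which is presumably the intended replacement for the old "leave it undefined so it errors" approach; a short comment saying that these two must be set globally would make the contract explicit, for this file and for the `uacme` defaults added in the same commit.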
@@ -39,13 +39,13 @@
   include_tasks: selfsigned.yml
 
 - name: install service reload configuration
+  when: acmetool_reload_services is defined
   template:
     src: acme-reload.j2
     dest: /etc/default/acme-reload
     owner: root
     group: root
     mode: 0644
-  when: acmetool_reload_services is defined
 
 - name: create system unit snippet directory
   file:
diff --git a/roles/x509/uacme/base/defaults/main.yml b/roles/x509/uacme/base/defaults/main.yml
new file mode 100644
index 00000000..50ac8019
--- /dev/null
+++ b/roles/x509/uacme/base/defaults/main.yml
@@ -0,0 +1,6 @@
+---
+uacme_account_email: "{{ acme_account_email }}"
+uacme_directory_server: "{{ acme_directory_server }}"
+
+### this defaults to '/var/run/acme/acme-challenge'
+# uacme_challenge_webroot_path: "/path/to/acme-challenge"
diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml
new file mode 100644
index 00000000..b40c52b5
--- /dev/null
+++ b/roles/x509/uacme/base/tasks/main.yml
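Review bot: In the new `roles/x509/uacme/base/defaults/main.yml`, `uacme_account_email` and `uacme_directory_server` are consumed only by the account-creation task in the tasks file, which is guarded by `creates: /var/lib/uacme.d/private/key.pem`, so once that key exists a change to either variable is silently ignored; the defaults file does not say so. Add a comment above the two lines, e.g. `## only used when the account key is created (aka the first run); changing them later has no effect`. The commented example also shows `uacme_challenge_webroot_path` without a trailing slash, which is worth stating as the expected form because the nginx snippet in the tasks file depends on it (see the note on that hunk).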
@@ -0,0 +1,51 @@
+---
+- name: install needed packages
+  apt:
+    name:
+      - uacme
+      - "{{ python_basename }}-openssl"
+    state: present
+
+- name: create acme account key
+  command: "uacme -c /var/lib/uacme.d -a '{{ uacme_directory_server }}' -y new '{{ uacme_account_email }}'"
+  args:
+    creates: /var/lib/uacme.d/private/key.pem
+
+- name: create standard uacme webroot path
+  when: uacme_challenge_webroot_path is not defined
+  block:
+    - name: install systemd tmpfiles config
+      copy:
+        dest: /usr/lib/tmpfiles.d/uacme.conf
+        content: |
+          d /var/run/acme/acme-challenge 0755 root root - -
+      register: uacme_systemd_tmpfiles_config
+
+    - name: trigger systemd-tmpfiles
+      when: uacme_systemd_tmpfiles_config is changed
+      command: systemd-tmpfiles --create
+
+- name: create non-standard uacme webroot path
+  when: uacme_challenge_webroot_path is defined
+  file:
+    name: "{{ uacme_challenge_webroot_path }}"
+    state: directory
+
+- name: make sure nginx snipped directory exists
+  file:
+    path: /etc/nginx/snippets
+    state: directory
+
+- name: generate nginx snippet for webroot challenges
+  copy:
+    dest: /etc/nginx/snippets/uacme.conf
+    content: |
+      location /.well-known/acme-challenge/ {
+        alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge/') }};
+      }
+
+## TODO: implement this
+# - name: generate selfsigned interim certificate
+#   include_tasks: selfsigned.yml
+
+## TODO: add global automatic refresher?
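Review bot: The `alias` line in the nginx snippet only works when the configured path ends in a slash: nginx replaces the `location` prefix with the alias value verbatim, so a user-supplied `uacme_challenge_webroot_path` without a trailing slash (the form the defaults file itself shows, `/path/to/acme-challenge`) turns a request for `/.well-known/acme-challenge/<token>` into a lookup of `/path/to/acme-challenge<token>` and the challenge file is never found; only the built-in default carries the slash. Normalise in the template instead, e.g. `alias {{ uacme_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}/;` (a doubled slash for callers who already supply one is harmless to the filesystem lookup). The account-creation `command:` deserves a comment that its `creates:` guard means `uacme_account_email` and `uacme_directory_server` are only honoured on the first run. The task name `make sure nginx snipped directory exists` has a typo (`snippet`).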