From c4bc6125cfc6205838b87a519870c7874f522d66 Mon Sep 17 00:00:00 2001
From: Christian Pointner
Date: Fri, 5 Oct 2018 17:57:33 +0200
Subject: imvproved acmetool role

---
 roles/acmetool/base/defaults/main.yml | 11 +++++++
 roles/acmetool/base/tasks/main.yml | 35 ++++++++++++++++++++++
 roles/acmetool/base/templates/acme-reload.j2 | 7 +++++
 roles/acmetool/base/templates/responses.j2 | 2 +-
 .../base/templates/systemd-override.conf.j2 | 10 +++++++
 5 files changed, 64 insertions(+), 1 deletion(-)
 create mode 100644 roles/acmetool/base/templates/acme-reload.j2
 create mode 100644 roles/acmetool/base/templates/systemd-override.conf.j2
(limited to 'roles/acmetool/base')

diff --git a/roles/acmetool/base/defaults/main.yml b/roles/acmetool/base/defaults/main.yml
index 409523da..c9a7107c 100644
--- a/roles/acmetool/base/defaults/main.yml
+++ b/roles/acmetool/base/defaults/main.yml
@@ -7,6 +7,17 @@ acmetool_directory_server_le_staging: "https://acme-staging.api.letsencrypt.org/
 # acmetool_account_email:
 acmetool_directory_server: "{{ acmetool_directory_server_le_staging }}"
 
+#### optionally set http(s)_proxy
+# acmetool_http_proxy:
+# acmetool_https_proxy:
+
 acmetool_default_key_type: rsa
 acmetool_default_rsa_key_size: 4096
 acmetool_default_ecdsa_curve: nistp256
+
+### this defaults to '/var/run/acme/acme-challenge'
+# acmetool_challenge_webroot_path: "/path/to/acme-challenge"
+
+### by default a number of daemons are tried to be reloaded
+### an empty list disables reloading of any service
+# acmetool_reload_services: []
diff --git a/roles/acmetool/base/tasks/main.yml b/roles/acmetool/base/tasks/main.yml
index c2fc2c6c..0a853133 100644
--- a/roles/acmetool/base/tasks/main.yml
+++ b/roles/acmetool/base/tasks/main.yml
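Review bot: The two comment blocks added at the end of this hunk use a different heading depth (`###`) from the `####` block added above them, and the reload comment reads awkwardly; `### by default a number of daemons are tried to be reloaded` would read better as `### by default acmetool tries to reload a number of daemons`. The comment for `acmetool_reload_services` also does not say what happens when the variable stays unset; since tasks/main.yml renders the acme-reload template only when it is defined, the behaviour then presumably comes from whatever /etc/default/acme-reload the package ships, which is worth stating in the comment (`### when unset, the existing /etc/default/acme-reload is left untouched`).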
@@ -19,7 +19,42 @@
     src: responses.j2
     dest: /var/lib/acme/conf/responses
 
+- name: create non-standard acmetool webroot path
+  file:
+    name: "{{ acmetool_challenge_webroot_path }}"
+    state: directory
+  when: acmetool_challenge_webroot_path is defined
+
 - name: run quickstart to create account and default target configuration
   command: acmetool --batch quickstart
+  environment:
+    http_proxy: "{{ acmetool_http_proxy | default(omit) }}"
+    https_proxy: "{{ acmetool_https_proxy | default(omit) }}"
   args:
     creates: /var/lib/acme/conf/target
+
+- name: install service reload configuration
+  template:
+    src: acme-reload.j2
+    dest: /etc/default/acme-reload
+    owner: root
+    group: root
+    mode: 0644
+  when: acmetool_reload_services is defined
+
+- name: create system unit snippet directory
+  file:
+    path: /etc/systemd/system/acmetool.service.d/
+    state: directory
+
+- name: install systemd unit snippet
+  template:
+    src: systemd-override.conf.j2
+    dest: /etc/systemd/system/acmetool.service.d/override.conf
+
+- name: enable/start systemd timer for acmetool
+  systemd:
+    name: acmetool.timer
+    state: started
+    enabled: yes
+    daemon_reload: yes
diff --git a/roles/acmetool/base/templates/acme-reload.j2 b/roles/acmetool/base/templates/acme-reload.j2
new file mode 100644
index 00000000..a679bc7d
--- /dev/null
+++ b/roles/acmetool/base/templates/acme-reload.j2
@@ -0,0 +1,7 @@
+# This should contain a space-seperated list of services to be
+# reloaded after new certificates are generated. An empty list
+# disables reloading of any service
+#
+# example: SERVICES="apache2 nginx postfix"
+
+SERVICES="{{ acmetool_reload_services | join(' ') }}"
diff --git a/roles/acmetool/base/templates/responses.j2 b/roles/acmetool/base/templates/responses.j2
index a7bf2504..411455b8 100644
--- a/roles/acmetool/base/templates/responses.j2
+++ b/roles/acmetool/base/templates/responses.j2
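Review bot: `mode: 0644` in the `install service reload configuration` task is an unquoted octal literal; Ansible's loader accepts the leading-zero form, but yamllint flags it and the quoted form `mode: '0644'` is the documented idiom, and the `yes` values in the `systemd` task should be `enabled: true` / `daemon_reload: true`. The two `file` tasks also spell the same parameter differently (`name:` for the webroot, `path:` for the unit snippet directory); both are accepted aliases, but one form should be used throughout. The `install systemd unit snippet` task sets no owner/group/mode, unlike the acme-reload template task above it, so the drop-in's permissions depend on the remote umask. The webroot directory is likewise created with default owner and mode while the systemd override grants the service write access to it; if acmetool does not run as root on the target, the `file` task presumably needs an explicit `owner`, which is worth confirming.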
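Review bot: The first comment line of the new acme-reload template has a spelling mistake; it should read `# This should contain a space-separated list of services to be`. The rendered file looks shell-sourced (`SERVICES="..."`) and the joined names are inserted without escaping, which is fine for plain unit names from role variables; a comment such as `# values must be plain systemd unit names, no quoting or shell syntax` would make that contract explicit for whoever sets `acmetool_reload_services`.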
@@ -2,7 +2,7 @@
 "acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
 "acmetool-quickstart-choose-server": {{ acmetool_directory_server }}
 "acmetool-quickstart-choose-method": webroot
-"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+"acmetool-quickstart-webroot-path": "{{ acmetool_challenge_webroot_path | default('/var/run/acme/acme-challenge') }}"
 "acmetool-quickstart-complete": true
 "acmetool-quickstart-install-cronjob": false
 "acmetool-quickstart-install-haproxy-script": true
diff --git a/roles/acmetool/base/templates/systemd-override.conf.j2 b/roles/acmetool/base/templates/systemd-override.conf.j2
new file mode 100644
index 00000000..aec6f034
--- /dev/null
+++ b/roles/acmetool/base/templates/systemd-override.conf.j2
@@ -0,0 +1,10 @@
+[Service]
+{% if acmetool_http_proxy is defined %}
+Environment=http_proxy={{ acmetool_http_proxy }}
+{% endif %}
+{% if acmetool_https_proxy is defined %}
+Environment=https_proxy={{ acmetool_https_proxy }}
+{% endif %}
+{% if acmetool_challenge_webroot_path is defined %}
+ReadWritePaths={{ acmetool_challenge_webroot_path }}
+{% endif %}
-- 
cgit v1.2.3
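Review bot: `default('/var/run/acme/acme-challenge')` on the new webroot-path line only fires when `acmetool_challenge_webroot_path` is undefined; a variable defined as an empty string passes through and renders `"acmetool-quickstart-webroot-path": ""`, and the same empty value also reaches the `file` task and the `ReadWritePaths=` line, which both test `is defined` rather than truthiness. If an empty value should mean "use the default", `default('/var/run/acme/acme-challenge', true)` handles it here. The fallback path is also repeated verbatim as a comment in defaults/main.yml, so the two copies need to be kept in sync.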
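Review bot: `Environment=http_proxy=...` and `Environment=https_proxy=...` put the proxy URLs into a unit drop-in that is typically world-readable and is printed by `systemctl show`; if an operator embeds credentials in the proxy URL they are exposed to every local user. A comment above `[Service]` such as `# proxy URLs are visible to all local users via the unit file; do not embed credentials` documents the limitation, or the two values could be moved into an `EnvironmentFile=` installed with a restrictive mode. `ReadWritePaths=` only changes anything if the packaged acmetool.service applies a filesystem sandbox such as `ProtectSystem=`, which this hunk does not show; a one-line comment stating that assumption would help the next maintainer.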