From 775492cc28346ea86396a947e1371b8aa0784380 Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Thu, 17 Aug 2023 00:23:01 +0200 Subject: revamp x509 service reloading --- roles/x509/uacme/cert/prepare/handlers/main.yml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 roles/x509/uacme/cert/prepare/handlers/main.yml (limited to 'roles/x509/uacme/cert/prepare/handlers') diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml new file mode 100644 index 00000000..b169d6ca --- /dev/null +++ b/roles/x509/uacme/cert/prepare/handlers/main.yml @@ -0,0 +1,6 @@ +--- +- name: reload services for x509 certificates + loop: "{{ x509_certificate_reload_services | default([]) }}" + service: + name: "{{ item }}" + state: reloaded -- cgit v1.2.3 From f2d4ce732249e8711fc807fecd25d8c43a88175c Mon Sep 17 00:00:00 2001 From: Christian Pointner Date: Mon, 21 Aug 2023 01:02:51 +0200 Subject: x509/uacme: add support for special renewal actions --- dan/sk-testvm.yml | 4 +-- roles/x509/uacme/base/tasks/main.yml | 5 ++++ roles/x509/uacme/cert/prepare/handlers/main.yml | 4 +++ roles/x509/uacme/cert/prepare/tasks/main.yml | 30 +++++++++++++++++----- .../uacme/cert/prepare/templates/updated.sh.j2 | 26 +++++++++++++++---- 5 files changed, 56 insertions(+), 13 deletions(-) (limited to 'roles/x509/uacme/cert/prepare/handlers') diff --git a/dan/sk-testvm.yml b/dan/sk-testvm.yml index 698eb7de..70b6f336 100644 --- a/dan/sk-testvm.yml +++ b/dan/sk-testvm.yml @@ -11,8 +11,8 @@ - name: Payload Setup hosts: sk-testvm vars: - # acme_client: uacme - acme_client: acmetool + acme_client: uacme + # acme_client: acmetool cert_provider: "{{ acme_client }}" # cert_provider: static # cert_provider: selfsigned diff --git a/roles/x509/uacme/base/tasks/main.yml b/roles/x509/uacme/base/tasks/main.yml index 17e6034f..3473d541 100644 --- a/roles/x509/uacme/base/tasks/main.yml +++ b/roles/x509/uacme/base/tasks/main.yml @@ -58,6 +58,11 @@ src: "uacme-reconcile.{{ item }}.j2" dest: "/etc/systemd/system/uacme-reconcile.{{ item }}" +- name: create system unit snippet directory + file: + path: /etc/systemd/system/uacme-reconcile.service.d/ + state: directory + - name: make sure systemd timer for automatic refresh is enabled and started systemd: daemon_reload: yes diff --git a/roles/x509/uacme/cert/prepare/handlers/main.yml b/roles/x509/uacme/cert/prepare/handlers/main.yml index b169d6ca..330bcd11 100644 --- a/roles/x509/uacme/cert/prepare/handlers/main.yml +++ b/roles/x509/uacme/cert/prepare/handlers/main.yml @@ -1,4 +1,8 @@ --- +- name: reload systemd + systemd: + daemon_reload: yes + - name: reload services for x509 certificates loop: "{{ x509_certificate_reload_services | default([]) }}" service: diff --git a/roles/x509/uacme/cert/prepare/tasks/main.yml b/roles/x509/uacme/cert/prepare/tasks/main.yml index 426a5eee..a83651b3 100644 --- a/roles/x509/uacme/cert/prepare/tasks/main.yml +++ b/roles/x509/uacme/cert/prepare/tasks/main.yml @@ -80,15 +80,33 @@ group: "{{ uacme_cert_config.cert.group | default(omit) }}" notify: reload services for x509 certificates -- name: install script to be called when new certificate is generated - template: - src: updated.sh.j2 - dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh" - mode: 0755 - - name: export paths to certificate files set_fact: x509_certificate_path_key: "/var/lib/uacme.d/{{ uacme_cert_name }}/key.pem" x509_certificate_path_cert: "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem" x509_certificate_path_chain: "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem" x509_certificate_path_fullchain: "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" + +- name: install script to be called when new certificate is generated + template: + src: updated.sh.j2 + dest: "/var/lib/uacme.d/{{ uacme_cert_name }}/updated.sh" + mode: 0755 + +- name: install systemd unit snippet + when: "x509_certificate_renewal is defined and 'install' in x509_certificate_renewal" + copy: + dest: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf" + content: | + [Service] + {% for path in (x509_certificate_renewal.install | map(attribute='dest') | map('dirname') | unique | list) %} + ReadWritePaths={{ path }} + {% endfor %} + notify: reload systemd + +- name: remove systemd unit snippet + when: "x509_certificate_renewal is undefined or 'install' not in x509_certificate_renewal" + file: + path: "/etc/systemd/system/uacme-reconcile.service.d/{{ x509_certificate_name }}.conf" + state: absent + notify: reload systemd diff --git a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 index b0fa705a..275ca189 100644 --- a/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 +++ b/roles/x509/uacme/cert/prepare/templates/updated.sh.j2 @@ -1,17 +1,33 @@ #!/bin/sh +BASE_D="/var/lib/uacme.d/{{ uacme_cert_name }}" + # split fullchain and fix permissions -awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem" -awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "/var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem" > "/var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem" -chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +awk '{if(length($0) > 0) print} /-----END CERTIFICATE-----/ { exit }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/crt.pem" +awk '(show==1) {if(length($0) > 0) print} /-----END CERTIFICATE-----/ { show=1 }' "$BASE_D/{{ uacme_cert_name }}-cert.pem" > "$BASE_D/chain.pem" +chmod "{{ uacme_cert_config.cert.mode | default('0644') }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem {% if uacme_cert_config.cert.owner is defined %} -chown "{{ uacme_cert_config.cert.owner }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +chown "{{ uacme_cert_config.cert.owner }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem {% endif %} {% if uacme_cert_config.cert.group is defined %} -chgrp "{{ uacme_cert_config.cert.group }}" /var/lib/uacme.d/{{ uacme_cert_name }}/{{ uacme_cert_name }}-cert.pem /var/lib/uacme.d/{{ uacme_cert_name }}/crt.pem /var/lib/uacme.d/{{ uacme_cert_name }}/chain.pem +chgrp "{{ uacme_cert_config.cert.group }}" $BASE_D/{{ uacme_cert_name }}-cert.pem $BASE_D/crt.pem $BASE_D/chain.pem +{% endif %} +{% if x509_certificate_renewal is defined and 'install' in x509_certificate_renewal %} +{% for file in x509_certificate_renewal.install %} + +install{% if 'mode' in file %} -m {{ file.mode }}{% endif %}{% if 'owner' in file %} -o {{ file.owner }}{% endif %}{% if 'owner' in file %} -g {{ file.group }}{% endif %} /dev/null "{{ file.dest }}.new" +{% for src in file.src %} +cat "{{ hostvars[inventory_hostname]['x509_certificate_path_' + src] }}" >> "{{ file.dest }}.new" +mv "{{ file.dest }}.new" "{{ file.dest }}" +{% endfor %} +{% endfor %} {% endif %} ## reload services {% for service in (x509_certificate_reload_services | default([])) %} systemctl reload "{{ service }}.service" {% endfor %} +{% if x509_certificate_renewal is defined and 'reload' in x509_certificate_renewal %} + +{{ x509_certificate_renewal.reload | trim }} +{% endif %} -- cgit v1.2.3