feat: add renew hook script

CHANGELOG.md

@@ -4,6 +4,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 Which is based on [Keep A Changelog](http://keepachangelog.com/)
 
 ## [Unreleased]
+- add renew hook script
 
 ## [1.0.0] - 2018-06-10
 - first version

README.md

@@ -13,11 +13,11 @@ None
 - `certbot_mail` - mail address used by let's encrypt to notify
 - `certbot_key_size` - private key size (default: `4096`)
 - `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
-- `certbot_domains` - array with the domain name
+- `certbot_domains` - array with the domain name and command
+- `certbot_role` - string must be master or slave, if master generate the certificates
 
 ## How to use
 
- * Install:
 ```
 - hosts: git-server
   roles:

defaults/main.yml

@@ -1,4 +1,5 @@
 certbot_mail: ssl@host.local
 certbot_key_size: 4096
 certbot_path: /var/www/acme
+certbot_role: master
 certbot_domains: []

files/certbot-renew

@@ -0,0 +1,13 @@
+#!/usr/bin/python3
+
+import configparser
+import os
+
+config = configparser.ConfigParser()
+config.read('/etc/letsencrypt/renew.cfg')
+
+for domain in os.environ['RENEWED_DOMAINS'].split(' '):
+  try:
+    os.system(config.get('default', domain))
+  except:
+    continue

tasks/base.yml

@@ -1,8 +1,11 @@
 - name: install certbot package
   apt:
-    name: certbot
+    name: '{{ item }}'
     default_release: '{{ certbot_distribution|default(ansible_distribution_release) }}'
     state: present
+  with_items:
+    - certbot
+    - cron
   tags: certbot
 
 - name: create webroot path directory
@@ -13,3 +16,31 @@
     mode: 0755
     state: directory
   tags: certbot
+
+- name: install certbot-renew binary
+  copy:
+    src: certbot-renew
+    dest: /usr/local/bin/certbot-renew
+    owner: root
+    group: root
+    mode: 0755
+  tags: certbot
+
+- name: install certbot renew configuration
+  template:
+    src: renew.cfg.j2
+    dest: /etc/letsencrypt/renew.cfg
+    owner: root
+    group: root
+    mode: 0644
+  tags: certbot
+
+- name: add certbot renew cron
+  lineinfile:
+    path: /etc/cron.d/certbot
+    owner: root
+    group: root
+    mode: 0644
+    regexp: '^0 */12 * * * root'
+    line: "0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew"
+  tags: certbot

tasks/certificates.yml

@@ -1,6 +1,6 @@
 - name: check if certificate exist
   stat:
-    path: '/etc/letsencrypt/live/{{ item }}'
+    path: '/etc/letsencrypt/live/{{ item.name }}'
   with_items: '{{ certbot_domains }}'
   register: st
   tags: certbot
@@ -12,13 +12,13 @@
   tags: certbot
 
 - name: create a new certificate
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
+  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
   with_items: '{{ st.results }}'
-  when: (role == 'master' or item.item == ansible_fqdn) and not item.stat.exists and ng.stat.exists
+  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and ng.stat.exists
   tags: certbot
 
 - name: create a new certificate (standalone)
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
+  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
   with_items: '{{ st.results }}'
-  when: (role == 'master' or item.item == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
+  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
   tags: certbot

templates/renew.cfg.j2

@@ -0,0 +1,4 @@
+[default]
+{% for domain in certbot_domains%}
+{{ domain.name }} = {{ domain.command }}
+{% endfor %}

test/integration/certbot/default.yml

@@ -1,6 +1,8 @@
-- hosts: gitea
+- hosts: certbot
   connection: local
   vars:
-    certbot_mail: test@local.com
+    certbot_role: slave
+    certbot_domains:
+      - { name: test.local, command: 'echo OK > /tmp/test.txt'}
   roles:
       - ansible-role-certbot

test/integration/certbot/serverspec/certbot_spec.rb

@@ -13,3 +13,31 @@ describe file('/var/www/acme') do
   it { should be_owned_by 'root' }
   it { should be_grouped_into 'root' }
 end
+
+describe file('/etc/cron.d/certbot') do
+  it { should exist }
+  it { should be_file }
+  it { should be_mode 644 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain '--renew-hook /usr/local/bin/certbot-renew' }
+end
+
+describe file('/etc/letsencrypt/renew.cfg') do
+  it { should exist }
+  it { should be_file }
+  it { should be_mode 644 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain 'test.local = echo OK > /tmp/test.txt' }
+end
+
+describe command('RENEWED_DOMAINS=test.local /usr/local/bin/certbot-renew') do
+  its(:exit_status) { should eq 0 }
+end
+
+describe file('/tmp/test.txt') do
+  it { should exist }
+  it { should be_file }
+  it { should contain 'OK' }
+end

test/integration/inventory

@@ -1,2 +1,2 @@
-[gitea]
+[certbot]
 localhost