feat: add renew hook script

2018-07-07 19:24:56 +02:00 · 2018-07-07 19:24:56 +02:00 · 196240c95f
commit 196240c95f
parent 8256e86007
10 changed files with 91 additions and 11 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,7 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 Which is based on [Keep A Changelog](http://keepachangelog.com/)

 ## [Unreleased]
+- add renew hook script

 ## [1.0.0] - 2018-06-10
 - first version
--- a/README.md
+++ b/README.md
@ -13,11 +13,11 @@ None
 - `certbot_mail` - mail address used by let's encrypt to notify
 - `certbot_key_size` - private key size (default: `4096`)
 - `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
- `certbot_domains` - array with the domain name
+- `certbot_domains` - array with the domain name and command
+- `certbot_role` - string must be master or slave, if master generate the certificates

 ## How to use

- * Install:
 ```
 - hosts: git-server
  roles:
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -1,4 +1,5 @@
 certbot_mail: ssl@host.local
 certbot_key_size: 4096
 certbot_path: /var/www/acme
+certbot_role: master
 certbot_domains: []
--- a/files/certbot-renew
+++ b/files/certbot-renew
@ -0,0 +1,13 @@
+#!/usr/bin/python3
+
+import configparser
+import os
+
+config = configparser.ConfigParser()
+config.read('/etc/letsencrypt/renew.cfg')
+
+for domain in os.environ['RENEWED_DOMAINS'].split(' '):
+  try:
+    os.system(config.get('default', domain))
+  except:
+    continue
--- a/tasks/base.yml
+++ b/tasks/base.yml
@ -1,8 +1,11 @@
 - name: install certbot package
  apt:
-    name: certbot
+    name: '{{ item }}'
    default_release: '{{ certbot_distribution|default(ansible_distribution_release) }}'
    state: present
+  with_items:
+    - certbot
+    - cron
  tags: certbot

 - name: create webroot path directory
@ -13,3 +16,31 @@
    mode: 0755
    state: directory
  tags: certbot
+
+- name: install certbot-renew binary
+  copy:
+    src: certbot-renew
+    dest: /usr/local/bin/certbot-renew
+    owner: root
+    group: root
+    mode: 0755
+  tags: certbot
+
+- name: install certbot renew configuration
+  template:
+    src: renew.cfg.j2
+    dest: /etc/letsencrypt/renew.cfg
+    owner: root
+    group: root
+    mode: 0644
+  tags: certbot
+
+- name: add certbot renew cron
+  lineinfile:
+    path: /etc/cron.d/certbot
+    owner: root
+    group: root
+    mode: 0644
+    regexp: '^0 */12 * * * root'
+    line: "0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew"
+  tags: certbot
--- a/tasks/certificates.yml
+++ b/tasks/certificates.yml
@ -1,6 +1,6 @@
 - name: check if certificate exist
  stat:
-    path: '/etc/letsencrypt/live/{{ item }}'
+    path: '/etc/letsencrypt/live/{{ item.name }}'
  with_items: '{{ certbot_domains }}'
  register: st
  tags: certbot
@ -12,13 +12,13 @@
  tags: certbot

 - name: create a new certificate
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
+  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
  with_items: '{{ st.results }}'
-  when: (role == 'master' or item.item == ansible_fqdn) and not item.stat.exists and ng.stat.exists
+  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and ng.stat.exists
  tags: certbot

 - name: create a new certificate (standalone)
-  shell: 'certbot certonly -n --agree-tos -d {{ item.item }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
+  shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
  with_items: '{{ st.results }}'
-  when: (role == 'master' or item.item == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
+  when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
  tags: certbot
--- a/templates/renew.cfg.j2
+++ b/templates/renew.cfg.j2
@ -0,0 +1,4 @@
+[default]
+{% for domain in certbot_domains%}
+{{ domain.name }} = {{ domain.command }}
+{% endfor %}
--- a/test/integration/certbot/default.yml
+++ b/test/integration/certbot/default.yml
@ -1,6 +1,8 @@
- hosts: gitea
+- hosts: certbot
  connection: local
  vars:
-    certbot_mail: test@local.com
+    certbot_role: slave
+    certbot_domains:
+      - { name: test.local, command: 'echo OK > /tmp/test.txt'}
  roles:
      - ansible-role-certbot
--- a/test/integration/certbot/serverspec/certbot_spec.rb
+++ b/test/integration/certbot/serverspec/certbot_spec.rb
@ -13,3 +13,31 @@ describe file('/var/www/acme') do
  it { should be_owned_by 'root' }
  it { should be_grouped_into 'root' }
 end
+
+describe file('/etc/cron.d/certbot') do
+  it { should exist }
+  it { should be_file }
+  it { should be_mode 644 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain '--renew-hook /usr/local/bin/certbot-renew' }
+end
+
+describe file('/etc/letsencrypt/renew.cfg') do
+  it { should exist }
+  it { should be_file }
+  it { should be_mode 644 }
+  it { should be_owned_by 'root' }
+  it { should be_grouped_into 'root' }
+  it { should contain 'test.local = echo OK > /tmp/test.txt' }
+end
+
+describe command('RENEWED_DOMAINS=test.local /usr/local/bin/certbot-renew') do
+  its(:exit_status) { should eq 0 }
+end
+
+describe file('/tmp/test.txt') do
+  it { should exist }
+  it { should be_file }
+  it { should contain 'OK' }
+end
--- a/test/integration/inventory
+++ b/test/integration/inventory
@ -1,2 +1,2 @@
-[gitea]
+[certbot]
 localhost