feat: add hook script and port

This commit is contained in:
Adrien Waksberg 2022-01-03 15:27:56 +01:00
parent d1c910d3d1
commit 3ec19e9143
6 changed files with 43 additions and 29 deletions


@ -5,6 +5,11 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
## Unreleased ## Unreleased
### Added
- feat: add certbot_port variable
- feat: add hook scripts
## v2.2.0 - 2021-08-24 ## v2.2.0 - 2021-08-24
### Added ### Added


@ -7,17 +7,24 @@ Generate certificate SSL with certbot.
## Requirements ## Requirements
* Ansible >= 2.9 * Ansible >= 2.10
* Debian * Debian
* Buster
* Bullseye * Bullseye
## Role variables ## Role variables
- `certbot_mail` - mail address used by let's encrypt to notify - `certbot_mail` - mail address used by let's encrypt to notify
- `certbot_key_size` - private key size (default: `4096`) - `certbot_key_size` - private key size (default: `4096`)
- `certbot_port` - port to listen for certbot web (default: `80`)
- `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`) - `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
- `certbot_domains` - array with the domain name and command - `certbot_domains` - dict with the domain name and the script
```
website.com:
#!/bin/bash
echo "test" > /tmp/log
```
- `certbot_role` - string must be master or slave, if master generate the certificates - `certbot_role` - string must be master or slave, if master generate the certificates
## How to use ## How to use
@ -37,7 +44,6 @@ Generate certificate SSL with certbot.
* install molecule and dependencies `pip3 install molecule molecule-docker docker ansible-lint pytest-testinfra yamllint` * install molecule and dependencies `pip3 install molecule molecule-docker docker ansible-lint pytest-testinfra yamllint`
* run `molecule test` * run `molecule test`
## License ## License
``` ```


@ -1,6 +1,7 @@
--- ---
certbot_mail: ssl@host.local certbot_mail: ssl@host.local
certbot_key_size: 4096 certbot_key_size: 4096
certbot_port: 80
certbot_path: /var/www/acme certbot_path: /var/www/acme
certbot_role: master certbot_role: master
certbot_domains: [] certbot_domains: {}


@ -1,15 +1,15 @@
--- ---
galaxy_info: galaxy_info:
role_name: certbot role_name: certbot
namespace: nishiki
author: Adrien Waksberg author: Adrien Waksberg
company: Adrien Waksberg company: Adrien Waksberg
description: Generate certificate SSL with certbot description: Generate certificate SSL with certbot
license: Apache2 license: Apache2
min_ansible_version: 2.9 min_ansible_version: 2.10
platforms: platforms:
- name: Debian - name: Debian
versions: versions:
- buster
- bullseye - bullseye
galaxy_tags: galaxy_tags:


@ -17,22 +17,16 @@
state: directory state: directory
tags: certbot tags: certbot
- name: install certbot-renew binary - name: install hooks script
ansible.builtin.copy: ansible.builtin.copy:
src: certbot-renew content: '{{ item.value|default("#!/bin/bash") }}'
dest: /usr/local/bin/certbot-renew dest: '/etc/letsencrypt/hook-{{ item.key }}'
owner: root owner: root
group: root group: root
mode: 0755 mode: 0700
tags: certbot loop: '{{ certbot_domains|dict2items }}'
loop_control:
- name: install certbot renew configuration label: '{{ item.key }}'
ansible.builtin.template:
src: renew.cfg.j2
dest: /etc/letsencrypt/renew.cfg
owner: root
group: root
mode: 0644
tags: certbot tags: certbot
- name: remove old cerbot renew cron - name: remove old cerbot renew cron
@ -47,5 +41,5 @@
user: root user: root
hour: '*/12' hour: '*/12'
minute: '0' minute: '0'
job: perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew job: perl -e 'sleep int(rand(3600))' && certbot -q renew
tags: certbot tags: certbot
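Review bot: The new `content:` line of the `install hooks script` task only falls back to `#!/bin/bash` when `item.value` is undefined; a domain listed without a script (`website.com:` with no value gives null) is still a defined value, so the fallback is skipped and, as far as I can tell, the rendered text `None` is written into the 0700 hook file that certificate.yml later passes to `--deploy-hook`. Use the filter's second argument so null and empty values take the default as well: `content: '{{ item.value|default("#!/bin/bash", true) }}'`. Because the same `item.key` also forms the `dest` path here and the `--deploy-hook` argument in certificate.yml, a short comment above the task saying that keys of `certbot_domains` are expected to be plain domain names with no path separators would document that assumption for the next maintainer. The new `mode: 0700` is an unquoted octal literal, which YAML 1.1 parsers read as the integer 448; `mode: '0700'` is the form ansible-lint expects.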


@ -1,32 +1,40 @@
--- ---
- name: check if certificate exist - name: check if certificate exist
ansible.builtin.stat: ansible.builtin.stat:
path: '/etc/letsencrypt/live/{{ item.name }}' path: '/etc/letsencrypt/live/{{ item.key }}'
loop: '{{ certbot_domains }}' loop: '{{ certbot_domains|dict2items }}'
loop_control:
label: '{{ item.key }}'
register: st register: st
tags: certbot tags: certbot
- name: check if a webservice is started on port 80 - name: check if a webservice is started
ansible.builtin.wait_for: ansible.builtin.wait_for:
port: 80 port: '{{ certbot_port }}'
state: started state: started
timeout: 5 timeout: 2
ignore_errors: true ignore_errors: true
register: web register: web
tags: certbot tags: certbot
- name: create a new certificate - name: create a new certificate
ansible.builtin.command: > ansible.builtin.command: >
certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
--webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}
--deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
loop: '{{ st.results }}' loop: '{{ st.results }}'
loop_control:
label: '{{ item.item.key }}'
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not web.failed when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not web.failed
tags: certbot tags: certbot
- name: create a new certificate (standalone) - name: create a new certificate (standalone)
ansible.builtin.command: > ansible.builtin.command: >
certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
--standalone --rsa-key-size {{ certbot_key_size }} --standalone --rsa-key-size {{ certbot_key_size }} --deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
--http-01-port {{ certbot_port }}
loop: '{{ st.results }}' loop: '{{ st.results }}'
loop_control:
label: '{{ item.item.key }}'
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and web.failed when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and web.failed
tags: certbot tags: certbot
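Review bot: The `when:` conditions of both `create a new certificate` tasks still reference `item.item.name`, while the loop source was switched to `dict2items` output whose entries expose `key`/`value` (the `-d {{ item.item.key }}` argument on the same tasks already uses it); on a host with `certbot_role` other than `master` the right-hand operand is evaluated and `item.item.name` is undefined, so the task errors instead of skipping. On a master host the first operand is true and Jinja short-circuits the `or`, which is presumably why this was not caught. Change the webroot task to `when: (certbot_role == 'master' or item.item.key == ansible_fqdn) and not item.stat.exists and not web.failed` and the standalone task to the same condition ending in `and web.failed`.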