feat: add hook script and port
This commit is contained in:
parent
d1c910d3d1
commit
3ec19e9143
6 changed files with 43 additions and 29 deletions
|
@ -5,6 +5,11 @@ Which is based on [Keep A Changelog](http://keepachangelog.com/)
|
||||||
|
|
||||||
## Unreleased
|
## Unreleased
|
||||||
|
|
||||||
|
### Added
|
||||||
|
|
||||||
|
- feat: add certbot_port variable
|
||||||
|
- feat: add hook scripts
|
||||||
|
|
||||||
## v2.2.0 - 2021-08-24
|
## v2.2.0 - 2021-08-24
|
||||||
|
|
||||||
### Added
|
### Added
|
||||||
|
|
14
README.md
14
README.md
|
@ -7,17 +7,24 @@ Generate certificate SSL with certbot.
|
||||||
|
|
||||||
## Requirements
|
## Requirements
|
||||||
|
|
||||||
* Ansible >= 2.9
|
* Ansible >= 2.10
|
||||||
* Debian
|
* Debian
|
||||||
* Buster
|
|
||||||
* Bullseye
|
* Bullseye
|
||||||
|
|
||||||
## Role variables
|
## Role variables
|
||||||
|
|
||||||
- `certbot_mail` - mail address used by let's encrypt to notify
|
- `certbot_mail` - mail address used by let's encrypt to notify
|
||||||
- `certbot_key_size` - private key size (default: `4096`)
|
- `certbot_key_size` - private key size (default: `4096`)
|
||||||
|
- `certbot_port` - port to listen for certbot web (default: `80`)
|
||||||
- `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
|
- `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
|
||||||
- `certbot_domains` - array with the domain name and command
|
- `certbot_domains` - dict with the domain name and the script
|
||||||
|
|
||||||
|
```
|
||||||
|
website.com:
|
||||||
|
#!/bin/bash
|
||||||
|
echo "test" > /tmp/log
|
||||||
|
```
|
||||||
|
|
||||||
- `certbot_role` - string must be master or slave, if master generate the certificates
|
- `certbot_role` - string must be master or slave, if master generate the certificates
|
||||||
|
|
||||||
## How to use
|
## How to use
|
||||||
|
@ -37,7 +44,6 @@ Generate certificate SSL with certbot.
|
||||||
* install molecule and dependencies `pip3 install molecule molecule-docker docker ansible-lint pytest-testinfra yamllint`
|
* install molecule and dependencies `pip3 install molecule molecule-docker docker ansible-lint pytest-testinfra yamllint`
|
||||||
* run `molecule test`
|
* run `molecule test`
|
||||||
|
|
||||||
|
|
||||||
## License
|
## License
|
||||||
|
|
||||||
```
|
```
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
---
|
---
|
||||||
certbot_mail: ssl@host.local
|
certbot_mail: ssl@host.local
|
||||||
certbot_key_size: 4096
|
certbot_key_size: 4096
|
||||||
|
certbot_port: 80
|
||||||
certbot_path: /var/www/acme
|
certbot_path: /var/www/acme
|
||||||
certbot_role: master
|
certbot_role: master
|
||||||
certbot_domains: []
|
certbot_domains: {}
|
||||||
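Review bot: `certbot_domains` silently changes type from a list (`[]`) to a mapping (`{}`), which breaks every existing inventory that still passes the old list form, because `certbot_domains|dict2items` in the task files raises on a list instead of falling back. The changelog in this commit records the change only under `Added`; it should be called out as a breaking change together with the new `domain: script` shape, and a guard such as `ansible.builtin.assert: { that: certbot_domains is mapping }` early in the role would turn the opaque filter error into a clear message for users who have not migrated yet.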
|
|
|
@ -1,15 +1,15 @@
|
||||||
---
|
---
|
||||||
galaxy_info:
|
galaxy_info:
|
||||||
role_name: certbot
|
role_name: certbot
|
||||||
|
namespace: nishiki
|
||||||
author: Adrien Waksberg
|
author: Adrien Waksberg
|
||||||
company: Adrien Waksberg
|
company: Adrien Waksberg
|
||||||
description: Generate certificate SSL with certbot
|
description: Generate certificate SSL with certbot
|
||||||
license: Apache2
|
license: Apache2
|
||||||
min_ansible_version: 2.9
|
min_ansible_version: 2.10
|
||||||
platforms:
|
platforms:
|
||||||
- name: Debian
|
- name: Debian
|
||||||
versions:
|
versions:
|
||||||
- buster
|
|
||||||
- bullseye
|
- bullseye
|
||||||
|
|
||||||
galaxy_tags:
|
galaxy_tags:
|
||||||
|
|
|
@ -17,22 +17,16 @@
|
||||||
state: directory
|
state: directory
|
||||||
tags: certbot
|
tags: certbot
|
||||||
|
|
||||||
- name: install certbot-renew binary
|
- name: install hooks script
|
||||||
ansible.builtin.copy:
|
ansible.builtin.copy:
|
||||||
src: certbot-renew
|
content: '{{ item.value|default("#!/bin/bash") }}'
|
||||||
dest: /usr/local/bin/certbot-renew
|
dest: '/etc/letsencrypt/hook-{{ item.key }}'
|
||||||
owner: root
|
owner: root
|
||||||
group: root
|
group: root
|
||||||
mode: 0755
|
mode: 0700
|
||||||
tags: certbot
|
loop: '{{ certbot_domains|dict2items }}'
|
||||||
|
loop_control:
|
||||||
- name: install certbot renew configuration
|
label: '{{ item.key }}'
|
||||||
ansible.builtin.template:
|
|
||||||
src: renew.cfg.j2
|
|
||||||
dest: /etc/letsencrypt/renew.cfg
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
tags: certbot
|
tags: certbot
|
||||||
|
|
||||||
- name: remove old cerbot renew cron
|
- name: remove old cerbot renew cron
|
||||||
|
@ -47,5 +41,5 @@
|
||||||
user: root
|
user: root
|
||||||
hour: '*/12'
|
hour: '*/12'
|
||||||
minute: '0'
|
minute: '0'
|
||||||
job: perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew
|
job: perl -e 'sleep int(rand(3600))' && certbot -q renew
|
||||||
tags: certbot
|
tags: certbot
|
||||||
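Review bot: Hosts that already hold a certificate lose their hook entirely: the cron job in the last hunk drops `--renew-hook /usr/local/bin/certbot-renew`, while the new `--deploy-hook` is only passed to the `certonly` commands, which the certificate tasks skip when `/etc/letsencrypt/live/<domain>` already exists. Unless the hook is also recorded in each existing renewal config, `certbot -q renew` runs without any hook for those domains, so either keep a hook on the renew command as well or add a task that registers the per-domain hook for already-issued certificates. Two smaller points in the `install hooks script` task: `mode: 0700` is an unquoted octal that ansible-lint flags as risky, so write `mode: '0700'`; and nothing removes the `/usr/local/bin/certbot-renew` and `/etc/letsencrypt/renew.cfg` files earlier versions of the role installed, nor hook files for domains later dropped from `certbot_domains`.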
|
|
|
@ -1,32 +1,40 @@
|
||||||
---
|
---
|
||||||
- name: check if certificate exist
|
- name: check if certificate exist
|
||||||
ansible.builtin.stat:
|
ansible.builtin.stat:
|
||||||
path: '/etc/letsencrypt/live/{{ item.name }}'
|
path: '/etc/letsencrypt/live/{{ item.key }}'
|
||||||
loop: '{{ certbot_domains }}'
|
loop: '{{ certbot_domains|dict2items }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.key }}'
|
||||||
register: st
|
register: st
|
||||||
tags: certbot
|
tags: certbot
|
||||||
|
|
||||||
- name: check if a webservice is started on port 80
|
- name: check if a webservice is started
|
||||||
ansible.builtin.wait_for:
|
ansible.builtin.wait_for:
|
||||||
port: 80
|
port: '{{ certbot_port }}'
|
||||||
state: started
|
state: started
|
||||||
timeout: 5
|
timeout: 2
|
||||||
ignore_errors: true
|
ignore_errors: true
|
||||||
register: web
|
register: web
|
||||||
tags: certbot
|
tags: certbot
|
||||||
|
|
||||||
- name: create a new certificate
|
- name: create a new certificate
|
||||||
ansible.builtin.command: >
|
ansible.builtin.command: >
|
||||||
certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }}
|
certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
|
||||||
--webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}
|
--webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}
|
||||||
|
--deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
|
||||||
loop: '{{ st.results }}'
|
loop: '{{ st.results }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.item.key }}'
|
||||||
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not web.failed
|
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not web.failed
|
||||||
tags: certbot
|
tags: certbot
|
||||||
|
|
||||||
- name: create a new certificate (standalone)
|
- name: create a new certificate (standalone)
|
||||||
ansible.builtin.command: >
|
ansible.builtin.command: >
|
||||||
certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }}
|
certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
|
||||||
--standalone --rsa-key-size {{ certbot_key_size }}
|
--standalone --rsa-key-size {{ certbot_key_size }} --deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
|
||||||
|
--http-01-port {{ certbot_port }}
|
||||||
loop: '{{ st.results }}'
|
loop: '{{ st.results }}'
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.item.key }}'
|
||||||
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and web.failed
|
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and web.failed
|
||||||
tags: certbot
|
tags: certbot
|
||||||
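Review bot: The `when:` conditions on both `create a new certificate` tasks still compare `item.item.name == ansible_fqdn`, but after the switch to `certbot_domains|dict2items` the registered items only carry `key` and `value`, so `item.item.name` is undefined; on a `slave` host the condition errors out (or silently evaluates to false on older Jinja) and no certificate is ever issued. Both lines should read `when: (certbot_role == 'master' or item.item.key == ansible_fqdn) and not item.stat.exists and not web.failed` (and `... and web.failed` for the standalone task). Also, `--deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}` assumes the files written by the `install hooks script` task already exist when this file runs; as far as I recall certbot validates hook commands up front and aborts the request if the path is missing, so the include order is worth confirming.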
|
|