Compare commits
26 commits
Author | SHA1 | Date | |
---|---|---|---|
bb0f6c1f1e | |||
429d82c203 | |||
3a46cdbb2c | |||
aa1958992b | |||
d383c722c1 | |||
c1309158b0 | |||
3ec19e9143 | |||
d1c910d3d1 | |||
b00d571718 | |||
b9e7adfe81 | |||
aab9e5cb08 | |||
cd68ec7b1d | |||
4aed7e86c8 | |||
d947820cab | |||
7bd85cfd4d | |||
88e1c84bbe | |||
a3fd853cfb | |||
904d1ae1cb | |||
c85c43e555 | |||
4f688f3022 | |||
79445d9d05 | |||
289e2d34e6 | |||
50836886c1 | |||
ad2cabbf1d | |||
4c2c33f8af | |||
255e131a25 |
22 changed files with 320 additions and 289 deletions
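--- a/.forgejo/workflows/molecule.yml
+++ b/.forgejo/workflows/molecule.yml
@@ -0,0 +1,18 @@
+---
+on: [push]
+jobs:
+  lint:
+    runs-on: docker
+    container:
+      image: code.waks.be/nishiki/molecule:docker
+    steps:
+      - uses: actions/checkout@v3
+      - run: ansible-lint .
+      - run: yamllint .
+  molecule:
+    runs-on: docker
+    container:
+      image: code.waks.be/nishiki/molecule:docker
+    steps:
+      - uses: actions/checkout@v3
+      - run: molecule test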
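Review bot: `- uses: actions/checkout@v3` in both jobs pins the action to a mutable tag, so the workflow runs whatever that tag points to at execution time; pinning it to a full commit SHA with the version kept in a comment, `- uses: actions/checkout@<commit-sha-placeholder> # v3`, makes the checkout reproducible and resistant to tag moves. The same applies to the `image: code.waks.be/nishiki/molecule:docker` container tag here and to `image: nishiki/molecule:docker` in .gitlab-ci.yml, which can be pinned by digest instead. The `lint` job also runs `ansible-lint .` and `yamllint .` while molecule/default/molecule.yml runs the same two linters in its `lint:` block, so every push lints twice; one of the two places could be dropped.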
2
.gitignore
vendored
2
.gitignore
vendored
|
@ -1,2 +1,2 @@
|
|||
.kitchen/*
|
||||
|
||||
*.pyc
|
||||
|
|
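--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -0,0 +1,10 @@
+---
+image: nishiki/molecule:docker
+
+before_script:
+  - molecule --version
+
+molecule:
+  stage: test
+  script:
+    - molecule test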
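--- a/.kitchen.yml
+++ b/.kitchen.yml
@@ -1,27 +0,0 @@
-driver:
-  name: docker_cli
-
-transport:
-  name: docker_cli
-
-provisioner:
-  name: ansible_playbook
-  hosts: localhost
-  require_ansible_repo: false
-  require_ansible_omnibus: true
-  require_chef_for_busser: true
-  ansible_verbose: false
-  ansible_version: <% if ENV['ANSIBLE_VERSION'] %><%= ENV['ANSIBLE_VERSION'] %><% else %><%= '2.4.4.0' %><% end %>
-  ansible_inventory: ./test/integration/inventory
-
-platforms:
-  - name: debian-9
-    driver_config:
-      image: nishiki/ansible:stretch
-      command: /bin/systemd
-      volume:
-        - /sys/fs/cgroup:/sys/fs/cgroup:ro
-      security_opt: seccomp=unconfined
-
-suites:
-  - name: certbot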
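--- a/.rubocop.yml
+++ b/.rubocop.yml
@@ -1,38 +0,0 @@
-
-AllCops:
-  Exclude:
-    - db/**/*
-    - config/**/*
-    - Vagrantfile
-  TargetRubyVersion: 2.3
-
-Naming/AccessorMethodName:
-  Enabled: false
-
-Lint/RescueWithoutErrorClass:
-  Enabled: false
-
-Metrics/LineLength:
-  Max: 120
-Metrics/CyclomaticComplexity:
-  Enabled: false
-Metrics/PerceivedComplexity:
-  Enabled: false
-Metrics/MethodLength:
-  Enabled: false
-Metrics/BlockLength:
-  Enabled: false
-Metrics/ClassLength:
-  Enabled: false
-Metrics/AbcSize:
-  Enabled: false
-
-Style/NumericLiteralPrefix:
-  Enabled: false
-Style/FrozenStringLiteralComment:
-  Enabled: false
-Style/CommandLiteral:
-  Enabled: true
-  EnforcedStyle: percent_x
-Style/Documentation:
-  Enabled: false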
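--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,30 @@
+---
+sudo: required
+dist: bionic
+addons:
+  apt:
+    packages:
+      - python3
+      - python3-pip
+      - python3-setuptools
+
+env:
+  - ANSIBLE_VERSION=2.9.25
+  - ANSIBLE_VERSION=2.10.7
+  - ANSIBLE_VERSION=3.4.0
+  - ANSIBLE_VERSION=4.4.0
+
+services:
+  - docker
+
+before_install:
+  - sudo pip3 install ansible==${ANSIBLE_VERSION}
+  - sudo pip3 install molecule 'molecule[docker]' docker testinfra ansible-lint yamllint
+  - git clone https://github.com/ansible/galaxy-lint-rules.git
+
+script:
+  - ansible --version
+  - molecule test
+
+notifications:
+  webhooks: https://galaxy.ansible.com/api/v1/notifications/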
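Review bot: The `env` matrix still includes `- ANSIBLE_VERSION=2.9.25` while meta/main.yml in this same commit sets `min_ansible_version: "2.10"` and the README now lists Ansible >= 2.10, so CI exercises a version the role no longer claims to support; either drop that entry or lower the declared minimum. `sudo pip3 install molecule 'molecule[docker]' docker testinfra ansible-lint yamllint` and `git clone https://github.com/ansible/galaxy-lint-rules.git` are unpinned, so the build can change from one run to the next without any commit here; pinning versions and a git ref keeps it reproducible. The README's install line uses `molecule-plugins[docker]` and `pytest-testinfra` whereas this file uses `molecule[docker]` and `testinfra`, so the two install recipes disagree and one of them is presumably stale.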
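--- a/.yamllint
+++ b/.yamllint
@@ -0,0 +1,12 @@
+---
+extends: default
+
+ignore: |
+  .kitchen/*
+  vendor/
+  .forgejo/
+
+rules:
+  line-length:
+    max: 120
+    level: warning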
49
CHANGELOG.md
49
CHANGELOG.md
|
@ -3,10 +3,51 @@
|
|||
This project adheres to [Semantic Versioning](http://semver.org/).
|
||||
Which is based on [Keep A Changelog](http://keepachangelog.com/)
|
||||
|
||||
## [Unreleased]
|
||||
## Unreleased
|
||||
|
||||
## [2.0.0] 2018-07-07
|
||||
- add renew hook script
|
||||
### Added
|
||||
|
||||
- feat: add certbot_port variable
|
||||
- feat: add hook scripts
|
||||
- test: add support debian 12
|
||||
|
||||
### Changed
|
||||
|
||||
- test: use personal docker registry
|
||||
|
||||
## v2.2.0 - 2021-08-24
|
||||
|
||||
### Added
|
||||
|
||||
- test: add check yamllint
|
||||
- test: add support debian 11
|
||||
|
||||
### Changed
|
||||
|
||||
- test: replace kitchen to molecule
|
||||
- chore: use FQCN for module name
|
||||
- feat: check if the port 80 is used
|
||||
|
||||
### Removed
|
||||
|
||||
- test: remove support debian 9
|
||||
|
||||
## v2.1.1 - 2018-11-26
|
||||
|
||||
- fix: replace shell module to command
|
||||
- test: add check ansible-lint with galaxy rules
|
||||
|
||||
## v2.1.0 - 2018-11-25
|
||||
|
||||
- BREAKING CHANGE: minimal ansible version is 2.5 now
|
||||
- fix: replace inline module to cron for renew cron
|
||||
- test: use new docker images
|
||||
- test: add tavis-ci to run tests
|
||||
|
||||
## v2.0.0 - 2018-07-07
|
||||
|
||||
- feat: add renew hook script
|
||||
|
||||
## v1.0.0 - 2018-06-10
|
||||
|
||||
## [1.0.0] - 2018-06-10
|
||||
- first version
|
||||
|
|
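--- a/Gemfile
+++ b/Gemfile
@@ -1,8 +0,0 @@
-source 'https://rubygems.org'
-
-group :development do
-  gem 'kitchen-ansible'
-  gem 'kitchen-docker_cli'
-  gem 'rubocop', '0.50.0'
-  gem 'test-kitchen'
-end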
94
Gemfile.lock
94
Gemfile.lock
|
@ -1,94 +0,0 @@
|
|||
GEM
|
||||
remote: https://rubygems.org/
|
||||
specs:
|
||||
ast (2.4.0)
|
||||
builder (3.2.3)
|
||||
erubis (2.7.0)
|
||||
ffi (1.9.23)
|
||||
gssapi (1.2.0)
|
||||
ffi (>= 1.0.1)
|
||||
gyoku (1.3.1)
|
||||
builder (>= 2.1.2)
|
||||
httpclient (2.8.3)
|
||||
kitchen-ansible (0.47.5)
|
||||
net-ssh (>= 3)
|
||||
test-kitchen (~> 1.4)
|
||||
kitchen-docker_cli (0.18.0)
|
||||
test-kitchen (>= 1.3)
|
||||
little-plugger (1.1.4)
|
||||
logging (2.2.2)
|
||||
little-plugger (~> 1.1)
|
||||
multi_json (~> 1.10)
|
||||
mixlib-install (3.6.0)
|
||||
mixlib-shellout
|
||||
mixlib-versioning
|
||||
thor
|
||||
mixlib-shellout (2.3.2)
|
||||
mixlib-versioning (1.2.2)
|
||||
multi_json (1.13.1)
|
||||
net-scp (1.2.1)
|
||||
net-ssh (>= 2.6.5)
|
||||
net-ssh (4.2.0)
|
||||
net-ssh-gateway (1.3.0)
|
||||
net-ssh (>= 2.6.5)
|
||||
nori (2.6.0)
|
||||
parallel (1.12.1)
|
||||
parser (2.5.0.2)
|
||||
ast (~> 2.4.0)
|
||||
powerpack (0.1.1)
|
||||
rainbow (2.2.2)
|
||||
rake
|
||||
rake (12.3.1)
|
||||
rubocop (0.50.0)
|
||||
parallel (~> 1.10)
|
||||
parser (>= 2.3.3.1, < 3.0)
|
||||
powerpack (~> 0.1)
|
||||
rainbow (>= 2.2.2, < 3.0)
|
||||
ruby-progressbar (~> 1.7)
|
||||
unicode-display_width (~> 1.0, >= 1.0.1)
|
||||
ruby-progressbar (1.9.0)
|
||||
rubyntlm (0.6.2)
|
||||
rubyzip (1.2.1)
|
||||
safe_yaml (1.0.4)
|
||||
test-kitchen (1.18.0)
|
||||
mixlib-install (~> 3.6)
|
||||
mixlib-shellout (>= 1.2, < 3.0)
|
||||
net-scp (~> 1.1)
|
||||
net-ssh (>= 2.9, < 5.0)
|
||||
net-ssh-gateway (~> 1.2)
|
||||
safe_yaml (~> 1.0)
|
||||
thor (~> 0.19, < 0.19.2)
|
||||
winrm (~> 2.0)
|
||||
winrm-elevated (~> 1.0)
|
||||
winrm-fs (~> 1.0.2)
|
||||
thor (0.19.1)
|
||||
unicode-display_width (1.3.0)
|
||||
winrm (2.2.3)
|
||||
builder (>= 2.1.2)
|
||||
erubis (~> 2.7)
|
||||
gssapi (~> 1.2)
|
||||
gyoku (~> 1.0)
|
||||
httpclient (~> 2.2, >= 2.2.0.2)
|
||||
logging (>= 1.6.1, < 3.0)
|
||||
nori (~> 2.0)
|
||||
rubyntlm (~> 0.6.0, >= 0.6.1)
|
||||
winrm-elevated (1.1.0)
|
||||
winrm (~> 2.0)
|
||||
winrm-fs (~> 1.0)
|
||||
winrm-fs (1.0.2)
|
||||
erubis (~> 2.7)
|
||||
logging (>= 1.6.1, < 3.0)
|
||||
rubyzip (~> 1.1)
|
||||
winrm (~> 2.0)
|
||||
|
||||
PLATFORMS
|
||||
ruby
|
||||
|
||||
DEPENDENCIES
|
||||
kitchen-ansible
|
||||
kitchen-docker_cli
|
||||
rubocop (= 0.50.0)
|
||||
test-kitchen
|
||||
|
||||
BUNDLED WITH
|
||||
1.16.0
|
33
README.md
33
README.md
|
@ -1,19 +1,32 @@
|
|||
# Ansible role: Certbot
|
||||
[![Version](https://img.shields.io/badge/latest_version-2.0.0-green.svg)](https://git.yaegashi.fr/nishiki/ansible-role-certbot/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://git.yaegashi.fr/nishiki/ansible-role-certbot/src/branch/master/LICENSE)
|
||||
|
||||
[![Version](https://img.shields.io/badge/latest_version-2.2.0-green.svg)](https://code.waks.be/nishiki/ansible-role-certbot/releases)
|
||||
[![License](https://img.shields.io/badge/license-Apache--2.0-blue.svg)](https://code.waks.be/nishiki/ansible-role-certbot/src/branch/main/LICENSE)
|
||||
[![Build](https://code.waks.be/nishiki/ansible-role-certbot/actions/workflows/molecule.yml/badge.svg?branch=main)](https://code.waks.be/nishiki/ansible-role-certbot/actions?workflow=molecule.yml)
|
||||
|
||||
Generate certificate SSL with certbot.
|
||||
|
||||
## Requirements
|
||||
|
||||
None
|
||||
- Ansible >= 2.10
|
||||
- Debian
|
||||
- Bullseye
|
||||
- Bookworm
|
||||
|
||||
## Role variables
|
||||
|
||||
- `certbot_mail` - mail address used by let's encrypt to notify
|
||||
- `certbot_key_size` - private key size (default: `4096`)
|
||||
- `certbot_port` - port to listen for certbot web (default: `80`)
|
||||
- `certbot_path` - path where certbot write temporary files(default: `/var/www/acme`)
|
||||
- `certbot_domains` - array with the domain name and command
|
||||
- `certbot_domains` - dict with the domain name and the script
|
||||
|
||||
```
|
||||
website.com:
|
||||
#!/bin/bash
|
||||
echo "test" > /tmp/log
|
||||
```
|
||||
|
||||
- `certbot_role` - string must be master or slave, if master generate the certificates
|
||||
|
||||
## How to use
|
||||
|
@ -25,13 +38,13 @@ None
|
|||
```
|
||||
|
||||
## Development
|
||||
### Tests with docker
|
||||
|
||||
* install [docker](https://docs.docker.com/engine/installation/)
|
||||
* install ruby
|
||||
* install bundler `gem install bundler`
|
||||
* install dependencies `bundle install`
|
||||
* run the tests `kitchen test`
|
||||
### Test with molecule and docker
|
||||
|
||||
- install [docker](https://docs.docker.com/engine/installation/)
|
||||
- install `python3` and `python3-pip`
|
||||
- install molecule and dependencies `pip3 install molecule molecule-plugins[docker] docker ansible-lint pytest-testinfra yamllint`
|
||||
- run `molecule test`
|
||||
|
||||
## License
|
||||
|
||||
|
|
|
@ -1,5 +1,7 @@
|
|||
---
|
||||
certbot_mail: ssl@host.local
|
||||
certbot_key_size: 4096
|
||||
certbot_port: 80
|
||||
certbot_path: /var/www/acme
|
||||
certbot_role: master
|
||||
certbot_domains: []
|
||||
certbot_domains: {}
|
||||
|
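Review bot: `certbot_domains: {}` changes the variable's type from the previous list (`certbot_domains: []`, whose entries were `{ name:, command: }` hashes in the removed test playbook) to a dict keyed by domain, and the task files now pipe it through `dict2items`, so any existing inventory still passing a list will fail at the first loop. That is a breaking change for users upgrading the role, but the CHANGELOG's `## Unreleased` section lists it only as `- feat: add hook scripts`; an explicit `- BREAKING CHANGE: certbot_domains is now a dict (domain -> hook script)` entry, and a matching line in the README's variable list, would save upgraders a surprise. The file header for this section is not visible in the page, so I am inferring the path defaults/main.yml from the variable names.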
|
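--- a/meta/main.yml
+++ b/meta/main.yml
@@ -0,0 +1,23 @@
+---
+galaxy_info:
+  role_name: certbot
+  namespace: nishiki
+  author: Adrien Waksberg
+  company: Adrien Waksberg
+  description: Generate certificate SSL with certbot
+  license: Apache2
+  min_ansible_version: "2.10"
+  platforms:
+    - name: Debian
+      versions:
+        - bullseye
+        - bookworm
+
+  galaxy_tags:
+    - certbot
+    - letsencrypt
+    - ssl
+    - https
+    - certifactes
+
+dependencies: []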
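Review bot: The last `galaxy_tags` entry, `- certifactes`, is misspelled and would be published to Galaxy as a tag nobody searches for; it should read `- certificates`. Neither yamllint nor ansible-lint will catch this, so it is worth fixing before the role is re-imported.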
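--- a/molecule/default/converge.yml
+++ b/molecule/default/converge.yml
@@ -0,0 +1,14 @@
+---
+- name: Converge
+  hosts: all
+  roles:
+    - ansible-role-certbot
+  vars:
+    certbot_role: slave
+    certbot_domains:
+      test.local: 'echo OK > /tmp/test.txt'
+
+  pre_tasks:
+    - name: update apt cache
+      ansible.builtin.apt:
+        update_cache: true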
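--- a/molecule/default/molecule.yml
+++ b/molecule/default/molecule.yml
@@ -0,0 +1,28 @@
+---
+driver:
+  name: docker
+platforms:
+  - name: debian12
+    image: code.waks.be/nishiki/molecule:debian12
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /bin/systemd
+    capabilities:
+      - SYS_ADMIN
+  - name: debian11
+    image: code.waks.be/nishiki/molecule:debian11
+    privileged: true
+    volumes:
+      - /sys/fs/cgroup:/sys/fs/cgroup:rw
+    cgroupns_mode: host
+    command: /bin/systemd
+    capabilities:
+      - SYS_ADMIN
+lint: |
+  set -e
+  yamllint .
+  ansible-lint .
+verifier:
+  name: testinfra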
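Review bot: Each platform sets `privileged: true` and also lists `capabilities: - SYS_ADMIN`; a privileged container already holds every capability, so the explicit list is dead configuration and hides which privilege the systemd init actually needs. If the images only need `SYS_ADMIN` plus the `/sys/fs/cgroup` mount and `cgroupns_mode: host` to boot systemd — which looks likely from the rest of the block but is worth confirming against the image — dropping `privileged: true` would run the test containers with the narrower grant; otherwise drop the `capabilities:` list so the intent is clear. The two platform entries differ only in name and image tag, so a YAML anchor on the first (`&debian`) merged into the second (`<<: *debian`) would keep them from drifting apart.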
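--- a/molecule/default/tests/test_default.py
+++ b/molecule/default/tests/test_default.py
@@ -0,0 +1,44 @@
+import testinfra.utils.ansible_runner
+
+def test_packages(host):
+    package = host.package('certbot')
+    assert package.is_installed
+
+def test_acme_directory(host):
+    path = host.file('/var/www/acme')
+    assert path.exists
+    assert path.is_directory
+    assert path.user == 'root'
+    assert path.group == 'root'
+    assert path.mode == 0o755
+
+def test_old_cron_file(host):
+    path = host.file('/etc/cron.d/certbot')
+    assert not path.exists
+
+def test_cron_file(host):
+    path = host.file('/var/spool/cron/crontabs/root')
+    assert path.exists
+    assert path.is_file
+    assert path.user == 'root'
+    assert path.group == 'crontab'
+    assert path.mode == 0o600
+    assert path.contains('perl -e \'sleep int(rand(3600))\' && certbot -q renew')
+
+def test_config_file(host):
+    path = host.file('/etc/letsencrypt/hook-test.local')
+    assert path.exists
+    assert path.is_file
+    assert path.user == 'root'
+    assert path.group == 'root'
+    assert path.mode == 0o700
+    assert path.contains('echo OK > /tmp/test.txt')
+
+def test_renew(host):
+    cmd = host.run('/etc/letsencrypt/hook-test.local')
+    assert cmd.succeeded
+
+    path = host.file('/tmp/test.txt')
+    assert path.exists
+    assert path.is_file
+    assert path.contains('OK')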
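Review bot: `import testinfra.utils.ansible_runner` on the first line is never used — every test takes the `host` fixture and nothing references the module — so it should be removed, or used to build the usual `testinfra_hosts` list if that was the intent. `test_config_file` and `test_renew` both exercise the generated hook script rather than a configuration file or a renewal, so names such as `test_hook_file` and `test_hook_runs` would describe what is asserted. Note also that with `certbot_role: slave` and a domain that does not match the container's FQDN, the converge run never reaches the certificate tasks, so nothing here checks the `certbot certonly` commands; that is presumably deliberate for an offline test, but a one-line comment at the top saying so would stop a reader from expecting coverage that is not there.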
|
@ -1,46 +1,45 @@
|
|||
- name: install certbot package
|
||||
apt:
|
||||
name: '{{ item }}'
|
||||
default_release: '{{ certbot_distribution|default(ansible_distribution_release) }}'
|
||||
---
|
||||
- name: Install certbot package
|
||||
ansible.builtin.apt:
|
||||
name:
|
||||
- certbot
|
||||
- cron
|
||||
default_release: "{{ certbot_distribution | default(ansible_distribution_release) }}"
|
||||
state: present
|
||||
with_items:
|
||||
- certbot
|
||||
- cron
|
||||
tags: certbot
|
||||
|
||||
- name: create webroot path directory
|
||||
file:
|
||||
path: '{{ certbot_path }}'
|
||||
- name: Create webroot path directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ certbot_path }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
state: directory
|
||||
tags: certbot
|
||||
|
||||
- name: install certbot-renew binary
|
||||
copy:
|
||||
src: certbot-renew
|
||||
dest: /usr/local/bin/certbot-renew
|
||||
- name: Install hooks script
|
||||
ansible.builtin.copy:
|
||||
content: "{{ item.value | default('#!/bin/bash') }}"
|
||||
dest: "/etc/letsencrypt/hook-{{ item.key }}"
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0755
|
||||
mode: 0700
|
||||
loop: "{{ certbot_domains | dict2items }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
tags: certbot
|
||||
|
||||
- name: install certbot renew configuration
|
||||
template:
|
||||
src: renew.cfg.j2
|
||||
dest: /etc/letsencrypt/renew.cfg
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
tags: certbot
|
||||
|
||||
- name: add certbot renew cron
|
||||
lineinfile:
|
||||
- name: Remove old cerbot renew cron
|
||||
ansible.builtin.file:
|
||||
path: /etc/cron.d/certbot
|
||||
owner: root
|
||||
group: root
|
||||
mode: 0644
|
||||
regexp: '^0 */12 * * * root'
|
||||
line: "0 */12 * * * root perl -e 'sleep int(rand(3600))' && certbot -q renew --renew-hook /usr/local/bin/certbot-renew"
|
||||
state: absent
|
||||
tags: certbot
|
||||
|
||||
- name: Add certbot renew cron
|
||||
ansible.builtin.cron:
|
||||
name: certbot-renew
|
||||
user: root
|
||||
hour: "*/12"
|
||||
minute: "0"
|
||||
job: "perl -e 'sleep int(rand(3600))' && certbot -q renew"
|
||||
tags: certbot
|
||||
|
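Review bot: The new `Remove old cerbot renew cron` task (note the typo in its name, `cerbot` → `certbot`) cleans up `/etc/cron.d/certbot`, but the commit also drops the tasks that installed `/usr/local/bin/certbot-renew` and `/etc/letsencrypt/renew.cfg` without removing those files, so hosts upgraded from an earlier version keep a root-owned executable and a config that nothing maintains any more. A second cleanup task for those two paths would make the upgrade path complete. On the `Install hooks script` task, `content: "{{ item.value | default('#!/bin/bash') }}"` only supplies the shebang when the value is missing, so a bare command like the one in converge.yml is written with no interpreter line; that presumably works because the consumer runs the file through a shell, but always prefixing the content with the shebang (`content: "#!/bin/bash\n{{ item.value | default('') }}"`) would remove the dependency on how it is invoked. The file header for this section is not visible in the page, so I am inferring the path tasks/base.yml.

```yaml
- name: Remove old certbot-renew binary and configuration
  ansible.builtin.file:
    path: "{{ item }}"
    state: absent
  loop:
    - /usr/local/bin/certbot-renew
    - /etc/letsencrypt/renew.cfg
  tags: certbot
# … unchanged: Add certbot renew cron …
```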
|
|
@ -1,24 +1,40 @@
|
|||
- name: check if certificate exist
|
||||
stat:
|
||||
path: '/etc/letsencrypt/live/{{ item.name }}'
|
||||
with_items: '{{ certbot_domains }}'
|
||||
---
|
||||
- name: Check if certificate exist
|
||||
ansible.builtin.stat:
|
||||
path: "/etc/letsencrypt/live/{{ item.key }}"
|
||||
loop: "{{ certbot_domains | dict2items }}"
|
||||
loop_control:
|
||||
label: "{{ item.key }}"
|
||||
register: st
|
||||
tags: certbot
|
||||
|
||||
- name: check if nginx is launch
|
||||
stat:
|
||||
path: /var/run/nginx.pid
|
||||
register: ng
|
||||
- name: Check if a webservice is started
|
||||
ansible.builtin.wait_for:
|
||||
port: "{{ certbot_port }}"
|
||||
state: started
|
||||
timeout: 2
|
||||
ignore_errors: true
|
||||
register: web
|
||||
tags: certbot
|
||||
|
||||
- name: create a new certificate
|
||||
shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}'
|
||||
with_items: '{{ st.results }}'
|
||||
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and ng.stat.exists
|
||||
- name: Create a new certificate # noqa no-changed-when
|
||||
ansible.builtin.command: >
|
||||
certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
|
||||
--webroot --webroot-path {{ certbot_path }} --rsa-key-size {{ certbot_key_size }}
|
||||
--deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
|
||||
loop: "{{ st.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.item.key }}"
|
||||
when: (certbot_role == "master" or item.item.key == ansible_fqdn) and not item.stat.exists and not web.failed
|
||||
tags: certbot
|
||||
|
||||
- name: create a new certificate (standalone)
|
||||
shell: 'certbot certonly -n --agree-tos -d {{ item.item.name }} -m {{ certbot_mail }} --standalone --rsa-key-size {{ certbot_key_size }}'
|
||||
with_items: '{{ st.results }}'
|
||||
when: (certbot_role == 'master' or item.item.name == ansible_fqdn) and not item.stat.exists and not ng.stat.exists
|
||||
- name: Create a new certificate (standalone) # noqa no-changed-when
|
||||
ansible.builtin.command: >
|
||||
certbot certonly -n --agree-tos -d {{ item.item.key }} -m {{ certbot_mail }}
|
||||
--standalone --rsa-key-size {{ certbot_key_size }} --deploy-hook /etc/letsencrypt/hook-{{ item.item.key }}
|
||||
--http-01-port {{ certbot_port }}
|
||||
loop: "{{ st.results }}"
|
||||
loop_control:
|
||||
label: "{{ item.item.key }}"
|
||||
when: (certbot_role == "master" or item.item.key == ansible_fqdn) and not item.stat.exists and web.failed
|
||||
tags: certbot
|
||||
|
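Review bot: The `Check if a webservice is started` task uses `ansible.builtin.wait_for` with only `port: "{{ certbot_port }}"`, and `wait_for` probes `127.0.0.1` unless `host:` is given, so a web server bound solely to the host's public address is reported as absent, `web.failed` becomes true and the role falls through to the standalone branch, whose own bind on `--http-01-port {{ certbot_port }}` will then collide with that server. Exposing the probe address as a role variable, e.g. `host: "{{ certbot_check_host | default('127.0.0.1') }}"`, or at least a comment stating that the port check is loopback-only, would make the behaviour explicit. The `ignore_errors: true` here is load-bearing — `failed_when: false` would make `web.failed` always false and silently disable the standalone branch — so a short comment on that line saying why `ignore_errors` is used rather than `failed_when` would protect it from a well-meaning lint cleanup. The file header for this section is not visible in the page, so I am inferring the path tasks/certificates.yml.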
|
|
@ -1,7 +1,8 @@
|
|||
- include_tasks: '{{ file }}.yml'
|
||||
with_items:
|
||||
- base
|
||||
- certificates
|
||||
loop_control:
|
||||
loop_var: file
|
||||
---
|
||||
- name: Import base
|
||||
ansible.builtin.import_tasks: base.yml
|
||||
tags: certbot
|
||||
|
||||
- name: Import certificates
|
||||
ansible.builtin.import_tasks: certificates.yml
|
||||
tags: certbot
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
- hosts: certbot
|
||||
connection: local
|
||||
vars:
|
||||
certbot_role: slave
|
||||
certbot_domains:
|
||||
- { name: test.local, command: 'echo OK > /tmp/test.txt'}
|
||||
roles:
|
||||
- ansible-role-certbot
|
|
@ -1,43 +0,0 @@
|
|||
require 'serverspec'
|
||||
|
||||
set :backend, :exec
|
||||
|
||||
describe package('certbot') do
|
||||
it { should be_installed }
|
||||
end
|
||||
|
||||
describe file('/var/www/acme') do
|
||||
it { should exist }
|
||||
it { should be_directory }
|
||||
it { should be_mode 755 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
end
|
||||
|
||||
describe file('/etc/cron.d/certbot') do
|
||||
it { should exist }
|
||||
it { should be_file }
|
||||
it { should be_mode 644 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
it { should contain '--renew-hook /usr/local/bin/certbot-renew' }
|
||||
end
|
||||
|
||||
describe file('/etc/letsencrypt/renew.cfg') do
|
||||
it { should exist }
|
||||
it { should be_file }
|
||||
it { should be_mode 644 }
|
||||
it { should be_owned_by 'root' }
|
||||
it { should be_grouped_into 'root' }
|
||||
it { should contain 'test.local = echo OK > /tmp/test.txt' }
|
||||
end
|
||||
|
||||
describe command('RENEWED_DOMAINS=test.local /usr/local/bin/certbot-renew') do
|
||||
its(:exit_status) { should eq 0 }
|
||||
end
|
||||
|
||||
describe file('/tmp/test.txt') do
|
||||
it { should exist }
|
||||
it { should be_file }
|
||||
it { should contain 'OK' }
|
||||
end
|
|
@ -1,2 +0,0 @@
|
|||
[certbot]
|
||||
localhost
|