From 6287ddcb138cbf59a5a37c0d93f44ec2745841cd Mon Sep 17 00:00:00 2001 From: L3D Date: Wed, 11 Aug 2021 23:17:29 +0200 Subject: [PATCH 1/2] Improve services restart hook --- README.md | 14 +++++++++++ defaults/main.yml | 4 +++ files/reload | 47 +++++++++++++++++++++++++++++++++++ files/restart | 2 ++ meta/main.yml | 2 +- tasks/hook.yml | 33 ++++++++++++++++++++++-- templates/acmetool_reload.j2 | 10 ++++++++ templates/acmetool_restart.j2 | 10 ++++++++ vars/main.yml | 24 +++++++++++++++++- 9 files changed, 142 insertions(+), 4 deletions(-) create mode 100644 files/reload create mode 100644 templates/acmetool_reload.j2 create mode 100644 templates/acmetool_restart.j2 diff --git a/README.md b/README.md index 21ae7a3..7e23868 100644 --- a/README.md +++ b/README.md @@ -5,6 +5,8 @@ Install and configure the `acmetool` LE client. +Currently this role is designed to work with the [do1jlr.nginx](https://github.com/do1jlr/ansible_role_nginx.git) ansible role. Maybe there will be a standalone version of this role someday... + Variables ----------- @@ -12,6 +14,13 @@ Install and configure the `acmetool` LE client. * ``acme_notification_email:`` (Default: ``root@example.org``): LE account email. The default needs to be changed! +* ``acme_reload_services:`` (Default: ``[]``): + Services that need a reload by certificat change + *(There are some services pre-defined in the [files/reload](files/reload) file)* + +* ``acme_restart_services:`` (Default: ``[]``): + Services that need a restart by certificat change + * ``submodules_versioncheck:`` (Default: ``false``): Enable basic versionscheck. *(``true`` is recomended)* 
@@ -30,6 +39,11 @@ Install and configure the `acmetool` LE client.
 - "files/{{ inventory_hostname }}"
 - 'templates'
 ```
+This file is configuring the acmetool behaviour like certificate type, challange methode, acme notification email and so on. Change the values by providing your own ``response-file.yml.j2``.
+
+* We search the ``reload`` and ``restart`` hook using the [first_found_loopup](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/first_found_lookup.html) with the config defined in ``vars/main.yml``.
+
+* We deploy the ``acme-reload`` and ``acme-restart`` configuration based on the ``acme_reload_services:`` and ``acme_restart_services:`` variables
 
 References
 ------------
diff --git a/defaults/main.yml b/defaults/main.yml
index 91e6aa6..2b59bd8 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -1,5 +1,9 @@
 ---
 acme_notification_email: 'root@example.org'
+# services that need reload or restart
+acme_reload_services: []
+acme_restart_services: []
+
 
 # should we do a version check? (recomended)
 submodules_versioncheck: false
diff --git a/files/reload b/files/reload
new file mode 100644
index 0000000..39570a3
--- /dev/null
+++ b/files/reload
@@ -0,0 +1,47 @@
+#!/bin/sh
+## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# This file reloads services when the preferred certificate for a hostname
+# changes. A list of commonly used daemons is preconfigured. You can override
+# this list by setting $SERVICES in /etc/{default,conf.d}/acme-reload.
+#
+# Configuration options:
+# /etc/{default,conf.d}/acme-reload
+# Sourced if they exist. Specify variables here.
+# Please note that most of the time, you don't need to specify anything.
+#
+# $SERVICES
+# Space-separated list of daemons to reload.
+# Append with SERVICES="$SERVICES mydaemon".
+
+###############################################################################
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+SERVICES="httpd apache2 apache nginx tengine lighttpd postfix dovecot exim exim4 haproxy hitch quassel quasselcore opensmtpd freeswitch"
+[ -e "/etc/default/acme-reload" ] && . /etc/default/acme-reload
+[ -e "/etc/conf.d/acme-reload" ] && . /etc/conf.d/acme-reload
+[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR="/var/lib/acme"
+
+# Restart services.
+if which service >/dev/null 2>/dev/null; then
+ for x in $SERVICES; do
+ service "$x" reload >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
+
+if which systemctl >/dev/null 2>/dev/null; then
+ for x in $SERVICES; do
+ [ -e "/lib/systemd/system/$x.service" -o -e "/etc/systemd/system/$x.service" ] && systemctl reload "$x.service" >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
+
+if [ -e "/etc/init.d" ]; then
+ for x in $SERVICES; do
+ /etc/init.d/$x reload >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
diff --git a/files/restart b/files/restart
index 420f18b..0e7fce8 100644
--- a/files/restart
+++ b/files/restart
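Review bot: The systemd branch only looks for units under /lib/systemd/system and /etc/systemd/system, so on a host whose units live in /usr/lib/systemd/system and that lacks the `service` shim tried first, every reload is silently skipped because each failure is masked by `|| true`. A check that does not depend on the unit path, e.g. `systemctl -q is-active "$x.service" && systemctl reload "$x.service" >/dev/null 2>&1 || true`, avoids that and also drops the non-portable `-o` operator inside `[`. `which` is likewise not POSIX; `command -v` is the portable form for the two feature probes. The comment `# Restart services.` should read `# Reload services.` since this hook only reloads, and `ACME_STATE_DIR` is assigned but never read.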
@@ -1,4 +1,6 @@
 #!/bin/sh
+## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
+#
 ## This script is similar to the default 'reload' script by acmetool but
 ## for services that need a full restart.
 
diff --git a/meta/main.yml b/meta/main.yml
index d46ed66..aeff827 100644
--- a/meta/main.yml
+++ b/meta/main.yml
@@ -2,7 +2,7 @@
 galaxy_info:
 role_name: acmetool
 author: do1jlr
- description: Install acmetool and get it working together with the do1jlr.nginx role.
+ description: Install acmetool, an easy-to-use command line tool for automatically acquiring certificates from ACME servers (eg. Let's Encrypt)
 license: "MIT"
 min_ansible_version: 2.11
 github_branch: main
diff --git a/tasks/hook.yml b/tasks/hook.yml
index 2c5ad93..84be26d 100644
--- a/tasks/hook.yml
+++ b/tasks/hook.yml
@@ -1,9 +1,38 @@
 ---
-- name: Copy hook to enable acmetool to restart services
+- name: Copy hook to enable acmetool to reload services
 become: true
 ansible.builtin.copy:
- src: 'files/restart'
+ src: "{{ lookup('first_found', acmetool__reload_hook ) }}"
 dest: '/etc/acme/hooks/'
 owner: root
 group: root
 mode: 'u=rx,g=rx,o=rx'
+
+- name: create hook configuration to reload services via ansible
+ become: true
+ ansible.builtin.template:
+ src: 'templates/acmetool_reload.j2'
+ dest: '/etc/default/acme-reload'
+ owner: root
+ group: root
+ mode: 'u=rx,g=rx,o=rx'
+
+- name: Copy hook to enable acmetool to restart services
+ become: true
+ ansible.builtin.copy:
+ src: "{{ lookup('first_found', acmetool__restart_hook ) }}"
+ dest: '/etc/acme/hooks/'
+ owner: root
+ group: root
+ mode: 'u=rx,g=rx,o=rx'
+
+- name: create hook configuration to restart services via ansible
+ become: true
+ ansible.builtin.template:
+ src: 'templates/acmetool_restart.j2'
+ dest: '/etc/default/acme-restart'
+ owner: root
+ group: root
+ mode: 'u=rx,g=rx,o=rx'
+
+- name: Copy hook to enable acmetool to restart services
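Review bot: Both template tasks write sourced shell fragments (`/etc/default/acme-reload`, `/etc/default/acme-restart`) with `mode: 'u=rx,g=rx,o=rx'`, which grants an execute bit that a `.`-sourced file never needs and drops the owner's write bit; `mode: 'u=rw,g=r,o=r'` is the least-privilege setting for a root-owned config file that is only read. The executable mode belongs only to the two copied hooks, because acmetool runs those, so the four tasks should not share one mode. The task names are also inconsistently cased (`create hook configuration …` next to `Copy hook …`), which ansible-lint flags; capitalise the two `create` names.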
diff --git a/templates/acmetool_reload.j2 b/templates/acmetool_reload.j2
new file mode 100644
index 0000000..68ed82d
--- /dev/null
+++ b/templates/acmetool_reload.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# reload hook configuration file
+# adding the service to the list of services to be reloaded by acmetool.
+SERVICES="$SERVICES
+ {%- for service in acme_reload_services -%}
+ {{- ' ' -}}
+ {{- service -}}
+ {%- endfor -%}"
diff --git a/templates/acmetool_restart.j2 b/templates/acmetool_restart.j2
new file mode 100644
index 0000000..3db2c35
--- /dev/null
+++ b/templates/acmetool_restart.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# restart hook configuration file
+# adding the service to the list of services to be restarted.
+SERVICES="$SERVICES
+ {%- for service in acme_restart_services -%}
+ {{- ' ' -}}
+ {{- service -}}
+ {%- endfor -%}"
diff --git a/vars/main.yml b/vars/main.yml
index 060cdee..315b499 100644
--- a/vars/main.yml
+++ b/vars/main.yml
@@ -10,6 +10,28 @@ acmetool__response_file:
 - "files/{{ inventory_hostname }}"
 - 'templates'
 
+acmetool__reload_hook:
+ files:
+ - "{{ inventory_hostname }}.restart"
+ - 'restart'
+ paths:
+ - 'files/acmetool'
+ - "files/{{ inventory_hostname }}"
+ - 'templates/acmetool'
+ - "templates/{{ inventory_hostname }}"
+ - 'files'
+
+acmetool__restart_hook:
+ files:
+ - "{{ inventory_hostname }}.restart"
+ - 'restart'
+ paths:
+ - 'files/acmetool'
+ - "files/{{ inventory_hostname }}"
+ - 'templates/acmetool'
+ - "templates/{{ inventory_hostname }}"
+ - 'files'
+
 # versionscheck
-playbook_version_number: 26 # should be a integer
+playbook_version_number: 27 # should be a integer
 playbook_version_path: 'do1jlr.role-acmetool.version'
From 8793616ff17abaef718726f49891a9da2f83dc6a Mon Sep 17 00:00:00 2001
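Review bot: The loop built from `{%- -%}` blocks and `{{- ' ' -}}` is hard to read for what is a space-joined list; `SERVICES="$SERVICES {{ acme_reload_services | join(' ') }}"` yields the same word list (with one harmless extra space when the list is empty), and the same simplification applies to templates/acmetool_restart.j2 with `acme_restart_services`. Because the rendered line is sourced by a root-run hook, an entry containing `"`, `$` or a backtick would change how the shell parses this file rather than name a service; an `ansible.builtin.assert` in tasks/hook.yml that each entry matches a conservative pattern such as `^[A-Za-z0-9_.@-]+$` before templating would make that input contract explicit. A header comment stating that the file is sourced by /etc/acme/hooks/reload and that `SERVICES` is appended to the hook's built-in list would also help whoever edits it by hand.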
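Review bot: `acmetool__reload_hook.files` lists `"{{ inventory_hostname }}.restart"` and `'restart'`, so the first_found lookup used by the reload task in tasks/hook.yml resolves to files/restart and the new files/reload script added in this commit is never deployed; both copy tasks then install the same `restart` hook under /etc/acme/hooks/. The entries should be `- "{{ inventory_hostname }}.reload"` and `- 'reload'`. The two hook definitions are otherwise identical, so only the `files:` list needs to differ; a one-line comment above each stating which hook it locates would make the copy-paste mistake harder to repeat.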
From: L3D
Date: Wed, 11 Aug 2021 23:33:53 +0200
Subject: [PATCH 2/2] update acmetool hook
---
 tasks/hook.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/tasks/hook.yml b/tasks/hook.yml
index 84be26d..5ddf595 100644
--- a/tasks/hook.yml
+++ b/tasks/hook.yml
@@ -34,5 +34,3 @@
 owner: root
 group: root
 mode: 'u=rx,g=rx,o=rx'
-
-- name: Copy hook to enable acmetool to restart services