
Merge pull request #10 from roles-ansible/hook

improve acmetool hook configuration
This commit is contained in:
L3D 2021-08-11 23:38:08 +02:00 committed by GitHub
commit 9ea537d4fd
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
9 changed files with 140 additions and 4 deletions


@ -5,6 +5,8 @@
Install and configure the `acmetool` LE client. Install and configure the `acmetool` LE client.
Currently this role is designed to work with the [do1jlr.nginx](https://github.com/do1jlr/ansible_role_nginx.git) ansible role. Maybe there will be a standalone version of this role someday...
Variables Variables
----------- -----------
@ -12,6 +14,13 @@ Install and configure the `acmetool` LE client.
* ``acme_notification_email:`` (Default: ``root@example.org``): * ``acme_notification_email:`` (Default: ``root@example.org``):
LE account email. The default needs to be changed! LE account email. The default needs to be changed!
* ``acme_reload_services:`` (Default: ``[]``):
Services that need a reload by certificat change
*(There are some services pre-defined in the [files/reload](files/reload) file)*
* ``acme_restart_services:`` (Default: ``[]``):
Services that need a restart by certificat change
* ``submodules_versioncheck:`` (Default: ``false``): * ``submodules_versioncheck:`` (Default: ``false``):
Enable basic versionscheck. *(``true`` is recomended)* Enable basic versionscheck. *(``true`` is recomended)*
@ -30,6 +39,11 @@ Install and configure the `acmetool` LE client.
- "files/{{ inventory_hostname }}" - "files/{{ inventory_hostname }}"
- 'templates' - 'templates'
``` ```
This file is configuring the acmetool behaviour like certificate type, challange methode, acme notification email and so on. Change the values by providing your own ``response-file.yml.j2``.
* We search the ``reload`` and ``restart`` hook using the [first_found_loopup](https://docs.ansible.com/ansible/latest/collections/ansible/builtin/first_found_lookup.html) with the config defined in ``vars/main.yml``.
* We deploy the ``acme-reload`` and ``acme-restart`` configuration based on the ``acme_reload_services:`` and ``acme_restart_services:`` variables
References References
------------ ------------


@ -1,5 +1,9 @@
--- ---
acme_notification_email: 'root@example.org' acme_notification_email: 'root@example.org'
# services that need reload or restart
acme_reload_services: []
acme_restart_services: []
# should we do a version check? (recomended) # should we do a version check? (recomended)
submodules_versioncheck: false submodules_versioncheck: false

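--- /dev/null
+++ b/files/reload
@@ -0,0 +1,47 @@
+#!/bin/sh
+## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# This file reloads services when the preferred certificate for a hostname
+# changes. A list of commonly used daemons is preconfigured. You can override
+# this list by setting $SERVICES in /etc/{default,conf.d}/acme-reload.
+#
+# Configuration options:
+# /etc/{default,conf.d}/acme-reload
+# Sourced if they exist. Specify variables here.
+# Please note that most of the time, you don't need to specify anything.
+#
+# $SERVICES
+# Space-separated list of daemons to reload.
+# Append with SERVICES="$SERVICES mydaemon".
+###############################################################################
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+SERVICES="httpd apache2 apache nginx tengine lighttpd postfix dovecot exim exim4 haproxy hitch quassel quasselcore opensmtpd freeswitch"
+[ -e "/etc/default/acme-reload" ] && . /etc/default/acme-reload
+[ -e "/etc/conf.d/acme-reload" ] && . /etc/conf.d/acme-reload
+[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR="/var/lib/acme"
+# Restart services.
+if which service >/dev/null 2>/dev/null; then
+for x in $SERVICES; do
+service "$x" reload >/dev/null 2>/dev/null || true
+done
+exit 0
+fi
+if which systemctl >/dev/null 2>/dev/null; then
+for x in $SERVICES; do
+[ -e "/lib/systemd/system/$x.service" -o -e "/etc/systemd/system/$x.service" ] && systemctl reload "$x.service" >/dev/null 2>/dev/null || true
+done
+exit 0
+fi
+if [ -e "/etc/init.d" ]; then
+for x in $SERVICES; do
+/etc/init.d/$x reload >/dev/null 2>/dev/null || true
+done
+exit 0
+fi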


@ -1,4 +1,6 @@
#!/bin/sh #!/bin/sh
## this file is managed by https://github.com/roles-ansible/ansible_role_acmetool.git
#
## This script is similar to the default 'reload' script by acmetool but ## This script is similar to the default 'reload' script by acmetool but
## for services that need a full restart. ## for services that need a full restart.


@ -2,7 +2,7 @@
galaxy_info: galaxy_info:
role_name: acmetool role_name: acmetool
author: do1jlr author: do1jlr
description: Install acmetool and get it working together with the do1jlr.nginx role. description: Install acmetool, an easy-to-use command line tool for automatically acquiring certificates from ACME servers (eg. Let's Encrypt)
license: "MIT" license: "MIT"
min_ansible_version: 2.11 min_ansible_version: 2.11
github_branch: main github_branch: main


@ -1,9 +1,36 @@
--- ---
- name: Copy hook to enable acmetool to restart services - name: Copy hook to enable acmetool to reload services
become: true become: true
ansible.builtin.copy: ansible.builtin.copy:
src: 'files/restart' src: "{{ lookup('first_found', acmetool__reload_hook ) }}"
dest: '/etc/acme/hooks/' dest: '/etc/acme/hooks/'
owner: root owner: root
group: root group: root
mode: 'u=rx,g=rx,o=rx' mode: 'u=rx,g=rx,o=rx'
- name: create hook configuration to reload services via ansible
become: true
ansible.builtin.template:
src: 'templates/acmetool_reload.j2'
dest: '/etc/default/acme-reload'
owner: root
group: root
mode: 'u=rx,g=rx,o=rx'
- name: Copy hook to enable acmetool to restart services
become: true
ansible.builtin.copy:
src: "{{ lookup('first_found', acmetool__restart_hook ) }}"
dest: '/etc/acme/hooks/'
owner: root
group: root
mode: 'u=rx,g=rx,o=rx'
- name: create hook configuration to restart services via ansible
become: true
ansible.builtin.template:
src: 'templates/acmetool_restart.j2'
dest: '/etc/default/acme-restart'
owner: root
group: root
mode: 'u=rx,g=rx,o=rx'
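Review bot: The two `ansible.builtin.template` tasks write `/etc/default/acme-reload` and `/etc/default/acme-restart` with `mode: 'u=rx,g=rx,o=rx'`, evidently copied from the hook tasks above them; these files are configuration fragments that the hooks source with `.`, not executables, so `mode: 'u=rw,g=r,o=r'` is the least-privilege setting and drops the misleading execute bit. The two copy tasks keep `dest: '/etc/acme/hooks/'` with a trailing slash, so the deployed hook takes the basename of whatever `first_found` returns; a host-specific `{{ inventory_hostname }}.restart` match would presumably land under that name next to any previously deployed `restart`, which deserves a comment such as `# dest is a directory: the hook keeps the basename returned by first_found`. None of the four tasks notifies a handler, so a changed `SERVICES` list only takes effect the next time acmetool fires the hook; if that is intended, say so in a one-line comment. The task names mix `Copy hook ...` and lowercase `create hook ...`; capitalise them consistently.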


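--- /dev/null
+++ b/templates/acmetool_reload.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# reload hook configuration file
+# adding the service to the list of services to be reloaded by acmetool.
+SERVICES="$SERVICES
+{%- for service in acme_reload_services -%}
+{{- ' ' -}}
+{{- service -}}
+{%- endfor -%}"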
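Review bot: Each entry of `acme_reload_services` is interpolated verbatim into the double-quoted shell assignment `SERVICES="$SERVICES ..."` that `files/reload` later sources as root, so a service name containing a double quote, `$` or a backtick changes the meaning of the assignment instead of being passed through as a name; the same applies to `acme_restart_services` in `templates/acmetool_restart.j2`. Because these values come from inventory rather than from the host, validation is the cleaner fix than escaping: an `ansible.builtin.assert` in `tasks/main.yml` ahead of the template tasks, e.g. `that: "(acme_reload_services + acme_restart_services) | select('match', '^[A-Za-z0-9_.@-]+$') | list | length == (acme_reload_services + acme_restart_services) | length"`, with a `fail_msg` naming the offending variable. The loop with explicit whitespace control renders to the single line `SERVICES="$SERVICES nginx apache2"`; `SERVICES="$SERVICES {{ acme_reload_services | join(' ') }}"` reads the same and produces the same value for non-empty lists (for an empty list it leaves one trailing space inside the quotes, which is harmless in a space-separated list but not byte-identical).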


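--- /dev/null
+++ b/templates/acmetool_restart.j2
@@ -0,0 +1,10 @@
+# {{ ansible_managed }}
+# https://github.com/roles-ansible/ansible_role_acmetool.git
+#
+# restart hook configuration file
+# adding the service to the list of services to be restarted.
+SERVICES="$SERVICES
+{%- for service in acme_restart_services -%}
+{{- ' ' -}}
+{{- service -}}
+{%- endfor -%}"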


@ -10,6 +10,28 @@ acmetool__response_file:
- "files/{{ inventory_hostname }}" - "files/{{ inventory_hostname }}"
- 'templates' - 'templates'
acmetool__reload_hook:
files:
- "{{ inventory_hostname }}.restart"
- 'restart'
paths:
- 'files/acmetool'
- "files/{{ inventory_hostname }}"
- 'templates/acmetool'
- "templates/{{ inventory_hostname }}"
- 'files'
acmetool__restart_hook:
files:
- "{{ inventory_hostname }}.restart"
- 'restart'
paths:
- 'files/acmetool'
- "files/{{ inventory_hostname }}"
- 'templates/acmetool'
- "templates/{{ inventory_hostname }}"
- 'files'
# versionscheck # versionscheck
playbook_version_number: 26 # should be a integer playbook_version_number: 27 # should be a integer
playbook_version_path: 'do1jlr.role-acmetool.version' playbook_version_path: 'do1jlr.role-acmetool.version'
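Review bot: `acmetool__reload_hook` lists `"{{ inventory_hostname }}.restart"` and `'restart'` under `files:`, so the `first_found` lookup in the reload task resolves to `files/restart` and the new `files/reload` hook is never deployed; the reload task copies the restart hook into `/etc/acme/hooks/` and the restart task then overwrites it with the same content. The two entries should read `- "{{ inventory_hostname }}.reload"` and `- 'reload'`. Both `paths` lists also include `templates/acmetool` and `templates/{{ inventory_hostname }}` although the consuming tasks use `ansible.builtin.copy`, so a match there would be copied unrendered; if host-specific static hooks are what is meant, a comment such as `# hook files are copied verbatim, not rendered as templates` would prevent someone from dropping a `.j2` there.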