Basic acmetool role

defaults/main.yml

@@ -0,0 +1,3 @@
+---
+
+acme_notification_email: 'root@example.org'

files/acme.service

@@ -0,0 +1,14 @@
+[Unit]
+Description = Update Let's Encrypt certificates
+
+[Service]
+ExecStart = /usr/bin/acmetool --batch reconcile
+
+#User = acme
+#Group = acme
+
+PrivateTmp = True
+PrivateDevices = True
+ProtectSystem = True
+ProtectHome = True
+NoNewPrivileges = True

files/acme.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description = Timer unit to update Let's Encrypt certificates once a day
+After = connection.service
+
+[Timer]
+OnCalendar = *-*-* 20:00:00
+Unit = acme.service
+Persistent = True
+
+[Install]
+WantedBy = multi-user.target

files/response-file.yml.j2

@@ -0,0 +1,17 @@
+"acme-enter-email": "{{ acme_notification_email }}"
+
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
+
+"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
+
+"acmetool-quickstart-choose-method": "webroot"
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+
+"acmetool-quickstart-complete": true
+"acmetool-quickstart-install-cronjob": false
+"acmetool-quickstart-install-haproxy-script": false
+"acmetool-quickstart-install-redirector-systemd": false
+
+"acmetool-quickstart-key-type": ecdsa
+"acmetool-quickstart-rsa-key-size": 4096
+"acmetool-quickstart-ecdsa-curve": nistp256

files/restart

@@ -0,0 +1,48 @@
+#!/bin/sh
+## This script is similar to the default 'reload' script by acmetool but
+## for services that need a full restart.
+
+# This file restarts services when the preferred certificate for a hostname
+# changes. A list of commonly used daemons is preconfigured. You can override
+# this list by setting $SERVICES in /etc/{default,conf.d}/acme-restart.
+#
+# Configuration options:
+#   /etc/{default,conf.d}/acme-restart
+#     Sourced if they exist. Specify variables here.
+#     Please note that most of the time, you don't need to specify anything.
+#
+#   $SERVICES
+#     Space-separated list of daemons to restart.
+#     Append with SERVICES="$SERVICES mydaemon".
+
+###############################################################################
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+SERVICES=""
+[ -e "/etc/default/acme-restart" ] && . /etc/default/acme-restart
+[ -e "/etc/conf.d/acme-restart" ] && . /etc/conf.d/acme-restart
+[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR="/var/lib/acme"
+
+# Restart services.
+if which service >/dev/null 2>/dev/null; then
+  for x in $SERVICES; do
+    service "$x" restart >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi
+
+if which systemctl >/dev/null 2>/dev/null; then
+  for x in $SERVICES; do
+    [ -e "/lib/systemd/system/$x.service" -o -e "/etc/systemd/system/$x.service" ] && systemctl restart "$x.service" >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi
+
+if [ -e "/etc/init.d" ]; then
+  for x in $SERVICES; do
+    /etc/init.d/$x restart >/dev/null 2>/dev/null || true
+  done
+  exit 0
+fi

handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Reload systemd and enable units
+  systemd:
+    name: 'acme.timer'
+    daemon_reload: yes
+    enabled: yes
+    state: started

tasks/main.yml

@@ -0,0 +1,71 @@
+---
+
+- name: Install acmetool
+  package:
+    name: 'acmetool'
+    state: present
+  tags:
+    - installation
+
+
+- name: Install systemd units for acmetool
+  template:
+    src: 'files/{{ item }}'
+    dest: '/etc/systemd/system/{{ item }}'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  with_items:
+    - 'acme.service'
+    - 'acme.timer'
+  notify:
+    - Reload systemd and enable units
+  tags:
+    - installation
+    - configuration
+    - acme
+
+
+- name: Create directory for acmetool response file
+  file:
+    name: '/var/lib/acme/conf'
+    state: directory
+    owner: root
+    group: root
+    mode: 'u=rwx,g=rx,o=rx'
+  tags:
+    - installation
+
+
+- name: Copy acmetool response file
+  template:
+    src: 'files/response-file.yml.j2'
+    dest: '/var/lib/acme/conf/responses'
+    owner: root
+    group: root
+    mode: 'u=rw,g=r,o=r'
+  tags:
+    - configuration
+    - acme
+
+
+- name: Perform acmetool quickstart
+  command: acmetool quickstart --expert
+  args:
+    creates: '/var/lib/acme/conf/target'
+  tags:
+    - configuration
+    - operation
+    - acme
+
+
+- name: Copy hook to enable acmetool to restart services
+  copy:
+    src: 'files/restart'
+    dest: '/usr/libexec/acme/hooks/'
+    owner: root
+    group: root
+    mode: 'u=rx,g=rx,o=rx'
+  tags:
+    - configuration
+    - acme