From b5246ed0bd56276176642fcbbf53cd34fb7b1e28 Mon Sep 17 00:00:00 2001
From: Raoul
Date: Sat, 27 Jul 2019 17:11:01 +0200
Subject: [PATCH] Basic acmetool role

---
 defaults/main.yml | 3 ++
 files/acme.service | 14 ++++++++
 files/acme.timer | 11 ++++++
 files/response-file.yml.j2 | 17 +++++++++
 files/restart | 48 ++++++++++++++++++++++++++
 handlers/main.yml | 8 +++++
 tasks/main.yml | 71 ++++++++++++++++++++++++++++++++++++++
 7 files changed, 172 insertions(+)
 create mode 100644 defaults/main.yml
 create mode 100644 files/acme.service
 create mode 100644 files/acme.timer
 create mode 100644 files/response-file.yml.j2
 create mode 100644 files/restart
 create mode 100644 handlers/main.yml
 create mode 100644 tasks/main.yml
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..6016495
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+
+acme_notification_email: 'root@example.org'
diff --git a/files/acme.service b/files/acme.service
new file mode 100644
index 0000000..3535ea2
--- /dev/null
+++ b/files/acme.service
@@ -0,0 +1,14 @@
+[Unit]
+Description = Update Let's Encrypt certificates
+
+[Service]
+ExecStart = /usr/bin/acmetool --batch reconcile
+
+#User = acme
+#Group = acme
+
+PrivateTmp = True
+PrivateDevices = True
+ProtectSystem = True
+ProtectHome = True
+NoNewPrivileges = True
diff --git a/files/acme.timer b/files/acme.timer
new file mode 100644
index 0000000..0148fba
--- /dev/null
+++ b/files/acme.timer
@@ -0,0 +1,11 @@
+[Unit]
+Description = Timer unit to update Let's Encrypt certificates once a day
+After = connection.service
+
+[Timer]
+OnCalendar = *-*-* 20:00:00
+Unit = acme.service
+Persistent = True
+
+[Install]
+WantedBy = multi-user.target
diff --git a/files/response-file.yml.j2 b/files/response-file.yml.j2
new file mode 100644
index 0000000..38569ae
--- /dev/null
+++ b/files/response-file.yml.j2
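Review bot: The default `acme_notification_email: 'root@example.org'` is a placeholder that nothing on example.org will ever read, so a host that does not override it registers an ACME account whose expiry and revocation notices go nowhere, and nothing in the role warns about that. Since the value is only consumed through files/response-file.yml.j2 at quickstart time, the wrong address is recorded in the account on first run. Consider leaving the variable undefined and adding an `assert` task at the top of tasks/main.yml, `that: acme_notification_email is defined and acme_notification_email != 'root@example.org'`, together with a README note that it must be set per host.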
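Review bot: With `#User = acme` and `#Group = acme` commented out, `reconcile` and every hook it spawns run as root, so the sandboxing directives below are the only containment, and `ProtectSystem = True` only makes /usr and /boot read-only while /etc stays writable to that root process. `ProtectSystem = full` (or `strict` with `ReadWritePaths = /var/lib/acme /var/run/acme`) closes that, and since acmetool keeps its state under /var/lib/acme it should be compatible unless a hook writes elsewhere — worth checking against files/restart. Running as root is presumably deliberate because that hook calls `systemctl restart`; a comment above the two commented lines, `# runs as root: the restart hook needs systemctl`, would stop the next maintainer from simply uncommenting them. Separately, `Type = oneshot` is the conventional type for a run-to-completion command like `reconcile`; with the implicit `simple` the unit counts as started as soon as the process is forked rather than when it finishes.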
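Review bot: `After = connection.service` orders the timer after a unit that is not a standard systemd unit as far as I can tell; if it does not exist on the target the ordering is silently dropped and the `Persistent` catch-up run after boot can fire before the network is up, so unless the role ships such a unit this should read `After = network-online.target` with `Wants = network-online.target`. `OnCalendar = *-*-* 20:00:00` fires on every host at the same second; `RandomizedDelaySec = 1h` spreads those runs over a window without changing the daily cadence and avoids a synchronised burst against the CA. `WantedBy = timers.target` is the conventional install target for timer units, although `multi-user.target` does work.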
@@ -0,0 +1,17 @@
+"acme-enter-email": "{{ acme_notification_email }}"
+
+"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
+
+"acmetool-quickstart-choose-server": https://acme-v01.api.letsencrypt.org/directory
+
+"acmetool-quickstart-choose-method": "webroot"
+"acmetool-quickstart-webroot-path": "/var/run/acme/acme-challenge"
+
+"acmetool-quickstart-complete": true
+"acmetool-quickstart-install-cronjob": false
+"acmetool-quickstart-install-haproxy-script": false
+"acmetool-quickstart-install-redirector-systemd": false
+
+"acmetool-quickstart-key-type": ecdsa
+"acmetool-quickstart-rsa-key-size": 4096
+"acmetool-quickstart-ecdsa-curve": nistp256
diff --git a/files/restart b/files/restart
new file mode 100644
index 0000000..420f18b
--- /dev/null
+++ b/files/restart
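Review bot: `acmetool-quickstart-choose-server` pins the ACMEv1 directory `https://acme-v01.api.letsencrypt.org/directory`, an endpoint Let's Encrypt has deprecated and no longer accepts new account registrations on, so a freshly provisioned host fails at quickstart. The replacement is `https://acme-v02.api.letsencrypt.org/directory`, which needs an acmetool release with ACMEv2 support — confirm what the distribution package installs before changing it. The `acme-agreement:` key is likewise pinned to one subscriber-agreement URL; when the CA publishes a new one the key stops matching and quickstart is left with an unanswered prompt, so a comment at the top of the template stating that both values must track the CA would help. Nothing in the role makes the web server serve `/.well-known/acme-challenge/` from the `/var/run/acme/acme-challenge` webroot chosen here, which the README should state as a precondition.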
@@ -0,0 +1,48 @@
+#!/bin/sh
+## This script is similar to the default 'reload' script by acmetool but
+## for services that need a full restart.
+
+# This file restarts services when the preferred certificate for a hostname
+# changes. A list of commonly used daemons is preconfigured. You can override
+# this list by setting $SERVICES in /etc/{default,conf.d}/acme-restart.
+#
+# Configuration options:
+# /etc/{default,conf.d}/acme-restart
+# Sourced if they exist. Specify variables here.
+# Please note that most of the time, you don't need to specify anything.
+#
+# $SERVICES
+# Space-separated list of daemons to restart.
+# Append with SERVICES="$SERVICES mydaemon".
+
+###############################################################################
+set -e
+EVENT_NAME="$1"
+[ "$EVENT_NAME" = "live-updated" ] || exit 42
+
+SERVICES=""
+[ -e "/etc/default/acme-restart" ] && . /etc/default/acme-restart
+[ -e "/etc/conf.d/acme-restart" ] && . /etc/conf.d/acme-restart
+[ -z "$ACME_STATE_DIR" ] && ACME_STATE_DIR="/var/lib/acme"
+
+# Restart services.
+if which service >/dev/null 2>/dev/null; then
+ for x in $SERVICES; do
+ service "$x" restart >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
+
+if which systemctl >/dev/null 2>/dev/null; then
+ for x in $SERVICES; do
+ [ -e "/lib/systemd/system/$x.service" -o -e "/etc/systemd/system/$x.service" ] && systemctl restart "$x.service" >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
+
+if [ -e "/etc/init.d" ]; then
+ for x in $SERVICES; do
+ /etc/init.d/$x restart >/dev/null 2>/dev/null || true
+ done
+ exit 0
+fi
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..aac2c38
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1,8 @@
+---
+
+- name: Reload systemd and enable units
+ systemd:
+ name: 'acme.timer'
+ daemon_reload: yes
+ enabled: yes
+ state: started
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..47f9a86
--- /dev/null
+++ b/tasks/main.yml
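Review bot: The header comment says a list of commonly used daemons is preconfigured, but `SERVICES=""` is empty and nothing in tasks/main.yml deploys /etc/default/acme-restart or /etc/conf.d/acme-restart, so the hook as installed restarts nothing on `live-updated`; either change the comment to say the list is empty by default or have the role template that file from a variable. The three restart loops hide every failure (`>/dev/null 2>/dev/null || true`), so a daemon that fails to restart keeps serving the old certificate with no trace; writing the failure to stderr, e.g. `service "$x" restart >/dev/null 2>&1 || echo "acme-restart: restart of $x failed" >&2`, and the same in the other two loops, costs nothing and leaves something for the hook's caller to log. `ACME_STATE_DIR` is assigned but never read and can go. `which` is not POSIX and is missing on some minimal images; `command -v service >/dev/null 2>&1` is the portable spelling for a `#!/bin/sh` script.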
@@ -0,0 +1,71 @@
+---
+
+- name: Install acmetool
+ package:
+ name: 'acmetool'
+ state: present
+ tags:
+ - installation
+
+
+- name: Install systemd units for acmetool
+ template:
+ src: 'files/{{ item }}'
+ dest: '/etc/systemd/system/{{ item }}'
+ owner: root
+ group: root
+ mode: 'u=rw,g=r,o=r'
+ with_items:
+ - 'acme.service'
+ - 'acme.timer'
+ notify:
+ - Reload systemd and enable units
+ tags:
+ - installation
+ - configuration
+ - acme
+
+
+- name: Create directory for acmetool response file
+ file:
+ name: '/var/lib/acme/conf'
+ state: directory
+ owner: root
+ group: root
+ mode: 'u=rwx,g=rx,o=rx'
+ tags:
+ - installation
+
+
+- name: Copy acmetool response file
+ template:
+ src: 'files/response-file.yml.j2'
+ dest: '/var/lib/acme/conf/responses'
+ owner: root
+ group: root
+ mode: 'u=rw,g=r,o=r'
+ tags:
+ - configuration
+ - acme
+
+
+- name: Perform acmetool quickstart
+ command: acmetool quickstart --expert
+ args:
+ creates: '/var/lib/acme/conf/target'
+ tags:
+ - configuration
+ - operation
+ - acme
+
+
+- name: Copy hook to enable acmetool to restart services
+ copy:
+ src: 'files/restart'
+ dest: '/usr/libexec/acme/hooks/'
+ owner: root
+ group: root
+ mode: 'u=rx,g=rx,o=rx'
+ tags:
+ - configuration
+ - acme
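Review bot: `command: acmetool quickstart --expert` runs without `--batch`, while the service unit in files/acme.service invokes `acmetool --batch reconcile`; quickstart is interactive by design and relies on the response file for answers, so any question it lacks an answer for (for example after the agreement URL changes) leaves acmetool waiting on a tty that Ansible does not provide. `command: acmetool --batch quickstart --expert` turns that into a fast failure instead of a hung play. The hook copy uses `dest: '/usr/libexec/acme/hooks/'` but no task ensures that directory exists, unlike the conf directory created two tasks earlier; add a `file:` task with `state: directory` for it rather than relying on the package to ship it. The two unit files contain no Jinja yet are deployed with `template` from `files/`, whereas the hook uses `copy`; using `copy` for all three is consistent and keeps Jinja away from the unit text.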