forked from ccchb/ansible
Renew Let's Encrypt certificates
This commit is contained in:
parent
7192608aee
commit
98a412c27b
9 changed files with 173 additions and 1 deletions
|
@ -43,7 +43,7 @@
|
||||||
state: directory
|
state: directory
|
||||||
owner: vmail
|
owner: vmail
|
||||||
group: vmail
|
group: vmail
|
||||||
mode: 0750
|
mode: 0755
|
||||||
|
|
||||||
- name: Create /var/spool/postfix
|
- name: Create /var/spool/postfix
|
||||||
file:
|
file:
|
||||||
|
|
|
@ -12,3 +12,6 @@
|
||||||
|
|
||||||
- name: Reload HAProxy
|
- name: Reload HAProxy
|
||||||
command: s6-svc -2 /run/service/haproxy
|
command: s6-svc -2 /run/service/haproxy
|
||||||
|
|
||||||
|
- name: Restart acme-renew
|
||||||
|
command: s6-svc -wU -T 5000 -ru /run/service/acme-renew
|
||||||
|
|
|
@ -266,3 +266,60 @@
|
||||||
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
|
creates: '/usr/local/etc/haproxy/{{ item }}.pem'
|
||||||
with_items:
|
with_items:
|
||||||
- '{{ ansible_fqdn }}'
|
- '{{ ansible_fqdn }}'
|
||||||
|
|
||||||
|
- name: Create acme.sh renew service directories
|
||||||
|
file:
|
||||||
|
path: '/etc/s6-rc/service/{{ item }}'
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
mode: 0755
|
||||||
|
with_items: '{{ acme_service_dirs }}'
|
||||||
|
notify:
|
||||||
|
- Reload s6-rc
|
||||||
|
- Restart acme-renew
|
||||||
|
|
||||||
|
- name: Generate acme.sh renew service scripts
|
||||||
|
template:
|
||||||
|
dest: '/etc/s6-rc/service/{{ item }}'
|
||||||
|
src: '{{ item }}.j2'
|
||||||
|
mode: 0555
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
with_items: '{{ acme_service_scripts }}'
|
||||||
|
notify:
|
||||||
|
- Reload s6-rc
|
||||||
|
- Restart acme-renew
|
||||||
|
|
||||||
|
- name: Generate acme.sh renew service configuration
|
||||||
|
copy:
|
||||||
|
dest: '/etc/s6-rc/service/{{ item.name }}'
|
||||||
|
content: '{{ item.content }}'
|
||||||
|
mode: 0444
|
||||||
|
owner: root
|
||||||
|
group: wheel
|
||||||
|
loop_control:
|
||||||
|
label: '{{ item.name }} = {{ item.content }}'
|
||||||
|
with_items: '{{ acme_service_config }}'
|
||||||
|
notify:
|
||||||
|
- Reload s6-rc
|
||||||
|
- Restart acme-renew
|
||||||
|
|
||||||
|
- name: Flush handlers
|
||||||
|
meta: flush_handlers
|
||||||
|
|
||||||
|
- name: Start acme renew service
|
||||||
|
command: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
|
||||||
|
register: change
|
||||||
|
changed_when: change.stdout | length > 0
|
||||||
|
|
||||||
|
- name: Enable acme-renew
|
||||||
|
lineinfile:
|
||||||
|
path: /etc/s6-rc/service/enabled/contents
|
||||||
|
regexp: "^acme-renew$"
|
||||||
|
line: "acme-renew"
|
||||||
|
notify:
|
||||||
|
- Reload s6-rc
|
||||||
|
|
||||||
|
- name: Flush handlers (again)
|
||||||
|
meta: flush_handlers
|
||||||
|
|
13
roles/haproxy/templates/acme-renew-log/finish.j2
Normal file
13
roles/haproxy/templates/acme-renew-log/finish.j2
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
#!/usr/local/bin/execlineb -S2
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
s6-envdir ./env
|
||||||
|
multisubstitute {
|
||||||
|
importas -i -u NAME NAME
|
||||||
|
}
|
||||||
|
|
||||||
|
fdmove -c 1 2
|
||||||
|
ifelse { test "${1}" -eq 0 } {
|
||||||
|
echo "${NAME}: Stopped."
|
||||||
|
}
|
||||||
|
echo "${NAME}: Failed with exit status (${1}, ${2})."
|
23
roles/haproxy/templates/acme-renew-log/run.j2
Normal file
23
roles/haproxy/templates/acme-renew-log/run.j2
Normal file
|
@ -0,0 +1,23 @@
|
||||||
|
#!/usr/local/bin/execlineb -P
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
s6-envdir ./env
|
||||||
|
multisubstitute {
|
||||||
|
importas -i -u NAME NAME
|
||||||
|
importas -i -u USER USER
|
||||||
|
importas -i -u GROUP GROUP
|
||||||
|
importas -i -u MODE MODE
|
||||||
|
importas -i -u DIR DIR
|
||||||
|
}
|
||||||
|
|
||||||
|
foreground { fdmove -c 1 2 echo "${NAME} log: Starting." }
|
||||||
|
|
||||||
|
ifelse -n { install -d -o "${USER}" -g "${GROUP}" -m "${MODE}" "$DIR" } {
|
||||||
|
foreground { fdmove -c 1 2 echo "${NAME} log: Failed to create logging directory." }
|
||||||
|
false
|
||||||
|
}
|
||||||
|
|
||||||
|
fdmove -c 2 1
|
||||||
|
|
||||||
|
s6-envuidgid $USER
|
||||||
|
s6-log -d 3 T $DIR
|
5
roles/haproxy/templates/acme-renew/data/job.j2
Normal file
5
roles/haproxy/templates/acme-renew/data/job.j2
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
#!/bin/sh
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --renew-all
|
||||||
|
sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --deploy --domain {{ ansible_fqdn }} --deploy-hook haproxy
|
14
roles/haproxy/templates/acme-renew/finish.j2
Normal file
14
roles/haproxy/templates/acme-renew/finish.j2
Normal file
|
@ -0,0 +1,14 @@
|
||||||
|
#!/usr/local/bin/execlineb -S2
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
s6-envdir ./env
|
||||||
|
multisubstitute {
|
||||||
|
importas -i -u NAME NAME
|
||||||
|
}
|
||||||
|
|
||||||
|
fdmove -c 1 2
|
||||||
|
ifelse { test "${1}" -eq 0 } {
|
||||||
|
echo "${NAME}: Stopped."
|
||||||
|
}
|
||||||
|
|
||||||
|
echo "${NAME}: Failed with exit status (${1}, ${2})."
|
12
roles/haproxy/templates/acme-renew/run.j2
Normal file
12
roles/haproxy/templates/acme-renew/run.j2
Normal file
|
@ -0,0 +1,12 @@
|
||||||
|
#!/usr/local/bin/execlineb -P
|
||||||
|
# {{ ansible_managed }}
|
||||||
|
|
||||||
|
s6-envdir ./env
|
||||||
|
multisubstitute {
|
||||||
|
importas -i -u NAME NAME
|
||||||
|
}
|
||||||
|
|
||||||
|
foreground { fdmove -c 1 2 echo "${NAME}: Starting." }
|
||||||
|
|
||||||
|
fdmove -c 2 1
|
||||||
|
snooze -v data/job
|
|
@ -12,3 +12,48 @@ haproxy_s6_templates:
|
||||||
- run
|
- run
|
||||||
- finish
|
- finish
|
||||||
- data/check
|
- data/check
|
||||||
|
|
||||||
|
acme_service_dirs:
|
||||||
|
- acme-renew
|
||||||
|
- acme-renew/env
|
||||||
|
- acme-renew/data
|
||||||
|
- acme-renew-log
|
||||||
|
- acme-renew-log/env
|
||||||
|
|
||||||
|
acme_service_scripts:
|
||||||
|
- acme-renew/run
|
||||||
|
- acme-renew/finish
|
||||||
|
- acme-renew/data/job
|
||||||
|
- acme-renew-log/run
|
||||||
|
- acme-renew-log/finish
|
||||||
|
|
||||||
|
acme_service_config:
|
||||||
|
- name: acme-renew/type
|
||||||
|
content: longrun
|
||||||
|
- name: acme-renew/dependencies
|
||||||
|
content: postfix
|
||||||
|
- name: acme-renew/env/NAME
|
||||||
|
content: acme-renew
|
||||||
|
- name: acme-renew/env/PATH
|
||||||
|
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
|
||||||
|
- name: acme-renew/producer-for
|
||||||
|
content: acme-renew-log
|
||||||
|
|
||||||
|
- name: acme-renew-log/type
|
||||||
|
content: longrun
|
||||||
|
- name: acme-renew-log/notification-fd
|
||||||
|
content: '3'
|
||||||
|
- name: acme-renew-log/consumer-for
|
||||||
|
content: acme-renew
|
||||||
|
- name: acme-renew-log/env/NAME
|
||||||
|
content: acme-renew
|
||||||
|
- name: acme-renew-log/env/PATH
|
||||||
|
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
|
||||||
|
- name: acme-renew-log/env/MODE
|
||||||
|
content: '750'
|
||||||
|
- name: acme-renew-log/env/USER
|
||||||
|
content: s6-log
|
||||||
|
- name: acme-renew-log/env/GROUP
|
||||||
|
content: s6-log
|
||||||
|
- name: acme-renew-log/env/DIR
|
||||||
|
content: /var/log/acme-renew
|
||||||
|
|
Loading…
Reference in a new issue