Renew Let's Encrypt certificates

genofire 2021-01-31 19:16:27 +01:00
parent 7192608aee
commit 98a412c27b
9 changed files with 173 additions and 1 deletions


@ -43,7 +43,7 @@
state: directory state: directory
owner: vmail owner: vmail
group: vmail group: vmail
mode: 0750 mode: 0755
- name: Create /var/spool/postfix - name: Create /var/spool/postfix
file: file:
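Review bot: The widening from `mode: 0750` to `mode: 0755` gives every local account traverse and read access to a vmail-owned directory, and neither the hunk nor the commit title says which process now needs that; a comment naming the consumer would make the change reviewable, e.g. `# 0755: <service that must traverse this directory> runs as a different user — TODO confirm`. Independently, this literal and the ones in the task hunk below (`mode: 0755`, `0555`, `0444`) are unquoted; PyYAML reads a leading-zero literal as octal so Ansible gets the right value today, but ansible-lint flags the form and a YAML 1.2 loader would read 755 decimal, so `mode: "0755"` is the safer spelling. The enclosing task begins before the hunk.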


@ -12,3 +12,6 @@
- name: Reload HAProxy - name: Reload HAProxy
command: s6-svc -2 /run/service/haproxy command: s6-svc -2 /run/service/haproxy
- name: Restart acme-renew
command: s6-svc -wU -T 5000 -ru /run/service/acme-renew
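Review bot: The new handler waits with `-wU`, i.e. for a readiness notification, but the vars hunk gives `acme-renew` no `notification-fd` file (only `acme-renew-log` has one), so the main service never signals readiness; unless the installed s6-svc downgrades -U to -u for such a service (newer releases warn and do so, I believe), the handler sits out the full 5000 ms `-T` and the play fails on every restart. `-wu` matches what the run script can actually deliver: `command: s6-svc -wu -T 5000 -ru /run/service/acme-renew`. If readiness is really wanted, the run script would have to write to a notification fd and the main service would need its own `notification-fd` entry in `acme_service_config`.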


@ -266,3 +266,60 @@
creates: '/usr/local/etc/haproxy/{{ item }}.pem' creates: '/usr/local/etc/haproxy/{{ item }}.pem'
with_items: with_items:
- '{{ ansible_fqdn }}' - '{{ ansible_fqdn }}'
- name: Create acme.sh renew service directories
file:
path: '/etc/s6-rc/service/{{ item }}'
state: directory
owner: root
group: wheel
mode: 0755
with_items: '{{ acme_service_dirs }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Generate acme.sh renew service scripts
template:
dest: '/etc/s6-rc/service/{{ item }}'
src: '{{ item }}.j2'
mode: 0555
owner: root
group: wheel
with_items: '{{ acme_service_scripts }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Generate acme.sh renew service configuration
copy:
dest: '/etc/s6-rc/service/{{ item.name }}'
content: '{{ item.content }}'
mode: 0444
owner: root
group: wheel
loop_control:
label: '{{ item.name }} = {{ item.content }}'
with_items: '{{ acme_service_config }}'
notify:
- Reload s6-rc
- Restart acme-renew
- name: Flush handlers
meta: flush_handlers
- name: Start acme renew service
command: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
register: change
changed_when: change.stdout | length > 0
- name: Enable acme-renew
lineinfile:
path: /etc/s6-rc/service/enabled/contents
regexp: "^acme-renew$"
line: "acme-renew"
notify:
- Reload s6-rc
- name: Flush handlers (again)
meta: flush_handlers
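Review bot: `label: '{{ item.name }} = {{ item.content }}'` on the configuration task prints every file's content into the play output, which is exactly where any later addition to the `env/` directories (acme.sh DNS-API credentials are the obvious candidate) would end up being logged; labelling by name alone, `label: '{{ item.name }}'`, keeps the output readable without that exposure. A second, smaller point: the "Start acme renew service" task detects change via `change.stdout | length > 0`, which only works because `fdmove -c 2 1` moves s6-rc's informational output (written to stderr) onto stdout — a comment such as `# s6-rc -v 2 reports on stderr; fdmove merges it into stdout so changed_when can see it` would spare the next reader the detour. The hunk starts inside an earlier task whose head is not shown.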


@ -0,0 +1,13 @@
#!/usr/local/bin/execlineb -S2
# {{ ansible_managed }}
s6-envdir ./env
multisubstitute {
importas -i -u NAME NAME
}
fdmove -c 1 2
ifelse { test "${1}" -eq 0 } {
echo "${NAME}: Stopped."
}
echo "${NAME}: Failed with exit status (${1}, ${2})."
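Review bot: `test "${1}" -eq 0` is the only case reported as a clean stop; under s6 a run script that dies by signal arrives here with `${1}` set to 256 and the signal number in `${2}`, so a routine `s6-svc -d` (SIGTERM) would be logged as `Failed with exit status (256, 15)` — unless snooze catches SIGTERM and exits 0, which I cannot tell from the hunk. If that is not the intent, either also treat `test "${2}" -eq 15` as a stop or record the behaviour in a comment, e.g. `# only exit 0 counts as a stop; signal deaths (incl. SIGTERM from s6-svc -d) are reported as failures`. This finish script is byte-identical to the acme-renew-log one in the later hunk; if the template task allowed a separate `src`, one shared template for both `acme_service_scripts` entries would stop the two from drifting. The file header counts 13 lines but 11 are shown, so blank lines appear to have been dropped in rendering.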


@ -0,0 +1,23 @@
#!/usr/local/bin/execlineb -P
# {{ ansible_managed }}
s6-envdir ./env
multisubstitute {
importas -i -u NAME NAME
importas -i -u USER USER
importas -i -u GROUP GROUP
importas -i -u MODE MODE
importas -i -u DIR DIR
}
foreground { fdmove -c 1 2 echo "${NAME} log: Starting." }
ifelse -n { install -d -o "${USER}" -g "${GROUP}" -m "${MODE}" "$DIR" } {
foreground { fdmove -c 1 2 echo "${NAME} log: Failed to create logging directory." }
false
}
fdmove -c 2 1
s6-envuidgid $USER
s6-log -d 3 T $DIR
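Review bot: `s6-envuidgid $USER` only exports UID/GID/GIDLIST into the environment; it does not change the process identity, and to my knowledge s6-log does not apply those variables, so the logger keeps running as root even though the script goes to the trouble of creating `$DIR` owned by `${USER}:${GROUP}` with mode `${MODE}`. `s6-setuidgid $USER` drops privileges before exec'ing s6-log, which is what the ownership setup implies was intended: replace `s6-envuidgid $USER` with `s6-setuidgid $USER`. Because the importas lines carry `-u`, USER/GROUP/MODE/DIR are already unexported, so nothing else in the script needs to change. As with the finish script, the header counts 23 lines but 18 are shown, so some lines were lost in rendering.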


@ -0,0 +1,5 @@
#!/bin/sh
# {{ ansible_managed }}
sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --renew-all
sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --deploy --domain {{ ansible_fqdn }} --deploy-hook haproxy
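Review bot: The two acme.sh calls are independent, so a failed `--renew-all` is masked by the unconditional `--deploy` that follows: the script's exit status is that of its last command, and that is all the supervisor (and the finish script's "Failed" message) ever sees. `set -e` after the shebang, or joining the two lines with `&&`, makes a renewal failure surface as a job failure. Two smaller points: `--debug` is left on permanently, so ACME request/response detail is written into the log directory on every run — reasonable while bringing the job up, but worth removing or commenting once it is stable; and the deploy step runs on every invocation whether or not anything was renewed, which, if the haproxy hook reloads HAProxy, means a reload per run, so a comment stating that this is intended would keep it from being read as an oversight.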


@ -0,0 +1,14 @@
#!/usr/local/bin/execlineb -S2
# {{ ansible_managed }}
s6-envdir ./env
multisubstitute {
importas -i -u NAME NAME
}
fdmove -c 1 2
ifelse { test "${1}" -eq 0 } {
echo "${NAME}: Stopped."
}
echo "${NAME}: Failed with exit status (${1}, ${2})."


@ -0,0 +1,12 @@
#!/usr/local/bin/execlineb -P
# {{ ansible_managed }}
s6-envdir ./env
multisubstitute {
importas -i -u NAME NAME
}
foreground { fdmove -c 1 2 echo "${NAME}: Starting." }
fdmove -c 2 1
snooze -v data/job
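Review bot: `snooze -v data/job` is invoked without any time options, so the schedule this service implements is whatever snooze's defaults are (once a day at 00:00, as I read snooze(1)), and nothing in the hunk or in the vars records that; a comment above the line such as `# snooze defaults: run data/job once a day at 00:00; pass -H/-M to change` states the intent. Without `-t <timestamp file>` a run missed while the host is down is skipped until the next slot, which is acceptable for a daily renewal check given acme.sh's own renewal window, but it belongs in the same comment so nobody later wonders why a missed run was not caught up.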


@ -12,3 +12,48 @@ haproxy_s6_templates:
- run - run
- finish - finish
- data/check - data/check
acme_service_dirs:
- acme-renew
- acme-renew/env
- acme-renew/data
- acme-renew-log
- acme-renew-log/env
acme_service_scripts:
- acme-renew/run
- acme-renew/finish
- acme-renew/data/job
- acme-renew-log/run
- acme-renew-log/finish
acme_service_config:
- name: acme-renew/type
content: longrun
- name: acme-renew/dependencies
content: postfix
- name: acme-renew/env/NAME
content: acme-renew
- name: acme-renew/env/PATH
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- name: acme-renew/producer-for
content: acme-renew-log
- name: acme-renew-log/type
content: longrun
- name: acme-renew-log/notification-fd
content: '3'
- name: acme-renew-log/consumer-for
content: acme-renew
- name: acme-renew-log/env/NAME
content: acme-renew
- name: acme-renew-log/env/PATH
content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
- name: acme-renew-log/env/MODE
content: '750'
- name: acme-renew-log/env/USER
content: s6-log
- name: acme-renew-log/env/GROUP
content: s6-log
- name: acme-renew-log/env/DIR
content: /var/log/acme-renew
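Review bot: `acme-renew/dependencies` is set to `postfix` while the job deploys to HAProxy (`--deploy-hook haproxy` in data/job) and the standalone challenge on port 8080 presumably relies on HAProxy forwarding, yet nothing on the page explains why the renew loop should wait for postfix rather than haproxy; a comment on that entry, e.g. `# acme-renew must start after postfix because <reason>`, would make the ordering reviewable. The `content:` values reach the filesystem through the copy task with no trailing newline, which is fine for s6-rc's single-value files (`type`, `notification-fd`, `producer-for`, `consumer-for`), but `dependencies` is a newline-separated list, so if a second dependency is ever needed it must be joined with a literal newline — worth a comment on the list, since the one-string representation does not make that obvious. The header counts 48 added lines but 41 are shown, so some lines were dropped in rendering.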