From e53a68a73b4e14df50006b783ab3ee15da0ecda9 Mon Sep 17 00:00:00 2001
From: Someone
Date: Fri, 4 Oct 2024 13:42:46 +0200
Subject: [PATCH] [roles/util/letsencrypt-cert] request letsencrypt-cert helper role

---
roles/util/letsencrypt-cert/defaults/main.yml | 11 +++
roles/util/letsencrypt-cert/meta/main.yml | 9 +++
roles/util/letsencrypt-cert/tasks/main.yml | 80 +++++++++++++++++++
3 files changed, 100 insertions(+)
create mode 100644 roles/util/letsencrypt-cert/defaults/main.yml
create mode 100644 roles/util/letsencrypt-cert/meta/main.yml
create mode 100644 roles/util/letsencrypt-cert/tasks/main.yml

diff --git a/roles/util/letsencrypt-cert/defaults/main.yml b/roles/util/letsencrypt-cert/defaults/main.yml
new file mode 100644
index 0000000..5e85db5
--- /dev/null
+++ b/roles/util/letsencrypt-cert/defaults/main.yml
@@ -0,0 +1,11 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+# If not overridden in inventory or as a parameter, this is the value that will be used
+#
+---
+letsencrypt_cert_domain: ""
+letsencrypt_cert_domain_alias: ""
diff --git a/roles/util/letsencrypt-cert/meta/main.yml b/roles/util/letsencrypt-cert/meta/main.yml
new file mode 100644
index 0000000..2240736
--- /dev/null
+++ b/roles/util/letsencrypt-cert/meta/main.yml
@@ -0,0 +1,9 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+#dependencies:
+# - { role: server/letsencrypt-bot }
diff --git a/roles/util/letsencrypt-cert/tasks/main.yml b/roles/util/letsencrypt-cert/tasks/main.yml
new file mode 100644
index 0000000..dfb409a
--- /dev/null
+++ b/roles/util/letsencrypt-cert/tasks/main.yml
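Review bot: The two defaults in defaults/main.yml are undocumented, and their format is not obvious from the names alone: as far as the tasks file shows, `letsencrypt_cert_domain_alias` is written verbatim after the domain on a single domains.txt line, so it presumably holds the additional names for the same certificate, space-separated. A comment above each would save the next reader a trip into the tasks, e.g. `# primary name of the certificate; when empty the whole role is a no-op` and `# further names for the same certificate, space-separated, appended to the domains.txt line as-is`. The header comment "this is the value that will be used" should then also say that an empty domain disables every task.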
@@ -0,0 +1,80 @@
+#####################################
+### someone's ansible provisioner ###
+#####################################
+# Part of: https://git.somenet.org/root/pub/somesible.git
+# 2017-2024 by someone
+#
+---
+- name: append {{letsencrypt_cert_domain}} to domains.txt
+ lineinfile:
+ line: "{{letsencrypt_cert_domain}} {{letsencrypt_cert_domain_alias}}"
+ path: "/etc/dehydrated/domains.txt"
+ mode: 0640
+ owner: "letsencrypt"
+ group: "letsencrypt"
+ changed_when: False
+ when: letsencrypt_cert_domain != ""
+
+
+- name: create domains.txt.ansible.tmp for {{letsencrypt_cert_domain}}
+ copy:
+ content: "{{letsencrypt_cert_domain}} {{letsencrypt_cert_domain_alias}}\n"
+ dest: "/etc/dehydrated/domains.txt.ansible.tmp"
+ mode: 0640
+ owner: "letsencrypt"
+ group: "letsencrypt"
+ changed_when: False
+ when: letsencrypt_cert_domain != ""
+
+
+- name: request cert for {{letsencrypt_cert_domain}}
+ shell: "/usr/bin/dehydrated -c"
+ args:
+ creates: "/etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}/cert.pem"
+ environment:
+ DOMAINS_TXT: '/etc/dehydrated/domains.txt.ansible.tmp'
+ become: true
+ become_user: "letsencrypt"
+ tags: "online"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: request cert-rsa for {{letsencrypt_cert_domain}}
+ shell: "/usr/bin/dehydrated -f /etc/dehydrated/config-rsa -c"
+ args:
+ creates: "/etc/ssl/letsencrypt-rsa/{{letsencrypt_cert_domain}}/cert.pem"
+ environment:
+ DOMAINS_TXT: '/etc/dehydrated/domains.txt.ansible.tmp'
+ become: true
+ become_user: "letsencrypt"
+ tags: "online"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: fix permissions for /etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}
+ file:
+ path: "/etc/ssl/letsencrypt/{{letsencrypt_cert_domain}}"
+ state: directory
+ recurse: yes
+ mode: "u+rwX,g+rX,o-rwx"
+ owner: "letsencrypt"
+ group: "ssl-cert"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: fix permissions for /etc/ssl/letsencrypt-rsa/{{letsencrypt_cert_domain}}
+ file:
+ path: "/etc/ssl/letsencrypt-rsa/{{letsencrypt_cert_domain}}"
+ state: directory
+ recurse: yes
+ mode: "u+rwX,g+rX,o-rwx"
+ owner: "letsencrypt"
+ group: "ssl-cert"
+ when: letsencrypt_cert_domain != ""
+
+
+- name: remove domains.txt.ansible.tmp
+ file:
+ path: "/etc/dehydrated/domains.txt.ansible.tmp"
+ state: absent
+ changed_when: False
--
2.43.0
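Review bot: The `lineinfile` task at the top of the hunk has no `regexp:`, so once a domain is in domains.txt and `letsencrypt_cert_domain_alias` later changes, a second line for the same domain is appended instead of the old one being replaced, and dehydrated will presumably keep renewing the stale alias set as well; anchoring on the domain avoids that: `regexp: "^{{ letsencrypt_cert_domain | regex_escape }}( |$)"`. The bare `mode: 0640` on that task and on the `copy` task below relies on the YAML 1.1 leading-zero octal rule; `mode: "0640"` means the same and does not depend on the parser. Both tasks also carry `changed_when: False`, so a real edit to domains.txt is never reported — worth a one-line comment if that is intentional. Finally, the `remove domains.txt.ansible.tmp` task at the end of the hunk does not run when either dehydrated task fails, leaving the tmp file behind; a `block:`/`always:` around the request-and-cleanup sequence would guarantee the removal and would also let the six identical `when: letsencrypt_cert_domain != ""` guards collapse into one.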