aboutsummaryrefslogtreecommitdiffstats
path: root/roles/acme
diff options
context:
space:
mode:
authorRomain Gonçalves <me@rgoncalves.se>2023-01-14 15:56:48 +0100
committerRomain Gonçalves <me@rgoncalves.se>2023-04-02 11:45:09 +0200
commit5582074f59640eaad0b879c7c3b45bc3b0beefc8 (patch)
tree8100f01f64a4e762d96db2ff7b68c6585a6dbec8 /roles/acme
parent28332d389dd3644aeb3973d4ca472820f6b45b07 (diff)
downloadrules-5582074f59640eaad0b879c7c3b45bc3b0beefc8.tar.gz
feat(roles/acme): add argument specs
Diffstat (limited to 'roles/acme')
-rw-r--r--roles/acme/defaults/main.yml10
-rw-r--r--roles/acme/meta/main.yml53
-rw-r--r--roles/acme/tasks/main.yml19
-rw-r--r--roles/acme/templates/acme-client.conf.j227
4 files changed, 80 insertions, 29 deletions
diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml
index 66ca704..cd713c6 100644
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -1,6 +1,10 @@
---
-acme_rules: {}
-
acme_configuration_file: /etc/acme-client.conf
-acme_domain_name: null
+acme_certificates_dir: /etc/ssl
+acme_keys_dir: /etc/ssl/private
+
+acme_authority:
+ name: letsencrypt
+ url: https://acme-v02.api.letsencrypt.org/directory
+ key: /etc/acme/letsencrypt-privkey.pem
diff --git a/roles/acme/meta/main.yml b/roles/acme/meta/main.yml
new file mode 100644
index 0000000..924fd90
--- /dev/null
+++ b/roles/acme/meta/main.yml
@@ -0,0 +1,53 @@
+---
+
+argument_specs:
+ main:
+ short_description: acme main entrypoint.
+ options:
+
+ acme_rules:
+ type: list
+ elements: dict
+ required: true
+ options:
+ domain:
+ type: str
+ required: true
+ description: Acme domain name
+
+ acme_authority:
+ type: dict
+ required: true
+ options:
+ name:
+ type: str
+ required: true
+ description: Acme authority name
+ url:
+ type: str
+ required: true
+ description: Acme authority api url
+ key:
+ type: path
+ required: true
+ description: Acme authority key file
+
+ acme_certificates_dir:
+ type: path
+ required: true
+ description: Acme certificates directory
+
+ acme_keys_dir:
+ type: path
+ required: true
+ description: Acme keys directory
+
+ acme_configuration_file:
+ type: path
+ required: true
+ description: Acme configuration file
+
+ relayd_connected_hosts:
+ type: str
+ required: true
+ description: Group name of hosts for generating certificates
diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml
index f2d4ba3..c068ab5 100644
--- a/roles/acme/tasks/main.yml
+++ b/roles/acme/tasks/main.yml
@@ -8,23 +8,24 @@
group: 0
mode: "0644"
-- name: retrieve enabled domains # noqa: no-changed-when
+- name: retrieve enabled domains
ansible.builtin.shell: |
set -o pipefail
grep "^domain" /etc/acme-client.conf | cut -d " " -f 2
- register: subdomains
+ register: acme_result_subdomains
+ changed_when: false
-- name: generate acme certificates # noqa: no-changed-when
+- name: generate acme certificates
ansible.builtin.command: acme-client -v {{ item }}
- loop: "{{ subdomains.stdout_lines }}"
+ loop: "{{ acme_result_subdomains.stdout_lines }}"
register: acme_result_generation
- failed_when:
- - acme_result_generation.rc != 0
- - "'certificate valid' not in acme_result_generation.stderr"
+ failed_when: acme_result_generation.rc == 1
+ changed_when: acme_result_generation.rc != 2
- name: display registered certificates
ansible.builtin.debug:
- msg: "{{ acme_result_generation.results | map(attribute='stderr') }}"
+ msg: "{{ acme_result_generation.results | map(attribute='stderr')
+ | join('\n') }}"
- name: enable automatic acme certificates update
ansible.builtin.cron:
@@ -32,4 +33,4 @@
minute: 0
hour: 6,18
job: "acme-client -v {{ item }} && rcctl reload relayd"
- loop: "{{ subdomains.stdout_lines }}"
+ loop: "{{ acme_result_subdomains.stdout_lines }}"
diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2
index 583c3d5..a6516c6 100644
--- a/roles/acme/templates/acme-client.conf.j2
+++ b/roles/acme/templates/acme-client.conf.j2
@@ -1,26 +1,19 @@
# managed by Ansible
{% import 'macros.j2' as macros with context %}
-authority letsencrypt {
- api url "https://acme-v02.api.letsencrypt.org/directory"
- account key "/etc/acme/letsencrypt-privkey.pem"
+authority {{ acme_authority.name }} {
+ api url "{{ acme_authority.url }}"
+ account key "{{ acme_authority.key }}"
}
-domain {{ acme_domain_name }} {
- alternative names { www.{{ acme_domain_name }} }
- domain key "/etc/ssl/private/{{ acme_domain_name }}.key"
- domain full chain certificate "/etc/ssl/{{ acme_domain_name }}.crt"
- sign with letsencrypt
-}
+{% call(h) macros.loop_valid_hosts(relayd_connected_hosts) -%}
+{% for rule in h.acme_rules %}
-{% call(h) macros.loop_valid_hosts("servers") -%}
-{% for name, rules in h.acme_rules.items() if rules.domain is defined %}
-domain {{ rules.domain }}.{{ acme_domain_name }} {
- {% set domain = rules.domain ~ "." ~ acme_domain_name %}
- alternative names { www.{{ domain }} }
- domain key "/etc/ssl/private/{{ domain }}.key"
- domain full chain certificate "/etc/ssl/{{ domain }}.crt"
- sign with letsencrypt
+domain {{ rule.domain }} {
+ alternative names { www.{{ rule.domain }} }
+ domain key "{{ acme_keys_dir }}/{{ rule.domain }}.key"
+ domain full chain certificate "{{ acme_certificates_dir }}/{{ rule.domain }}.crt"
+ sign with {{ acme_authority.name }}
}
{% endfor %}
{%- endcall %}
remember that computers suck.