From de3373e97d133e0ac76fb44deb5dea27c18d8815 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Romain=20Gon=C3=A7alves?= Date: Sat, 11 Dec 2021 18:50:33 +0000 Subject: roles: Add pf and relayd roles for domain controller --- roles/acme/defaults/main.yml | 2 ++ roles/acme/tasks/main.yml | 31 +++++++++++++++++++++++++++++++ roles/acme/templates/acme-client.conf.j2 | 26 ++++++++++++++++++++++++++ 3 files changed, 59 insertions(+) create mode 100644 roles/acme/defaults/main.yml create mode 100644 roles/acme/tasks/main.yml create mode 100644 roles/acme/templates/acme-client.conf.j2 (limited to 'roles/acme') diff --git a/roles/acme/defaults/main.yml b/roles/acme/defaults/main.yml new file mode 100644 index 0000000..80c091a --- /dev/null +++ b/roles/acme/defaults/main.yml @@ -0,0 +1,2 @@ +acme_configuration_file: /etc/acme-client.conf +acme_domain_name: null diff --git a/roles/acme/tasks/main.yml b/roles/acme/tasks/main.yml new file mode 100644 index 0000000..aad4342 --- /dev/null +++ b/roles/acme/tasks/main.yml @@ -0,0 +1,31 @@ +- name: generate acme-client configuration + template: + src: acme-client.conf.j2 + dest: "{{ acme_configuration_file }}" + owner: 0 + group: 0 + mode: 0644 + +- name: retrieve enabled domains + shell: grep "^domain" /etc/acme-client.conf | cut -d " " -f 2 + register: subdomains + +- name: generate acme certificates + command: acme-client -v {{ item }} + loop: "{{ subdomains.stdout_lines }}" + register: result + failed_when: + - result.rc != 0 + - "'certificate valid' not in result.stderr" + +- name: display registered certificates + debug: + var: result + +- name: enable automatic acme certificates update + cron: + name: "automatic acme certificates update for subdomain : {{ item }}" + minute: 0 + hour: 6,18 + job: "acme-client -v {{ item }} && rcctl reload relayd" + loop: "{{ subdomains.stdout_lines }}" diff --git a/roles/acme/templates/acme-client.conf.j2 b/roles/acme/templates/acme-client.conf.j2 new file mode 100644 index 0000000..3792009 --- /dev/null +++ b/roles/acme/templates/acme-client.conf.j2 @@ -0,0 +1,26 @@ +# managed by Ansible +{% import 'macros.j2' as macros with context %} + +authority letsencrypt { + api url "https://acme-v02.api.letsencrypt.org/directory" + account key "/etc/acme/letsencrypt-privkey.pem" +} + +domain {{ acme_domain_name }} { + alternative names { www.{{ acme_domain_name }} } + domain key "/etc/ssl/private/{{ acme_domain_name }}.key" + domain full chain certificate "/etc/ssl/{{ acme_domain_name }}.crt" + sign with letsencrypt +} + +{% call(h) macros.loop_valid_hosts("servers") -%} +{% for service in h.__services if service.domain is defined %} +domain {{ service.domain }}.{{ acme_domain_name }} { + {% set domain = service.domain ~ "." ~ acme_domain_name %} + alternative names { www.{{ domain }} } + domain key "/etc/ssl/private/{{ domain }}.key" + domain full chain certificate "/etc/ssl/{{ domain }}.crt" + sign with letsencrypt +} +{% endfor %} +{%- endcall %} -- cgit v1.2.3