Merge pull request 'import-dehydrated-role' (#9) from dkdent/netz39-infra-ansible:import-dehydrated-role into master
This commit is contained in:
commit
8af3743fc6
9 changed files with 2 additions and 346 deletions
|
@ -3,3 +3,5 @@
|
|||
version: v1.9.0
|
||||
- src: git+https://github.com/adriagalin/ansible.timezone.git
|
||||
version: 3.0.0
|
||||
- src: git+https://github.com/24367dfa/ansible-role-dehydrated.git
|
||||
version: 1.0.0
|
|
@ -1,20 +0,0 @@
|
|||
# Dehydrated
|
||||
|
||||
Ansible role to configure dehydrated
|
||||
|
||||
## Usage
|
||||
|
||||
```yaml
|
||||
vars:
|
||||
dehydrated_force_update: True
|
||||
dehydrated_domains:
|
||||
- name: example.com
|
||||
alternate_names:
|
||||
- www.example.com
|
||||
- web.example.com
|
||||
deploy_challenge_hook: printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
|
||||
clean_challenge_hook: printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
|
||||
|
||||
roles:
|
||||
- role: dehydrated
|
||||
```
|
|
@ -1,9 +0,0 @@
|
|||
---
|
||||
dehydrated_version: "v0.7.0"
|
||||
dehydrated_contact_email: ""
|
||||
dehydrated_location: "/usr/local/share/dehydrated"
|
||||
dehydrated_binary: "/usr/local/bin/dehydrated"
|
||||
dehydrated_config_dir: "/usr/local/etc/dehydrated"
|
||||
dehydrated_certs_dir: "{{ dehydrated_config_dir }}/certs"
|
||||
dehydrated_wellknown_dir: "{{ dehydrated_config_dir }}/challenge"
|
||||
dehydrated_domains:
|
|
@ -1,7 +0,0 @@
|
|||
---
|
||||
- name: dehydrated register
|
||||
command: "{{ dehydrated_binary }} --register --accept-terms"
|
||||
|
||||
- name: dehydrated run
|
||||
command: "{{ dehydrated_binary }} --cron"
|
||||
when: dehydrated_force_update|default(False)|bool
|
|
@ -1,19 +0,0 @@
|
|||
---
|
||||
- name: Ensure domain directories are present.
|
||||
file:
|
||||
name: "{{ dehydrated_certs_dir }}/{{ item.name }}"
|
||||
state: directory
|
||||
with_items: "{{ dehydrated_domains }}"
|
||||
|
||||
- name: Render hook script templates.
|
||||
template:
|
||||
src: hook.sh.j2
|
||||
dest: "{{ dehydrated_certs_dir }}/{{ item.name }}/hook.sh"
|
||||
with_items: "{{ dehydrated_domains }}"
|
||||
|
||||
- name: Ensure Domains are in domains.txt
|
||||
lineinfile:
|
||||
path: "{{ dehydrated_config_dir }}/domains.txt"
|
||||
line: "{{ item.name }}{% if 'alternate_names' in item %}{% for an in item.alternate_names %} {{ an|default(omit) }}{% endfor %}{% endif %}"
|
||||
with_items: "{{ dehydrated_domains }}"
|
||||
notify: dehydrated run
|
|
@ -1,52 +0,0 @@
|
|||
---
|
||||
- name: Gather package facts.
|
||||
package_facts:
|
||||
manager: "auto"
|
||||
|
||||
- name: Ensure git and curl are installed.
|
||||
package:
|
||||
name:
|
||||
- git
|
||||
- curl
|
||||
state: present
|
||||
|
||||
- name: Clone dehydrated repo.
|
||||
git:
|
||||
repo: 'https://github.com/dehydrated-io/dehydrated.git'
|
||||
dest: "{{ dehydrated_location }}"
|
||||
version: "{{ dehydrated_version }}"
|
||||
|
||||
- name: Ensure dehydrated symlink is present.
|
||||
file:
|
||||
src: "{{ dehydrated_location }}/dehydrated"
|
||||
dest: "{{ dehydrated_binary }}"
|
||||
state: link
|
||||
|
||||
- name: Ensure config directory is present.
|
||||
file:
|
||||
path: "{{ dehydrated_config_dir }}"
|
||||
state: directory
|
||||
mode: "0711"
|
||||
|
||||
- name: Ensure wellknown directory is present.
|
||||
file:
|
||||
path: "{{ dehydrated_wellknown_dir }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Ensure certs directory is present.
|
||||
file:
|
||||
path: "{{ dehydrated_certs_dir }}"
|
||||
state: directory
|
||||
mode: "0700"
|
||||
|
||||
- name: Ensure domains.txt is present.
|
||||
file:
|
||||
path: "{{ dehydrated_config_dir }}/domains.txt"
|
||||
state: touch
|
||||
|
||||
- name: Ensure config is present.
|
||||
template:
|
||||
src: config.j2
|
||||
dest: "{{ dehydrated_config_dir }}/config"
|
||||
notify: dehydrated register
|
|
@ -1,4 +0,0 @@
|
|||
---
|
||||
- include_tasks: install.yml
|
||||
- include_tasks: domains.yml
|
||||
when: dehydrated_domains is iterable
|
|
@ -1,2 +0,0 @@
|
|||
WELLKNOWN={{ dehydrated_wellknown_dir }}
|
||||
CONTACT_EMAIL={{ dehydrated_contact_email }}
|
|
@ -1,233 +0,0 @@
|
|||
#!/usr/bin/env bash
|
||||
|
||||
# This Script is copied from https://github.com/dehydrated-io/dehydrated/blob/v0.7.0/docs/examples/hook.sh
|
||||
# and modified to accept per domain hooks as item.*_hook when using ansible.template
|
||||
|
||||
deploy_challenge() {
|
||||
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
|
||||
|
||||
# This hook is called once for every domain that needs to be
|
||||
# validated, including any alternative names you may have listed.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The domain name (CN or subject alternative name) being
|
||||
# validated.
|
||||
# - TOKEN_FILENAME
|
||||
# The name of the file containing the token to be served for HTTP
|
||||
# validation. Should be served by your web server as
|
||||
# /.well-known/acme-challenge/${TOKEN_FILENAME}.
|
||||
# - TOKEN_VALUE
|
||||
# The token value that needs to be served for validation. For DNS
|
||||
# validation, this is what you want to put in the _acme-challenge
|
||||
# TXT record. For HTTP validation it is the value that is expected
|
||||
# be found in the $TOKEN_FILENAME file.
|
||||
|
||||
# Simple example: Use nsupdate with local named
|
||||
# printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
|
||||
{{ item.deploy_challenge_hook|default("") }}
|
||||
}
|
||||
|
||||
clean_challenge() {
|
||||
local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
|
||||
|
||||
# This hook is called after attempting to validate each domain,
|
||||
# whether or not validation was successful. Here you can delete
|
||||
# files or DNS records that are no longer needed.
|
||||
#
|
||||
# The parameters are the same as for deploy_challenge.
|
||||
|
||||
# Simple example: Use nsupdate with local named
|
||||
# printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
|
||||
{{ item.clean_challenge_hook|default("") }}
|
||||
}
|
||||
|
||||
sync_cert() {
|
||||
local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
|
||||
|
||||
# This hook is called after the certificates have been created but before
|
||||
# they are symlinked. This allows you to sync the files to disk to prevent
|
||||
# creating a symlink to empty files on unexpected system crashes.
|
||||
#
|
||||
# This hook is not intended to be used for further processing of certificate
|
||||
# files, see deploy_cert for that.
|
||||
#
|
||||
# Parameters:
|
||||
# - KEYFILE
|
||||
# The path of the file containing the private key.
|
||||
# - CERTFILE
|
||||
# The path of the file containing the signed certificate.
|
||||
# - FULLCHAINFILE
|
||||
# The path of the file containing the full certificate chain.
|
||||
# - CHAINFILE
|
||||
# The path of the file containing the intermediate certificate(s).
|
||||
# - REQUESTFILE
|
||||
# The path of the file containing the certificate signing request.
|
||||
|
||||
# Simple example: sync the files before symlinking them
|
||||
# sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
|
||||
{{ item.sync_cert_hook|default("") }}
|
||||
}
|
||||
|
||||
deploy_cert() {
|
||||
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
|
||||
|
||||
# This hook is called once for each certificate that has been
|
||||
# produced. Here you might, for instance, copy your new certificates
|
||||
# to service-specific locations and reload the service.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The primary domain name, i.e. the certificate common
|
||||
# name (CN).
|
||||
# - KEYFILE
|
||||
# The path of the file containing the private key.
|
||||
# - CERTFILE
|
||||
# The path of the file containing the signed certificate.
|
||||
# - FULLCHAINFILE
|
||||
# The path of the file containing the full certificate chain.
|
||||
# - CHAINFILE
|
||||
# The path of the file containing the intermediate certificate(s).
|
||||
# - TIMESTAMP
|
||||
# Timestamp when the specified certificate was created.
|
||||
|
||||
# Simple example: Copy file to nginx config
|
||||
# cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
|
||||
# systemctl reload nginx
|
||||
{{ item.deploy_cert_hook|default("") }}
|
||||
}
|
||||
|
||||
deploy_ocsp() {
|
||||
local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
|
||||
|
||||
# This hook is called once for each updated ocsp stapling file that has
|
||||
# been produced. Here you might, for instance, copy your new ocsp stapling
|
||||
# files to service-specific locations and reload the service.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The primary domain name, i.e. the certificate common
|
||||
# name (CN).
|
||||
# - OCSPFILE
|
||||
# The path of the ocsp stapling file
|
||||
# - TIMESTAMP
|
||||
# Timestamp when the specified ocsp stapling file was created.
|
||||
|
||||
# Simple example: Copy file to nginx config
|
||||
# cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
|
||||
# systemctl reload nginx
|
||||
{{ item.deploy_ocsp_hook|default("") }}
|
||||
}
|
||||
|
||||
|
||||
unchanged_cert() {
|
||||
local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
|
||||
|
||||
# This hook is called once for each certificate that is still
|
||||
# valid and therefore wasn't reissued.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The primary domain name, i.e. the certificate common
|
||||
# name (CN).
|
||||
# - KEYFILE
|
||||
# The path of the file containing the private key.
|
||||
# - CERTFILE
|
||||
# The path of the file containing the signed certificate.
|
||||
# - FULLCHAINFILE
|
||||
# The path of the file containing the full certificate chain.
|
||||
# - CHAINFILE
|
||||
# The path of the file containing the intermediate certificate(s).
|
||||
{{ item.unchanged_cert_hook|default("") }}
|
||||
}
|
||||
|
||||
invalid_challenge() {
|
||||
local DOMAIN="${1}" RESPONSE="${2}"
|
||||
|
||||
# This hook is called if the challenge response has failed, so domain
|
||||
# owners can be aware and act accordingly.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The primary domain name, i.e. the certificate common
|
||||
# name (CN).
|
||||
# - RESPONSE
|
||||
# The response that the verification server returned
|
||||
|
||||
# Simple example: Send mail to root
|
||||
# printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
|
||||
{{ item.invalid_challenge_hook|default("") }}
|
||||
}
|
||||
|
||||
request_failure() {
|
||||
local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
|
||||
|
||||
# This hook is called when an HTTP request fails (e.g., when the ACME
|
||||
# server is busy, returns an error, etc). It will be called upon any
|
||||
# response code that does not start with '2'. Useful to alert admins
|
||||
# about problems with requests.
|
||||
#
|
||||
# Parameters:
|
||||
# - STATUSCODE
|
||||
# The HTML status code that originated the error.
|
||||
# - REASON
|
||||
# The specified reason for the error.
|
||||
# - REQTYPE
|
||||
# The kind of request that was made (GET, POST...)
|
||||
# - HEADERS
|
||||
# HTTP headers returned by the CA
|
||||
|
||||
# Simple example: Send mail to root
|
||||
# printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
|
||||
{{ item.request_failure_hook|default("") }}
|
||||
}
|
||||
|
||||
generate_csr() {
|
||||
local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
|
||||
|
||||
# This hook is called before any certificate signing operation takes place.
|
||||
# It can be used to generate or fetch a certificate signing request with external
|
||||
# tools.
|
||||
# The output should be just the certificate signing request formatted as PEM.
|
||||
#
|
||||
# Parameters:
|
||||
# - DOMAIN
|
||||
# The primary domain as specified in domains.txt. This does not need to
|
||||
# match with the domains in the CSR, it's basically just the directory name.
|
||||
# - CERTDIR
|
||||
# Certificate output directory for this particular certificate. Can be used
|
||||
# for storing additional files.
|
||||
# - ALTNAMES
|
||||
# All domain names for the current certificate as specified in domains.txt.
|
||||
# Again, this doesn't need to match with the CSR, it's just there for convenience.
|
||||
|
||||
# Simple example: Look for pre-generated CSRs
|
||||
# if [ -e "${CERTDIR}/pre-generated.csr" ]; then
|
||||
# cat "${CERTDIR}/pre-generated.csr"
|
||||
# fi
|
||||
{{ item.startup_hook|default("") }}
|
||||
|
||||
}
|
||||
|
||||
startup_hook() {
|
||||
# This hook is called before the cron command to do some initial tasks
|
||||
# (e.g. starting a webserver).
|
||||
{{ item.startup_hook|default("") }}
|
||||
:
|
||||
}
|
||||
|
||||
exit_hook() {
|
||||
local ERROR="${1:-}"
|
||||
# This hook is called at the end of the cron command and can be used to
|
||||
# do some final (cleanup or other) tasks.
|
||||
#
|
||||
# Parameters:
|
||||
# - ERROR
|
||||
# Contains error message if dehydrated exits with error
|
||||
{{ item.exit_hook|default("") }}
|
||||
}
|
||||
|
||||
HANDLER="$1"; shift
|
||||
if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
|
||||
"$HANDLER" "$@"
|
||||
fi
|
Loading…
Reference in a new issue