From 90051fd68ad04582d444ac7cbb44a87b7d2e495c Mon Sep 17 00:00:00 2001
From: David Kilias
Date: Sun, 7 Mar 2021 20:22:37 +0100
Subject: [PATCH 1/2] add dehydrated role to requirements
---
 requirements.yml | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/requirements.yml b/requirements.yml
index 0e5a058..83440c2 100644
--- a/requirements.yml
+++ b/requirements.yml
@@ -3,3 +3,5 @@ version: v1.9.0
 - src: git+https://github.com/adriagalin/ansible.timezone.git
 version: 3.0.0
+- src: git+https://github.com/24367dfa/ansible-role-dehydrated.git
+ version: 1.0.0
\ No newline at end of file
From b687eac43ea6c5d9d9757b776c3a1ee37b821496 Mon Sep 17 00:00:00 2001
From: David Kilias
Date: Sun, 7 Mar 2021 20:31:34 +0100
Subject: [PATCH 2/2] remove local dehydrated role
---
 roles/dehydrated/README.md | 20 ---
 roles/dehydrated/defaults/main.yml | 9 -
 roles/dehydrated/handlers/main.yml | 7 -
 roles/dehydrated/tasks/domains.yml | 19 ---
 roles/dehydrated/tasks/install.yml | 52 ------
 roles/dehydrated/tasks/main.yml | 4 -
 roles/dehydrated/templates/config.j2 | 2 -
 roles/dehydrated/templates/hook.sh.j2 | 233 --------------------------
 8 files changed, 346 deletions(-)
 delete mode 100644 roles/dehydrated/README.md
 delete mode 100644 roles/dehydrated/defaults/main.yml
 delete mode 100644 roles/dehydrated/handlers/main.yml
 delete mode 100644 roles/dehydrated/tasks/domains.yml
 delete mode 100644 roles/dehydrated/tasks/install.yml
 delete mode 100644 roles/dehydrated/tasks/main.yml
 delete mode 100644 roles/dehydrated/templates/config.j2
 delete mode 100644 roles/dehydrated/templates/hook.sh.j2
diff --git a/roles/dehydrated/README.md b/roles/dehydrated/README.md
deleted file mode 100644
index ada63a9..0000000
--- a/roles/dehydrated/README.md
+++ /dev/null
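Review bot: The new requirements entry pins the external dehydrated role with `version: 1.0.0`, which, like the two entries above it, is a git tag rather than an immutable ref; a tag can be moved or re-pushed upstream, so the pin does not guarantee that every `ansible-galaxy install` fetches the same role content. Since the `version` field of a git source also accepts a commit hash, pinning `version: <commit-sha-of-the-1.0.0-tag>` (placeholder, look it up at install time) would make the install reproducible, and the role should be reviewed at that ref before it is trusted to run tasks on managed hosts. The hunk also ends with `\ No newline at end of file`; adding the trailing newline avoids a spurious diff the next time an entry is appended. Because PATCH 2/2 deletes the local `roles/dehydrated`, the playbooks' role references presumably now resolve to this galaxy-installed role, so it is worth confirming that its variable names match what the playbooks still set (the old role used `dehydrated_domains`, `dehydrated_force_update` and per-domain `*_hook` keys).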
@@ -1,20 +0,0 @@ -# Dehydrated - -Ansible role to configure dehydrated - -## Usage - -```yaml -vars: - dehydrated_force_update: True - dehydrated_domains: - - name: example.com - alternate_names: - - www.example.com - - web.example.com - deploy_challenge_hook: printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key - clean_challenge_hook: printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key - -roles: - - role: dehydrated -``` \ No newline at end of file diff --git a/roles/dehydrated/defaults/main.yml b/roles/dehydrated/defaults/main.yml deleted file mode 100644 index 41442df..0000000 --- a/roles/dehydrated/defaults/main.yml +++ /dev/null @@ -1,9 +0,0 @@ ---- -dehydrated_version: "v0.7.0" -dehydrated_contact_email: "" -dehydrated_location: "/usr/local/share/dehydrated" -dehydrated_binary: "/usr/local/bin/dehydrated" -dehydrated_config_dir: "/usr/local/etc/dehydrated" -dehydrated_certs_dir: "{{ dehydrated_config_dir }}/certs" -dehydrated_wellknown_dir: "{{ dehydrated_config_dir }}/challenge" -dehydrated_domains: \ No newline at end of file diff --git a/roles/dehydrated/handlers/main.yml b/roles/dehydrated/handlers/main.yml deleted file mode 100644 index 5a55b3a..0000000 --- a/roles/dehydrated/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: dehydrated register - command: "{{ dehydrated_binary }} --register --accept-terms" - -- name: dehydrated run - command: "{{ dehydrated_binary }} --cron" - when: dehydrated_force_update|default(False)|bool \ No newline at end of file diff --git a/roles/dehydrated/tasks/domains.yml b/roles/dehydrated/tasks/domains.yml deleted file mode 100644 index aa020d4..0000000 --- a/roles/dehydrated/tasks/domains.yml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -- name: Ensure domain directories are present. - file: - name: "{{ dehydrated_certs_dir }}/{{ item.name }}" - state: directory - with_items: "{{ dehydrated_domains }}" - -- name: Render hook script templates. - template: - src: hook.sh.j2 - dest: "{{ dehydrated_certs_dir }}/{{ item.name }}/hook.sh" - with_items: "{{ dehydrated_domains }}" - -- name: Ensure Domains are in domains.txt - lineinfile: - path: "{{ dehydrated_config_dir }}/domains.txt" - line: "{{ item.name }}{% if 'alternate_names' in item %}{% for an in item.alternate_names %} {{ an|default(omit) }}{% endfor %}{% endif %}" - with_items: "{{ dehydrated_domains }}" - notify: dehydrated run \ No newline at end of file diff --git a/roles/dehydrated/tasks/install.yml b/roles/dehydrated/tasks/install.yml deleted file mode 100644 index b1e2065..0000000 --- a/roles/dehydrated/tasks/install.yml +++ /dev/null 
@@ -1,52 +0,0 @@ ---- -- name: Gather package facts. - package_facts: - manager: "auto" - -- name: Ensure git and curl are installed. - package: - name: - - git - - curl - state: present - -- name: Clone dehydrated repo. - git: - repo: 'https://github.com/dehydrated-io/dehydrated.git' - dest: "{{ dehydrated_location }}" - version: "{{ dehydrated_version }}" - -- name: Ensure dehydrated symlink is present. - file: - src: "{{ dehydrated_location }}/dehydrated" - dest: "{{ dehydrated_binary }}" - state: link - -- name: Ensure config directory is present. - file: - path: "{{ dehydrated_config_dir }}" - state: directory - mode: "0711" - -- name: Ensure wellknown directory is present. - file: - path: "{{ dehydrated_wellknown_dir }}" - state: directory - mode: "0755" - -- name: Ensure certs directory is present. - file: - path: "{{ dehydrated_certs_dir }}" - state: directory - mode: "0700" - -- name: Ensure domains.txt is present. - file: - path: "{{ dehydrated_config_dir }}/domains.txt" - state: touch - -- name: Ensure config is present. - template: - src: config.j2 - dest: "{{ dehydrated_config_dir }}/config" - notify: dehydrated register \ No newline at end of file diff --git a/roles/dehydrated/tasks/main.yml b/roles/dehydrated/tasks/main.yml deleted file mode 100644 index f440275..0000000 --- a/roles/dehydrated/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- include_tasks: install.yml -- include_tasks: domains.yml - when: dehydrated_domains is iterable \ No newline at end of file diff --git a/roles/dehydrated/templates/config.j2 b/roles/dehydrated/templates/config.j2 deleted file mode 100644 index 113d8dc..0000000 --- a/roles/dehydrated/templates/config.j2 +++ /dev/null @@ -1,2 +0,0 @@ -WELLKNOWN={{ dehydrated_wellknown_dir }} -CONTACT_EMAIL={{ dehydrated_contact_email }} diff --git a/roles/dehydrated/templates/hook.sh.j2 b/roles/dehydrated/templates/hook.sh.j2 deleted file mode 100644 index ebd8bbd..0000000 
--- a/roles/dehydrated/templates/hook.sh.j2 +++ /dev/null 
@@ -1,233 +0,0 @@ -#!/usr/bin/env bash - -# This Script is copied from https://github.com/dehydrated-io/dehydrated/blob/v0.7.0/docs/examples/hook.sh -# and modified to accept per domain hooks as item.*_hook when using ansible.template - -deploy_challenge() { - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - - # This hook is called once for every domain that needs to be - # validated, including any alternative names you may have listed. - # - # Parameters: - # - DOMAIN - # The domain name (CN or subject alternative name) being - # validated. - # - TOKEN_FILENAME - # The name of the file containing the token to be served for HTTP - # validation. Should be served by your web server as - # /.well-known/acme-challenge/${TOKEN_FILENAME}. - # - TOKEN_VALUE - # The token value that needs to be served for validation. For DNS - # validation, this is what you want to put in the _acme-challenge - # TXT record. For HTTP validation it is the value that is expected - # be found in the $TOKEN_FILENAME file. - - # Simple example: Use nsupdate with local named - # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key - {{ item.deploy_challenge_hook|default("") }} -} - -clean_challenge() { - local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}" - - # This hook is called after attempting to validate each domain, - # whether or not validation was successful. Here you can delete - # files or DNS records that are no longer needed. - # - # The parameters are the same as for deploy_challenge. 
- - # Simple example: Use nsupdate with local named - # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key - {{ item.clean_challenge_hook|default("") }} -} - -sync_cert() { - local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}" - - # This hook is called after the certificates have been created but before - # they are symlinked. This allows you to sync the files to disk to prevent - # creating a symlink to empty files on unexpected system crashes. - # - # This hook is not intended to be used for further processing of certificate - # files, see deploy_cert for that. - # - # Parameters: - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - REQUESTFILE - # The path of the file containing the certificate signing request. - - # Simple example: sync the files before symlinking them - # sync "${KEYFILE}" "${CERTFILE}" "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}" - {{ item.sync_cert_hook|default("") }} -} - -deploy_cert() { - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}" - - # This hook is called once for each certificate that has been - # produced. Here you might, for instance, copy your new certificates - # to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. 
- # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - # - TIMESTAMP - # Timestamp when the specified certificate was created. - - # Simple example: Copy file to nginx config - # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl - # systemctl reload nginx - {{ item.deploy_cert_hook|default("") }} -} - -deploy_ocsp() { - local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}" - - # This hook is called once for each updated ocsp stapling file that has - # been produced. Here you might, for instance, copy your new ocsp stapling - # files to service-specific locations and reload the service. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - OCSPFILE - # The path of the ocsp stapling file - # - TIMESTAMP - # Timestamp when the specified ocsp stapling file was created. - - # Simple example: Copy file to nginx config - # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl - # systemctl reload nginx - {{ item.deploy_ocsp_hook|default("") }} -} - - -unchanged_cert() { - local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" - - # This hook is called once for each certificate that is still - # valid and therefore wasn't reissued. - # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - KEYFILE - # The path of the file containing the private key. - # - CERTFILE - # The path of the file containing the signed certificate. - # - FULLCHAINFILE - # The path of the file containing the full certificate chain. - # - CHAINFILE - # The path of the file containing the intermediate certificate(s). - {{ item.unchanged_cert_hook|default("") }} -} - -invalid_challenge() { - local DOMAIN="${1}" RESPONSE="${2}" - - # This hook is called if the challenge response has failed, so domain - # owners can be aware and act accordingly. 
- # - # Parameters: - # - DOMAIN - # The primary domain name, i.e. the certificate common - # name (CN). - # - RESPONSE - # The response that the verification server returned - - # Simple example: Send mail to root - # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root - {{ item.invalid_challenge_hook|default("") }} -} - -request_failure() { - local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}" - - # This hook is called when an HTTP request fails (e.g., when the ACME - # server is busy, returns an error, etc). It will be called upon any - # response code that does not start with '2'. Useful to alert admins - # about problems with requests. - # - # Parameters: - # - STATUSCODE - # The HTML status code that originated the error. - # - REASON - # The specified reason for the error. - # - REQTYPE - # The kind of request that was made (GET, POST...) - # - HEADERS - # HTTP headers returned by the CA - - # Simple example: Send mail to root - # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root - {{ item.request_failure_hook|default("") }} -} - -generate_csr() { - local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}" - - # This hook is called before any certificate signing operation takes place. - # It can be used to generate or fetch a certificate signing request with external - # tools. - # The output should be just the certificate signing request formatted as PEM. - # - # Parameters: - # - DOMAIN - # The primary domain as specified in domains.txt. This does not need to - # match with the domains in the CSR, it's basically just the directory name. - # - CERTDIR - # Certificate output directory for this particular certificate. Can be used - # for storing additional files. - # - ALTNAMES - # All domain names for the current certificate as specified in domains.txt. - # Again, this doesn't need to match with the CSR, it's just there for convenience. 
- - # Simple example: Look for pre-generated CSRs - # if [ -e "${CERTDIR}/pre-generated.csr" ]; then - # cat "${CERTDIR}/pre-generated.csr" - # fi - {{ item.startup_hook|default("") }} - -} - -startup_hook() { - # This hook is called before the cron command to do some initial tasks - # (e.g. starting a webserver). - {{ item.startup_hook|default("") }} - : -} - -exit_hook() { - local ERROR="${1:-}" - # This hook is called at the end of the cron command and can be used to - # do some final (cleanup or other) tasks. - # - # Parameters: - # - ERROR - # Contains error message if dehydrated exits with error - {{ item.exit_hook|default("") }} -} - -HANDLER="$1"; shift -if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then - "$HANDLER" "$@" -fi \ No newline at end of file