Added roles for automatic certificate issue with acme.sh

README.md

@@ -6,3 +6,6 @@ This playbook defines the configuration for all servers / devices controlled by
 
 Following roles have been defined to make creating a server configuration easy:
 
+- **acme** defines roles for handling the automatic handling of certificates with *acme.sh*
+  - **application** installs main application
+  - **certificate** issues a given certificate

roles/acme/application/defaults/main.yml

@@ -0,0 +1,8 @@
+---
+
+acme_source_directory: "/usr/local/src/acme.sh"
+acme_source_repository: "https://github.com/Neilpang/acme.sh.git"
+acme_source_version: "master"
+acme_account_mail: felix.stupp@outlook.com
+
+acme_certificates_directory: "/root/certificates"

roles/acme/application/tasks/main.yml

@@ -0,0 +1,49 @@
+---
+
+- name: Create source directory
+  file:
+    path: "{{ acme_source_directory | dirname }}"
+    state: "directory"
+    owner: "root"
+    group: "root"
+    mode: "0755"
+
+- name: Download acme.sh
+  git:
+    repo: "{{ acme_source_repository }}"
+    version: "{{ acme_source_version }}"
+    dest: "{{ acme_source_directory }}"
+    update: no
+
+- name: Configure acme.sh
+  command: >-
+    ./acme.sh --install --log
+    --days 30
+    --accountemail {{ acme_account_mail }}
+  args:
+    chdir: "{{ acme_source_directory }}"
+    creates: "~/.acme.sh/acme.sh"
+
+- name: Determine if acme.sh is installed
+  stat:
+    path: "~/.acme.sh/acme.sh"
+  register: acme_installed
+
+- name: Upgrade acme.sh
+  command: ./acme.sh --upgrade
+  args:
+    chdir: "~/.acme.sh"
+  when:
+    - acme_installed.stat.exists
+  register: acme_upgrade_results
+  changed_when: acme_upgrade_results.rc == 0 and "Upgrade success" in acme_upgrade_results.stdout
+
+- name: Create directory for certificates
+  file:
+    path: "{{ acme_certificates_directory }}"
+    state: "directory"
+
+- name: Create directory for validation
+  file:
+    path: "/var/www/validation"
+    state: "directory"

roles/acme/certificate/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+
+acme_certificate_prefix: "{{ acme_certificates_directory }}/{{ domain }}"
+acme_certificate_location: "{{ acme_certificate_prefix }}.crt"
+acme_key_location: "{{ acme_certificate_prefix }}.key"

roles/acme/certificate/meta/main.yml

@@ -0,0 +1,4 @@
+---
+
+dependencies:
+  - role: acme/application

roles/acme/certificate/tasks/main.yml

@@ -0,0 +1,26 @@
+---
+
+- meta: flush_handlers
+
+- name: "Issue certificate for {{ domain }}"
+  command: >-
+    ./acme.sh --issue
+    --domain "{{ domain }}"
+    --webroot "/var/www/validation"
+  args:
+    chdir: "~/.acme.sh"
+  register: acme_issue_result
+  failed_when: acme_issue_result.rc != 0 and "Domains not changed" not in acme_issue_result.stdout
+
+- name: "Install certificate for {{ domain }}"
+  command: >-
+    ./acme.sh --install-cert
+    --domain "{{ domain }}"
+    --key-file "{{ acme_key_location }}"
+    --fullchain-file "{{ acme_certificate_location }}"
+    --reloadcmd "service nginx force-reload"
+  args:
+    chdir: "~/.acme.sh"
+    creates: "{{ acme_key_location }}"
+  register: acme_install_result
+  failed_when: acme_install_result.rc != 0 and "Reload error for" not in acme_install_result.stderr