From 4862b9dd69328b320c5a57acff76f563f1f3afff Mon Sep 17 00:00:00 2001
From: Felix Stupp
Date: Mon, 15 Apr 2019 18:56:13 +0200
Subject: [PATCH] Added roles for automatic certificate issue with acme.sh

---
 README.md | 3 ++
 roles/acme/application/defaults/main.yml | 8 ++++
 roles/acme/application/tasks/main.yml | 49 ++++++++++++++++++++++++
 roles/acme/certificate/defaults/main.yml | 5 +++
 roles/acme/certificate/meta/main.yml | 4 ++
 roles/acme/certificate/tasks/main.yml | 26 +++++++++++++
 6 files changed, 95 insertions(+)
 create mode 100644 roles/acme/application/defaults/main.yml
 create mode 100644 roles/acme/application/tasks/main.yml
 create mode 100644 roles/acme/certificate/defaults/main.yml
 create mode 100644 roles/acme/certificate/meta/main.yml
 create mode 100644 roles/acme/certificate/tasks/main.yml
diff --git a/README.md b/README.md
index 2e3b6e2..acad8d3 100644
--- a/README.md
+++ b/README.md
@@ -6,3 +6,6 @@ This playbook defines the configuration for all servers / devices controlled by
 Following roles have been defined to make creating a server configuration easy:
+- **acme** defines roles for handling the automatic handling of certificates with *acme.sh*
+ - **application** installs main application
+ - **certificate** issues a given certificate
diff --git a/roles/acme/application/defaults/main.yml b/roles/acme/application/defaults/main.yml
new file mode 100644
index 0000000..12b684a
--- /dev/null
+++ b/roles/acme/application/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+acme_source_directory: "/usr/local/src/acme.sh"
+acme_source_repository: "https://github.com/Neilpang/acme.sh.git"
+acme_source_version: "master"
+acme_account_mail: felix.stupp@outlook.com
+
+acme_certificates_directory: "/root/certificates"
diff --git a/roles/acme/application/tasks/main.yml b/roles/acme/application/tasks/main.yml
new file mode 100644
index 0000000..ad5fc48
--- /dev/null
+++ b/roles/acme/application/tasks/main.yml
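Review bot: `acme_source_version: "master"` pins nothing, so each fresh host checks out whatever the upstream branch head happens to be and the tasks role then runs that checkout as root (`./acme.sh --install`); pin a release tag or commit instead, `acme_source_version: "<pinned tag or commit>"`, and bump it deliberately. `acme_account_mail: felix.stupp@outlook.com` is a personal address hard-coded in role defaults, which every consumer of the role inherits silently; it belongs in inventory or group vars, with the default either omitted so a missing value fails loudly or set to an obviously invalid placeholder. For consistency with the other scalars in this file the value should also be quoted, `acme_account_mail: "<account mail>"`.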
@@ -0,0 +1,49 @@
+---
+
+- name: Create source directory
+ file:
+ path: "{{ acme_source_directory | dirname }}"
+ state: "directory"
+ owner: "root"
+ group: "root"
+ mode: "0755"
+
+- name: Download acme.sh
+ git:
+ repo: "{{ acme_source_repository }}"
+ version: "{{ acme_source_version }}"
+ dest: "{{ acme_source_directory }}"
+ update: no
+
+- name: Configure acme.sh
+ command: >-
+ ./acme.sh --install --log
+ --days 30
+ --accountemail {{ acme_account_mail }}
+ args:
+ chdir: "{{ acme_source_directory }}"
+ creates: "~/.acme.sh/acme.sh"
+
+- name: Determine if acme.sh is installed
+ stat:
+ path: "~/.acme.sh/acme.sh"
+ register: acme_installed
+
+- name: Upgrade acme.sh
+ command: ./acme.sh --upgrade
+ args:
+ chdir: "~/.acme.sh"
+ when:
+ - acme_installed.stat.exists
+ register: acme_upgrade_results
+ changed_when: acme_upgrade_results.rc == 0 and "Upgrade success" in acme_upgrade_results.stdout
+
+- name: Create directory for certificates
+ file:
+ path: "{{ acme_certificates_directory }}"
+ state: "directory"
+
+- name: Create directory for validation
+ file:
+ path: "/var/www/validation"
+ state: "directory"
diff --git a/roles/acme/certificate/defaults/main.yml b/roles/acme/certificate/defaults/main.yml
new file mode 100644
index 0000000..a92c3ab
--- /dev/null
+++ b/roles/acme/certificate/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+
+acme_certificate_prefix: "{{ acme_certificates_directory }}/{{ domain }}"
+acme_certificate_location: "{{ acme_certificate_prefix }}.crt"
+acme_key_location: "{{ acme_certificate_prefix }}.key"
diff --git a/roles/acme/certificate/meta/main.yml b/roles/acme/certificate/meta/main.yml
new file mode 100644
index 0000000..c805781
--- /dev/null
+++ b/roles/acme/certificate/meta/main.yml
@@ -0,0 +1,4 @@
+---
+
+dependencies:
+ - role: acme/application
diff --git a/roles/acme/certificate/tasks/main.yml b/roles/acme/certificate/tasks/main.yml
new file mode 100644
index 0000000..dd08220
--- /dev/null
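Review bot: The `Create directory for certificates` task creates `{{ acme_certificates_directory }}` with no `owner`, `group` or `mode`, although the certificate role later writes private keys (`--key-file`) under it; unlike `Create source directory` it should set `mode: "0700"` together with `owner: "root"` and `group: "root"` so the key material is not readable by other local accounts under a permissive umask. `Upgrade acme.sh` runs `./acme.sh --upgrade` on every play, which replaces the installed script with whatever it fetches from the network at run time, so the version selected through `acme_source_version` is only honoured on first install; either drop the task or gate it behind an opt-in variable such as `when: acme_installed.stat.exists and acme_auto_upgrade | default(false)`. Note also that `Determine if acme.sh is installed` runs after `Configure acme.sh`, so on a first run the freshly installed copy is upgraded in the same play.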
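Review bot: `acme_certificate_prefix` interpolates `domain`, which is neither declared in this defaults file nor documented anywhere in the patch, so a play that includes the role without setting it fails at template time with an undefined-variable error rather than a clear message. Add a comment above the key stating the contract, `# domain: required, the FQDN to issue; must be set by the including play`, or add an `assert` task on `domain is defined` at the top of the role's tasks.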
+++ b/roles/acme/certificate/tasks/main.yml
@@ -0,0 +1,26 @@
+---
+
+- meta: flush_handlers
+
+- name: "Issue certificate for {{ domain }}"
+ command: >-
+ ./acme.sh --issue
+ --domain "{{ domain }}"
+ --webroot "/var/www/validation"
+ args:
+ chdir: "~/.acme.sh"
+ register: acme_issue_result
+ failed_when: acme_issue_result.rc != 0 and "Domains not changed" not in acme_issue_result.stdout
+
+- name: "Install certificate for {{ domain }}"
+ command: >-
+ ./acme.sh --install-cert
+ --domain "{{ domain }}"
+ --key-file "{{ acme_key_location }}"
+ --fullchain-file "{{ acme_certificate_location }}"
+ --reloadcmd "service nginx force-reload"
+ args:
+ chdir: "~/.acme.sh"
+ creates: "{{ acme_key_location }}"
+ register: acme_install_result
+ failed_when: acme_install_result.rc != 0 and "Reload error for" not in acme_install_result.stderr
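Review bot: `creates: "{{ acme_key_location }}"` on `Install certificate for …` means `--install-cert` (and with it the `--reloadcmd` that acme.sh records for later renewals) is never re-run once the key file exists, so a later change to `acme_certificate_location` or to the reload command is silently not applied; dropping `creates` and reporting change through `changed_when` would keep the task convergent. The `failed_when` on the same task treats any `Reload error for` from nginx as success, so a certificate can be installed without ever being served; if that is intended for hosts where nginx is not configured yet, a comment above the line should say so, otherwise the condition should be removed. `{{ domain }}` is spliced into both command strings and then re-split by the `command` module, so a value containing quotes or spaces changes the argument list; the `argv` form of `command` passes it as a single argument, and `/var/www/validation`, hard-coded here and in the application role's `Create directory for validation` task, should be hoisted into a shared default such as `acme_webroot_directory`.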