acme: Moved certificate handling to custom system user

Avoided using root for acme.sh
Also modified role nginx/application
wip
Felix Stupp 5 years ago
parent 9e20b807f1
commit a3fde6aa3c
Signed by: zocker
GPG Key ID: 93E1BD26F6B02FB7

@ -1,8 +1,15 @@
---
acme_source_directory: "/usr/local/src/acme.sh"
acme_system_user: "acme"
acme_user_directory: "/var/{{ acme_system_user }}"
acme_source_directory: "{{ acme_user_directory }}/repository"
acme_source_repository: "https://github.com/Neilpang/acme.sh.git"
acme_source_version: "master"
acme_account_mail: felix.stupp@outlook.com
acme_certificates_directory: "/root/certificates"
acme_installation_directory: "{{ acme_user_directory }}/application"
acme_configuration_directory: "{{ acme_user_directory }}/configuration"
acme_internal_certificates_directory: "{{ acme_configuration_directory }}/certificates"
acme_certificates_directory: "{{ acme_user_directory }}/certificates"
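Review bot: `acme_source_version: "master"` still points the clone at the moving tip of the upstream repository, and the `Upgrade acme.sh` task in the tasks hunk below runs `./acme.sh --upgrade` on every play, so the code now executed under `acme_system_user` is whatever the remote serves at that moment rather than a reviewed revision. Since this commit is about reducing what acme.sh can do on the host, pinning the checkout to a release tag or commit, e.g. `acme_source_version: "<release tag>"`, would make the deployed code reproducible and let the `git` task's `version:` act as an integrity check. Whether `master` is deliberate here cannot be told from the rendered page, so treat this as a question rather than a defect.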

@ -3,4 +3,6 @@
allow_duplicates: no
dependencies:
- role: nginx/application
- role: misc/system_user
system_user: "{{ acme_system_user }}"
user_directory: "{{ acme_user_directory }}"
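Review bot: `allow_duplicates: no` uses the YAML 1.1 boolean spelling, which yamllint's `truthy` rule flags and which a 1.2 parser reads as the string `"no"`; Ansible accepts it, but the canonical form is `allow_duplicates: false`. The same applies to `allow_duplicates: yes` in the acme/certificate meta hunk (`allow_duplicates: true`) and to the `allow_duplicates: no` in the last meta hunk of this commit. The role parameters passed to `misc/system_user` are quoted templates, which is correct.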

@ -1,39 +1,37 @@
---
- name: Create source directory
file:
path: "{{ acme_source_directory | dirname }}"
state: "directory"
owner: "root"
group: "root"
mode: "0755"
- name: Download acme.sh
become_user: "{{ acme_system_user }}"
git:
repo: "{{ acme_source_repository }}"
version: "{{ acme_source_version }}"
dest: "{{ acme_source_directory }}"
update: no
# TODO Create custom user for certificate validations
- name: Configure acme.sh
become_user: "{{ acme_system_user }}"
command: >-
./acme.sh --install --log
--days 30
--accountemail {{ acme_account_mail }}
./acme.sh --install
--home {{ acme_installation_directory | quote }}
--config-home {{ acme_configuration_directory | quote }}
--cert-home {{ acme_internal_certificates_directory | quote }}
--accountemail {{ acme_account_mail | quote }}
args:
chdir: "{{ acme_source_directory }}"
creates: "~/.acme.sh/acme.sh"
creates: "{{ acme_installation_directory }}"
- name: Upgrade acme.sh
become_user: "{{ acme_system_user }}"
command: ./acme.sh --upgrade
args:
chdir: "~/.acme.sh"
chdir: "{{ acme_installation_directory }}"
register: acme_upgrade_results
changed_when: acme_upgrade_results.rc == 0 and "Upgrade success" in acme_upgrade_results.stdout
- name: Create directory for certificates
file:
path: "{{ acme_certificates_directory }}"
state: "directory"
state: directory
owner: "{{ acme_system_user }}"
group: "{{ acme_system_user }}"
mode: "u=rwx,g=,o="
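Review bot: `Create source directory` sets `{{ acme_source_directory | dirname }}` — which with the new defaults resolves to `acme_user_directory` itself — to `owner: "root"`, `group: "root"`, `mode: "0755"`, yet the next task clones into a child of that directory as `become_user: "{{ acme_system_user }}"`, who has no write permission on a root-owned 0755 directory unless the `misc/system_user` dependency or a step outside this hunk arranges otherwise. If the intent is for the unprivileged user to own its tree, the task should use `owner: "{{ acme_system_user }}"` and `group: "{{ acme_system_user }}"` (or target a directory the user does own); if root ownership is deliberate, the clone should go elsewhere. Separately, `become_user` only takes effect when `become` is enabled for the play or task; if the surrounding play does not set it, each of these tasks needs `become: true` as well, otherwise acme.sh keeps running as the connecting user. Nothing on the page shows whether `become` is set, so please confirm.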

@ -4,3 +4,4 @@ allow_duplicates: yes
dependencies:
- role: acme/application
- role: nginx/application

@ -3,26 +3,30 @@
- meta: flush_handlers
- name: "Issue certificate for {{ domain }}"
become_user: "{{ acme_system_user }}"
command: >-
./acme.sh --issue
--domain "{{ domain }}"
--webroot "{{ nginx_validation_root_directory }}"
--domain "{{ domain | quote }}"
chdir: "{{ acme_installation_directory }}"
--webroot "{{ nginx_validation_root_directory | quote }}"
--ecc
--ocsp-must-staple
args:
chdir: "~/.acme.sh"
chdir: "{{ acme_installation_directory }}"
register: acme_issue_result
changed_when: acme_issue_result.rc != 2 or "Domains not changed" not in acme_issue_result.stdout
failed_when: acme_issue_result.rc != 0 and "Domains not changed" not in acme_issue_result.stdout
- name: "Install certificate for {{ domain }}"
become_user: "{{ acme_system_user }}"
command: >-
./acme.sh --install-cert
--domain "{{ domain }}"
--key-file "{{ acme_key_location }}"
--fullchain-file "{{ acme_certificate_location }}"
--reloadcmd "service nginx force-reload"
--domain "{{ domain | quote }}"
--key-file "{{ acme_key_location | quote }}"
--fullchain-file "{{ acme_certificate_location | quote }}"
--reloadcmd "systemctl force-reload nginx"
args:
chdir: "~/.acme.sh"
chdir: "{{ acme_installation_directory }}"
creates: "{{ acme_key_location }}"
register: acme_install_result
failed_when: acme_install_result.rc != 0 and "Reload error for" not in acme_install_result.stderr
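Review bot: `--reloadcmd "systemctl force-reload nginx"` is now persisted and executed by acme.sh as `{{ acme_system_user }}`, who presumably cannot reload a system service, and the `failed_when` on the last line exempts exactly that failure (`"Reload error for"`), so nginx would keep serving the old certificate after each renewal without the play noticing. acme.sh stores the reload command in the domain configuration and re-runs it on renewal, so if its scheduled renewal is in place (not visible here) the failure repeats unattended. The least-privilege fix is a sudoers rule limited to that one command, e.g. `{{ acme_system_user }} ALL=(root) NOPASSWD: /bin/systemctl force-reload nginx` (constructed sample; confirm the systemctl path on the target), together with `--reloadcmd "sudo systemctl force-reload nginx"`, after which the `"Reload error for"` exemption should be removed from `failed_when` so a broken reload is reported. The task list this hunk belongs to starts before the hunk.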

@ -1,3 +1,6 @@
---
allow_duplicates: no
dependencies:
- role: acme/application

@ -24,8 +24,6 @@
- "{{ nginx_sites_directory }}"
- "{{ nginx_streams_directory }}"
- "{{ nginx_snippets_directory }}"
- "{{ nginx_validation_root_directory }}"
- "{{ nginx_validation_test_file | dirname }}"
- "{{ global_webservers_directory }}"
- name: Upload snippets to nginx
@ -38,6 +36,17 @@
with_items: "{{ nginx_snippets }}"
notify: reload nginx
- name: Configure validation directory
file:
state: directory
name: "{{ item }}"
owner: root
group: "{{ acme_system_user }}"
mode: "u=rwx,g=rwx,o=rx"
loop:
- "{{ nginx_validation_root_directory }}"
- "{{ nginx_validation_test_file | dirname }}"
- name: Configure test file for validation directory
copy:
content: "{{ ansible_fqdn }}"
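Review bot: `Configure validation directory` addresses the `file` target as `name: "{{ item }}"` while every other `file` task in this commit uses `path:` (e.g. `path: "{{ acme_certificates_directory }}"` in the acme tasks); `name` is an accepted alias, but `path: "{{ item }}"` keeps the roles consistent. Likewise `owner: root` is unquoted here and quoted (`owner: "root"`) in the acme tasks; either is valid YAML, pick one file-wide. The `u=rwx,g=rwx,o=rx` mode gives the acme group write access to the whole validation root rather than only to the challenge subdirectory, which is the trade-off this commit makes; a short comment above the task stating that the group write bit is what lets acme.sh place challenge files would help the next reader. The `Configure test file for validation directory` task continues outside the hunk.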
