From d43588eecf1d61a1ceae8c29ba7d15407f0ea99d Mon Sep 17 00:00:00 2001
From: Jean-Marie Mineau
Date: Sun, 7 Aug 2022 18:39:24 +0200
Subject: [PATCH] cerbot role

---
 README.md | 53 ++++++++++++++++++++++++++++++++++++++++++++++++++
 meta/main.yml | 2 ++
 tasks/main.yml | 49 ++++++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 README.md
 create mode 100644 meta/main.yml
 create mode 100644 tasks/main.yml

diff --git a/README.md b/README.md
new file mode 100644
index 0000000..0c1f66e
--- /dev/null
+++ b/README.md
@@ -0,0 +1,53 @@
+# Certbot ansible role
+
+Install certbot for debian and request certificats.
+
+This role is part of my ansible roles. It is made to interact with other roles that are listed here, and require some variables.
+
+In particular, the `nginx` role allows to proxy the request from a machine cut from the internet to the LE server.
+
+## Role required:
+
+- `nginx`: https://gitea.auro.re/Pains-Perdus/nginx.git
+
+## Variable required:
+
+```
+ip_LE_proxy: str, optionnal, the IP of the proxy to LE
+certbot_certs:
+ `domaine_name`:
+ links: str[], list of links pointing to the certificate/key (the keychain link will be suffixed by `.crt`, the key by `.key`)
+ hooks: str[], optional, list of commands to run after renewing the certificat
+```
+
+`certbot_certs` is a dictionnary, where the keys are the domaine names for the certificates.
+
+## Optionnal variables
+
+```
+http_sites: dictionnary of sites, used by the nginx role
+```
+
+## Add role to you ansible playbook:
+
+To add this role to your project, you can use git submodules:
+
+```
+git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/certbot.git roles/certbot
+git submodule init
+```
+
+## Http Sites
+
+The variable `http_sites` is a dictionnary of the http site managed by nginx. The additionnal (and optionnal) field `use_certbot` can be added to the variable of a site so that certbot generat its certificate.
+
+```
+http_sites:
+ `server_name`:
+ ...
+ use_certbot: bool, optionnal (default false), if set to true, add an entry to `certbot_certs` automagically.
+```
+
+## Copyright
+
+Copyright 2021 Jean-Marie Mineau
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..69891c7
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,2 @@
+dependencies:
+ - role: nginx
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..54faeba
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+- name: Install certbot
+ apt:
+ update_cache: true
+ name: certbot
+ state: latest
+
+- name: Add LE proxy to /etc/host
+ lineinfile:
+ path: /etc/hosts
+ line: "{{ ip_LE_proxy }} {{ item }}"
+ insertafter: "# Ansible managed:"
+ search_string: "{{ item }}"
+ when: ip_LE_proxy is defined
+ loop:
+ - "acme-v02.api.letsencrypt.org"
+ - "r3.o.lencr.org"
+
+- name: Collect certificate
+ set_fact:
+ all_certbot_certs: "{{ certbot_certs | default({}) }}"
+
+- name: Collect certificate for nginx website
+ set_fact:
+ all_certbot_certs: "{{ all_certbot_certs | combine({item: {'links': ['/etc/nginx/certs/'+item],'hooks': ['systemctl reload nginx']}}) }}"
+ loop: "{{ http_sites | default({}) | dict2items | selectattr('value.use_cerbot', 'defined') | selectattr('value.use_cerbot', '==', True) | map(attribute='key')}}"
+
+- name: Create certificate links
+ file:
+ src: "/etc/letsencrypt/live/{{ item.0.key }}/fullchain.pem"
+ dest: "{{ item.1 }}.crt"
+ state: link
+ force: yes
+ loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
+
+- name: Create key links
+ file:
+ src: "/etc/letsencrypt/live/{{ item.0.key }}/privkey.pem"
+ dest: "{{ item.1 }}.key"
+ state: link
+ force: yes
+ loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
+
+- name: Generate Certificate for Domains
+ shell: "certbot certonly --agree-tos --register-unsafely-without-email --domain {{ item.key }} --non-interactive --webroot --webroot-path /var/www/well-known/acme-challenge {% if item.value.hooks is defined %}--post-hook '{{ item.value.hooks | join('; ') }}'{% endif %}"
+ args:
+ creates: "/etc/letsencrypt/live/{{ item.key }}/cert.pem"
+ loop: "{{ all_certbot_certs | dict2items }}"
+
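Review bot: The site filter in the `Collect certificate for nginx website` loop tests `value.use_cerbot`, while README.md in this same commit documents the flag as `use_certbot`, so a site that sets the documented key is never added to `all_certbot_certs`; both calls should read `selectattr('value.use_certbot', 'defined') | selectattr('value.use_certbot', '==', True)`. In `Generate Certificate for Domains` the `shell:` string interpolates `item.key` and the joined hooks without quoting, so a domain key or hook containing shell metacharacters (or a single quote, which ends the hand-written `'…'` wrapper) is interpreted by the shell instead of being passed as one argument; use `--domain {{ item.key | quote }}` and `--post-hook {{ item.value.hooks | join('; ') | quote }}` and drop the literal single quotes. Because that task is guarded by `creates: .../cert.pem`, a changed hook list or an extra link for an existing lineage is never re-applied, which deserves a comment such as `# creates: one-time issuance only; hook changes need the lineage removed or certbot re-run by hand`. Minor: `force: yes` in both link tasks should be `force: true`, and `state: latest` on the apt task upgrades certbot on every run rather than converging to a known version.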