author | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:23:43 -0500 |
committer | Stonewall Jackson <stonewall@sacredheartsc.com> | 2023-02-04 01:52:13 -0500 |
commit | 0261e875679f1bf63c8d689da7fc7e014597885d (patch) | |
tree | 3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/certbot | |
download | selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.tar.gz selfhosted-0261e875679f1bf63c8d689da7fc7e014597885d.zip |
initial commit
Diffstat (limited to 'roles/certbot')
-rw-r--r-- | roles/certbot/defaults/main.yml | 10 | ||||
-rw-r--r-- | roles/certbot/files/etc/pki/tls/certbot-post.sh | 40 | ||||
-rw-r--r-- | roles/certbot/meta/main.yml | 4 | ||||
-rw-r--r-- | roles/certbot/tasks/main.yml | 50 | ||||
-rw-r--r-- | roles/certbot/vars/main.yml | 13 |
5 files changed, 117 insertions, 0 deletions
diff --git a/roles/certbot/defaults/main.yml b/roles/certbot/defaults/main.yml
new file mode 100644
index 0000000..9174deb
--- /dev/null
+++ b/roles/certbot/defaults/main.yml
@@ -0,0 +1,10 @@
+certificate_email: 'root@{{ email_domain }}'
+
+certificate_sans: '{{ [ansible_fqdn] + cnames }}'
+certificate_type: ecdsa
+certificate_size: 2048
+
+certificate_owner: root
+certificate_mode: 0400
+
+certificate_use_apache: no
diff --git a/roles/certbot/files/etc/pki/tls/certbot-post.sh b/roles/certbot/files/etc/pki/tls/certbot-post.sh
new file mode 100644
index 0000000..b39ef67
--- /dev/null
+++ b/roles/certbot/files/etc/pki/tls/certbot-post.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+exec 1> >(logger -s -t $(basename "$0")) 2>&1
+
+usage() {
+  echo "$0 -c CERT_PATH -k KEY_PATH [-o OWNER] [-m MODE] [POST_COMMAND ...]"
+  exit 1
+}
+
+OWNER=root:root
+MODE=400
+
+while getopts ':c:k:m:o:' opt; do
+  case $opt in
+    c) CERT_PATH=$OPTARG ;;
+    k) KEY_PATH=$OPTARG ;;
+    m) MODE=$OPTARG ;;
+    o) OWNER=$OPTARG ;;
+    *) usage ;;
+  esac
+done
+
+shift $((OPTIND-1))
+
+if [ -z "$CERT_PATH" -o -z "$KEY_PATH" ]; then
+  usage
+fi
+
+OWNER_USER=${OWNER%:*}
+OWNER_GROUP=${OWNER#*:}
+OWNER_GROUP=${OWNER_GROUP:-$OWNER_USER}
+
+install -v -m "$MODE" -o "${OWNER_USER}" -g "${OWNER_GROUP}" "${RENEWED_LINEAGE}/fullchain.pem" "$CERT_PATH"
+install -v -m "$MODE" -o "${OWNER_USER}" -g "${OWNER_GROUP}" "${RENEWED_LINEAGE}/privkey.pem" "$KEY_PATH"
+
+# run post-command
+if (($#)); then
+  echo "running post-command: $*"
+  "$@"
+fi
diff --git a/roles/certbot/meta/main.yml b/roles/certbot/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/certbot/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+  - role: yum
+    yum_repositories: epel
+    tags: yum
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..3df7304
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,50 @@
+- name: install certbot
+  dnf:
+    name: certbot
+    state: installed
+
+- name: allow HTTP through firewall
+  firewalld:
+    service: http
+    permanent: yes
+    immediate: yes
+    state: enabled
+  tags: firewalld
+
+- name: copy certbot hook script
+  copy:
+    src: etc/pki/tls/certbot-post.sh
+    dest: '{{ certificate_postcmd_path }}'
+    mode: 0555
+
+- name: create certbot webroot path
+  file:
+    path: '{{ certificate_webroot_path }}'
+    state: directory
+  when: certificate_use_apache
+
+- name: retrieve certificate from letsencrypt
+  command:
+    cmd: >-
+      certbot certonly
+      --noninteractive
+      --agree-tos
+      --no-eff-email
+      --key-type {{ certificate_type | lower }}
+      --rsa-key-size {{ certificate_size }}
+      --email {{ certificate_email }}
+      {% if certificate_use_apache %}
+      --webroot
+      --webroot-path {{ certificate_webroot_path }}
+      {% else %}
+      --standalone
+      {% endif %}
+      --deploy-hook {{ certificate_postcmd_argv | quote }}
+      --domains {{ certificate_sans | join(',') }}
+    creates: '{{ certificate_path }}'
+
+- name: enable certbot renew timer
+  systemd:
+    name: certbot-renew.timer
+    enabled: yes
+    state: started
diff --git a/roles/certbot/vars/main.yml b/roles/certbot/vars/main.yml
new file mode 100644
index 0000000..9045602
--- /dev/null
+++ b/roles/certbot/vars/main.yml
@@ -0,0 +1,13 @@
+certificate_postcmd_path: /etc/pki/tls/certbot-post.sh
+
+certificate_postcmd_argv: >-
+  {{ certificate_postcmd_path }}
+  -o {{ certificate_owner }}
+  -m {{ '%0o' % certificate_mode }}
+  -k {{ certificate_key_path }}
+  -c {{ certificate_path }}
+  {% if certificate_hook is defined %}
+  {{ certificate_hook }}
+  {% endif %}
+
+certificate_webroot_path: /var/www/letsencrypt
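Review bot: The two `install` lines in certbot-post.sh run unconditionally and nothing stops the script on failure, so if `RENEWED_LINEAGE` is unset or a copy fails, the post-command still runs (reloading a service against a missing or stale key) and the hook exits 0, so certbot records the deploy as successful. Add `set -euo pipefail` after the shebang and guard the certbot-provided variable with `: "${RENEWED_LINEAGE:?must be set by certbot}"` before the install calls; with `set -e` a failing post-command also surfaces as a failed deploy hook instead of being swallowed. The argument check `[ -z "$CERT_PATH" -o -z "$KEY_PATH" ]` should become `[ -z "$CERT_PATH" ] || [ -z "$KEY_PATH" ]`, since `-o` is marked obsolescent in POSIX and is ambiguous with some operands. Minor: `$(basename "$0")` in the `logger -t` argument is itself unquoted and should be wrapped in double quotes.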
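Review bot: `creates: '{{ certificate_path }}'` and the `-k {{ certificate_key_path }}` argument built in vars/main.yml depend on `certificate_path` and `certificate_key_path`, which nothing in this role sets (neither defaults/main.yml nor vars/main.yml defines them), so the role only templates if the calling playbook supplies both; either add defaults or declare them as required inputs in defaults/main.yml with a comment such as `# certificate_path and certificate_key_path must be provided by the caller`. The `--email`, `--webroot-path` and `--domains` values are interpolated bare while `--deploy-hook` gets `| quote`; the `command` module splits `cmd` on whitespace, so applying `| quote` consistently (`--email {{ certificate_email | quote }}`) keeps a value containing spaces from turning into extra arguments. `--rsa-key-size {{ certificate_size }}` is always passed even though the default `certificate_type` is `ecdsa`, where as far as I recall certbot ignores it in favour of `--elliptic-curve`; consider emitting it only when the type is rsa so the variable's name and its effect agree.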
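Review bot: `-m {{ '%0o' % certificate_mode }}` in vars/main.yml only works when `certificate_mode` is an integer; the common Ansible practice of quoting modes (`'0400'`) makes the `%` format raise a TypeError, and an unquoted `0400` is read as octal by YAML 1.1 loaders but as decimal 400 by YAML 1.2 loaders, which would then format as `620`. Normalising first, `-m {{ '%0o' % (certificate_mode | int(base=8)) }}`, handles both spellings, because the Jinja `int` filter applies `base` only to strings and leaves the already-parsed integer default alone. Since certbot executes the deploy hook as root through a shell, `certificate_hook` is effectively a root command line appended verbatim to the argv; that contract deserves a comment on the `{% if certificate_hook is defined %}` line, e.g. `# certificate_hook: optional command executed as root after the key and chain are installed`.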