feat: standalone, webroot

abe1e3af · Lukas Koenen · 1788a9e0 · abe1e3af · abe1e3af · abe1e3af
Commit abe1e3af authored 2 years ago by Lukas Koenen
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
+---
+ansible_lint:
+  image: 'registry.code.fbi.h-da.de/hdacloud/images/netci'
+  script:
+    - ansible-lint
--- a/LICENSE
+++ b/LICENSE
+Copyright (c) 2023 hdacloud
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
--- a/README.md
+++ b/README.md
@@ -16,3 +16,8 @@ Including an example of how to use your role (for instance, with variables passe
    - hosts: servers
      roles:
         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+See [LICENSE](LICENSE)
--- a/defaults/main.yml
+++ b/defaults/main.yml
 ---
-# defaults file for ansible-certbot
+# certbot settings
+certbot_fqdn:
+  - example.de
+certbot_admin_email: "admin@example.de"
+# certbot_webroot: "/var/www/example"                          # if undefined use --standalone
+
+# application settings
+# certbot_application: "example"                               # if defined copy certs to application dir and setup deploy hooks
+certbot_application_dir: "/etc/{{ certbot_application }}"
+certbot_application_deploy_hook: |
+  #!/bin/sh
+
+  cp {{ certbot_live_dir }}/fullchain.pem {{ certbot_application_dir }}
+  cp {{ certbot_live_dir }}/privkey.pem {{ certbot_application_dir }}
+
+  systemctl restart {{ certbot_application }}.service
--- a/files/.gitkeep
+++ b/files/.gitkeep
--- a/handlers/main.yml
+++ b/handlers/main.yml
---
-# handlers file for ansible-certbot
--- a/meta/main.yml
+++ b/meta/main.yml
 galaxy_info:
-  author: your name
-  description: your role description
-  company: your company (optional)
-
-  # If the issue tracker for your role is not on github, uncomment the
-  # next line and provide a value
-  # issue_tracker_url: http://example.com/issue/tracker
-
-  # Choose a valid license ID from https://spdx.org - some suggested licenses:
-  # - BSD-3-Clause (default)
-  # - MIT
-  # - GPL-2.0-or-later
-  # - GPL-3.0-only
-  # - Apache-2.0
-  # - CC-BY-4.0
-  license: license (GPL-2.0-or-later, MIT, etc)
-
-  min_ansible_version: 2.1
-
-  # If this a Container Enabled role, provide the minimum Ansible Container version.
-  # min_ansible_container_version:
-
-  #
-  # Provide a list of supported platforms, and for each platform a list of versions.
-  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
-  # To view available platforms and versions (or releases), visit:
-  # https://galaxy.ansible.com/api/v1/platforms/
-  #
-  # platforms:
-  # - name: Fedora
-  #   versions:
-  #   - all
-  #   - 25
-  # - name: SomePlatform
-  #   versions:
-  #   - all
-  #   - 1.0
-  #   - 7
-  #   - 99.99
-
-  galaxy_tags: []
-    # List tags for your role here, one per line. A tag is a keyword that describes
-    # and categorizes the role. Users find roles by searching for tags. Be sure to
-    # remove the '[]' above, if you add tags to this list.
-    #
-    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
-    #       Maximum 20 tags per role.
+  author: hdacloud
+  description: Ansible role to deploy certbot and enable auto-renew
+  license: MIT
+  min_ansible_version: "2.12"
+  platforms:
+    - name: Ubuntu
+    - name: EL # CentOS
+    - name: Debian
+    - name: Fedora
+    - name: Ubuntu

 dependencies: []
-  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
-  # if you add dependencies to this list.
--- a/tasks/CentOS-packages.yml
+++ b/tasks/CentOS-packages.yml
+---
+- name: Install Certbot
+  ansible.builtin.package:
+    name: # sadly doesn't as a list
+      - "{{ item }}"
+    state: present
+  loop:
+    - epel-release
+    - certbot
+  become: true
--- a/tasks/CentOS-timer.yml
+++ b/tasks/CentOS-timer.yml
+---
+- name: Enable Letsencrypt Renew Timer
+  ansible.builtin.systemd:
+    name: certbot-renew.timer
+    state: started
+    enabled: true
+  become: true
--- a/tasks/Debian-packages.yml
+++ b/tasks/Debian-packages.yml
+---
+- name: Install Certbot
+  ansible.builtin.apt:
+    name: certbot
+    state: present
+    update_cache: true
+  become: true
--- a/tasks/Debian-timer.yml
+++ b/tasks/Debian-timer.yml
+---
+- name: Enable Letsencrypt Renew Timer
+  ansible.builtin.systemd:
+    name: certbot.timer
+    state: started
+    enabled: true
+  become: true
--- a/tasks/Fedora-packages.yml
+++ b/tasks/Fedora-packages.yml
+---
+- name: Install Certbot
+  ansible.builtin.package:
+    name: certbot
+    state: present
+  become: true
--- a/tasks/Fedora-timer.yml
+++ b/tasks/Fedora-timer.yml
+---
+- name: Enable Letsencrypt Renew Timer
+  ansible.builtin.systemd:
+    name: certbot-renew.timer
+    state: started
+    enabled: true
+  become: true
--- a/tasks/Ubuntu-packages.yml
+++ b/tasks/Ubuntu-packages.yml
+---
+- name: Install Certbot
+  ansible.builtin.apt:
+    name: certbot
+    state: present
+    update_cache: true
+  become: true
--- a/tasks/Ubuntu-timer.yml
+++ b/tasks/Ubuntu-timer.yml
+---
+- name: Enable Letsencrypt Renew Timer
+  ansible.builtin.systemd:
+    name: certbot.timer
+    state: started
+    enabled: true
+  become: true
--- a/tasks/application.yml
+++ b/tasks/application.yml
+---
+- name: Ensure Application Certificate Directory exists
+  ansible.builtin.file:
+    path: "{{ certbot_application_dir }}"
+    state: directory
+    owner: root
+    group: root
+    mode: "0755"
+  become: true
+
+- name: Check Whether Application Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_application_dir }}/fullchain.pem"
+  register: leoacert
+  become: true
+
+- name: Setup Application Deploy Hook
+  ansible.builtin.copy:
+    dest: "/etc/letsencrypt/renewal-hooks/deploy/{{ certbot_application }}"
+    content: "{{ certbot_application_deploy_hook }}"
+    mode: "0755"
+  become: true
+
+- name: Copy Application Cert If Necessary
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "{{ certbot_application_dir }}"
+    remote_src: true
+    mode: "0644"
+  loop:
+    - "{{ certbot_live_dir }}/fullchain.pem"
+    - "{{ certbot_live_dir }}/privkey.pem"
+  when: not leoacert.stat.exists
+  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
 ---
-# tasks file for ansible-certbot
+# TODO:
+#   - dns challenge
+
+- name: Install Packages Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-packages.yml"
+
+- name: Check Whether Cert Exists
+  ansible.builtin.stat:
+    path: "{{ certbot_live_dir }}/cert.pem"
+  register: lecert
+  become: true
+
+- name: Ensure Deploy Hook Dir Exists
+  ansible.builtin.file:
+    path: "{{ item }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  loop:
+    - /etc/letsencrypt/renewal-hooks
+    - /etc/letsencrypt/renewal-hooks/deploy
+  become: true
+
+- name: Request Cert If Necessary - Standalone
+  ansible.builtin.command: >-
+    certbot certonly --standalone --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and not certbot_webroot is defined
+  register: cbstandalone
+  changed_when: cbstandalone.rc == 0
+  become: true
+
+- name: Ensure Webroot Path Exists
+  ansible.builtin.file:
+    path: "{{ certbot_webroot }}"
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  when: not lecert.stat.exists and certbot_webroot is defined
+
+- name: Request Cert If Necessary - Webroot
+  ansible.builtin.command: >-
+    certbot certonly --webroot --webroot-path {{ certbot_webroot }} --noninteractive --agree-tos
+    --email {{ certbot_admin_email }} -d {{ certbot_dflag }}
+  when: not lecert.stat.exists and certbot_webroot is defined
+  register: cbwebroot
+  changed_when: cbwebroot.rc == 0
+  become: true
+
+- name: Setup Certbot With Application
+  ansible.builtin.include_tasks: "application.yml"
+  when: certbot_application is defined
+
+- name: Enable Letsencrypt Renew Timer Based On Distribution
+  ansible.builtin.include_tasks: "{{ ansible_facts.distribution }}-timer.yml"
--- a/templates/.gitkeep
+++ b/templates/.gitkeep
--- a/tests/inventory
+++ b/tests/inventory
-localhost
-
--- a/tests/test.yml
+++ b/tests/test.yml
---
- hosts: localhost
-  remote_user: root
-  roles:
-    - ansible-certbot