From 4a7f888994a3d97cc0c977ea8b14b2e0129bb088 Mon Sep 17 00:00:00 2001
From: Ryan Cavicchioni
Date: Sun, 14 Apr 2024 17:29:18 -0500
Subject: [PATCH] Refactor certbot role
---
roles/certbot/defaults/main.yaml | 35 ++++++---
roles/certbot/handlers/main.yaml | 6 +-
roles/certbot/tasks/configure-linode.yaml | 23 ++++++
roles/certbot/tasks/default.yaml | 0
roles/certbot/tasks/issue.yaml | 8 --
roles/certbot/tasks/main.yaml | 86 +++++++++------------
roles/certbot/templates/certbot.service.j2 | 14 ++++
roles/certbot/templates/certbot.timer.j2 | 7 ++
8 files changed, 106 insertions(+), 73 deletions(-)
create mode 100644 roles/certbot/tasks/configure-linode.yaml
create mode 100644 roles/certbot/tasks/default.yaml
create mode 100644 roles/certbot/templates/certbot.service.j2
diff --git a/roles/certbot/defaults/main.yaml b/roles/certbot/defaults/main.yaml
index 4198941..dabb581 100644
--- a/roles/certbot/defaults/main.yaml
+++ b/roles/certbot/defaults/main.yaml
@@ -1,22 +1,35 @@
---
certbot_package_name: certbot
-certbot_package_state: present
+certbot_package_state: latest
+
+certbot_plugins:
+ - certbot-dns-cloudflare
+ - certbot-dns-digitalocean
+ - certbot-dns-dnsimple
+ - certbot-dns-dnsmadeeasy
+ - certbot-dns-gehirn
+ - certbot-dns-google
+ - certbot-dns-linode
+ - certbot-dns-luadns
+ - certbot-dns-nsone
+ - certbot-dns-ovh
+ - certbot-dns-rfc2136
+ - certbot-dns-route53
+ - certbot-dns-sakuracloud
certbot_service_name: certbot.service
+certbot_bin_path: /usr/local/bin
+certbot_path: "{{ certbot_bin_path }}/certbot"
+
certbot_timer_name: certbot.timer
certbot_timer_state: started
-certbot_timer_enabled: yes
+certbot_timer_enabled: true
-certbot_cron_state: present
-certbot_cron_user: root
-certbot_cron_file_path: /etc/cron.d/certbot
-certbot_cron_env:
- path: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
- shell: /bin/sh
-certbot_cron_command: test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
-certbot_cron_hour: "*/12"
-certbot_cron_minute: "0"
+certbot_etc_path: /etc/letsencrypt
+certbot_live_path: "{{ certbot_etc_path }}/live"
certbot_system_timer_on_calender: "*-*-* 00,12:00:00"
certbot_system_timer_randomized_delay_sec: 43200
+
+certbot_credential_path: /root/.secrets/certbot
\ No newline at end of file
diff --git a/roles/certbot/handlers/main.yaml b/roles/certbot/handlers/main.yaml
index bda969d..d3bd3fa 100644
--- a/roles/certbot/handlers/main.yaml
+++ b/roles/certbot/handlers/main.yaml
@@ -1,6 +1,4 @@
---
- name: systemd daemon-reload
- systemd:
- name: "{{ certbot_service_name }}"
- daemon_reload: yes
- state: restarted
+ ansible.builtin.systemd:
+ daemon_reload: true
\ No newline at end of file
diff --git a/roles/certbot/tasks/configure-linode.yaml b/roles/certbot/tasks/configure-linode.yaml
new file mode 100644
index 0000000..74510e2
--- /dev/null
+++ b/roles/certbot/tasks/configure-linode.yaml
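Review bot: `certbot_package_state: latest` turns every playbook run into an unpinned upgrade of certbot from PyPI, and the pip task added later in this patch applies the same `latest` to all thirteen `certbot_plugins`, so a broken or compromised release reaches every host at the next run with no chance to review it. I would keep the default at `present` and offer an explicit pin, e.g. `certbot_package_version: ""` used as `name: "certbot{{ '==' ~ certbot_package_version if certbot_package_version else '' }}"` in the pip task, so upgrades are opted into deliberately. The default plugin list also installs twelve DNS-provider plugins on hosts that, per the new `configure-linode.yaml`, only ever use Linode; trimming the default to the providers actually used shrinks the installed surface and the number of third-party packages being pulled as `latest`.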
@@ -0,0 +1,23 @@
+---
+- name: configure linode credentials
+ ansible.builtin.copy:
+ dest: "{{ certbot_credential_path }}/linode.ini"
+ owner: root
+ group: root
+ mode: 0600
+ content: "{{ certbot_dns_linode_credentials }}"
+ no_log: true
+
+- name: certbot (linode)
+ ansible.builtin.shell: >
+ certbot certonly \
+ --dns-linode \
+ --dns-linode-credentials "{{ certbot_credential_path }}/linode.ini" \
+ --quiet \
+ --agree-tos \
+ --noninteractive \
+ --email "{{ item.email }}" \
+ --domain "{{ item.domains | join(',') }}"
+ args:
+ creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
+ loop: "{{ certbot_certificates | default([]) }}"
diff --git a/roles/certbot/tasks/default.yaml b/roles/certbot/tasks/default.yaml
new file mode 100644
index 0000000..e69de29
diff --git a/roles/certbot/tasks/issue.yaml b/roles/certbot/tasks/issue.yaml
index c1e55ae..ed97d53 100644
--- a/roles/certbot/tasks/issue.yaml
+++ b/roles/certbot/tasks/issue.yaml
@@ -1,9 +1 @@
---
-- name: "determine if certificate for {{ item.domains | join(', ') }}"
- stat:
- path: "/etc/letsencrypt/live/{{ item.domains | first }}/cert.pem"
- register: st
-
-- name: "request certificate for {{ item.domains | join(', ') }}"
- command: "certbot certonly -q --webroot -w {{ certbot_challenge_webroot_path }} --agree-tos --noninteractive --email {{ item.email }} -d {{ item.domains | join(',') }}"
- when: not st.stat.exists
diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml
index 2a603f9..98f492a 100644
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
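Review bot: The `ansible.builtin.shell: >` folded scalar joins its lines with single spaces, so each trailing `\` in the `certbot certonly` command no longer escapes a newline but the following space, and the shell hands certbot a stray one-character argument between every pair of options; either drop the backslashes (the fold already yields one line) or use `|` instead of `>`. Since `item.email` and `item.domains` are interpolated into a shell string executed as root, an inventory value containing shell metacharacters would be run verbatim; `ansible.builtin.command` with `argv:` passes each value as a discrete argument and needs no shell at all, as below. The `creates:` guard only checks the first domain's `cert.pem`, so adding a SAN to an existing entry never re-issues, which deserves a comment such as `# creates: keyed on the first domain only — re-issue manually after changing the domain list`. The `no_log: true` on the credentials copy is correct and should stay.

```yaml
- name: certbot (linode)
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - --dns-linode
      - --dns-linode-credentials
      - "{{ certbot_credential_path }}/linode.ini"
      - --quiet
      - --agree-tos
      - --noninteractive
      - --email
      - "{{ item.email }}"
      - --domain
      - "{{ item.domains | join(',') }}"
    creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
  loop: "{{ certbot_certificates | default([]) }}"
```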
@@ -23,65 +23,51 @@ paths:
- tasks
-- name: install certbot modules
- package:
+- name: install certbot
+ ansible.builtin.pip:
name: "{{ certbot_package_name }}"
state: "{{ certbot_package_state }}"
-- name: configure challenge webroot
- file:
- path: "{{ certbot_challenge_webroot_path }}"
- state: "directory"
+- name: install certbot plugins
+ ansible.builtin.pip:
+ name: "{{ certbot_plugins }}"
+ state: latest
+
+- name: create credential path
+ ansible.builtin.file:
+ path: "{{ certbot_credential_path }}"
owner: root
group: root
- mode: 0755
+ mode: 0700
+ state: directory
- name: request certificates
ansible.builtin.include_tasks: "issue.yaml"
loop: "{{ certbot_certificates }}"
-- name: configure systemd timer
- block:
- - name: create systemd timer override directory
- file:
- path: "/etc/systemd/system/{{ certbot_timer_name }}.d"
- owner: root
- group: root
- mode: 0755
- state: directory
+- name: include linode tasks
+ ansible.builtin.include_tasks: configure-linode.yaml
- - name: configure systemd timer options
- template:
- src: certbot.timer.j2
- dest: "/etc/systemd/system/{{ certbot_timer_name }}.d/override.conf"
- owner: root
- group: root
- mode: 0644
- notify: systemd daemon-reload
- - name: enable the timer
- systemd:
- name: "{{ certbot_timer_name }}"
- state: "{{ certbot_timer_state }}"
- enabled: "{{ certbot_timer_enabled }}"
- when: ansible_service_mgr == "systemd"
+- name: configure renewal service
+ ansible.builtin.template:
+ src: certbot.service.j2
+ dest: "/etc/systemd/system/certbot.service"
+ owner: root
+ group: root
+ mode: 0644
+ notify: systemd daemon-reload
-- name: configure cron job
- block:
- - name: configure env
- cron:
- name: "{{ item.key | upper }}"
- env: yes
- job: "{{ item.value }}"
- user: "{{ certbot_cron_user }}"
- cron_file: "{{ certbot_cron_file_path }}"
- state: "{{ certbot_cron_state }}"
- loop: "{{ certbot_cron_env | dict2items }}"
- name: create job
- cron:
- name: certbot
- user: "{{ certbot_cron_user }}"
- 
hour: "{{ certbot_cron_hour }}"
- minute: "{{ certbot_cron_minute }}"
- cron_file: "{{ certbot_cron_file_path }}"
- job: "{{ certbot_cron_command }}"
- state: "{{ certbot_cron_state }}"
+- name: configure renewal timer
+ ansible.builtin.template:
+ src: certbot.timer.j2
+ dest: "/etc/systemd/system/certbot.timer"
+ owner: root
+ group: root
+ mode: 0644
+ notify: systemd daemon-reload
+
+- name: manage timer
+ ansible.builtin.systemd:
+ name: "{{ certbot_timer_name }}"
+ enabled: "{{ certbot_timer_enabled }}"
+ state: "{{ certbot_timer_state }}"
\ No newline at end of file
diff --git a/roles/certbot/templates/certbot.service.j2 b/roles/certbot/templates/certbot.service.j2
new file mode 100644
index 0000000..d6d2a21
--- /dev/null
+++ b/roles/certbot/templates/certbot.service.j2
@@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Certbot renewal
+After=network-online.target
+Wants=network-online.target
+Wants={{ certbot_timer_name }}
+
+[Service]
+Type=oneshot
+ExecStart={{ certbot_path }} --quiet renew
+
+[Install]
+WantedBy=multi-user.target
\ No newline at end of file
diff --git a/roles/certbot/templates/certbot.timer.j2 b/roles/certbot/templates/certbot.timer.j2
index 31970c6..db24892 100644
--- a/roles/certbot/templates/certbot.timer.j2
+++ b/roles/certbot/templates/certbot.timer.j2
@@ -1,5 +1,12 @@
# {{ ansible_managed }}
+[Unit]
+Description=Certbot renewal
+Requires={{ certbot_service_name }}
+
[Timer]
OnCalendar={{ certbot_system_timer_on_calender }}
RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target
\ No newline at end of file
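Review bot: `manage timer` enables and starts the timer before the `systemd daemon-reload` handler fires at the end of the play, so when the two template tasks have just changed a unit file systemd may still be acting on the previously loaded definition; add `daemon_reload: true` to that `ansible.builtin.systemd` task (or an `ansible.builtin.meta: flush_handlers` task just before it). Both template tasks write to the hardcoded `/etc/systemd/system/certbot.service` and `certbot.timer` while the last task manages `{{ certbot_timer_name }}`, so an overridden timer or service name would point at a unit that was never written; use `dest: "/etc/systemd/system/{{ certbot_timer_name }}"` and `dest: "/etc/systemd/system/{{ certbot_service_name }}"`. `request certificates` still loops over `certbot_certificates` without the `default([])` that `configure-linode.yaml` uses, so a host with no certificates defined fails there even though `issue.yaml` is now empty, and `include linode tasks` is unconditional, so every host must define `certbot_dns_linode_credentials`. `install certbot plugins` hardcodes `state: latest` and ignores `certbot_package_state`, which makes any pin an operator sets through that variable meaningless for the plugins. The hunk begins at the `paths:` context on line 23, so the tasks preceding it in main.yaml are outside this view.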
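Review bot: `Wants={{ certbot_timer_name }}` in the service's [Unit] and `WantedBy=multi-user.target` in [Install] invert the normal relationship: the timer is what pulls in the service, and installing a oneshot renewal service into multi-user.target would run `certbot renew` at every boot rather than on the timer's schedule if anyone ever enabled it. Since main.yaml only ever enables the timer, both the `Wants=` line and the whole [Install] section are dead and can be dropped, leaving the timer as the single trigger. The unit runs `{{ certbot_path }} --quiet renew` as root with no sandboxing; `PrivateTmp=true` and `ProtectHome=true` are cheap constraints, but whether they are compatible with the deploy hooks in use is not visible here and should be checked before adding them. `certbot_path` defaults to a console script under `/usr/local/bin`, which only holds if pip installed system-wide; a comment such as `# certbot_path must match where pip placed the console script (a venv or --user install differs)` would save the next maintainer a failed timer.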
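Review bot: `Requires={{ certbot_service_name }}` in the timer's [Unit] makes starting the timer pull in and start the service as well, so `certbot renew` runs every time the timer unit is started (each boot, and each `manage timer` run that (re)starts it) rather than only when `OnCalendar` elapses. A timer activates the unit of the same name by default, so the line can simply be removed; if the service name is meant to be configurable, express that in `[Timer]` as `Unit={{ certbot_service_name }}` instead of a dependency. Because main.yaml writes the service to a hardcoded `certbot.service` path, this template is the only place `certbot_service_name` is honoured, which is worth a comment such as `# must match the dest of the 'configure renewal service' task in tasks/main.yaml`.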