Refactor certbot role

2024-04-14 17:29:18 -05:00 · 2024-04-14 17:29:18 -05:00 · 4a7f888994
commit 4a7f888994
parent 8b24c9fad9
8 changed files with 106 additions and 73 deletions
--- a/roles/certbot/defaults/main.yaml
+++ b/roles/certbot/defaults/main.yaml
@ -1,22 +1,35 @@
 ---
 certbot_package_name: certbot
-certbot_package_state: present
+certbot_package_state: latest
+
+certbot_plugins:
+  - certbot-dns-cloudflare
+  - certbot-dns-digitalocean
+  - certbot-dns-dnsimple
+  - certbot-dns-dnsmadeeasy
+  - certbot-dns-gehirn
+  - certbot-dns-google
+  - certbot-dns-linode
+  - certbot-dns-luadns
+  - certbot-dns-nsone
+  - certbot-dns-ovh
+  - certbot-dns-rfc2136
+  - certbot-dns-route53
+  - certbot-dns-sakuracloud

 certbot_service_name: certbot.service

+certbot_bin_path: /usr/local/bin
+certbot_path: "{{ certbot_bin_path }}/certbot"
+
 certbot_timer_name: certbot.timer
 certbot_timer_state: started
-certbot_timer_enabled: yes
+certbot_timer_enabled: true

-certbot_cron_state: present
-certbot_cron_user: root
-certbot_cron_file_path: /etc/cron.d/certbot
-certbot_cron_env:
-  path: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-  shell: /bin/sh
-certbot_cron_command: test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
-certbot_cron_hour: "*/12"
-certbot_cron_minute: "0"
+certbot_etc_path: /etc/letsencrypt
+certbot_live_path: "{{ certbot_etc_path }}/live"

 certbot_system_timer_on_calender: "*-*-* 00,12:00:00"
 certbot_system_timer_randomized_delay_sec: 43200
+
+certbot_credential_path: /root/.secrets/certbot
--- a/roles/certbot/handlers/main.yaml
+++ b/roles/certbot/handlers/main.yaml
@ -1,6 +1,4 @@
 ---
 - name: systemd daemon-reload
-  systemd:
-    name: "{{ certbot_service_name }}"
-    daemon_reload: yes
-    state: restarted
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/roles/certbot/tasks/configure-linode.yaml
+++ b/roles/certbot/tasks/configure-linode.yaml
@ -0,0 +1,23 @@
+---
+- name: configure linode credentials
+  ansible.builtin.copy:
+    dest: "{{ certbot_credential_path }}/linode.ini"
+    owner: root
+    group: root
+    mode: 0600
+    content: "{{ certbot_dns_linode_credentials }}"
+  no_log: true
+
+- name: certbot (linode)
+  ansible.builtin.shell: >
+    certbot certonly \
+      --dns-linode \
+      --dns-linode-credentials "{{ certbot_credential_path }}/linode.ini" \
+      --quiet \
+      --agree-tos \
+      --noninteractive \
+      --email "{{ item.email }}" \
+      --domain "{{ item.domains | join(',') }}"
+  args:
+    creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
+  loop: "{{ certbot_certificates | default([]) }}"
--- a/roles/certbot/tasks/default.yaml
+++ b/roles/certbot/tasks/default.yaml
--- a/roles/certbot/tasks/issue.yaml
+++ b/roles/certbot/tasks/issue.yaml
@ -1,9 +1 @@
 ---
- name: "determine if certificate for {{ item.domains | join(', ') }}" 
-  stat:
-    path: "/etc/letsencrypt/live/{{ item.domains | first }}/cert.pem"
-  register: st
-
- name: "request certificate for {{ item.domains | join(', ') }}"
-  command: "certbot certonly -q --webroot -w {{ certbot_challenge_webroot_path }} --agree-tos --noninteractive --email {{ item.email }} -d {{ item.domains | join(',') }}"
-  when: not st.stat.exists
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
@ -23,65 +23,51 @@
      paths:
        - tasks

- name: install certbot modules
-  package:
+- name: install certbot
+  ansible.builtin.pip:
    name: "{{ certbot_package_name }}"
    state: "{{ certbot_package_state }}"

- name: configure challenge webroot
-  file:
-    path: "{{ certbot_challenge_webroot_path }}"
-    state: "directory"
+- name: install certbot plugins
+  ansible.builtin.pip:
+    name: "{{ certbot_plugins }}"
+    state: latest
+
+- name: create credential path
+  ansible.builtin.file:
+    path: "{{ certbot_credential_path }}"
    owner: root
    group: root
-    mode: 0755
+    mode: 0700
+    state: directory

 - name: request certificates
  ansible.builtin.include_tasks: "issue.yaml"
  loop: "{{ certbot_certificates }}"

- name: configure systemd timer
-  block:
-    - name: create systemd timer override directory
-      file:
-        path: "/etc/systemd/system/{{ certbot_timer_name }}.d"
-        owner: root
-        group: root
-        mode: 0755
-        state: directory
+- name: include linode tasks
+  ansible.builtin.include_tasks: configure-linode.yaml

-    - name: configure systemd timer options
-      template:
-        src: certbot.timer.j2
-        dest: "/etc/systemd/system/{{ certbot_timer_name }}.d/override.conf"
+- name: configure renewal service
+  ansible.builtin.template:
+    src: certbot.service.j2
+    dest: "/etc/systemd/system/certbot.service"
    owner: root
    group: root
    mode: 0644
  notify: systemd daemon-reload
-    - name: enable the timer
-      systemd:
-        name: "{{ certbot_timer_name }}"
-        state: "{{ certbot_timer_state }}"
-        enabled: "{{ certbot_timer_enabled }}"
-  when: ansible_service_mgr == "systemd"

- name: configure cron job
-  block:
-    - name: configure env
-      cron:
-        name: "{{ item.key | upper }}"
-        env: yes
-        job: "{{ item.value }}"
-        user: "{{ certbot_cron_user }}"
-        cron_file: "{{ certbot_cron_file_path }}"
-        state: "{{ certbot_cron_state }}"
-      loop: "{{ certbot_cron_env | dict2items }}"
-    - name: create job
-      cron:
-        name: certbot
-        user: "{{ certbot_cron_user }}"
-        hour: "{{ certbot_cron_hour }}"
-        minute: "{{ certbot_cron_minute }}"
-        cron_file: "{{ certbot_cron_file_path }}"
-        job: "{{ certbot_cron_command }}"
-        state: "{{ certbot_cron_state }}"
+- name: configure renewal timer
+  ansible.builtin.template:
+    src: certbot.timer.j2
+    dest: "/etc/systemd/system/certbot.timer"
+    owner: root
+    group: root
+    mode: 0644
+  notify: systemd daemon-reload
+
+- name: manage timer
+  ansible.builtin.systemd:
+    name: "{{ certbot_timer_name }}"
+    enabled: "{{ certbot_timer_enabled }}"
+    state: "{{ certbot_timer_state }}"
--- a/roles/certbot/templates/certbot.service.j2
+++ b/roles/certbot/templates/certbot.service.j2
@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Certbot renewal
+After=network-online.target
+Wants=network-online.target
+Wants={{ certbot_timer_name }}
+
+[Service]
+Type=oneshot
+ExecStart={{ certbot_path }} --quiet renew
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/certbot/templates/certbot.timer.j2
+++ b/roles/certbot/templates/certbot.timer.j2
@ -1,5 +1,12 @@
 # {{ ansible_managed }}

+[Unit]
+Description=Certbot renewal
+Requires={{ certbot_service_name }}
+
 [Timer]
 OnCalendar={{ certbot_system_timer_on_calender }} 
 RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target