ansible/xoxys.lego
0
0
Fork 0
Code Issues Pull Requests Releases Activity

use systemd for renew job
Some checks failed
ci/woodpecker/push/lint Pipeline was successful
Details
ci/woodpecker/push/test Pipeline failed
Details
ci/woodpecker/push/docs unknown status
Details
ci/woodpecker/push/notify Pipeline was successful
Details

Browse Source
This commit is contained in:
Robert Kaussow 2024-09-28 22:22:42 +02:00
parent dba7380bad
commit 086bfba7d3
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
6 changed files with 67 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
handlers/main.yml Normal file
View File

@ -0,0 +1,7 @@
---
- name: Restart lego renew
ansible.builtin.service:
state: restarted
daemon_reload: True
name: lego-renew.service
listen: __lego_restart

46
tasks/main.yml
View File

@ -10,7 +10,7 @@
- name: Create lego base dir - name: Create lego base dir
ansible.builtin.file: ansible.builtin.file:
path: "{{ __lego_base_dir }}/bin" path: "{{ __lego_base_dir }}/hooks"
state: directory state: directory
owner: root owner: root
group: root group: root
@ -28,7 +28,7 @@
- name: Create hook scripts - name: Create hook scripts
ansible.builtin.copy: ansible.builtin.copy:
content: "{{ item.hook }}" content: "{{ item.hook }}"
dest: "{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh" dest: "{{ __lego_base_dir }}/hooks/{{ item.name }}.sh"
owner: root owner: root
group: root group: root
mode: "0700" mode: "0700"
@ -47,7 +47,7 @@
--dns="cloudflare" --dns="cloudflare"
{{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }} {{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }}
run run
{{ '--run-hook="' + __lego_base_dir + '/bin/hook-' + item.name + '.sh"' if item.hook is defined else '' }} {{ '--run-hook="' + __lego_base_dir + '/hooks/' + item.name + '.sh"' if item.hook is defined else '' }}
args: args:
creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt" creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
environment: environment:
@ -59,20 +59,30 @@
loop_control: loop_control:
label: "{{ item.name }}" label: "{{ item.name }}"
- name: Add cron scipt to renew certificates - name: Write environment file
ansible.builtin.template: ansible.builtin.template:
dest: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh" src: etc/sysconfig/lego.j2
mode: "0700" dest: /etc/sysconfig/lego
owner: root mode: "0600"
group: root notify: __lego_restart
src: cron-lego-renew.sh.j2
- name: Add cron job to renew certificates - name: Write timer file
ansible.builtin.cron: ansible.builtin.template:
name: "lego-renew" src: etc/systemd/system/lego-renew.timer.j2
cron_file: "lego-renew" dest: /etc/systemd/system/lego-renew.timer
job: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1" mode: "0644"
hour: "{{ lego_cron_hour }}" notify: __lego_restart
minute: "{{ lego_cron_minute }}"
user: root - name: Write service file
state: "{{ 'present' if lego_cron_enabled | bool else 'absent' }}" ansible.builtin.template:
src: etc/systemd/system/lego-renew.service.j2
dest: /etc/systemd/system/lego-renew.service
mode: "0644"
notify: __lego_restart
- name: Ensure renew timer is up and running
ansible.builtin.service:
name: lego-renew.timer
daemon_reload: True
enabled: True
state: started

13
templates/cron-lego-renew.sh.j2
View File

@ -1,13 +0,0 @@
#!/usr/bin/env bash
# run this script daily to renew any letsencrypt certs that need renewing
# renew cert if it expires within 30 days
export LEGO_SERVER="{{ lego_acme_server }}/directory"
export LEGO_PATH="{{ __lego_base_dir }}/.lego"
export CLOUDFLARE_DNS_API_TOKEN="{{ lego_cloudflare_api_token }}"
{% for cert in lego_certificates %}
echo "$(date) checking for cert update for {{ ', '.join(cert.domains) }}."
{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" {{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }} renew {{ '--renew-hook="' + __lego_base_dir + '/bin/hook-' + cert.name + '.sh"' if cert.hook is defined else '' }} --days 30
{% endfor %}

6
templates/etc/sysconfig/lego.j2 Normal file
View File

@ -0,0 +1,6 @@
#jinja2:lstrip_blocks: True
{{ ansible_managed | comment }}
LEGO_SERVER="{{ lego_acme_server }}/directory"
LEGO_PATH="{{ __lego_base_dir }}/.lego"
CLOUDFLARE_DNS_API_TOKEN="{{ lego_cloudflare_api_token }}"
ARGS=--dns=cloudflare {{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }} --key-type="{{ lego_key_type }}"

17
templates/etc/systemd/system/lego-renew.service.j2 Normal file
View File

@ -0,0 +1,17 @@
#jinja2:lstrip_blocks: True
{{ ansible_managed | comment }}
[Unit]
Description=Lego renew
Requires=network-online.target
After=network-online.target
[Service]
Type=oneshot
EnvironmentFile=/etc/sysconfig/lego
{% for cert in lego_certificates %}
ExecStart={{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} $ARGS renew {{ '--renew-hook="' + __lego_base_dir + '/hooks/' + cert.name + '.sh"' if cert.hook is defined else '' }} --days 30
{% endfor %}
[Install]
WantedBy=multi-user.target

9
templates/etc/systemd/system/lego-renew.timer.j2 Normal file
View File

@ -0,0 +1,9 @@
[Unit]
Description=Lego renew
[Timer]
OnCalendar={{ lego_renew_interval }}
Persistent=true
[Install]
WantedBy=timers.target