diff --git a/defaults/main.yml b/defaults/main.yml
index d7385a6..62f97be 100644
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -10,9 +10,17 @@ lego_key_type: "ec256"
 # @var lego_certificates:example:
 # lego_certificates:
-# - domains:
+# - name: example
+# domains:
 # - example.com
 # - www.example.com
+# hook: |
+# #!/bin/env bash
+
+# install -m 0640 "$LEGO_CERT_PATH" /etc/pki/tls/certs/ucs.pem
+# install -m 0600 "$LEGO_CERT_KEY_PATH" /etc/pki/tls/private/ucs.pem
+
+# systemctl reload apache2.service
 # skip_create: False
 # @end
 lego_certificates: []
diff --git a/tasks/main.yml b/tasks/main.yml
index 0e390ee..2558801 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -25,13 +25,27 @@
 mode: "0700"
 recurse: True
 
+- name: Create hook scripts
+ ansible.builtin.copy:
+ content: "{{ item.hook }}"
+ dest: "{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"
+ owner: root
+ group: root
+ mode: "0600"
+ when: item.hook is defined
+ loop: "{{ lego_certificates }}"
+ loop_control:
+ label: "{{ item.name }}"
+
 - name: Obtain certificates for domains
 ansible.builtin.command: >-
- {{ __lego_bin_file }} run
+ {{ __lego_bin_file }}
 --email="{{ lego_acme_account_email }}"
 --domains {{ " --domains ".join(item.domains) }}
 --key-type="{{ lego_key_type }}"
 --dns="cloudflare"
+ run
+ {{ '--run-hook="{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"' if item.hook is defined else '' }}
 args:
 creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
 environment:
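Review bot: The example hook opens with `#!/bin/env bash`, which only resolves on systems where /bin is merged into /usr/bin; the portable form the example should show is `#!/usr/bin/env bash`, because the hook runs as root at issue and renew time and a failing interpreter lookup leaves the copied certificate stale without any obvious error in the playbook. The example also introduces `name` without saying that tasks/main.yml now dereferences `item.name` unconditionally (loop labels and the hook file name), so existing `lego_certificates` entries that lack it will fail; a line such as `# name: required; used for the hook file name and loop labels` next to the example entry would make that explicit.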
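Review bot: The hook script written by `Create hook scripts` gets `mode: "0600"`, but lego runs `--run-hook` by exec'ing the path directly rather than through a shell, so a non-executable file fails at exec and the hook never runs; since the file is root-owned and root-run, `mode: "0700"` is the value that works. The new `--run-hook` argument in `Obtain certificates for domains` also nests `{{ __lego_base_dir }}` and `{{ item.name }}` inside a Jinja string literal, and Ansible does not template a result a second time (the `{{ '{{' }}` escaping idiom relies on exactly that), so lego receives the literal braces; build the argument with concatenation instead: `{{ ('--run-hook="' ~ __lego_base_dir ~ '/bin/hook-' ~ item.name ~ '.sh"') if item.hook is defined else '' }}`. Both uses of `item.name` place an operator-supplied value into a root-owned path under bin/ with no validation; an `ansible.builtin.assert` ahead of these tasks that `name` matches a simple pattern such as `^[A-Za-z0-9_-]+$` would keep the hook file where it is expected.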
@@ -41,19 +55,19 @@
 when: not item.skip_create | default(False) | bool
 loop: "{{ lego_certificates }}"
 loop_control:
- label: "{{ item.domains[0] }}"
+ label: "{{ item.name }}"
 
 - name: Add cron scipt to renew certificates
 ansible.builtin.template:
- dest: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh"
+ dest: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh"
 mode: "0755"
- src: cron_lego_renew.sh.j2
+ src: cron-lego-renew.sh.j2
 
 - name: Add cron job to renew certificates
 ansible.builtin.cron:
 name: "lego-renew"
 cron_file: "lego-renew"
- job: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1"
+ job: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1"
 hour: "{{ lego_cron_hour }}"
 minute: "{{ lego_cron_minute }}"
 user: root
diff --git a/templates/cron_lego_renew.sh.j2 b/templates/cron-lego-renew.sh.j2
similarity index 81%
rename from templates/cron_lego_renew.sh.j2
rename to templates/cron-lego-renew.sh.j2
index fba05be..e5757ce 100644
--- a/templates/cron_lego_renew.sh.j2
+++ b/templates/cron-lego-renew.sh.j2
@@ -8,6 +8,6 @@ export CLOUDFLARE_API_TOKEN="{{ lego_cloudflare_api_token }}"
 {% for cert in lego_certificates %}
 echo "$(date) checking for cert update for {{ ', '.join(cert.domains) }}."
-{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew --days 30
+{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew {{ '--run-hook="hook-{{ item.name }}.sh"' if item.hook is defined else '' }} --days 30
 {% endfor %}
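Review bot: `label: "{{ item.name }}"` makes `name` mandatory for every `lego_certificates` entry even when no hook is configured, which turns previously valid inventories into an undefined-variable failure on the first loop iteration; `label: "{{ item.name | default(item.domains[0]) }}"` keeps the old behaviour for entries without a name. The rename of the renew script also leaves the old `cron_lego_renew.sh` in place on hosts provisioned with the previous version (the cron entry is updated because its `name` and `cron_file` are unchanged, but the file is not touched); an `ansible.builtin.file` task with `state: absent` on the old path would remove the orphaned root-executable script. The log path in the `job:` line still uses the old `cron_lego_renew.log` spelling, which is harmless but inconsistent with the new names.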
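Review bot: The new `--run-hook` expression in the renew command references `item.name` and `item.hook`, but the loop variable in this template is `cert` and `item` is not defined here, so at best the condition is false and renewals never run the hook, leaving the reload and copy steps undone after every renewal. The nested `{{ item.name }}` inside the string literal would also be emitted literally since Ansible templates only once, and the bare `hook-….sh` file name is resolved by lego through a PATH lookup rather than the working directory, so even a correct name would not be found; use the loop variable, concatenation and the absolute path, matching the `run` task: `renew {{ ('--run-hook="' ~ __lego_base_dir ~ '/bin/hook-' ~ cert.name ~ '.sh"') if cert.hook is defined else '' }} --days 30`.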