ansible/xoxys.lego
0
0
Fork 0
Code Issues Pull Requests Releases Activity

add hook support
Some checks failed
ci/woodpecker/push/lint Pipeline was successful
Details
ci/woodpecker/push/test Pipeline failed
Details
ci/woodpecker/push/docs unknown status
Details
ci/woodpecker/push/notify Pipeline was successful
Details

Browse Source
This commit is contained in:
Robert Kaussow 2024-09-27 22:04:16 +02:00
parent dfd8dbcc3d
commit 1a9280fb2e
Signed by: xoxys
GPG Key ID: 4E692A2EAECC03C0
3 changed files with 29 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
defaults/main.yml
View File

@ -10,9 +10,17 @@ lego_key_type: "ec256"
# @var lego_certificates:example: # @var lego_certificates:example:
# lego_certificates: # lego_certificates:
# - domains: # - name: example
# domains:
# - example.com # - example.com
# - www.example.com # - www.example.com
# hook: |
# #!/bin/env bash
# install -m 0640 "$LEGO_CERT_PATH" /etc/pki/tls/certs/ucs.pem
# install -m 0600 "$LEGO_CERT_KEY_PATH" /etc/pki/tls/private/ucs.pem
# systemctl reload apache2.service
# skip_create: False # skip_create: False
# @end # @end
lego_certificates: [] lego_certificates: []

24
tasks/main.yml
View File

@ -25,13 +25,27 @@
mode: "0700" mode: "0700"
recurse: True recurse: True
- name: Create hook scripts
ansible.builtin.copy:
content: "{{ item.hook }}"
dest: "{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"
owner: root
group: root
mode: "0600"
when: item.hook is defined
loop: "{{ lego_certificates }}"
loop_control:
label: "{{ item.name }}"
- name: Obtain certificates for domains - name: Obtain certificates for domains
ansible.builtin.command: >- ansible.builtin.command: >-
{{ __lego_bin_file }} run {{ __lego_bin_file }}
--email="{{ lego_acme_account_email }}" --email="{{ lego_acme_account_email }}"
--domains {{ " --domains ".join(item.domains) }} --domains {{ " --domains ".join(item.domains) }}
--key-type="{{ lego_key_type }}" --key-type="{{ lego_key_type }}"
--dns="cloudflare" --dns="cloudflare"
run
{{ '--run-hook="{{ __lego_base_dir }}/bin/hook-{{ item.name }}.sh"' if item.hook is defined else '' }}
args: args:
creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt" creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
environment: environment:
@ -41,19 +55,19 @@
when: not item.skip_create | default(False) | bool when: not item.skip_create | default(False) | bool
loop: "{{ lego_certificates }}" loop: "{{ lego_certificates }}"
loop_control: loop_control:
label: "{{ item.domains[0] }}" label: "{{ item.name }}"
- name: Add cron scipt to renew certificates - name: Add cron scipt to renew certificates
ansible.builtin.template: ansible.builtin.template:
dest: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh" dest: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh"
mode: "0755" mode: "0755"
src: cron_lego_renew.sh.j2 src: cron-lego-renew.sh.j2
- name: Add cron job to renew certificates - name: Add cron job to renew certificates
ansible.builtin.cron: ansible.builtin.cron:
name: "lego-renew" name: "lego-renew"
cron_file: "lego-renew" cron_file: "lego-renew"
job: "{{ __lego_base_dir }}/bin/cron_lego_renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1" job: "{{ __lego_base_dir }}/bin/cron-lego-renew.sh >> {{ __lego_base_dir }}/cron_lego_renew.log 2>&1"
hour: "{{ lego_cron_hour }}" hour: "{{ lego_cron_hour }}"
minute: "{{ lego_cron_minute }}" minute: "{{ lego_cron_minute }}"
user: root user: root

2
templates/cron_lego_renew.sh.j2 → templates/cron-lego-renew.sh.j2
View File

@ -8,6 +8,6 @@ export CLOUDFLARE_API_TOKEN="{{ lego_cloudflare_api_token }}"
{% for cert in lego_certificates %} {% for cert in lego_certificates %}
echo "$(date) checking for cert update for {{ ', '.join(cert.domains) }}." echo "$(date) checking for cert update for {{ ', '.join(cert.domains) }}."
{{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew --days 30 {{ __lego_bin_file }} --email="{{ lego_acme_account_email }}" --domains {{ ' --domains '.join(cert.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" renew {{ '--run-hook="hook-{{ item.name }}.sh"' if item.hook is defined else '' }} --days 30
{% endfor %} {% endfor %}