......@@ -14,6 +14,11 @@ acme_experimental_cname_support: false
acme_renew_interval: daily
acme_valid_min_days: 30
acme_postrun: ""
# If set to false, only new or changed servicess will be started when role is
# applied
acme_always_start_cert_services: true
acme_certificates: []
# Example of acme_certificates
......
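Review bot: The comment introducing `acme_always_start_cert_services` misspells "servicess" and describes the false case more loosely than the condition the start tasks in this change actually use, which keys off the registered copy results for the scripts and unit files. `# If false, ACME services are only started when their scripts or unit files were changed by this run` states what the `when` on the start tasks evaluates. The remainder of this defaults file is outside the hunk.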
......@@ -27,6 +27,7 @@
mode: 0755
loop:
- acme-fixperms.sh
register: copy_acme_scripts
- name: Copy ACME self-signed scripts
template:
......@@ -38,6 +39,7 @@
when: acme_preliminary_selfsigned
loop:
- acme-selfsigned-ca.sh
register: copy_acme_selfsigned_scripts
- name: Create ACME self-signed CA directory
file:
......@@ -62,6 +64,7 @@
mode: 0644
loop:
- acme-fixperms.service
register: copy_acme_services
- name: Save internal state for ACME services
changed_when: false
......@@ -72,6 +75,7 @@
| combine({ service_file: true }) }}"
loop:
- acme-fixperms.service
register: copy_acme_selfsigned_services
- name: Copy ACME self-signed services
template:
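Review bot: `register: copy_acme_selfsigned_services` appears to be attached to the `Save internal state for ACME services` task — the one declared with `changed_when: false`, whose value ends in the `combine({ service_file: true })` line and which loops over `acme-fixperms.service` — rather than to the `Copy ACME self-signed services` template task that starts on the next line. If so, the variable's `changed` is always false, and the `when` on `Start ACME self-signed services` (`copy_acme_selfsigned_scripts.changed or copy_acme_selfsigned_services.changed`) never reacts to a changed self-signed unit file unless `acme_always_start_cert_services` is true. Move the `register:` line under the self-signed template task's own `loop:`, mirroring how `copy_acme_services` sits under the `acme-fixperms.service` copy earlier in this file. The header of the state-saving task is outside this hunk, so please confirm the nesting before moving it.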
......@@ -98,18 +102,26 @@
daemon_reload: true
- name: Start ACME services
systemd:
systemd: # noqa no-handler
name: "{{ item }}"
state: started
enabled: false
loop:
- acme-fixperms
when: acme_always_start_cert_services or (
copy_acme_scripts.changed
or copy_acme_services.changed)
- name: Start ACME self-signed services
systemd:
name: "{{ item }}"
state: started
enabled: false
when: acme_preliminary_selfsigned
loop:
- acme-selfsigned-ca
when:
- acme_preliminary_selfsigned
- acme_always_start_cert_services or (
copy_acme_selfsigned_scripts.changed
or copy_acme_selfsigned_services.changed)
......@@ -46,6 +46,7 @@
group: acme
mode: 0755
when: acme_preliminary_selfsigned
register: copy_domain_selfsigned_script
- name: Copy {{ item.domain }} script
template:
......@@ -54,6 +55,7 @@
owner: acme
group: acme
mode: 0755
register: copy_domain_script
- name: Copy {{ item.domain }} postrun script
template:
......@@ -62,6 +64,7 @@
owner: acme
group: acme
mode: 0755
register: copy_domain_postrun_script
- name: Create {{ item.domain }} required directories
file:
......@@ -82,6 +85,7 @@
src: "acme-selfsigned.service"
dest: "/etc/systemd/system/acme-selfsigned-{{ item.domain }}.service"
mode: 0644
register: copy_domain_selfsigned_service
- name: Save internal state for {{ item.domain }} self-signed service
changed_when: false
......@@ -96,6 +100,7 @@
src: "acme.service"
dest: "/etc/systemd/system/acme-{{ item.domain }}.service"
mode: 0644
register: copy_domain_service
- name: Save internal state for {{ item.domain }} service
changed_when: false
......@@ -110,17 +115,26 @@
name: "{{ service }}"
state: started
enabled: false
when: acme_preliminary_selfsigned|bool
when:
- acme_preliminary_selfsigned|bool
- acme_always_start_cert_services or (
copy_domain_selfsigned_service.changed
or copy_domain_selfsigned_service.changed
or copy_domain_selfsigned_script.changed)
loop:
- "acme-selfsigned-{{ item.domain }}"
loop_control:
loop_var: service
- name: "Start ACME service for {{ item.domain }}"
systemd:
systemd: # noqa no-handler
name: "{{ service }}"
state: started
enabled: false
when: acme_always_start_cert_services or (
copy_domain_service.changed
or copy_domain_postrun_script.changed
or copy_domain_script.changed)
loop:
- "acme-{{ item.domain }}"
loop_control:
......
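Review bot: In the `when` list of the self-signed start task, `copy_domain_selfsigned_service.changed` appears on two consecutive lines, which looks like a copy of the three-term condition on the regular service task below it; this file only registers a script and a service for the self-signed path, so the condition should read `- acme_always_start_cert_services or (copy_domain_selfsigned_service.changed or copy_domain_selfsigned_script.changed)`. The duplicate is harmless at runtime but obscures whether a third registered result was intended. The task's `loop_control` continues outside the hunk.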
......@@ -11,6 +11,9 @@ acme_vault_client_mode: 750
acme_vault_client_postrun: ""
# This value *must* include ${ACME_DOMAIN}
acme_vault_certs_vault_path: "certs/${ACME_DOMAIN}"
# Determines whether vault download script must be run when role is applied and
# certs configuration hasn't changed
acme_vault_client_always_fetch_certs: true
# Configure those using https://learn.hashicorp.com/tutorials/vault/approle
# acme_vault_client_role_id:
......
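Review bot: The comment above `acme_vault_client_always_fetch_certs` says the script is run when "certs configuration hasn't changed", but the task that consumes it (`Run vault download script`) otherwise only runs when the copied download script itself reported changed, so a reader of this default would expect certificate-configuration changes to trigger a fetch that they do not. `# If false, the vault download script only runs when this role (re)installs the script; cert changes alone do not trigger a fetch` matches the actual condition. The rest of this defaults file is outside the hunk.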
......@@ -13,9 +13,14 @@
src: acme-vault-download.sh
dest: /usr/local/bin/acme-vault-download.sh
mode: 0755
register: copy_vault_dl_script
- name: Create cronjob for renewing certificates
cron:
name: Renew certificates from vault
special_time: "{{ acme_vault_client_renew_interval }}"
job: "/usr/local/bin/acme-vault-download.sh"
- name: Run vault download script
command: /usr/local/bin/acme-vault-download.sh # noqa no-handler
when: acme_vault_client_always_fetch_certs or copy_vault_dl_script.changed
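Review bot: The new `Run vault download script` task has no `changed_when`, so with the default `acme_vault_client_always_fetch_certs: true` every play reports this task as changed whether or not any certificate was actually fetched, which makes the play's change summary useless for spotting real rotations. If the script can signal that it wrote something, `register:` its result and derive `changed_when` from its output; if it cannot, `changed_when: false` on the task is the honest default. Either way the condition `acme_vault_client_always_fetch_certs or copy_vault_dl_script.changed` stays as written.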
......@@ -7,7 +7,7 @@
- name: Download and install vault binary
unarchive:
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ vault_host_arch_map }}.zip" # yamllint disable-line rule:line-length
src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ vault_host_arch }}.zip" # yamllint disable-line rule:line-length
dest: /usr/bin/
remote_src: true
mode: 0755
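Review bot: The corrected URL still hands an unverified zip from releases.hashicorp.com straight to `unarchive` into `/usr/bin/`; `unarchive` has no checksum parameter, so a tampered or truncated download would be installed as the vault binary without any integrity check. Fetch the archive with `get_url` and pin its `checksum` to the value HashiCorp publishes in the per-version SHA256SUMS file (a `sha256:<url>` checksum source is also accepted, though a pinned value is the stronger control), then unarchive the local file. The sketch below keeps the existing unarchive options; the staging path and checksum are placeholders to fill per `vault_version`.
```yaml
- name: Download vault release archive
  get_url:
    url: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ vault_host_arch }}.zip" # yamllint disable-line rule:line-length
    dest: "<STAGING_DIR>/vault_{{ vault_version }}.zip"  # placeholder: a root-owned staging directory
    checksum: "sha256:<SHA256_FROM_PUBLISHED_SHA256SUMS>"  # placeholder: pin per vault_version
    mode: "0644"

- name: Download and install vault binary
  unarchive:
    src: "<STAGING_DIR>/vault_{{ vault_version }}.zip"  # placeholder: same path as above
    dest: /usr/bin/
    remote_src: true
    mode: 0755
```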