Charles Decoux · Charles Decoux · Charles Decoux · 7f4b2b7c · 7f4b2b7c · 7f4b2b7c
--- a/roles/acme/defaults/main.yml
+++ b/roles/acme/defaults/main.yml
@@ -14,6 +14,11 @@ acme_experimental_cname_support: false
 acme_renew_interval: daily
 acme_valid_min_days: 30
 acme_postrun: ""
+
+# If set to false, only new or changed servicess will be started when role is
+# applied
+acme_always_start_cert_services: true
+
 acme_certificates: []

 # Example of acme_certificates

--- a/roles/acme/tasks/acme.yml
+++ b/roles/acme/tasks/acme.yml
@@ -27,6 +27,7 @@
    mode: 0755
  loop:
    - acme-fixperms.sh
+  register: copy_acme_scripts

 - name: Copy ACME self-signed scripts
  template:
@@ -38,6 +39,7 @@
  when: acme_preliminary_selfsigned
  loop:
    - acme-selfsigned-ca.sh
+  register: copy_acme_selfsigned_scripts

 - name: Create ACME self-signed CA directory
  file:
@@ -62,6 +64,7 @@
    mode: 0644
  loop:
    - acme-fixperms.service
+  register: copy_acme_services

 - name: Save internal state for ACME services
  changed_when: false
@@ -72,6 +75,7 @@
                            | combine({ service_file: true }) }}"
  loop:
    - acme-fixperms.service
+  register: copy_acme_selfsigned_services

 - name: Copy ACME self-signed services
  template:
@@ -98,18 +102,26 @@
    daemon_reload: true

 - name: Start ACME services
-  systemd:
+  systemd:  # noqa no-handler
    name: "{{ item }}"
    state: started
    enabled: false
  loop:
    - acme-fixperms
+  when: acme_always_start_cert_services or (
+            copy_acme_scripts.changed
+         or copy_acme_services.changed)
+

 - name: Start ACME self-signed services
  systemd:
    name: "{{ item }}"
    state: started
    enabled: false
-  when: acme_preliminary_selfsigned
  loop:
    - acme-selfsigned-ca
+  when:
+    - acme_preliminary_selfsigned
+    - acme_always_start_cert_services or (
+           copy_acme_selfsigned_scripts.changed
+        or copy_acme_selfsigned_services.changed)
--- a/roles/acme/tasks/domain.yml
+++ b/roles/acme/tasks/domain.yml
@@ -46,6 +46,7 @@
    group: acme
    mode: 0755
  when: acme_preliminary_selfsigned
+  register: copy_domain_selfsigned_script

 - name: Copy {{ item.domain }} script
  template:
@@ -54,6 +55,7 @@
    owner: acme
    group: acme
    mode: 0755
+  register: copy_domain_script

 - name: Copy {{ item.domain }} postrun script
  template:
@@ -62,6 +64,7 @@
    owner: acme
    group: acme
    mode: 0755
+  register: copy_domain_postrun_script

 - name: Create {{ item.domain }} required directories
  file:
@@ -82,6 +85,7 @@
    src: "acme-selfsigned.service"
    dest: "/etc/systemd/system/acme-selfsigned-{{ item.domain }}.service"
    mode: 0644
+  register: copy_domain_selfsigned_service

 - name: Save internal state for {{ item.domain }} self-signed service
  changed_when: false
@@ -96,6 +100,7 @@
    src: "acme.service"
    dest: "/etc/systemd/system/acme-{{ item.domain }}.service"
    mode: 0644
+  register: copy_domain_service

 - name: Save internal state for {{ item.domain }} service
  changed_when: false
@@ -110,17 +115,26 @@
    name: "{{ service }}"
    state: started
    enabled: false
-  when: acme_preliminary_selfsigned|bool
+  when:
+    - acme_preliminary_selfsigned|bool
+    - acme_always_start_cert_services or (
+                copy_domain_selfsigned_service.changed
+             or copy_domain_selfsigned_service.changed
+             or copy_domain_selfsigned_script.changed)
  loop:
    - "acme-selfsigned-{{ item.domain }}"
  loop_control:
    loop_var: service

 - name: "Start ACME service for {{ item.domain }}"
-  systemd:
+  systemd:  # noqa no-handler
    name: "{{ service }}"
    state: started
    enabled: false
+  when: acme_always_start_cert_services or (
+            copy_domain_service.changed
+         or copy_domain_postrun_script.changed
+         or copy_domain_script.changed)
  loop:
    - "acme-{{ item.domain }}"
  loop_control:

--- a/roles/acme_vault_client/defaults/main.yml
+++ b/roles/acme_vault_client/defaults/main.yml
@@ -11,6 +11,9 @@ acme_vault_client_mode: 750
 acme_vault_client_postrun: ""
 # This value *must* include ${ACME_DOMAIN}
 acme_vault_certs_vault_path: "certs/${ACME_DOMAIN}"
+# Determines whether vault download script must be run when role is applied and
+# certs configuration hasn't changed
+acme_vault_client_always_fetch_certs: true

 # Configure those using https://learn.hashicorp.com/tutorials/vault/approle
 # acme_vault_client_role_id:

--- a/roles/acme_vault_client/tasks/main.yml
+++ b/roles/acme_vault_client/tasks/main.yml
@@ -13,9 +13,14 @@
    src: acme-vault-download.sh
    dest: /usr/local/bin/acme-vault-download.sh
    mode: 0755
+  register: copy_vault_dl_script

 - name: Create cronjob for renewing certificates
  cron:
    name: Renew certificates from vault
    special_time: "{{ acme_vault_client_renew_interval }}"
    job: "/usr/local/bin/acme-vault-download.sh"
+
+- name: Run vault download script
+  command: /usr/local/bin/acme-vault-download.sh  # noqa no-handler
+  when: acme_vault_client_always_fetch_certs or copy_vault_dl_script.changed
--- a/roles/vault_client/tasks/main.yml
+++ b/roles/vault_client/tasks/main.yml
@@ -7,7 +7,7 @@

 - name: Download and install vault binary
  unarchive:
-    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ vault_host_arch_map }}.zip"  # yamllint disable-line rule:line-length
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_{{ vault_host_arch }}.zip"  # yamllint disable-line rule:line-length
    dest: /usr/bin/
    remote_src: true
    mode: 0755
No results found