diff --git a/roles/certsync/defaults/main.yml b/roles/certsync/defaults/main.yml
new file mode 100644
index 0000000..a0ceb3a
--- /dev/null
+++ b/roles/certsync/defaults/main.yml
@@ -0,0 +1,5 @@
+---
+certsync_dir: /etc/ssl/certsync
+certsync_host: srv02.hamburg.freifunk.net
+certsync_key: /root/.ssh/certsync
+certsync_script: /usr/local/sbin/certsync
diff --git a/roles/certsync/tasks/main.yml b/roles/certsync/tasks/main.yml
new file mode 100644
index 0000000..9c3cd10
--- /dev/null
+++ b/roles/certsync/tasks/main.yml
@@ -0,0 +1,24 @@
+---
+- name: create SSH key
+ command: ssh-keygen -b 4096 -C {{ ansible_nodename }} -f {{ certsync_key }}
+ args:
+ creates: "{{ certsync_key }}"
+ tags: certsync
+
+- name: template certsync script
+ template:
+ src: templates/certsync.j2
+ dest: "{{ certsync_script }}"
+ owner: root
+ group: staff
+ mode: 0550
+ tags: certsync
+
+- name: create cronjob
+ cron:
+ name: TLS Zertifikate synchronisieren
+ job: "{{ certsync_script }}"
+ minute: "0"
+ hour: "6"
+ day: "2"
+ tags: certsync
diff --git a/roles/certsync/templates/certsync.j2 b/roles/certsync/templates/certsync.j2
new file mode 100755
index 0000000..30575ee
--- /dev/null
+++ b/roles/certsync/templates/certsync.j2
@@ -0,0 +1,20 @@
+#!/bin/bash
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+CERT_DIR="{{ certsync_dir }}"
+
+if [ ! -d $CERT_DIR ]; then
+ mkdir -p $CERT_DIR
+ chown root.root $CERT_DIR
+ chmod 750 $CERT_DIR
+fi
+
+sftp -q -i {{ certsync_key }} certsync@{{ certsync_host }}:* "$CERT_DIR/" > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+ echo "Error getting certificates"
+ exit 1
+fi
+chown root.root $CERT_DIR/*
+chmod 440 $CERT_DIR/*
+
+service nginx reload > /dev/null
diff --git a/services.yml b/services.yml
index e120996..3047ff2 100644
--- a/services.yml
+++ b/services.yml
@@ -5,4 +5,5 @@
 - hosts: updates
 roles:
+ - certsync
 - website/updates
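Review bot: The remote SFTP account is fixed to `certsync` inside templates/certsync.j2 while the host, key path and target directory are variables in this defaults file; add `certsync_user: certsync` and let the template use `{{ certsync_user }}@{{ certsync_host }}` so all the connection parameters live in one place. A comment above `certsync_key` should also state that the public half of this key has to be authorized for that account on `certsync_host`, because nothing in the role does that, and as far as I can see the first cron run will fail until someone does it by hand.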
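Review bot: The `create SSH key` task calls ssh-keygen without `-N ''`, so ssh-keygen prompts for a passphrase; under Ansible there is no tty, and whether that prompt yields an empty passphrase from stdin, fails, or hangs depends on how the module's stdin is wired, so make it explicit and also state the key type instead of inheriting the ssh-keygen default: `command: ssh-keygen -t rsa -b 4096 -N '' -C {{ ansible_nodename }} -f {{ certsync_key }}`. In the `template certsync script` task, `mode: 0550` is an unquoted octal that only works because PyYAML reads the leading zero as octal; `mode: "0550"` is the form Ansible's documentation recommends. The cron entry has no `MAILTO`, so the script's "Error getting certificates" message only reaches whoever reads root's local mail on that host — worth a comment if that is the intended alerting path.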
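Review bot: The `sftp` line pulls everything in the remote account's directory — presumably the TLS certificates and their private keys, given the `chmod 440` and the nginx reload that follow — without pinning the server's host key, and then discards stderr, so a host-key mismatch (or a first run with no known_hosts entry at all) is indistinguishable from a network error and the cron mail only says "Error getting certificates". Make the host-key policy explicit and keep stderr for cron: `if ! sftp -q -o StrictHostKeyChecking=yes -i {{ certsync_key }} "certsync@{{ certsync_host }}:*" "$CERT_DIR/" > /dev/null; then`, and ship the server's known_hosts entry from the role (the `known_hosts` module does this) so the check can actually pass. Quoting the `:*` argument also stops the local shell from globbing it, and `chown root:root` is the supported separator form on the three `chown root.root` lines. Finally, the files land with the process umask and are only tightened to 440 afterwards; a `umask 077` right after the `PATH=` line closes that window for any key that is written into a pre-existing, more permissive `$CERT_DIR`.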