Add certsync role

roles/certsync/defaults/main.yml

@@ -0,0 +1,5 @@
+---
+certsync_dir: /etc/ssl/certsync
+certsync_host: srv02.hamburg.freifunk.net
+certsync_key: /root/.ssh/certsync
+certsync_script: /usr/local/sbin/certsync

roles/certsync/tasks/main.yml

@@ -0,0 +1,24 @@
+---
+- name: create SSH key
+  command: ssh-keygen -b 4096 -C {{ ansible_nodename }} -f {{ certsync_key }}
+  args:
+    creates: "{{ certsync_key }}"
+  tags: certsync
+
+- name: template certsync script
+  template:
+    src: templates/certsync.j2
+    dest: "{{ certsync_script }}"
+    owner: root
+    group: staff
+    mode: 0550
+  tags: certsync
+
+- name: create cronjob
+  cron:
+    name: TLS Zertifikate synchronisieren
+    job: "{{ certsync_script }}"
+    minute: "0"
+    hour: "6"
+    day: "2"
+  tags: certsync

roles/certsync/templates/certsync.j2

@@ -0,0 +1,20 @@
+#!/bin/bash
+
+PATH="/bin:/usr/bin:/sbin:/usr/sbin"
+CERT_DIR="{{ certsync_dir }}"
+
+if [ ! -d $CERT_DIR ]; then
+  mkdir -p $CERT_DIR
+  chown root.root $CERT_DIR
+  chmod 750 $CERT_DIR
+fi
+
+sftp -q -i {{ certsync_key }} certsync@{{ certsync_host }}:* "$CERT_DIR/" > /dev/null 2>&1
+if [ $? -ne 0 ]; then
+  echo "Error getting certificates"
+  exit 1
+fi
+chown root.root $CERT_DIR/*
+chmod 440 $CERT_DIR/*
+
+service nginx reload > /dev/null

services.yml

@@ -5,4 +5,5 @@
 
 - hosts: updates
   roles:
+    - certsync
     - website/updates