From cee2fde3acf7f301712b530bd1570ca1139ae1a6 Mon Sep 17 00:00:00 2001
From: Alexander Dietrich
Date: Tue, 3 Oct 2017 16:05:22 +0200
Subject: [PATCH] Add letsrenew role

---
 basics.yml | 12 ++++++---
 host_vars/srv04 | 2 ++
 production | 9 +++++--
 roles/letsrenew/defaults/main.yml | 3 +++
 roles/letsrenew/tasks/main.yml | 40 ++++++++++++++++++++++++++++
 roles/letsrenew/templates/cli.ini.j2 | 27 +++++++++++++++++++
 6 files changed, 87 insertions(+), 6 deletions(-)
 create mode 100644 roles/letsrenew/defaults/main.yml
 create mode 100644 roles/letsrenew/tasks/main.yml
 create mode 100644 roles/letsrenew/templates/cli.ini.j2

diff --git a/basics.yml b/basics.yml
index 4a03000..b0d673b 100644
--- a/basics.yml
+++ b/basics.yml
@@ -1,7 +1,11 @@
 ---
 - hosts: all
 roles:
- - role: basics
- tags: basics
- - role: ffhh-basics
- tags: basics
+ - basics
+ - ffhh-basics
+ tags: basics
+
+- hosts: letsrenew
+ roles:
+ - letsrenew
+ tags: letsrenew
diff --git a/host_vars/srv04 b/host_vars/srv04
index 78e3d10..ce2b151 100644
--- a/host_vars/srv04
+++ b/host_vars/srv04
@@ -1 +1,3 @@
+letsrenew_email: alexander@hamburg.freifunk.net
+letsrenew_webroot: /var/www/mail
 nginx_resolver: 80.252.105.162 80.252.105.194
diff --git a/production b/production
index 2301e4d..55f3057 100644
--- a/production
+++ b/production
@@ -1,8 +1,13 @@
-[services]
+[ffhh]
+srv01 ansible_host=srv01.hamburg.freifunk.net
 srv03 ansible_host=srv03.hamburg.freifunk.net
 srv04 ansible_host=srv04.hamburg.freifunk.net
-[ffhh]
+[letsrenew]
+srv01
+srv04
+
+[services]
 srv03
 srv04
diff --git a/roles/letsrenew/defaults/main.yml b/roles/letsrenew/defaults/main.yml
new file mode 100644
index 0000000..83a1b3e
--- /dev/null
+++ b/roles/letsrenew/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+letsrenew_email: ""
+letsrenew_webroot: /var/www/letsencrypt
diff --git a/roles/letsrenew/tasks/main.yml b/roles/letsrenew/tasks/main.yml
new file mode 100644
index 0000000..746500f
--- /dev/null
+++ b/roles/letsrenew/tasks/main.yml
@@ -0,0 +1,40 @@
+---
+- name: create /opt/certbot
+ file:
+ path: /opt/certbot
+ mode: 0750
+ state: directory
+
+- name: download certbot
+ get_url:
+ url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-auto
+ dest: /opt/certbot/certbot-auto
+ mode: 0550
+
+- name: create webroot path
+ file:
+ path: "{{ letsrenew_webroot }}"
+ state: directory
+
+- name: create /etc/letsencrypt
+ file:
+ path: /etc/letsencrypt
+ state: directory
+
+- name: template cli.ini
+ template:
+ src: cli.ini.j2
+ dest: /etc/letsencrypt/cli.ini
+
+- name: clone letsrenew
+ git:
+ repo: https://github.com/7adietri/letsrenew.git
+ dest: /opt/letsrenew
+
+- name: create cronjob
+ cron:
+ name: "Let's Encrypt certificate renewal"
+ job: "/opt/letsrenew/letsrenew {{ letsrenew_email }} /opt/certbot/certbot-auto"
+ minute: 0
+ hour: 6
+ weekday: 1
diff --git a/roles/letsrenew/templates/cli.ini.j2 b/roles/letsrenew/templates/cli.ini.j2
new file mode 100644
index 0000000..dff4752
--- /dev/null
+++ b/roles/letsrenew/templates/cli.ini.j2
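Review bot: The `download certbot` task fetches certbot-auto from the `master` branch with no `checksum:`, and the `clone letsrenew` task has no `version:`, so every playbook run installs whatever those two upstreams currently hold and the weekly cron job then executes it unattended; point the download at a tagged path, verify it with `checksum: "sha256:<EXPECTED_SHA256>"` (placeholder), and pin the clone with `version: "<RELEASE_TAG_OR_COMMIT>"` (placeholder) so an upstream change cannot alter what runs on the hosts without a reviewed commit here. Separately, roles/letsrenew/defaults/main.yml defaults `letsrenew_email` to `""`, so a host in the `letsrenew` group that does not override it gets a cron command with an empty first argument and `/opt/certbot/certbot-auto` shifts into the e-mail position; an `assert` task at the top of the role should reject the empty value before anything is written. The `create webroot path` task sets no owner, group or mode, so whether the web server can serve challenge files from `{{ letsrenew_webroot }}` depends on the umask of the run — worth stating explicitly.
```yaml
- name: check that letsrenew_email is set
  assert:
    that:
      - letsrenew_email | length > 0
    msg: "letsrenew_email must be set for this host"

# … unchanged: create /opt/certbot …

- name: download certbot
  get_url:
    url: https://raw.githubusercontent.com/certbot/certbot/<RELEASE_TAG>/certbot-auto   # placeholder: tagged path, not master
    dest: /opt/certbot/certbot-auto
    mode: 0550
    checksum: "sha256:<EXPECTED_SHA256>"   # placeholder: digest of the reviewed release

# … unchanged: webroot, /etc/letsencrypt and cli.ini tasks …

- name: clone letsrenew
  git:
    repo: https://github.com/7adietri/letsrenew.git
    dest: /opt/letsrenew
    version: "<RELEASE_TAG_OR_COMMIT>"   # placeholder: pin instead of tracking the default branch

# … unchanged: cron task …
```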
@@ -0,0 +1,27 @@
+agree-tos = True
+non-interactive = True
+renew-by-default = True
+text = True
+
+# All flags used by the client can be configured here. Run Certbot with
+# "--help" to learn more about the available options.
+#
+# Note that these options apply automatically to all use of Certbot for
+# obtaining or renewing certificates, so options specific to a single
+# certificate on a system with several certificates should not be placed
+# here.
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+email = backend@hamburg.freifunk.net
+
+# Uncomment to use the standalone authenticator on port 443
+# authenticator = standalone
+# standalone-supported-challenges = tls-sni-01
+
+# Uncomment to use the webroot authenticator. Replace webroot-path with the
+# path to the public_html / webroot folder being served by your web server.
+authenticator = webroot
+webroot-path = {{ letsrenew_webroot }}
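Review bot: `email = backend@hamburg.freifunk.net` is hard-coded while the role already carries `letsrenew_email` (defaulted in roles/letsrenew/defaults/main.yml, overridden in host_vars/srv04 and passed to the cron job), so the address registered with the CA and the address the renewal script is given can differ per host; the template line should read `email = {{ letsrenew_email }}`. The sample-file comments above the active options ("Uncomment and update to register …", "Uncomment to use the webroot authenticator. Replace webroot-path …") were kept although the options beneath them are now set by the role, which misleads the next reader — drop them or reword them to describe the role's choice, e.g. `# e-mail address registered with Let's Encrypt; set letsrenew_email per host`. `renew-by-default = True` tells certbot to re-issue even when a certificate is not near expiry; how often that fires depends on how the letsrenew script invokes certbot, which is outside this patch, so confirm the weekly schedule stays within the CA's issuance limits.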