acme.sh role

This commit is contained in:
Kishi 2018-09-10 22:52:41 +02:00
parent b3d3888518
commit 9dcdbdf983
8 changed files with 117 additions and 4 deletions


@ -0,0 +1,4 @@
---
acme_san_domains:
- "librenms.binary.kitchen"
- "racktables.binary.kitchen"


@ -0,0 +1,10 @@
---
acme_home: "/opt/acme"
acme_staging: False
acme_nsupdate_key: "/opt/acme/nsupdate.key"
acme_nsupdate_keyalgo: "hmac-sha512"
acme_nsupdate_server: "neon.binary-kitchen.net"
acme_sh_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh"
acme_dns_nsupdate_url: "https://raw.githubusercontent.com/Neilpang/acme.sh/master/dnsapi/dns_nsupdate.sh"
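Review bot: `acme_sh_url` and `acme_dns_nsupdate_url` point at the `master` branch of a third-party repository, so any host that lacks a local copy installs whatever that branch holds at run time, with no integrity check on the downloaded script. Pin both URLs to a release tag or commit and give the `get_url` tasks that fetch them a `checksum:` (e.g. `checksum: "sha256:<digest of the pinned acme.sh>"`), so the file must match a known value before it is installed. `acme_staging: False` is a capitalised boolean; the canonical form `acme_staging: false` reads the same to Ansible and avoids yamllint `truthy` warnings.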

0
roles/acme/files/reload.sh Executable file

79
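--- a/roles/acme/tasks/main.yml
+++ b/roles/acme/tasks/main.yml
@@ -0,0 +1,79 @@
+---
+- name: Create acme home directory
+file:
+path: "{{ acme_home }}"
+state: "directory"
+- name: Get nsupdate.key
+shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+register: "pdns_nsupdate_key"
+failed_when: "False"
+changed_when: "False"
+delegate_to: "{{ acme_nsupdate_server }}"
+- name: Generate nsupdate.key
+shell: "pdnsutil generate-tsig-key 'acme-{{ inventory_hostname }}.' '{{ acme_nsupdate_keyalgo }}'"
+register: "pdns_nsupdate_genkey"
+when: "pdns_nsupdate_key is defined and pdns_nsupdate_key.rc != 0"
+delegate_to: "{{ acme_nsupdate_server }}"
+- name: Get nsupdate.key again
+shell: "pdnsutil list-tsig-keys | grep '^acme-{{ inventory_hostname }}. {{ acme_nsupdate_keyalgo }}'"
+register: "pdns_nsupdate_key"
+when: "pdns_nsupdate_genkey is defined"
+changed_when: "False"
+delegate_to: "{{ acme_nsupdate_server }}"
+- name: Write nsupdate.key to file
+template:
+src: "nsupdate.key.j2"
+dest: "{{ acme_nsupdate_key }}"
+when: "pdns_nsupdate_key is defined"
+- name: Check acme.sh exists
+stat:
+path: "{{ acme_home }}/acme.sh"
+register: "stat_acme_sh"
+- name: Fetch acme.sh
+get_url:
+url: "{{ acme_sh_url }}"
+dest: "/tmp/acme.sh"
+mode: "0755"
+register: "fetch_acme_sh"
+when: "not stat_acme_sh.stat.exists"
+- name: Install acme.sh
+shell: "./acme.sh --home '{{ acme_home }}' --install"
+args:
+chdir: "/tmp"
+creates: "{{ acme_home }}/acme.sh"
+when: "fetch_acme_sh is defined"
+- name: Create acme dnsapi directory
+file:
+path: "{{ acme_home }}/dnsapi"
+state: "directory"
+- name: Fetch acme.sh dns_nsupdate
+get_url:
+url: "{{ acme_dns_nsupdate_url }}"
+dest: "{{ acme_home }}/dnsapi/"
+mode: "0755"
+- name: Create acme certificate directory
+file:
+path: "{{ acme_home }}/{{ inventory_hostname }}"
+state: "directory"
+- name: Copy reload.sh
+copy:
+src: "reload.sh"
+dest: "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
+mode: "0755"
+- name: Issue certificate
+shell: "{{ lookup('template','acme.sh.request.j2').replace('\n',' ') }}"
+args:
+chdir: "{{ acme_home }}"
+creates: "{{ acme_home }}/{{ inventory_hostname }}/{{ inventory_hostname }}.key"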
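Review bot: The `Write nsupdate.key to file` task renders a TSIG secret into `{{ acme_nsupdate_key }}` without a `mode`, so the file takes whatever the target's umask yields (commonly world-readable); add `mode: "0600"` to that `template:` task. The same secret passes through the registered results of the two `pdnsutil list-tsig-keys` tasks and of `pdnsutil generate-tsig-key`, so it appears in verbose output and any log file; add `no_log: true` to those three tasks. The `Fetch acme.sh` task downloads to the fixed, shared path `/tmp/acme.sh` and `Install acme.sh` then executes it from there with no integrity check; fetching into `{{ acme_home }}` instead and giving `get_url` a `checksum:` removes both the shared-directory window and the unverified download. `failed_when: "False"` and `changed_when: "False"` are quoted strings that Jinja happens to evaluate as false; the plain booleans `failed_when: false` / `changed_when: false` say what is meant. Indentation is not visible on this rendered page, so the nesting under `args:` and the module keys is assumed to be as intended.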


@ -0,0 +1,19 @@
NSUPDATE_KEY="{{ acme_nsupdate_key }}"
NSUPDATE_SERVER="{{ acme_nsupdate_server }}"
"{{ acme_home }}/acme.sh"
--home "{{ acme_home }}"
--reloadCmd "{{ acme_home }}/{{ inventory_hostname }}/reload.sh"
--log
--issue
-k 4096
-d "{{ inventory_hostname }}"
--dns dns_nsupdate
{% if acme_san_domains is defined %}
{% for domain in acme_san_domains %}
-d "{{ domain }}"
{% endfor %}
{% endif %}
{% if acme_staging is defined and acme_staging %}
--staging
{% endif %}
;


@ -0,0 +1,4 @@
key acme-{{ inventory_hostname }}. {
algorithm {{ acme_nsupdate_keyalgo }};
secret "{{ pdns_nsupdate_key.stdout.split(' ')[2] }}";
};
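Review bot: `pdns_nsupdate_key.stdout.split(' ')[2]` splits the whole registered stdout on single spaces, so if `pdnsutil list-tsig-keys` ever prints more than one line or separates fields with runs of whitespace, the third token carries a newline or is the wrong field and the key file is written with a corrupt secret. Taking the first line and splitting on any whitespace, `secret "{{ pdns_nsupdate_key.stdout_lines[0].split()[2] }}";`, is robust to both. The index itself assumes pdnsutil prints `name algorithm secret` in that order, which this page does not show; confirm against the installed version.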

4
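--- a/simulatepb.sh
+++ b/simulatepb.sh
@@ -1,4 +0,0 @@
-#!/bin/bash
-export ANSIBLE_NOCOWS=1
-test -e ./ansible.log && rm ./ansible.log
-ansible-playbook site.yml --check --diff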


@ -27,6 +27,7 @@
- librenms - librenms
- racktables - racktables
- uau - uau
- acme
- name: Install Check_MK Agent - name: Install Check_MK Agent
hosts: [bacon.binary.kitchen,forseti.binary.kitchen] hosts: [bacon.binary.kitchen,forseti.binary.kitchen]