From fb9602eabc84db2fdb5e7f8a197a96c738a877a5 Mon Sep 17 00:00:00 2001
From: Oleg Broytman
Date: Fri, 26 Jul 2019 23:06:33 +0300
Subject: [PATCH] Feat(add_apache_vhost): Setup `dehydrated` for the virtual host
---
 .../roles/add_apache_vhost/files/dehydrated | 3 +
 .../add_apache_vhost/tasks/dehydrated.yml | 39 +++++++
 .../roles/add_apache_vhost/tasks/main.yml | 2 +
 .../roles/add_apache_vhost/templates/config | 110 ++++++++++++++++++
 .../add_apache_vhost/templates/dehydrated | 3 +
 .../add_apache_vhost/templates/domains.txt | 1 +
 6 files changed, 158 insertions(+)
 create mode 100755 playbooks/debian/roles/add_apache_vhost/files/dehydrated
 create mode 100644 playbooks/debian/roles/add_apache_vhost/tasks/dehydrated.yml
 create mode 100644 playbooks/debian/roles/add_apache_vhost/templates/config
 create mode 100755 playbooks/debian/roles/add_apache_vhost/templates/dehydrated
 create mode 100644 playbooks/debian/roles/add_apache_vhost/templates/domains.txt
diff --git a/playbooks/debian/roles/add_apache_vhost/files/dehydrated b/playbooks/debian/roles/add_apache_vhost/files/dehydrated
new file mode 100755
index 0000000..b0b3f16
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/files/dehydrated
@@ -0,0 +1,3 @@
+#!/bin/sh
+cd "`dirname \"$0\"`" &&
+exec /usr/local/src/LetsEncrypt/dehydrated/dehydrated -c
diff --git a/playbooks/debian/roles/add_apache_vhost/tasks/dehydrated.yml b/playbooks/debian/roles/add_apache_vhost/tasks/dehydrated.yml
new file mode 100644
index 0000000..d1c38d8
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/tasks/dehydrated.yml
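Review bot: The wrapper relies on dehydrated picking up `${PWD}/config` after the `cd`, yet the config header shipped in this same patch lists that location last, after `$SCRIPTDIR/config`, `/usr/local/etc/dehydrated/config` and `/etc/dehydrated/config`, so a config at any of those paths on the host would take precedence and the per-vhost CONTACT_EMAIL and domains.txt would silently never apply. Passing the file explicitly, `exec /usr/local/src/LetsEncrypt/dehydrated/dehydrated -c -f "$PWD/config"`, removes that dependency; I have not verified whether BASEDIR still resolves to the vhost directory in that case, so set `BASEDIR` explicitly in the config template if it does not. The backtick-with-escaped-quotes idiom in `cd "`dirname \"$0\"`" &&` is hard to read and easy to break; `cd "$(dirname "$0")" &&` is the equivalent POSIX form. The same quoting is used by the cron wrapper in templates/dehydrated further down.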
@@ -0,0 +1,39 @@
+- name: Create dehydrated directory
+ become: true
+ file:
+ path: "/usr/local/apache2/.dehydrated/{{ virtual_host }}"
+ state: directory
+ owner: root
+ group: root
+ mode: '0700'
+
+- name: Configure dehydrated
+ become: true
+ template:
+ src: "{{ item }}"
+ dest: "/usr/local/apache2/.dehydrated/{{ virtual_host }}"
+ owner: root
+ group: root
+ mode: '0600'
+ force: no
+ loop: ['config', 'domains.txt']
+
+- name: Configure dehydrated script
+ become: true
+ copy:
+ src: dehydrated
+ dest: "/usr/local/apache2/.dehydrated/{{ virtual_host }}"
+ owner: root
+ group: root
+ mode: '0700'
+ force: no
+
+- name: Configure dehydrated weekly run
+ become: true
+ template:
+ src: dehydrated
+ dest: /etc/cron.weekly
+ owner: root
+ group: root
+ mode: '0700'
+ force: no
diff --git a/playbooks/debian/roles/add_apache_vhost/tasks/main.yml b/playbooks/debian/roles/add_apache_vhost/tasks/main.yml
index a8bda13..8208d18 100644
--- a/playbooks/debian/roles/add_apache_vhost/tasks/main.yml
+++ b/playbooks/debian/roles/add_apache_vhost/tasks/main.yml
@@ -8,4 +8,6 @@
 import_tasks: add_vhost.yml
 when: vhost.rc != 0
+- name: Run dehydrated for the vhost
+ import_tasks: dehydrated.yml
 when: vhost.rc != 0
diff --git a/playbooks/debian/roles/add_apache_vhost/templates/config b/playbooks/debian/roles/add_apache_vhost/templates/config
new file mode 100644
index 0000000..b40241d
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/templates/config
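Review bot: The "Configure dehydrated weekly run" task renders a vhost-specific template to the fixed path `/etc/cron.weekly/dehydrated` with `force: no`, so on a host with more than one virtual host only the first vhost ever gets a renewal job and every later vhost's certificate silently expires; the rendered script (templates/dehydrated, further down) hard-codes a single `{{ virtual_host }}`. Either name the cron file per vhost, e.g. `dest: "/etc/cron.weekly/dehydrated-{{ virtual_host | replace('.', '-') }}"` (Debian's run-parts skips file names containing dots), or make the cron script iterate over `/usr/local/apache2/.dehydrated/*/` instead of embedding one vhost. Separately, the `template` loop in "Configure dehydrated" gives a directory as `dest`; I believe the module appends the source basename when the target is an existing directory, but `dest: "/usr/local/apache2/.dehydrated/{{ virtual_host }}/{{ item }}"` does not depend on that behaviour. A short comment on the `force: no` lines stating that host-side edits to config and domains.txt are deliberately preserved (so later template changes, such as a new CA endpoint, will not propagate) would help the next maintainer.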
@@ -0,0 +1,110 @@
+########################################################
+# This is the main config file for dehydrated #
+# #
+# This file is looked for in the following locations: #
+# $SCRIPTDIR/config (next to this script) #
+# /usr/local/etc/dehydrated/config #
+# /etc/dehydrated/config #
+# ${PWD}/config (in current working-directory) #
+# #
+# Default values of this config are in comments #
+########################################################
+
+# Resolve names to addresses of IP version only. (curl)
+# supported values: 4, 6
+# default:
+#IP_VERSION=
+
+# Path to certificate authority (default: https://acme-v01.api.letsencrypt.org/directory)
+#CA="https://acme-staging.api.letsencrypt.org/directory"
+CA="https://acme-v01.api.letsencrypt.org/directory"
+
+# Path to certificate authority license terms redirect (default: https://acme-v01.api.letsencrypt.org/terms)
+#CA_TERMS="https://acme-staging.api.letsencrypt.org/terms"
+CA_TERMS="https://acme-v01.api.letsencrypt.org/terms"
+
+# Path to license agreement (default: )
+#LICENSE=""
+
+# Which challenge should be used? Currently http-01 and dns-01 are supported
+#CHALLENGETYPE="http-01"
+
+# Path to a directory containing additional config files, allowing to override
+# the defaults found in the main configuration file. Additional config files
+# in this directory needs to be named with a '.sh' ending.
+# default:
+#CONFIG_D=
+
+# Base directory for account key, generated certificates and list of domains (default: $SCRIPTDIR -- uses config directory if undefined)
+#BASEDIR=$SCRIPTDIR
+
+# File containing the list of domains to request certificates for (default: $BASEDIR/domains.txt)
+#DOMAINS_TXT="${BASEDIR}/domains.txt"
+
+# Output directory for generated certificates
+#CERTDIR="${BASEDIR}/certs"
+
+# Directory for account keys and registration information
+#ACCOUNTDIR="${BASEDIR}/accounts"
+
+# Output directory for challenge-tokens to be served by webserver or deployed in HOOK (default: /var/www/dehydrated)
+#WELLKNOWN="/var/www/dehydrated"
+WELLKNOWN="/usr/local/apache2/htdocs/.well-known/acme-challenge/"
+
+# Default keysize for private keys (default: 4096)
+#KEYSIZE="4096"
+
+# Path to openssl config file (default: - tries to figure out system default)
+#OPENSSL_CNF=
+
+# Path to OpenSSL binary (default: "openssl")
+#OPENSSL="openssl"
+
+# Extra options passed to the curl binary (default: )
+#CURL_OPTS=
+
+# Program or function called in certain situations
+#
+# After generating the challenge-response, or after failed challenge (in this case altname is empty)
+# Given arguments: clean_challenge|deploy_challenge altname token-filename token-content
+#
+# After successfully signing certificate
+# Given arguments: deploy_cert domain path/to/privkey.pem path/to/cert.pem path/to/fullchain.pem
+#
+# BASEDIR and WELLKNOWN variables are exported and can be used in an external program
+# default:
+HOOK=./hook
+
+# Chain clean_challenge|deploy_challenge arguments together into one hook call per certificate (default: no)
+#HOOK_CHAIN="no"
+
+# Minimum days before expiration to automatically renew certificate (default: 30)
+#RENEW_DAYS="30"
+
+# Regenerate private keys instead of just signing new certificates on renewal (default: yes)
+#PRIVATE_KEY_RENEW="yes"
+PRIVATE_KEY_RENEW="no"
+
+# Create an extra private key for rollover (default: no)
+#PRIVATE_KEY_ROLLOVER="no"
+
+# Which public key algorithm should be used? Supported: rsa, prime256v1 and secp384r1
+#KEY_ALGO=rsa
+
+# E-mail to use during the registration (default: )
+CONTACT_EMAIL=webmaster@{{ virtual_host }}
+
+# Lockfile location, to prevent concurrent access (default: $BASEDIR/lock)
+#LOCKFILE="${BASEDIR}/lock"
+
+# Option to add CSR-flag indicating OCSP stapling to be mandatory (default: no)
+#OCSP_MUST_STAPLE="no"
+
+# Fetch OCSP responses (default: no)
+#OCSP_FETCH="no"
+
+# Issuer chain cache directory (default: $BASEDIR/chains)
+#CHAINCACHE="${BASEDIR}/chains"
+
+# Automatic cleanup (default: no)
+#AUTO_CLEANUP="no"
diff --git a/playbooks/debian/roles/add_apache_vhost/templates/dehydrated b/playbooks/debian/roles/add_apache_vhost/templates/dehydrated
new file mode 100755
index 0000000..9d9551a
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/templates/dehydrated
@@ -0,0 +1,3 @@
+#!/bin/sh
+cd "`dirname \"$0\"`" &&
+exec /usr/local/apache2/.dehydrated/{{ virtual_host }}/dehydrated
diff --git a/playbooks/debian/roles/add_apache_vhost/templates/domains.txt b/playbooks/debian/roles/add_apache_vhost/templates/domains.txt
new file mode 100644
index 0000000..e5aefd5
--- /dev/null
+++ b/playbooks/debian/roles/add_apache_vhost/templates/domains.txt
@@ -0,0 +1 @@
+{{ virtual_host }}
--
2.39.2
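Review bot: `HOOK=./hook` points at a file this patch does not ship (the diffstat lists no hook and the tasks copy only config, domains.txt and the wrapper), so on a host without a pre-existing `hook` in the vhost directory the deploy_challenge/deploy_cert calls will fail; either add the hook to the role (a deploy_cert hook is also what reloads Apache so a renewed certificate takes effect) or leave `HOOK` unset so dehydrated writes the http-01 token into WELLKNOWN itself. `CA` and `CA_TERMS` select the ACMEv1 endpoints, which Let's Encrypt had already announced as end-of-life by this commit's date (July 2019); the v2 directory, `CA="https://acme-v02.api.letsencrypt.org/directory"`, is the supported one, provided the dehydrated checkout under /usr/local/src supports ACMEv2. `PRIVATE_KEY_RENEW="no"` reuses the same private key on every renewal, so a leaked key stays usable indefinitely instead of being retired at the next renewal; if that is intentional (DANE/TLSA records or key pinning), a comment above the line should say so, otherwise the default `yes` is the safer setting.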