From 98a412c27bcdc51b9bb98f555f4d55aaffedbc6a Mon Sep 17 00:00:00 2001
From: genofire
Date: Sun, 31 Jan 2021 19:16:27 +0100
Subject: [PATCH] Renew Let's Encrypt certificates
---
 roles/dovecot/tasks/main.yml | 2 +-
 roles/haproxy/handlers/main.yml | 3 +
 roles/haproxy/tasks/main.yml | 57 +++++++++++++++++++
 .../templates/acme-renew-log/finish.j2 | 13 +++++
 roles/haproxy/templates/acme-renew-log/run.j2 | 23 ++++++++
 .../haproxy/templates/acme-renew/data/job.j2 | 5 ++
 roles/haproxy/templates/acme-renew/finish.j2 | 14 +++++
 roles/haproxy/templates/acme-renew/run.j2 | 12 ++++
 roles/haproxy/vars/main.yml | 45 +++++++++++++++
 9 files changed, 173 insertions(+), 1 deletion(-)
 create mode 100644 roles/haproxy/templates/acme-renew-log/finish.j2
 create mode 100644 roles/haproxy/templates/acme-renew-log/run.j2
 create mode 100644 roles/haproxy/templates/acme-renew/data/job.j2
 create mode 100644 roles/haproxy/templates/acme-renew/finish.j2
 create mode 100644 roles/haproxy/templates/acme-renew/run.j2
diff --git a/roles/dovecot/tasks/main.yml b/roles/dovecot/tasks/main.yml
index ae68193..01cde91 100644
--- a/roles/dovecot/tasks/main.yml
+++ b/roles/dovecot/tasks/main.yml
@@ -43,7 +43,7 @@
 state: directory
 owner: vmail
 group: vmail
- mode: 0750
+ mode: 0755
 - name: Create /var/spool/postfix
 file:
diff --git a/roles/haproxy/handlers/main.yml b/roles/haproxy/handlers/main.yml
index e69b499..5329e82 100644
--- a/roles/haproxy/handlers/main.yml
+++ b/roles/haproxy/handlers/main.yml
@@ -12,3 +12,6 @@
 - name: Reload HAProxy
 command: s6-svc -2 /run/service/haproxy
+
+- name: Restart acme-renew
+ command: s6-svc -wU -T 5000 -ru /run/service/acme-renew
diff --git a/roles/haproxy/tasks/main.yml b/roles/haproxy/tasks/main.yml
index 7c09a99..f542c5c 100644
--- a/roles/haproxy/tasks/main.yml
+++ b/roles/haproxy/tasks/main.yml
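Review bot: Going from 0750 to 0755 grants every local account traverse and listing rights on a `vmail`-owned directory, and neither the diff nor a comment says which non-vmail process needs that; the task's `name:` (and so the path) sits above this hunk. If another daemon only has to reach a subdirectory, `mode: 0751` (traverse without listing) is the smaller step, and read access is better granted by adding that daemon's user to the `vmail` group than by opening the world bits. Whatever the reason, record it on the task: `# 0755: <daemon> runs as <user> and must traverse into this tree`.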
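Review bot: `s6-svc -wU` waits for a readiness notification, but the `acme-renew` longrun declared in vars/main.yml in this same commit has no `notification-fd` (only `acme-renew-log` does), so there is nothing for the `-wU` wait to receive; depending on the s6 version it either degrades to an up-wait with a warning or runs into the 5000 ms timeout and fails the handler. The service is a `snooze` sleeper that is "ready" the moment it is running, so an up-wait is the accurate one: `command: s6-svc -wu -T 5000 -ru /run/service/acme-renew`.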
@@ -266,3 +266,60 @@
 creates: '/usr/local/etc/haproxy/{{ item }}.pem'
 with_items:
 - '{{ ansible_fqdn }}'
+
+- name: Create acme.sh renew service directories
+ file:
+ path: '/etc/s6-rc/service/{{ item }}'
+ state: directory
+ owner: root
+ group: wheel
+ mode: 0755
+ with_items: '{{ acme_service_dirs }}'
+ notify:
+ - Reload s6-rc
+ - Restart acme-renew
+
+- name: Generate acme.sh renew service scripts
+ template:
+ dest: '/etc/s6-rc/service/{{ item }}'
+ src: '{{ item }}.j2'
+ mode: 0555
+ owner: root
+ group: wheel
+ with_items: '{{ acme_service_scripts }}'
+ notify:
+ - Reload s6-rc
+ - Restart acme-renew
+
+- name: Generate acme.sh renew service configuration
+ copy:
+ dest: '/etc/s6-rc/service/{{ item.name }}'
+ content: '{{ item.content }}'
+ mode: 0444
+ owner: root
+ group: wheel
+ loop_control:
+ label: '{{ item.name }} = {{ item.content }}'
+ with_items: '{{ acme_service_config }}'
+ notify:
+ - Reload s6-rc
+ - Restart acme-renew
+
+- name: Flush handlers
+ meta: flush_handlers
+
+- name: Start acme renew service
+ command: fdmove -c 2 1 s6-rc -u -v 2 change acme-renew
+ register: change
+ changed_when: change.stdout | length > 0
+
+- name: Enable acme-renew
+ lineinfile:
+ path: /etc/s6-rc/service/enabled/contents
+ regexp: "^acme-renew$"
+ line: "acme-renew"
+ notify:
+ - Reload s6-rc
+
+- name: Flush handlers (again)
+ meta: flush_handlers
diff --git a/roles/haproxy/templates/acme-renew-log/finish.j2 b/roles/haproxy/templates/acme-renew-log/finish.j2
new file mode 100644
index 0000000..00e3945
--- /dev/null
+++ b/roles/haproxy/templates/acme-renew-log/finish.j2
@@ -0,0 +1,13 @@
+#!/usr/local/bin/execlineb -S2
+# {{ ansible_managed }}
+
+s6-envdir ./env
+multisubstitute {
+ importas -i -u NAME NAME
+}
+
+fdmove -c 1 2
+ifelse { test "${1}" -eq 0 } {
+ echo "${NAME}: Stopped."
+}
+ echo "${NAME}: Failed with exit status (${1}, ${2})."
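Review bot: `Restart acme-renew` is notified by all three generation tasks and fires at the first `meta: flush_handlers`, i.e. before `Start acme renew service` has brought the longrun up through s6-rc; on a fresh host the handler's `s6-svc -u` then presumably starts the service behind s6-rc's back (or fails outright if `Reload s6-rc`, defined outside this diff, has not yet put `/run/service/acme-renew` under supervision), so s6-rc's recorded state and the real state diverge until the `s6-rc change` task runs. A restart only makes sense once the service is s6-rc-managed, so keep only `Reload s6-rc` in the three `notify` lists, register their results, and restart in a task placed after `Start acme renew service` that is conditioned on those results. The hunk's leading context lines belong to a task that starts above it.
```yaml
- name: Generate acme.sh renew service scripts
  template:
    # … unchanged: dest/src/mode/owner/group …
  with_items: '{{ acme_service_scripts }}'
  register: acme_scripts
  notify:
    - Reload s6-rc

# … unchanged: same register/notify treatment for the directory and configuration tasks,
#   flush_handlers, Start acme renew service …

- name: Restart acme-renew after script or configuration changes
  command: s6-svc -wu -T 5000 -ru /run/service/acme-renew
  when: acme_dirs is changed or acme_scripts is changed or acme_config is changed
```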
diff --git a/roles/haproxy/templates/acme-renew-log/run.j2 b/roles/haproxy/templates/acme-renew-log/run.j2
new file mode 100644
index 0000000..1804fdb
--- /dev/null
+++ b/roles/haproxy/templates/acme-renew-log/run.j2
@@ -0,0 +1,23 @@
+#!/usr/local/bin/execlineb -P
+# {{ ansible_managed }}
+
+s6-envdir ./env
+multisubstitute {
+ importas -i -u NAME NAME
+ importas -i -u USER USER
+ importas -i -u GROUP GROUP
+ importas -i -u MODE MODE
+ importas -i -u DIR DIR
+}
+
+foreground { fdmove -c 1 2 echo "${NAME} log: Starting." }
+
+ifelse -n { install -d -o "${USER}" -g "${GROUP}" -m "${MODE}" "$DIR" } {
+ foreground { fdmove -c 1 2 echo "${NAME} log: Failed to create logging directory." }
+ false
+}
+
+fdmove -c 2 1
+
+s6-envuidgid $USER
+s6-log -d 3 T $DIR
diff --git a/roles/haproxy/templates/acme-renew/data/job.j2 b/roles/haproxy/templates/acme-renew/data/job.j2
new file mode 100644
index 0000000..b8d2d45
--- /dev/null
+++ b/roles/haproxy/templates/acme-renew/data/job.j2
@@ -0,0 +1,5 @@
+#!/bin/sh
+# {{ ansible_managed }}
+
+sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --renew-all
+sudo -u acme acme.sh --debug --home /var/db/acme --standalone --httpport 8080 --deploy --domain {{ ansible_fqdn }} --deploy-hook haproxy
diff --git a/roles/haproxy/templates/acme-renew/finish.j2 b/roles/haproxy/templates/acme-renew/finish.j2
new file mode 100644
index 0000000..82c4216
--- /dev/null
+++ b/roles/haproxy/templates/acme-renew/finish.j2
@@ -0,0 +1,14 @@
+#!/usr/local/bin/execlineb -S2
+# {{ ansible_managed }}
+
+s6-envdir ./env
+multisubstitute {
+ importas -i -u NAME NAME
+}
+
+fdmove -c 1 2
+ifelse { test "${1}" -eq 0 } {
+ echo "${NAME}: Stopped."
+}
+
+echo "${NAME}: Failed with exit status (${1}, ${2})."
diff --git a/roles/haproxy/templates/acme-renew/run.j2 b/roles/haproxy/templates/acme-renew/run.j2
new file mode 100644
index 0000000..bf2858f
--- /dev/null
+++ b/roles/haproxy/templates/acme-renew/run.j2
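Review bot: `--debug` on both acme.sh invocations turns a daily unattended renewal into a verbose trace that is kept in the supervised log (`/var/log/acme-renew`, owned by `s6-log` with mode 750 per vars/main.yml); as far as I recall, acme.sh's debug output includes the ACME request and response bodies and environment details, which is more than an operator needs retained across the whole rotation window. Drop `--debug` for the scheduled job (keep it for manual runs) or gate it on a role variable. The script also has no `set -e`, so a failed `--renew-all` is masked by the exit status of the unconditional `--deploy` on the next line and neither snooze nor the finish script ever reports it; add `set -e` after the shebang. The explicit `--deploy` is presumably redundant, since acme.sh re-runs a saved deploy hook after a successful renewal — confirm, and if so remove it so HAProxy is not reloaded every day.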
@@ -0,0 +1,12 @@
+#!/usr/local/bin/execlineb -P
+# {{ ansible_managed }}
+
+s6-envdir ./env
+multisubstitute {
+ importas -i -u NAME NAME
+}
+
+foreground { fdmove -c 1 2 echo "${NAME}: Starting." }
+
+fdmove -c 2 1
+snooze -v data/job
diff --git a/roles/haproxy/vars/main.yml b/roles/haproxy/vars/main.yml
index b73aa1d..53a2908 100644
--- a/roles/haproxy/vars/main.yml
+++ b/roles/haproxy/vars/main.yml
@@ -12,3 +12,48 @@ haproxy_s6_templates:
 - run
 - finish
 - data/check
+
+acme_service_dirs:
+ - acme-renew
+ - acme-renew/env
+ - acme-renew/data
+ - acme-renew-log
+ - acme-renew-log/env
+
+acme_service_scripts:
+ - acme-renew/run
+ - acme-renew/finish
+ - acme-renew/data/job
+ - acme-renew-log/run
+ - acme-renew-log/finish
+
+acme_service_config:
+ - name: acme-renew/type
+ content: longrun
+ - name: acme-renew/dependencies
+ content: postfix
+ - name: acme-renew/env/NAME
+ content: acme-renew
+ - name: acme-renew/env/PATH
+ content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
+ - name: acme-renew/producer-for
+ content: acme-renew-log
+
+ - name: acme-renew-log/type
+ content: longrun
+ - name: acme-renew-log/notification-fd
+ content: '3'
+ - name: acme-renew-log/consumer-for
+ content: acme-renew
+ - name: acme-renew-log/env/NAME
+ content: acme-renew
+ - name: acme-renew-log/env/PATH
+ content: /sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin:/root/bin
+ - name: acme-renew-log/env/MODE
+ content: '750'
+ - name: acme-renew-log/env/USER
+ content: s6-log
+ - name: acme-renew-log/env/GROUP
+ content: s6-log
+ - name: acme-renew-log/env/DIR
+ content: /var/log/acme-renew
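Review bot: `snooze -v data/job` with no time specification fires at the same wall-clock instant every day (snooze's default of midnight), which is the fixed-time pattern Let's Encrypt asks ACME clients to avoid: renewal traffic piles up on the hour boundary, and a CA-side incident at that minute makes every host miss the same day. Spread it out with snooze's random delay, e.g. `snooze -v -R 3600 data/job` (assuming this snooze build has `-R`), or template a per-host `-M` minute. Add a comment above the line saying why the jitter is there so a later cleanup does not remove it.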
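Review bot: `acme-renew/dependencies` names `postfix`, but nothing in data/job touches postfix, while the thing the renewal actually needs — port 80 answered and routed to `--httpport 8080` for the HTTP-01 challenge — is presumably provided by haproxy, which is not listed. As written, an unrelated mail outage keeps the renewal longrun down, and s6-rc may start `acme-renew` before haproxy is up. Unless postfix is standing in for "network is up", change it to `content: haproxy` (a bundle can carry both if both are really needed) and add a comment on the entry explaining the choice.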