From 5d70cad220e00306a231dd7e43c2c1176001e45e Mon Sep 17 00:00:00 2001
From: Sander Klein
Date: Fri, 27 Mar 2020 16:45:30 +0100
Subject: [PATCH] Move steps to their own files.
---
tasks/custom_command.yml | 9 ++
tasks/force_renew_cert.yml | 14 +++
tasks/install.yml | 48 ++++++++
tasks/install_cert.yml | 27 +++++
tasks/issue_cert.yml | 22 ++++
tasks/list_cert.yml | 14 +++
tasks/main.yml | 222 +++++++------------------------------
tasks/remove_cert.yml | 25 +++++
tasks/uninstall.yml | 16 +++
tasks/upgrade.yml | 9 ++
10 files changed, 225 insertions(+), 181 deletions(-)
create mode 100644 tasks/custom_command.yml
create mode 100644 tasks/force_renew_cert.yml
create mode 100644 tasks/install.yml
create mode 100644 tasks/install_cert.yml
create mode 100644 tasks/issue_cert.yml
create mode 100644 tasks/list_cert.yml
create mode 100644 tasks/remove_cert.yml
create mode 100644 tasks/uninstall.yml
create mode 100644 tasks/upgrade.yml
diff --git a/tasks/custom_command.yml b/tasks/custom_command.yml
new file mode 100644
index 0000000..d4d1be8
--- /dev/null
+++ b/tasks/custom_command.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Run custom acme.sh command
+ command: ./acme.sh {{ item.custom_command }}
+ args:
+ chdir: "~/.acme.sh"
+ environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
+ loop: "{{ acme_sh_domains }}"
+ become_user: "{{ acme_sh_become_user }}"
diff --git a/tasks/force_renew_cert.yml b/tasks/force_renew_cert.yml
new file mode 100644
index 0000000..b949e97
--- /dev/null
+++ b/tasks/force_renew_cert.yml
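Review bot: The task in custom_command.yml has no `register` and no `changed_when`, so every run reports `changed` for each domain whatever `item.custom_command` actually did; at minimum `register: custom_command_result` plus a `changed_when` on its output would give callers an honest result. The file also says nothing about its contract: it runs for every entry of `acme_sh_domains` and relies entirely on the `when:` placed on the `import_tasks` line in main.yml (`item.custom_command is defined …`, `not acme_sh_uninstall`) being pushed down into it, which is lost if the file is imported or included from anywhere else. A header comment such as `# Imported by main.yml; the per-domain guards (item.custom_command, item.remove, acme_sh_uninstall) live on that import_tasks entry.` would make that dependency visible, and the same applies to force_renew_cert.yml, install_cert.yml, issue_cert.yml and remove_cert.yml, whose guards likewise live only in main.yml.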
@@ -0,0 +1,14 @@
+---
+
+- name: Force renew acme.sh certificate(s)
+ command: >-
+ ./acme.sh --renew -d {{ item.domains | first }} --force
+ {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
+ {{ item.extra_flags_renew | default(acme_sh_default_extra_flags_renew) }}
+ args:
+ chdir: "~/.acme.sh"
+ loop: "{{ acme_sh_domains }}"
+
+ become_user: "{{ acme_sh_become_user }}"
+ register: renew_result
+ failed_when: renew_result.rc != 0 and "Reload error for" not in renew_result.stderr
diff --git a/tasks/install.yml b/tasks/install.yml
new file mode 100644
index 0000000..e01467c
--- /dev/null
+++ b/tasks/install.yml
@@ -0,0 +1,48 @@
+---
+
+- name: Install dependencies
+ apt:
+ name: "{{ item }}"
+ update_cache: True
+ cache_valid_time: "{{ acme_sh_apt_cache_time }}"
+ loop: ["cron", "git", "wget"]
+
+- name: Create git clone path
+ file:
+ path: "{{ acme_sh_git_clone_dest | dirname }}"
+ state: "directory"
+ owner: "{{ acme_sh_become_user }}"
+ group: "{{ acme_sh_become_user }}"
+ mode: "0755"
+
+- name: Git clone https://github.com/Neilpang/acme.sh
+ git:
+ repo: "{{ acme_sh_git_url }}"
+ version: "{{ acme_sh_git_version }}"
+ dest: "{{ acme_sh_git_clone_dest }}"
+ update: "{{ acme_sh_git_update }}"
+ become_user: "{{ acme_sh_become_user }}"
+
+- name: Install acme.sh
+ command: >-
+ ./acme.sh --install --log
+ --days {{ acme_sh_renew_time_in_days }}
+ {{ "--accountemail " + acme_sh_account_email if acme_sh_account_email else "" }}
+ args:
+ chdir: "{{ acme_sh_git_clone_dest }}"
+ creates: "~/.acme.sh/acme.sh"
+ become_user: "{{ acme_sh_become_user }}"
+
+- name: Create certificate path
+ file:
+ path: "{{ acme_sh_copy_certs_to_path }}"
+ state: "directory"
+ owner: "{{ acme_sh_become_user }}"
+ group: "{{ acme_sh_become_user }}"
+ mode: "0755"
+
+- name: Determine if acme.sh is installed (post-install)
+ stat:
+ path: "~/.acme.sh/acme.sh"
+ register: is_acme_sh_installed
+ become_user: "{{ acme_sh_become_user }}"
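Review bot: There is a stray blank line between `loop:` and `become_user:` in the force-renew task; YAML tolerates it, but it reads as though the task ended there and `become_user`, `register` and `failed_when` belonged to something else. Drop the blank line so the task is one contiguous mapping. `register: renew_result` is consumed by the `changed_when` in install_cert.yml, so a comment on that line (`# renew_result is read by install_cert.yml`) would stop someone renaming it in isolation.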
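Review bot: `update_cache: True` in the dependency task is a YAML 1.1-style capitalised boolean; the rest of the file lower-cases and quotes its scalars, so write `update_cache: true` (yamllint's truthy rule flags the capitalised form). The same task loops `apt` over the three packages one at a time; `apt` accepts a list, so `name: ["cron", "git", "wget"]` without the `loop` installs them in a single transaction with the same end state. The clone task hands `acme_sh_git_version` through unchanged together with `update: "{{ acme_sh_git_update }}"`; if that version defaults to a branch rather than a tag or commit, the code later executed as `acme_sh_become_user` can move between runs without any change to the role, which is worth stating in a comment next to the `git:` task or in the defaults.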
diff --git a/tasks/install_cert.yml b/tasks/install_cert.yml
new file mode 100644
index 0000000..3cf877c
--- /dev/null
+++ b/tasks/install_cert.yml
@@ -0,0 +1,27 @@
+---
+
+- name: Ensure installed certificates have correct user / group ownership
+ file:
+ path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
+ group: "{{ acme_sh_become_user }}"
+ owner: "{{ acme_sh_become_user }}"
+ loop:
+ - "{{ acme_sh_domains }}"
+
+- name: Install acme.sh certificate(s)
+ command: >-
+ ./acme.sh --install-cert -d {{ item.domains | first }}
+ --key-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.key
+ --fullchain-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.pem
+ --reloadcmd "{{ item.install_cert_reloadcmd | default(acme_sh_default_install_cert_reloadcmd) }}"
+ {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
+ {{ item.extra_flags_install_cert | default(acme_sh_default_extra_flags_install_cert) }}
+ args:
+ chdir: "~/.acme.sh"
+ loop: "{{ acme_sh_domains }}"
+ loop_control:
+ index_var: domains_index
+ become_user: "{{ acme_sh_become_user }}"
+ register: install_cert_result
+ changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed
+ failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr
diff --git a/tasks/issue_cert.yml b/tasks/issue_cert.yml
new file mode 100644
index 0000000..2fe39b8
--- /dev/null
+++ b/tasks/issue_cert.yml
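Review bot: `changed_when` on the install-cert task reads `issue_result` and `renew_result`, which are registered in issue_cert.yml and force_renew_cert.yml; now that main.yml gives this file its own tag (`acme_sh.install_cert`), a run limited to that tag reaches this task with both variables undefined and fails on the expression rather than on the command. Guarding each reference, e.g. `changed_when: (issue_result.results[domains_index].changed | default(false)) or (renew_result.results[domains_index].changed | default(false))`, keeps the task usable on its own (confirm on your Ansible version that `default` applies through the undefined attribute chain). The ownership task above it looks wrong on two counts: `loop:` wraps `acme_sh_domains` in a further list, so `item` is the whole list rather than one entry and `item.domains` has nothing to resolve, and the `file` module does not expand the trailing `*` in `path`, so the glob is taken literally. Looping `loop: "{{ acme_sh_domains }}"` over the explicit `.key` and `.pem` paths the install-cert command below writes would fix both.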
@@ -0,0 +1,22 @@
+---
+
+- name: Issue acme.sh certificate(s) (this will sleep for dns_sleep seconds)
+ command: >-
+ ./acme.sh --issue -d {{ item.domains | join(" -d ") }}
+ --dns {{ item.dns_provider | default(acme_sh_default_dns_provider) }}
+ --dnssleep {{ item.dns_sleep | default(acme_sh_default_dns_sleep) }}
+ {{ "--force" if item.force_issue | default(acme_sh_default_force_issue) else "" }}
+ {{ "--staging" if item.staging | default(acme_sh_default_staging) else "" }}
+ {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
+ {{ "--pre-hook " + '"' + item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) + '"' if item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) else "" }}
+ {{ "--post-hook " + '"' + item.issue_post_hook | default(acme_sh_default_issue_post_hook) + '"' if item.issue_post_hook | default(acme_sh_default_issue_post_hook) else "" }}
+ {{ "--renew-hook " + '"' + item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) + '"' if item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) else "" }}
+ {{ item.extra_flags_issue | default(acme_sh_default_extra_flags_issue) }}
+ args:
+ chdir: "~/.acme.sh"
+ environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
+ loop: "{{ acme_sh_domains }}"
+ become_user: "{{ acme_sh_become_user }}"
+ register: issue_result
+ changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout
+ failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout
diff --git a/tasks/list_cert.yml b/tasks/list_cert.yml
new file mode 100644
index 0000000..3125259
--- /dev/null
+++ b/tasks/list_cert.yml
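Review bot: `changed_when` and `failed_when` on the issue task key off literal acme.sh output strings (`"Cert success"`, `"Domains not changed"`) with nothing recording where they come from; if upstream rewords either, the task silently reports unchanged or starts failing on the harmless "not changed" path, and `acme_sh_git_version` is exactly the knob that can move upstream under the role. A comment above `register:` such as `# "Cert success" / "Domains not changed" are acme.sh stdout markers; re-check them when acme_sh_git_version changes` would pin the assumption. The same pattern is in force_renew_cert.yml and install_cert.yml (`"Reload error for"`) and upgrade.yml (`"Upgrade success"`).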
@@ -0,0 +1,14 @@
+---
+
+- name: Register acme.sh certificate information
+ command: ./acme.sh --list
+ args:
+ chdir: "~/.acme.sh"
+ changed_when: False
+ register: list_domains
+ become_user: "{{ acme_sh_become_user }}"
+
+- name: List acme.sh certificate information
+ debug:
+ msg: "{{ list_domains.stdout_lines }}"
+ when: acme_sh_list_domains and not acme_sh_uninstall
diff --git a/tasks/main.yml b/tasks/main.yml
index e161884..f6e9948 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
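Review bot: The two tasks in list_cert.yml disagree on where their guard lives: the `--list` command has no `when:` and relies on the `when: acme_sh_list_domains and not acme_sh_uninstall` carried by the `import_tasks` entry in main.yml, while the `debug` task repeats that same condition locally. Either drop the local `when:` (the import's condition is applied to both tasks) or put it on both, so the file reads consistently. `changed_when: False` should be the lowercase `false` used for booleans elsewhere in the role.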
@@ -1,131 +1,49 @@
---
-- name: Install dependencies
- apt:
- name: "{{ item }}"
- update_cache: True
- cache_valid_time: "{{ acme_sh_apt_cache_time }}"
- loop: ["cron", "git", "wget"]
- when: not acme_sh_uninstall
-
-- name: Create git clone path
- file:
- path: "{{ acme_sh_git_clone_dest | dirname }}"
- state: "directory"
- owner: "{{ acme_sh_become_user }}"
- group: "{{ acme_sh_become_user }}"
- mode: "0755"
- when: not acme_sh_uninstall
-
-- name: Git clone https://github.com/Neilpang/acme.sh
- git:
- repo: "{{ acme_sh_git_url }}"
- version: "{{ acme_sh_git_version }}"
- dest: "{{ acme_sh_git_clone_dest }}"
- update: "{{ acme_sh_git_update }}"
- when: not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
-
-- name: Install acme.sh
- command: >-
- ./acme.sh --install --log
- --days {{ acme_sh_renew_time_in_days }}
- {{ "--accountemail " + acme_sh_account_email if acme_sh_account_email else "" }}
- args:
- chdir: "{{ acme_sh_git_clone_dest }}"
- creates: "~/.acme.sh/acme.sh"
- when: not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
-
- name: Determine if acme.sh is installed
stat:
path: "~/.acme.sh/acme.sh"
register: is_acme_sh_installed
become_user: "{{ acme_sh_become_user }}"
-- name: Upgrade acme.sh
- command: ./acme.sh --upgrade
- args:
- chdir: "~/.acme.sh"
+- import_tasks: install.yml
+ tags:
+ - acme_sh
+ - acme_sh.install
when:
- - acme_sh_upgrade
- - is_acme_sh_installed.stat.exists
- not acme_sh_uninstall
- register: upgrade_result
- changed_when: upgrade_result.rc == 0 and "Upgrade success" in upgrade_result.stdout
- become_user: "{{ acme_sh_become_user }}"
+ - not is_acme_sh_installed.stat.exists
-- name: Create certificate path
- file:
- path: "{{ acme_sh_copy_certs_to_path }}"
- state: "directory"
- owner: "{{ acme_sh_become_user }}"
- group: "{{ acme_sh_become_user }}"
- mode: "0755"
- when: not acme_sh_uninstall
+- import_tasks: upgrade.yml
+ tags:
+ - acme_sh
+ - acme_sh.upgrade
+ when:
+ - is_acme_sh_installed.stat.exists is defined and is_acme_sh_installed.stat.exists
+ - acme_sh_upgrade == False
+ - not acme_sh_uninstall
-- name: Uninstall acme.sh and disable all certificate renewals
- command: ./acme.sh --uninstall
- args:
- chdir: "~/.acme.sh"
+- import_tasks: uninstall.yml
+ tags:
+ - acme_sh
+ - acme_sh.uninstall
when:
- acme_sh_uninstall
- is_acme_sh_installed.stat.exists
- become_user: "{{ acme_sh_become_user }}"
-- name: Remove acme.sh certificate(s) renewals from cron job
- command: >-
- ./acme.sh --remove -d {{ item.domains | first }}
- {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
- args:
- chdir: "~/.acme.sh"
- removes: "~/.acme.sh/{{ item.domains | first }}"
- loop: "{{ acme_sh_domains }}"
- when:
- - acme_sh_domains and item.domains is defined and item.domains
- - item.remove is defined and item.remove
- - not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
- register: remove_result
-
-- name: Remove acme.sh internal certificate files
- file:
- path: "~/.acme.sh/{{ item.domains | first }}"
- state: "absent"
- when:
- - acme_sh_domains and item.domains is defined and item.domains
- - item.remove is defined and item.remove
- - not acme_sh_uninstall
- loop: "{{ acme_sh_domains }}"
- become_user: "{{ acme_sh_become_user }}"
-
-- name: Remove acme.sh installed certificate files
- file:
- path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
- state: "absent"
- loop: "{{ acme_sh_domains }}"
+- import_tasks: remove_cert.yml
+ tags:
+ - acme_sh
+ - acme_sh.remove_cert
when:
- acme_sh_domains and item.domains is defined and item.domains
- item.remove is defined and item.remove
- not acme_sh_uninstall
-- name: Remove acme.sh's cloned source code, installation path and log files
- file:
- path: "{{ item }}"
- state: "absent"
- loop:
- - "{{ acme_sh_git_clone_dest }}"
- - "~/.acme.sh"
- when:
- - acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
-
-- name: Run custom acme.sh command
- command: ./acme.sh {{ item.custom_command }}
- args:
- chdir: "~/.acme.sh"
- environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
- loop: "{{ acme_sh_domains }}"
+- import_tasks: custom_command.yml
+ tags:
+ - acme_sh
+ - acme_sh.custom-command
when:
- acme_sh_domains and item.domains is defined and item.domains
- item.dns_provider | default(acme_sh_default_dns_provider)
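Review bot: The condition on the upgrade.yml import appears inverted: the removed upgrade task ran when `acme_sh_upgrade` was true, but the new list has `- acme_sh_upgrade == False`, so upgrades would now run exactly when the variable is off and never when it is on. Unless the variable's meaning was deliberately flipped, this should read `- acme_sh_upgrade` (and if a negation really were intended, Jinja's `not acme_sh_upgrade` rather than `== False`). Gating install.yml on `- not is_acme_sh_installed.stat.exists` also means the tasks moved into it — the apt dependencies, the git clone with `update: "{{ acme_sh_git_update }}"` and the certificate-path creation — no longer run on hosts where acme.sh already exists, which silently makes `acme_sh_git_update` a no-op there; if that is intended it deserves a comment on the import. Tag names are inconsistent as well: `acme_sh.custom-command` uses a hyphen and `acme_sh.list` in the last hunk drops the `_cert` suffix the other tags carry; `acme_sh.custom_command` and `acme_sh.list_cert` would match the file names.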
@@ -133,24 +51,11 @@
- item.custom_command is defined and item.custom_command
- item.remove is undefined or not item.remove
- not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
-- name: Issue acme.sh certificate(s) (this will sleep for dns_sleep seconds)
- command: >-
- ./acme.sh --issue -d {{ item.domains | join(" -d ") }}
- --dns {{ item.dns_provider | default(acme_sh_default_dns_provider) }}
- --dnssleep {{ item.dns_sleep | default(acme_sh_default_dns_sleep) }}
- {{ "--force" if item.force_issue | default(acme_sh_default_force_issue) else "" }}
- {{ "--staging" if item.staging | default(acme_sh_default_staging) else "" }}
- {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
- {{ "--pre-hook " + '"' + item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) + '"' if item.issue_pre_hook | default(acme_sh_default_issue_pre_hook) else "" }}
- {{ "--post-hook " + '"' + item.issue_post_hook | default(acme_sh_default_issue_post_hook) + '"' if item.issue_post_hook | default(acme_sh_default_issue_post_hook) else "" }}
- {{ "--renew-hook " + '"' + item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) + '"' if item.issue_renew_hook | default(acme_sh_default_issue_renew_hook) else "" }}
- {{ item.extra_flags_issue | default(acme_sh_default_extra_flags_issue) }}
- args:
- chdir: "~/.acme.sh"
- environment: "{{ item.dns_provider_api_keys | default(acme_sh_default_dns_provider_api_keys) }}"
- loop: "{{ acme_sh_domains }}"
+- import_tasks: issue_cert.yml
+ tags:
+ - acme_sh
+ - acme_sh.issue_cert
when:
- acme_sh_domains and item.domains is defined and item.domains
- item.dns_provider | default(acme_sh_default_dns_provider)
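Review bot: The `when:` on the issue_cert.yml import refers to `item.*`, which only works because every task in that file loops over `acme_sh_domains` and the import's condition is applied to each imported task per loop item; a task added to issue_cert.yml without a `loop` would fail on an undefined `item`. That constraint is written down nowhere, so a comment on the import, e.g. `# item.* conditions are evaluated inside the imported tasks, which must all loop over acme_sh_domains`, would protect the next editor. The same holds for the remove_cert.yml, custom_command.yml, force_renew_cert.yml and install_cert.yml imports. The `when:` list this hunk ends in continues in the next hunk.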
@@ -159,75 +64,30 @@
- item.custom_command is undefined or not item.custom_command
- item.remove is undefined or not item.remove
- not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
- register: issue_result
- changed_when: issue_result.rc == 0 and "Cert success" in issue_result.stdout
- failed_when: issue_result.rc != 0 and "Domains not changed" not in issue_result.stdout
-- name: Force renew acme.sh certificate(s)
- command: >-
- ./acme.sh --renew -d {{ item.domains | first }} --force
- {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
- {{ item.extra_flags_renew | default(acme_sh_default_extra_flags_renew) }}
- args:
- chdir: "~/.acme.sh"
- loop: "{{ acme_sh_domains }}"
+- import_tasks: force_renew_cert.yml
+ tags:
+ - acme_sh
+ - acme_sh.force_renew_cert
when:
- acme_sh_domains and item.domains is defined and item.domains
- item.force_issue is undefined or not item.force_issue
- item.force_renew is defined and item.force_renew
- item.remove is undefined or not item.remove
- not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
- register: renew_result
- failed_when: renew_result.rc != 0 and "Reload error for" not in renew_result.stderr
-- name: Ensure installed certificates have correct user / group ownership
- file:
- path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
- group: "{{ acme_sh_become_user }}"
- owner: "{{ acme_sh_become_user }}"
- loop:
- - "{{ acme_sh_domains }}"
+- import_tasks: install_cert.yml
+ tags:
+ - acme_sh
+ - acme_sh.install_cert
when:
- acme_sh_domains and item.domains is defined and item.domains
- item.custom_command is undefined or not item.custom_command
- item.remove is undefined or not item.remove
- not acme_sh_uninstall
-- name: Install acme.sh certificate(s)
- command: >-
- ./acme.sh --install-cert -d {{ item.domains | first }}
- --key-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.key
- --fullchain-file {{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.pem
- --reloadcmd "{{ item.install_cert_reloadcmd | default(acme_sh_default_install_cert_reloadcmd) }}"
- {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
- {{ item.extra_flags_install_cert | default(acme_sh_default_extra_flags_install_cert) }}
- args:
- chdir: "~/.acme.sh"
- loop: "{{ acme_sh_domains }}"
- loop_control:
- index_var: domains_index
- when:
- - acme_sh_domains and item.domains is defined and item.domains
- - item.custom_command is undefined or not item.custom_command
- - item.remove is undefined or not item.remove
- - not acme_sh_uninstall
- become_user: "{{ acme_sh_become_user }}"
- register: install_cert_result
- changed_when: issue_result.results[domains_index].changed or renew_result.results[domains_index].changed
- failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr
-
-- name: Register acme.sh certificate information
- command: ./acme.sh --list
- args:
- chdir: "~/.acme.sh"
- when: acme_sh_list_domains and not acme_sh_uninstall
- changed_when: False
- register: list_domains
- become_user: "{{ acme_sh_become_user }}"
-
-- name: List acme.sh certificate information
- debug:
- msg: "{{ list_domains.stdout_lines }}"
+- import_tasks: list_cert.yml
+ tags:
+ - acme_sh
+ - acme_sh.list
when: acme_sh_list_domains and not acme_sh_uninstall
diff --git a/tasks/remove_cert.yml b/tasks/remove_cert.yml
new file mode 100644
index 0000000..1ace9f2
--- /dev/null
+++ b/tasks/remove_cert.yml
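Review bot: The last import, list_cert.yml, writes its guard as a scalar `when: acme_sh_list_domains and not acme_sh_uninstall` while every other import in the file uses the list form; `when:` followed by `- acme_sh_list_domains` and `- not acme_sh_uninstall` would keep the file uniform. The order of the force_renew_cert.yml and install_cert.yml imports is also load-bearing — install_cert.yml's `changed_when` reads `renew_result` and `issue_result` registered by the imports above it — and nothing in main.yml says so; a one-line comment on the install_cert.yml import, `# must follow issue_cert.yml and force_renew_cert.yml: reads their registered results`, would prevent a reorder from breaking it.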
@@ -0,0 +1,25 @@
+---
+
+- name: Remove acme.sh certificate(s) renewals from cron job
+ command: >-
+ ./acme.sh --remove -d {{ item.domains | first }}
+ {{ "--debug" if item.debug | default(acme_sh_default_debug) else "" }}
+ args:
+ chdir: "~/.acme.sh"
+ removes: "~/.acme.sh/{{ item.domains | first }}"
+ loop: "{{ acme_sh_domains }}"
+ become_user: "{{ acme_sh_become_user }}"
+ register: remove_result
+
+- name: Remove acme.sh internal certificate files
+ file:
+ path: "~/.acme.sh/{{ item.domains | first }}"
+ state: "absent"
+ loop: "{{ acme_sh_domains }}"
+ become_user: "{{ acme_sh_become_user }}"
+
+- name: Remove acme.sh installed certificate files
+ file:
+ path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}*"
+ state: "absent"
+ loop: "{{ acme_sh_domains }}"
diff --git a/tasks/uninstall.yml b/tasks/uninstall.yml
new file mode 100644
index 0000000..f654d09
--- /dev/null
+++ b/tasks/uninstall.yml
@@ -0,0 +1,16 @@
+---
+
+- name: Uninstall acme.sh and disable all certificate renewals
+ command: ./acme.sh --uninstall
+ args:
+ chdir: "~/.acme.sh"
+ become_user: "{{ acme_sh_become_user }}"
+
+- name: Remove acme.sh's cloned source code, installation path and log files
+ file:
+ path: "{{ item }}"
+ state: "absent"
+ loop:
+ - "{{ acme_sh_git_clone_dest }}"
+ - "~/.acme.sh"
+ become_user: "{{ acme_sh_become_user }}"
diff --git a/tasks/upgrade.yml b/tasks/upgrade.yml
new file mode 100644
index 0000000..a5ead13
--- /dev/null
+++ b/tasks/upgrade.yml
@@ -0,0 +1,9 @@
+---
+
+- name: Upgrade acme.sh
+ command: ./acme.sh --upgrade
+ args:
+ chdir: "~/.acme.sh"
+ register: upgrade_result
+ changed_when: upgrade_result.rc == 0 and "Upgrade success" in upgrade_result.stdout
+ become_user: "{{ acme_sh_become_user }}"
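Review bot: The third task, "Remove acme.sh installed certificate files", passes `{{ item.domains | first }}*` to the `file` module, which as far as I know does not expand shell globs: with `state: "absent"` the literal path ending in `*` simply does not exist, the task reports ok, and the `.key` and `.pem` files written by install_cert.yml stay on disk after a removal — the private key included. Since install_cert.yml fixes those two file names, iterate over them explicitly instead of relying on a glob, as below; the `loop` shape stays the same so the `item.domains` guard on the import in main.yml keeps working. The same literal-glob path appears in the ownership task of install_cert.yml.
```yaml
# … unchanged: "--remove" command task and internal-file removal task …
- name: Remove acme.sh installed certificate key files
  file:
    path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.key"
    state: "absent"
  loop: "{{ acme_sh_domains }}"

- name: Remove acme.sh installed certificate fullchain files
  file:
    path: "{{ acme_sh_copy_certs_to_path }}/{{ item.domains | first }}.pem"
    state: "absent"
  loop: "{{ acme_sh_domains }}"
```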