INF-113 acme.sh LetsEncrypt certificate role
initial commit
Change-Id: I36f733306b439a0cd92bded0726dd53a0a4b4084
diff --git a/tasks/Debian.yml b/tasks/Debian.yml
new file mode 100644
index 0000000..6329015
--- /dev/null
+++ b/tasks/Debian.yml
@@ -0,0 +1,15 @@
+---
+# acme tasks/Debian.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: Install tools required for acme.sh
+ apt:
+ name:
+ - curl
+ - git
+ - openssl
+ state: "present"
+ update_cache: true
+ cache_valid_time: 3600
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..35237bc
--- /dev/null
+++ b/tasks/main.yml
@@ -0,0 +1,145 @@
+---
+# acme tasks/main.yml
+#
+# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
+# SPDX-License-Identifier: Apache-2.0
+
+- name: include OS-specific vars
+ include_vars: "{{ ansible_os_family }}.yml"
+
+- name: include OS-specific tasks
+ include_tasks: "{{ ansible_os_family }}.yml"
+
+- name: Create group for acme.sh
+ group:
+ name: "{{ acmesh_groupname }}"
+
+- name: Create user for acme.sh
+ user:
+ name: "{{ acmesh_username }}"
+ group: "{{ acmesh_groupname }}"
+ comment: "{{ acmesh_comment }}"
+ shell: "{{ acmesh_shell }}"
+ home: "{{ acmesh_base_dir }}/home"
+ create_home: no # yamllint disable-line rule:truthy
+ password_lock: true
+
+- name: Allow acme.sh user to restart the webserver
+ template:
+ src: "acme_sudoers.j2"
+ dest: "/etc/sudoers.d/acme_sudoers"
+ owner: "root"
+ group: "root"
+ mode: 0644
+ validate: "visudo -c -s -f %s"
+
+- name: Create certificate dir
+ file:
+ path: "{{ certificate_dir }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ webserver_groupname }}"
+ mode: "0750"
+
+- name: Create per-domain sub-dirs
+ file:
+ path: "{{ certificate_dir }}/{{ item.cert_names | first }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ webserver_groupname }}"
+ mode: "0750"
+ with_items: "{{ acme_certs }}"
+
+- name: Create base dir for acme.sh
+ file:
+ path: "{{ acmesh_base_dir }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ acmesh_groupname }}"
+ mode: "0755"
+
+- name: Create subdirs for home/dist of acme.sh
+ file:
+ path: "{{ item }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ webserver_groupname }}"
+ mode: "0700"
+ with_items:
+ - "{{ acmesh_base_dir }}/dist"
+ - "{{ acmesh_base_dir }}/home"
+
+- name: Create log dir for acme.sh
+ file:
+ path: "{{ acmesh_log_dir }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ acmesh_groupname }}"
+ mode: "0755"
+
+- name: Create acme-challenge webroot directory
+ file:
+ path: "{{ acme_challenge_dir }}"
+ state: directory
+ owner: "{{ acmesh_username }}"
+ group: "{{ webserver_groupname }}"
+ mode: "0755"
+
+- name: Checkout acme.sh into dist directory
+ become: true
+ become_user: "{{ acmesh_username }}"
+ git:
+ repo: "https://github.com/acmesh-official/acme.sh.git"
+ dest: "{{ acmesh_base_dir }}/dist"
+ version: "{{ acmesh_version }}"
+ register: acmesh_git
+
+- name: Install acme.sh
+ become: true
+ become_user: "{{ acmesh_username }}"
+ command:
+ chdir: "{{ acmesh_base_dir }}/dist"
+ cmd: >
+ ./acme.sh install
+ --log "{{ acmesh_log_dir }}/acmesh.log"
+ --config-home "{{ acmesh_base_dir }}/home"
+ --account_email "{{ acmesh_email }}"
+ creates: "{{ acmesh_base_dir }}/home/.acme.sh"
+
+- name: Issue certificates (HTTP challenge)
+ become: true
+ become_user: "{{ acmesh_username }}"
+ command:
+ chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
+ cmd: >
+ ./acme.sh
+ --issue
+ -d {{ item.cert_names | join (" -d ") }}
+ --webroot {{ acme_challenge_dir }}
+ creates: |
+ {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
+ with_items: "{{ acme_certs }}"
+ when: item.method is defined and item.method == "http"
+ notify:
+ install-certs
+
+- name: Issue certificates (DNS challenge)
+ become: true
+ become_user: "{{ acmesh_username }}"
+ environment: "{{ acmesh_dns_env_vars }}"
+ command:
+ chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
+ cmd: >
+ ./acme.sh
+ --issue
+ -d {{ item.cert_names | join (" -d ") }}
+ --dns {{ acmesh_dns_provider }}
+ creates: |
+ {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
+ with_items: "{{ acme_certs }}"
+ when: item.method is defined and item.method == "dns"
+ notify:
+ install-certs
+
+- name: Flush handlers to reconfigure before dependent roles run (nginx, etc.)
+ meta: flush_handlers
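Review bot: The `creates:` guards on both `Issue certificates` tasks are written as `|` literal block scalars, which keep the trailing newline, so the path Ansible tests for existence almost certainly ends in `\n` and never matches; every run would then re-invoke `acme.sh --issue` for every entry in `acme_certs`, which loses idempotence, burns ACME rate-limit budget, and, as far as I recall, fails the task because acme.sh exits non-zero when a valid certificate is not yet due for renewal. Replace both with a plain quoted scalar, `creates: "{{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}"`. On the sudoers drop-in, `mode: 0644` should be `mode: "0440"` — quoted like the other modes in this file so the octal is not reparsed as an integer, and matching sudo's expected permissions for `/etc/sudoers.d/` files, which some sudo builds otherwise warn about or skip. Finally, the acme.sh checkout is only as pinned as `acmesh_version` is: if its default is a tag or branch rather than a commit SHA, the code executed as the certificate user (and, via the sudoers rule, with root privileges to restart the webserver) can change underneath the role, so pin it to a commit; and since the DNS task exports provider API credentials through `environment:`, consider `no_log: true` on that task so they cannot reach play output or callback logs.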