Replace lego with acme_sh

2026-03-28 20:21:42 +01:00 · 2026-03-28 20:21:42 +01:00 · 0237271b65
commit 0237271b65
parent 82f65d396f
24 changed files with 176 additions and 247 deletions
--- a/playbooks/roles/acme_sh/defaults/main.yml
+++ b/playbooks/roles/acme_sh/defaults/main.yml
@ -0,0 +1,25 @@
+---
+acme_sh_eab_key_id: "{{ undef() }}"
+acme_sh_eab_hmac_key: "{{ undef() }}"
+
+acme_sh_acmedns_user: "{{ undef() }}"
+acme_sh_acmedns_pass: "{{ undef() }}"
+acme_sh_acmedns_subd: "{{ undef() }}"
+
+acme_sh_ntfy_topic: "{{ undef() }}"
+acme_sh_ntfy_token: "{{ undef() }}"
+
+acme_sh_all_certificates: "{{ all_services | services_get_attr('certificates') | flatten }}"
+acme_sh_certificates: "{{ host_services | services_get_attr('certificates') | flatten }}"
+acme_sh_unwanted_certificates: "{{ acme_sh_all_certificates | difference(acme_sh_certificates) }}"
+
+
+acme_sh_env:
+  LE_WORKING_DIR: "{{ certificates_path }}"
+  ACMEDNS_BASE_URL: "https://{{ acme_dns.host }}"
+  ACMEDNS_USERNAME: "{{ acme_sh_acmedns_user | mandatory }}"
+  ACMEDNS_PASSWORD: "{{ acme_sh_acmedns_pass | mandatory }}"
+  ACMEDNS_SUBDOMAIN: "{{ acme_sh_acmedns_subd | mandatory }}"
+  NTFY_URL: "https://push.serguzim.me"
+  NTFY_TOPIC: "{{ acme_sh_ntfy_topic | mandatory }}"
+  NTFY_TOKEN: "{{ acme_sh_ntfy_token | mandatory }}"
--- a/playbooks/roles/acme_sh/files/acme_sh.timer
+++ b/playbooks/roles/acme_sh/files/acme_sh.timer
@ -0,0 +1,10 @@
+[Unit]
+Description=Daily renewal of certificates
+
+[Timer]
+OnCalendar=daily
+RandomizedDelaySec=2h
+Persistent=true
+
+[Install]
+WantedBy=timers.target
--- a/playbooks/roles/acme_sh/handlers/main.yml
+++ b/playbooks/roles/acme_sh/handlers/main.yml
@ -0,0 +1,3 @@
+---
+- name: Restart service {{ service_name }}
+  ansible.builtin.include_tasks: tasks/restart-service.yml
--- a/playbooks/roles/acme_sh/tasks/main.yml
+++ b/playbooks/roles/acme_sh/tasks/main.yml
@ -0,0 +1,69 @@
+---
+- name: Set common facts
+  ansible.builtin.import_tasks: tasks/set-default-facts.yml
+
+- name: Import tasks to create service directory
+  ansible.builtin.import_tasks: tasks/steps/create-service-directory.yml
+
+# noqa: command-instead-of-module
+- name: Install acme.sh
+  ansible.builtin.shell:
+    cmd: set -o pipefail && curl https://get.acme.sh | sh -s home={{ service_path }} --nocron
+    creates: "{{ (service_path, 'acme.sh') | path_join }}"
+  environment:
+    BRANCH: dev
+
+- name: Register zerossl account
+  ansible.builtin.command:
+    cmd: ./acme.sh --register-account --server zerossl --eab-kid {{ acme_sh_eab_key_id }} --eab-hmac-key {{ acme_sh_eab_hmac_key }}
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env }}"
+  register: acme_sh_cmd_result
+  changed_when: not (acme_sh_cmd_result.stdout | regex_search('Already registered$', multiline=True))
+
+- name: Set default CA
+  ansible.builtin.command:
+    cmd: ./acme.sh --set-default-ca --server zerossl
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env }}"
+  changed_when: false
+
+- name: Set notifications
+  ansible.builtin.command:
+    cmd: ./acme.sh --set-notify --notify-hook ntfy
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env }}"
+  changed_when: false
+
+- name: Remove unwanted certificates
+  ansible.builtin.command:
+    cmd: ./acme.sh --remove -d {{ item.domain }}
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env }}"
+  loop: "{{ acme_sh_unwanted_certificates }}"
+  register: acme_sh_cmd_result
+  changed_when: acme_sh_cmd_result.rc == 0
+  failed_when: false
+
+- name: Get certificates
+  ansible.builtin.command:
+    cmd: ./acme.sh --issue --dns dns_acmedns -d {{ item.domain }}
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env }}"
+  loop: "{{ acme_sh_certificates }}"
+  register: acme_sh_cmd_result
+  changed_when: true # TODO
+  failed_when: not acme_sh_cmd_result.rc in [0, 2]
+
+- name: Deploy certificates
+  ansible.builtin.command:
+    cmd: ./acme.sh --deploy --deploy-hook {{ item.hook }} -d {{ item.domain }}
+    chdir: "{{ service_path }}"
+  environment: "{{ acme_sh_env | combine(item.parameters) }}"
+  loop: "{{ acme_sh_certificates }}"
+  register: acme_sh_cmd_result
+  changed_when: true # TODO
+  become: true
+
+- name: Import systemd tasks
+  ansible.builtin.import_tasks: systemd.yml
--- a/playbooks/roles/acme_sh/tasks/systemd.yml
+++ b/playbooks/roles/acme_sh/tasks/systemd.yml
@ -0,0 +1,22 @@
+---
+- name: Copy the system service
+  ansible.builtin.template:
+    src: acme_sh.service.j2
+    dest: /etc/systemd/system/acme_sh.service
+    mode: "0644"
+  become: true
+
+- name: Copy the system timer
+  ansible.builtin.copy:
+    src: acme_sh.timer
+    dest: /etc/systemd/system/acme_sh.timer
+    mode: "0644"
+  become: true
+
+- name: Enable the system timer
+  ansible.builtin.systemd_service:
+    name: acme_sh.timer
+    state: started
+    enabled: true
+    daemon_reload: true
+  become: true
--- a/playbooks/roles/acme_sh/templates/acme_sh.service.j2
+++ b/playbooks/roles/acme_sh/templates/acme_sh.service.j2
@ -0,0 +1,9 @@
+[Unit]
+Description=Renew certificates using acme.sh
+After=network-online.target nss-lookup.target
+
+[Service]
+Type=oneshot
+SyslogIdentifier=acme.sh
+Environment=LE_WORKING_DIR="{{ acme_sh_env.LE_WORKING_DIR }}"
+ExecStart={{ (service_path, 'acme.sh') | path_join }} --cron