Fix pre-commit hooks and move directories

roles/ and inventory/ are now in playbooks/
also fixed issues reported by ansible-lint
This commit is contained in:
Tobias Reisinger 2024-10-14 18:30:24 +02:00
parent dc398ddb6e
commit 4104057771
Signed by: serguzim
GPG key ID: 13AD60C237A28DFE
123 changed files with 91 additions and 39 deletions

View file

@ -0,0 +1,6 @@
#!/usr/bin/env sh
cp -f "$LEGO_CERT_PATH" /certificates
cp -f "$LEGO_CERT_KEY_PATH" /certificates
exit 33 # special exit code to signal that the certificate has been updated

View file

@ -0,0 +1,12 @@
#!/usr/bin/env sh
domain="auth.serguzim.me"
_install() {
install --owner=root --group=root --mode=600 \
"$CERTIFICATES_PATH/$domain.$1" \
"/opt/services/authentik/certs/$domain.$2"
}
_install crt pem
_install key key

View file

@ -0,0 +1,16 @@
#!/usr/bin/env sh
domain="db.serguzim.me"
_install() {
install --owner=postgres --group=postgres --mode=600 \
"$CERTIFICATES_PATH/$domain.$1" \
"/var/lib/postgres/data/server.$1"
}
_install crt
_install key
sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
# vim: ft=sh

View file

@ -0,0 +1,26 @@
#!/usr/bin/env sh
set -a
. ./service.env
set +a
domain="$1"
action="run"
exisiting_domains=$(docker compose run --rm app list -n)
if echo "$exisiting_domains" | grep -q "$domain";
then
action="renew"
fi
docker compose run --rm app \
--domains "$domain" \
"$action" \
"--$action-hook" "/config/hook.sh"
if [ "$?" = "33" ] && [ -x "./hooks/$domain" ];
then
echo "Running hook for $domain"
"./hooks/$domain"
fi

View file

@ -0,0 +1,10 @@
[Unit]
Description=Renew certificates
[Timer]
Persistent=true
OnCalendar=*-*-* 01:15:00
RandomizedDelaySec=2h
[Install]
WantedBy=timers.target

View file

@ -0,0 +1,19 @@
---
- name: Set config path
ansible.builtin.set_fact:
config_path: "{{ (service_path, 'config') | path_join }}"
- name: Create config directory
ansible.builtin.file:
path: "{{ config_path }}"
state: directory
mode: "0755"
- name: Copy the acme-dns-accounts
ansible.builtin.template:
src: "json.j2"
dest: "{{ (config_path, 'acme-dns-accounts.json') | path_join }}"
mode: "0644"
- name: Copy the hook script
ansible.builtin.copy:
src: "hook.sh"
dest: "{{ (config_path, 'hook.sh') | path_join }}"
mode: "0755"

View file

@ -0,0 +1,14 @@
---
- name: Set hooks path
ansible.builtin.set_fact:
hooks_path: "{{ (service_path, 'hooks') | path_join }}"
- name: Create hooks directory
ansible.builtin.file:
path: "{{ hooks_path }}"
state: directory
mode: "0755"
- name: Copy the additional hooks
ansible.builtin.copy:
src: hooks/
dest: "{{ hooks_path }}"
mode: "0755"

View file

@ -0,0 +1,43 @@
---
- name: Set common facts
ansible.builtin.import_tasks: tasks/set-default-facts.yml
- name: Deploy {{ role_name }}
vars:
env: "{{ lego_env }}"
json: "{{ vault_acmedns_registered | acmedns_to_lego }}"
compose: "{{ lego_compose }}"
block:
- name: Import prepare tasks for common service
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
- name: Create _certificates directory
ansible.builtin.file:
path: "{{ certificates_path }}"
state: directory
mode: "0755"
- name: Import tasks specific to the config directory
ansible.builtin.import_tasks: config.yml
- name: Import tasks specific to hooks
ansible.builtin.import_tasks: hooks.yml
- name: Import tasks specific to systemd
ansible.builtin.import_tasks: systemd.yml
- name: Copy the run script
ansible.builtin.copy:
src: "lego.sh"
dest: "{{ (service_path, 'lego.sh') | path_join }}"
mode: "0755"
- name: Import tasks create a service.env file
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
- name: Run certificate-script for domains
ansible.builtin.command:
cmd: "./lego.sh {{ item }}"
chdir: "{{ service_path }}"
become: true
loop: "{{ lego_host_certificates }}"
register: cmd_result
changed_when: cmd_result.stderr | regex_search('Server responded with a certificate.')

View file

@ -0,0 +1,40 @@
---
- name: Copy the system service
ansible.builtin.template:
src: lego@.service.j2
dest: /etc/systemd/system/lego@.service
mode: "0644"
become: true
- name: Copy the system timer
ansible.builtin.copy:
src: lego@.timer
dest: /etc/systemd/system/lego@.timer
mode: "0644"
become: true
- name: Get all lego timers
ansible.builtin.shell:
cmd: "set -o pipefail && systemctl list-timers 'lego@*' --all --output=json | jq -r '.[].unit'"
register: systemd_timers_result
changed_when: false
- name: Generate systemd timer names
ansible.builtin.set_fact:
lego_systemd_timers: "{{ lego_host_certificates | list_prefix_suffix('lego@', '.timer') }}"
- name: Disable unused system timers
ansible.builtin.systemd_service:
name: "{{ item }}"
state: stopped
enabled: false
loop: "{{ systemd_timers_result.stdout_lines | difference(lego_systemd_timers) }}"
become: true
- name: Enable the system timers
ansible.builtin.systemd_service:
name: "{{ item }}"
state: started
enabled: true
daemon_reload: true
loop: "{{ lego_systemd_timers }}"
become: true

View file

@ -0,0 +1,4 @@
[Service]
Type=oneshot
ExecStart={{ service_path }}/lego.sh %i
WorkingDirectory={{ service_path }}

View file

@ -0,0 +1,32 @@
---
lego_host_certificates: "{{ all_services | my_service_attributes(inventory_hostname, 'certificates') }}"
lego_env:
ACME_DNS_API_BASE: https://{{ acme_dns.host }}
ACME_DNS_STORAGE_PATH: /config/acme-dns-accounts.json
LEGO_EMAIL: "{{ admin_email }}"
LEGO_PATH: /data
CERTIFICATES_PATH: "{{ certificates_path }}"
lego_compose:
watchtower: false
network: false
image: goacme/lego
volumes:
- ./config:/config:ro
- "{{ certificates_path }}:/certificates"
- data:/data
file:
services:
app:
restart: never
network_mode: "host"
entrypoint:
- /lego
- --accept-tos
- --email={{ admin_email }}
- --dns=acme-dns
volumes:
data: