Fix pre-commit hooks and move directories
roles/ and inventory/ are now in playbooks/; also fixed issues reported by ansible-lint
parent
dc398ddb6e
commit
4104057771
123 changed files with 91 additions and 39 deletions
playbooks/roles/lego
6
playbooks/roles/lego/files/hook.sh
Normal file
6
playbooks/roles/lego/files/hook.sh
Normal file
|
@ -0,0 +1,6 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
cp -f "$LEGO_CERT_PATH" /certificates
|
||||
cp -f "$LEGO_CERT_KEY_PATH" /certificates
|
||||
|
||||
exit 33 # special exit code to signal that the certificate has been updated
|
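Review bot: Nothing stops hook.sh after a failed `cp`, so an unset `LEGO_CERT_PATH`/`LEGO_CERT_KEY_PATH` or an unwritable `/certificates` still ends in `exit 33`, and lego.sh then treats the certificate as updated and runs the per-domain hook against whatever files are already there. Adding `set -eu` directly after the shebang aborts on the copy failure before the special exit code is reached, so lego reports the hook error instead. The same missing `set -eu` applies to hooks/auth.serguzim.me, hooks/db.serguzim.me and lego.sh in this commit. The private key is copied with a plain `cp -f`, so the destination mode depends on the umask or on an existing target file rather than on lego's restrictive mode; `cp -fp` (or an explicit `chmod 600` afterwards) pins it.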
12
playbooks/roles/lego/files/hooks/auth.serguzim.me
Executable file
12
playbooks/roles/lego/files/hooks/auth.serguzim.me
Executable file
|
@ -0,0 +1,12 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
domain="auth.serguzim.me"
|
||||
|
||||
_install() {
|
||||
install --owner=root --group=root --mode=600 \
|
||||
"$CERTIFICATES_PATH/$domain.$1" \
|
||||
"/opt/services/authentik/certs/$domain.$2"
|
||||
}
|
||||
|
||||
_install crt pem
|
||||
_install key key
|
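Review bot: After the two `_install` calls nothing tells the service in /opt/services/authentik to pick up the new files, unlike hooks/db.serguzim.me which ends with a `pg_ctl reload`; if that service does not re-read its certs directory on its own (I cannot tell from here), the renewed certificate only becomes active after an unrelated restart. Either a reload step at the end, or a one-line comment such as `# the service re-reads its certs directory on its own; no reload needed`, would make the intent explicit. The files are installed root:root with mode 600; whether the process that serves them runs with enough privilege to read them at that owner/mode is not visible from this hook and is worth stating in the same comment.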
16
playbooks/roles/lego/files/hooks/db.serguzim.me
Executable file
16
playbooks/roles/lego/files/hooks/db.serguzim.me
Executable file
|
@ -0,0 +1,16 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
domain="db.serguzim.me"
|
||||
|
||||
_install() {
|
||||
install --owner=postgres --group=postgres --mode=600 \
|
||||
"$CERTIFICATES_PATH/$domain.$1" \
|
||||
"/var/lib/postgres/data/server.$1"
|
||||
}
|
||||
|
||||
_install crt
|
||||
_install key
|
||||
|
||||
sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload
|
||||
|
||||
# vim: ft=sh
|
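Review bot: The data directory is spelled out twice, once inside `_install` and again in the `pg_ctl` call, so the two can drift; a single `pgdata="/var/lib/postgres/data"` next to `domain=` and `"$pgdata/server.$1"` / `pg_ctl -D "$pgdata" reload` keeps them in step. `pg_ctl reload` is the last command, so its exit status is what lego.sh receives, which is the behaviour one wants here. `--mode=600` on server.crt as well as server.key is stricter than postgres requires for the certificate but harmless.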
26
playbooks/roles/lego/files/lego.sh
Executable file
26
playbooks/roles/lego/files/lego.sh
Executable file
|
@ -0,0 +1,26 @@
|
|||
#!/usr/bin/env sh
|
||||
|
||||
set -a
|
||||
. ./service.env
|
||||
set +a
|
||||
|
||||
domain="$1"
|
||||
action="run"
|
||||
|
||||
exisiting_domains=$(docker compose run --rm app list -n)
|
||||
|
||||
if echo "$exisiting_domains" | grep -q "$domain";
|
||||
then
|
||||
action="renew"
|
||||
fi
|
||||
|
||||
docker compose run --rm app \
|
||||
--domains "$domain" \
|
||||
"$action" \
|
||||
"--$action-hook" "/config/hook.sh"
|
||||
|
||||
if [ "$?" = "33" ] && [ -x "./hooks/$domain" ];
|
||||
then
|
||||
echo "Running hook for $domain"
|
||||
"./hooks/$domain"
|
||||
fi
|
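Review bot: `grep -q "$domain"` on the `list -n` output is an unanchored regex match, so with a domain like `serguzim.me` an existing `auth.serguzim.me` entry makes the script choose `renew` for a domain that has no certificate yet, and the `.` in the name matches any character. Assuming `list -n` prints one name per line, `if echo "$exisiting_domains" | grep -qxF -- "$domain";` matches whole lines literally. The variable name `exisiting_domains` is misspelled in both places it is used. The `$?` check after the `docker compose run` works because no command sits between them, a one-line comment saying so (`# $? is still the exit status of the lego run above`) would protect it from a later edit.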
10
playbooks/roles/lego/files/lego@.timer
Normal file
10
playbooks/roles/lego/files/lego@.timer
Normal file
|
@ -0,0 +1,10 @@
|
|||
[Unit]
|
||||
Description=Renew certificates
|
||||
|
||||
[Timer]
|
||||
Persistent=true
|
||||
OnCalendar=*-*-* 01:15:00
|
||||
RandomizedDelaySec=2h
|
||||
|
||||
[Install]
|
||||
WantedBy=timers.target
|
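Review bot: The `Description` is identical for every template instance, so `systemctl list-timers` and the journal cannot tell the domains apart; `Description=Renew certificate for %i` fixes that at no cost. `Persistent=true` with a two hour random delay on a daily `OnCalendar` looks reasonable for ACME renewals.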
19
playbooks/roles/lego/tasks/config.yml
Normal file
19
playbooks/roles/lego/tasks/config.yml
Normal file
|
@ -0,0 +1,19 @@
|
|||
---
|
||||
- name: Set config path
|
||||
ansible.builtin.set_fact:
|
||||
config_path: "{{ (service_path, 'config') | path_join }}"
|
||||
- name: Create config directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ config_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Copy the acme-dns-accounts
|
||||
ansible.builtin.template:
|
||||
src: "json.j2"
|
||||
dest: "{{ (config_path, 'acme-dns-accounts.json') | path_join }}"
|
||||
mode: "0644"
|
||||
- name: Copy the hook script
|
||||
ansible.builtin.copy:
|
||||
src: "hook.sh"
|
||||
dest: "{{ (config_path, 'hook.sh') | path_join }}"
|
||||
mode: "0755"
|
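Review bot: acme-dns-accounts.json is rendered with `mode: "0644"` into a `0755` directory, and tasks/main.yml feeds this template from `vault_acmedns_registered`, so per-domain acme-dns credentials end up readable by every local user on the host. `mode: "0600"` on the template task keeps them to the owner; the file is mounted into the container read-only via `./config:/config:ro`, so this only matters if the lego container does not run as root, which I cannot confirm from here. Consider `no_log: true` on the same task so the rendered content does not appear in verbose or diff output.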
14
playbooks/roles/lego/tasks/hooks.yml
Normal file
14
playbooks/roles/lego/tasks/hooks.yml
Normal file
|
@ -0,0 +1,14 @@
|
|||
---
|
||||
- name: Set hooks path
|
||||
ansible.builtin.set_fact:
|
||||
hooks_path: "{{ (service_path, 'hooks') | path_join }}"
|
||||
- name: Create hooks directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ hooks_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
- name: Copy the additional hooks
|
||||
ansible.builtin.copy:
|
||||
src: hooks/
|
||||
dest: "{{ hooks_path }}"
|
||||
mode: "0755"
|
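Review bot: The copy task sets no `owner`/`group` and runs without `become`, while tasks/main.yml executes `./hooks/<domain>` through lego.sh with `become: true`; the hook files therefore belong to the connecting Ansible user yet run as root, so if that account is not root, anyone who can write as it gets root at the next renewal. Adding `owner: root`, `group: root` and `become: true` to this task (and to the hook.sh copy in config.yml and the lego.sh copy in main.yml) closes that gap. `ansible.builtin.copy` also never removes files deleted from `hooks/` on the controller, and lego.sh runs any executable left in that directory, so a hook for a retired domain keeps running until removed by hand.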
43
playbooks/roles/lego/tasks/main.yml
Normal file
43
playbooks/roles/lego/tasks/main.yml
Normal file
|
@ -0,0 +1,43 @@
|
|||
---
|
||||
- name: Set common facts
|
||||
ansible.builtin.import_tasks: tasks/set-default-facts.yml
|
||||
|
||||
- name: Deploy {{ role_name }}
|
||||
vars:
|
||||
env: "{{ lego_env }}"
|
||||
json: "{{ vault_acmedns_registered | acmedns_to_lego }}"
|
||||
compose: "{{ lego_compose }}"
|
||||
block:
|
||||
- name: Import prepare tasks for common service
|
||||
ansible.builtin.import_tasks: tasks/prepare-common-service.yml
|
||||
|
||||
- name: Create _certificates directory
|
||||
ansible.builtin.file:
|
||||
path: "{{ certificates_path }}"
|
||||
state: directory
|
||||
mode: "0755"
|
||||
|
||||
- name: Import tasks specific to the config directory
|
||||
ansible.builtin.import_tasks: config.yml
|
||||
- name: Import tasks specific to hooks
|
||||
ansible.builtin.import_tasks: hooks.yml
|
||||
- name: Import tasks specific to systemd
|
||||
ansible.builtin.import_tasks: systemd.yml
|
||||
|
||||
- name: Copy the run script
|
||||
ansible.builtin.copy:
|
||||
src: "lego.sh"
|
||||
dest: "{{ (service_path, 'lego.sh') | path_join }}"
|
||||
mode: "0755"
|
||||
|
||||
- name: Import tasks create a service.env file
|
||||
ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
|
||||
|
||||
- name: Run certificate-script for domains
|
||||
ansible.builtin.command:
|
||||
cmd: "./lego.sh {{ item }}"
|
||||
chdir: "{{ service_path }}"
|
||||
become: true
|
||||
loop: "{{ lego_host_certificates }}"
|
||||
register: cmd_result
|
||||
changed_when: cmd_result.stderr | regex_search('Server responded with a certificate.')
|
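Review bot: `changed_when: cmd_result.stderr | regex_search('Server responded with a certificate.')` uses a regex where a literal substring is meant, with the trailing `.` matching any character; `changed_when: "'Server responded with a certificate.' in cmd_result.stderr"` states the same check without the regex. With `become: true` the run script and every per-domain hook execute as root, which is what the hooks' `install --owner=root` and `sudo -u postgres` lines need, but it is worth a comment on the task (`# hooks install certificates system-wide, so this runs as root`). The block header of `Deploy {{ role_name }}` continues outside the hunk.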
40
playbooks/roles/lego/tasks/systemd.yml
Normal file
40
playbooks/roles/lego/tasks/systemd.yml
Normal file
|
@ -0,0 +1,40 @@
|
|||
---
|
||||
- name: Copy the system service
|
||||
ansible.builtin.template:
|
||||
src: lego@.service.j2
|
||||
dest: /etc/systemd/system/lego@.service
|
||||
mode: "0644"
|
||||
become: true
|
||||
- name: Copy the system timer
|
||||
ansible.builtin.copy:
|
||||
src: lego@.timer
|
||||
dest: /etc/systemd/system/lego@.timer
|
||||
mode: "0644"
|
||||
become: true
|
||||
|
||||
- name: Get all lego timers
|
||||
ansible.builtin.shell:
|
||||
cmd: "set -o pipefail && systemctl list-timers 'lego@*' --all --output=json | jq -r '.[].unit'"
|
||||
register: systemd_timers_result
|
||||
changed_when: false
|
||||
|
||||
- name: Generate systemd timer names
|
||||
ansible.builtin.set_fact:
|
||||
lego_systemd_timers: "{{ lego_host_certificates | list_prefix_suffix('lego@', '.timer') }}"
|
||||
|
||||
- name: Disable unused system timers
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ item }}"
|
||||
state: stopped
|
||||
enabled: false
|
||||
loop: "{{ systemd_timers_result.stdout_lines | difference(lego_systemd_timers) }}"
|
||||
become: true
|
||||
|
||||
- name: Enable the system timers
|
||||
ansible.builtin.systemd_service:
|
||||
name: "{{ item }}"
|
||||
state: started
|
||||
enabled: true
|
||||
daemon_reload: true
|
||||
loop: "{{ lego_systemd_timers }}"
|
||||
become: true
|
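Review bot: `set -o pipefail` in the "Get all lego timers" shell task only works if the remote shell is bash; `ansible.builtin.shell` defaults to `/bin/sh`, and on hosts where that is dash the task fails with an illegal-option error before `systemctl` runs. Add `args:` with `executable: /bin/bash` to that task. The pipeline also depends on `jq` being installed, which nothing in this role ensures; a missing binary fails the task loudly rather than silently, but a short comment naming the dependency would help.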
4
playbooks/roles/lego/templates/lego@.service.j2
Normal file
4
playbooks/roles/lego/templates/lego@.service.j2
Normal file
|
@ -0,0 +1,4 @@
|
|||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart={{ service_path }}/lego.sh %i
|
||||
WorkingDirectory={{ service_path }}
|
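Review bot: The unit has no `[Unit]` section, yet lego.sh runs `docker compose`; when the persistent timer fires early after boot the service may start before the docker daemon is up, which is my inference from the script rather than something visible here. `[Unit]` with `Description=Renew certificate for %i`, `After=docker.service` and `Requires=docker.service` at the top of the template addresses both. No `User=` is set, so the run script and its hooks execute as root, which the hooks rely on; a comment stating that intent would prevent someone "hardening" it later and breaking the installs.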
32
playbooks/roles/lego/vars/main.yml
Normal file
32
playbooks/roles/lego/vars/main.yml
Normal file
|
@ -0,0 +1,32 @@
|
|||
---
|
||||
lego_host_certificates: "{{ all_services | my_service_attributes(inventory_hostname, 'certificates') }}"
|
||||
|
||||
lego_env:
|
||||
ACME_DNS_API_BASE: https://{{ acme_dns.host }}
|
||||
ACME_DNS_STORAGE_PATH: /config/acme-dns-accounts.json
|
||||
|
||||
LEGO_EMAIL: "{{ admin_email }}"
|
||||
LEGO_PATH: /data
|
||||
|
||||
CERTIFICATES_PATH: "{{ certificates_path }}"
|
||||
|
||||
lego_compose:
|
||||
watchtower: false
|
||||
network: false
|
||||
image: goacme/lego
|
||||
volumes:
|
||||
- ./config:/config:ro
|
||||
- "{{ certificates_path }}:/certificates"
|
||||
- data:/data
|
||||
file:
|
||||
services:
|
||||
app:
|
||||
restart: never
|
||||
network_mode: "host"
|
||||
entrypoint:
|
||||
- /lego
|
||||
- --accept-tos
|
||||
- --email={{ admin_email }}
|
||||
- --dns=acme-dns
|
||||
volumes:
|
||||
data:
|
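Review bot: `restart: never` under `services.app` is not one of the Compose restart policies documented as `"no"`, `always`, `on-failure` and `unless-stopped`; the intended value is `restart: "no"`, quoted because an unquoted `no` is a YAML 1.1 boolean. Whether `docker compose run` rejects the unknown value or ignores it I cannot tell from here. `ACME_DNS_API_BASE: https://{{ acme_dns.host }}` is the only templated value left unquoted in this file; `"https://{{ acme_dns.host }}"` matches the others and keeps the `:` safe. The admin address is passed twice, as `LEGO_EMAIL` and as `--email=` in the entrypoint, so one of them can go.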