Improve lego service to be more dynamic

modules/infrastructure/variables.tf

@@ -25,6 +25,7 @@ variable "services" {
       type = string
     })))
     ports = optional(list(string))
+    certificates = optional(list(string))
     auth = bool
     auth_cert = optional(string)
     auth_redirects = optional(list(string))

modules/services/variables.tf

@@ -16,6 +16,7 @@ variable "services" {
       type = string
     })))
     ports = optional(list(string))
+    certificates = optional(list(string))
     auth = bool
     auth_cert = optional(string)
     auth_redirects = optional(list(string))

roles/backup/files/hooks/mailcow

@@ -2,4 +2,4 @@
 
 export MAILCOW_BACKUP_LOCATION="$1"
 
-/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all
+/opt/mailcow-dockerized/helper-scripts/backup_and_restore.sh backup all --delete-days 1

roles/lego/files/lego.sh

@@ -5,15 +5,22 @@ set -a
 set +a
 
 domain="$1"
-action="${2:-renew}"
+action="run"
+
+exisiting_domains=$(docker compose run --rm app list -n)
+
+if echo "$exisiting_domains" | grep -q "$domain";
+then
+	action="renew"
+fi
 
 docker compose run --rm app \
 	--domains "$domain" \
 	"$action" \
 	"--$action-hook" "/config/hook.sh"
 
-if [ "$?" = "33" ] && [ -x "./lego.d/$domain" ];
+if [ "$?" = "33" ] && [ -x "./hooks/$domain" ];
 then
 	echo "Running hook for $domain"
-	"./lego.d/$domain"
+	"./hooks/$domain"
 fi

roles/lego/files/node002/msrg.cc

@@ -1,18 +0,0 @@
-#!/usr/bin/env sh
-
-domain="msrg.cc"
-
-tmpdir=$(mktemp -d)
-trap 'rm -rf $tmpdir' EXIT
-
-cp "$CERTIFICATES_PATH/$domain.crt" "$tmpdir/fullchain.pem"
-cp "$CERTIFICATES_PATH/$domain.key" "$tmpdir/privkey.pem"
-
-curl \
-	-F submit="submit" \
-	-F token="$WIUWIU_TOKEN" \
-	-F "cert=@$tmpdir/fullchain.pem" \
-	-F "key=@$tmpdir/privkey.pem" \
-	https://cert-upload.wiuwiu.de/
-
-# vim: ft=sh

roles/lego/tasks/hooks.yml

@@ -0,0 +1,14 @@
+---
+- name: Set hooks path
+  ansible.builtin.set_fact:
+    hooks_path: "{{ (service_path, 'hooks') | path_join }}"
+- name: Create hooks directory
+  ansible.builtin.file:
+    path: "{{ hooks_path }}"
+    state: directory
+    mode: "0755"
+- name: Copy the additional hooks
+  ansible.builtin.copy:
+    src: hooks/
+    dest: "{{ hooks_path }}"
+    mode: "0755"

roles/lego/tasks/lego.d.yml

@@ -1,16 +0,0 @@
----
-- name: Set lego.d path
-  ansible.builtin.set_fact:
-    lego_d_path: "{{ (service_path, 'lego.d') | path_join }}"
-- name: Create lego.d directory
-  ansible.builtin.file:
-    path: "{{ lego_d_path }}"
-    state: directory
-    mode: "0755"
-- name: Copy the additional lego scripts
-  ansible.builtin.copy:
-    src: "{{ item }}"
-    dest: "{{ lego_d_path }}"
-    mode: "0755"
-  with_fileglob:
-    - "{{ ansible_facts.hostname }}/*"

roles/lego/tasks/main.yml

@@ -20,8 +20,8 @@
 
     - name: Import tasks specific to the config directory
       ansible.builtin.import_tasks: config.yml
-    - name: Import tasks specific to lego.d
+    - name: Import tasks specific to hooks
-      ansible.builtin.import_tasks: lego.d.yml
+      ansible.builtin.import_tasks: hooks.yml
     - name: Import tasks specific to systemd
       ansible.builtin.import_tasks: systemd.yml
 
@@ -33,3 +33,12 @@
 
     - name: Import tasks create a service.env file
       ansible.builtin.import_tasks: tasks/steps/template-service-env.yml
+
+    - name: Run certificate-script for domains
+      ansible.builtin.command:
+        cmd: "./lego.sh {{ item }}"
+        chdir: "{{ service_path }}"
+      become: true
+      loop: "{{ lego_host_certificates }}"
+      register: cmd_result
+      changed_when: cmd_result.stderr | regex_search('Server responded with a certificate.')

roles/lego/tasks/systemd.yml

@@ -11,14 +11,30 @@
     dest: /etc/systemd/system/lego@.timer
     mode: "0644"
   become: true
+
+- name: Get all lego timers
+  ansible.builtin.shell:
+    cmd: "systemctl list-timers 'lego@*' --all --output=json | jq -r '.[].unit'"
+  register: systemd_timers_result
+  changed_when: false
+
+- name: Generate systemd timer names
+  ansible.builtin.set_fact:
+    lego_systemd_timers: "{{ lego_host_certificates | list_prefix_suffix('lego@', '.timer') }}"
+
+- name: Disable unused system timers
+  ansible.builtin.systemd_service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: false
+  loop: "{{ systemd_timers_result.stdout_lines | difference(lego_systemd_timers) }}"
+  become: true
+
 - name: Enable the system timers
   ansible.builtin.systemd_service:
-    name: lego@{{ item }}.timer
+    name: "{{ item }}"
     state: started
     enabled: true
     daemon_reload: true
-  loop:
+  loop: "{{ lego_systemd_timers }}"
-    - msrg.cc
-    - db.serguzim.me
-    - auth.serguzim.me
   become: true

roles/lego/vars/main.yml

@@ -1,4 +1,6 @@
 ---
+lego_host_certificates: "{{ all_services | my_service_attributes(inventory_hostname, 'certificates') }}"
+
 lego_svc:
   name: lego
 
@@ -10,7 +12,6 @@ lego_env:
   LEGO_PATH: /data
 
   CERTIFICATES_PATH: "{{ certificates_path }}"
-  WIUWIU_TOKEN: "{{ vault_wiuwiu_token }}"
 
 lego_compose:
   watchtower: false

services.auto.tfvars

@@ -26,6 +26,7 @@ services = {
       url = "/-/health/live/"
       group = "4-services"
     }
+    certificates = ["auth.serguzim.me"]
     auth = false
     database = true
     s3 = false
@@ -325,6 +326,7 @@ services = {
         "[CONNECTED] == true"
       ]
     }
+    certificates = ["db.serguzim.me"]
     auth = false
     database = false
     s3 = false

variables.tf

@@ -147,6 +147,7 @@ variable "services" {
       conditions = optional(list(string))
     }))
     ports = optional(list(string))
+    certificates = optional(list(string))
     auth = bool
     auth_cert = optional(string)
     auth_redirects = optional(list(string))