Add lego certificate service to ansible

roles/lego/files/hook.sh

@@ -0,0 +1,6 @@
+#!/usr/bin/env sh
+
+cp -f "$LEGO_CERT_PATH" /certificates
+cp -f "$LEGO_CERT_KEY_PATH" /certificates
+
+exit 33 # special exit code to signal that the certificate has been updated

roles/lego/files/lego.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/env sh
+
+domain="$1"
+action="${2:-renew}"
+
+docker compose run --rm app \
+	--domains "$domain" \
+	"$action" \
+	"--$action-hook" "/config/hook.sh"
+
+if [ "$?" = "33" ] && [ -x "./lego.d/$domain" ];
+then
+	echo "Running hook for $domain"
+	"./lego.d/$domain"
+fi

roles/lego/files/lego@.timer

@@ -0,0 +1,10 @@
+[Unit]
+Description=Renew certificates
+
+[Timer]
+Persistent=true
+OnCalendar=*-*-* 01:15:00
+RandomizedDelaySec=2h
+
+[Install]
+WantedBy=timers.target

roles/lego/files/node002/db.serguzim.me

@@ -0,0 +1,16 @@
+#!/usr/bin/env sh
+
+domain="db.serguzim.me"
+
+docker compose run --rm app "$1" "$domain"
+
+_install() {
+  install --owner=postgres --group=postgres --mode=600 \
+	  "/opt/services/_certificates/$domain.$1" \
+	  "/var/lib/postgresql/server.$1"
+}
+
+_install crt
+_install key
+
+sudo -u postgres pg_ctl -D /var/lib/postgres/data/ reload

roles/lego/files/node002/registry.serguzim.me

@@ -0,0 +1,17 @@
+#!/usr/bin/env sh
+
+domain="registry.serguzim.me"
+
+docker compose run --rm app "$1" "$domain"
+
+_install() {
+  install --owner=root --group=root --mode=600 \
+	  "/opt/services/_certificates/$domain.$1" \
+	  "/opt/services/harbor/server.$1"
+}
+
+_install crt
+_install key
+
+export HARBOR_BUNDLE_DIR=/opt/services/harbor
+$HARBOR_BUNDLE_DIR/data/install.sh