authorAaron LI <aly@aaronly.me>2019-10-03 18:04:34 +0800
committerAaron LI <aly@aaronly.me>2019-10-03 18:04:34 +0800
commit49069bb0f25594eec7a0d4c1c993afb73d8ce961 (patch)
treee10bd75e6343bf5029c036c6c8ea0cf3c93f773a
parentbeae95aa22d5b81544678d8b3ab0182b0e971087 (diff)
downloadansible-dfly-vps-49069bb0f25594eec7a0d4c1c993afb73d8ce961.tar.bz2
web: Employ monthly periodic task to renew certificates
-rw-r--r--roles/web/files/600.acme-sh27
-rw-r--r--roles/web/tasks/main.yml31
-rw-r--r--roles/web/templates/acme/renew.sh.j217
3 files changed, 59 insertions, 16 deletions
diff --git a/roles/web/files/600.acme-sh b/roles/web/files/600.acme-sh
new file mode 100644
index 0000000..fdf4cc4
--- /dev/null
+++ b/roles/web/files/600.acme-sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+#
+# Monthly task to renew and deploy acme certificates.
+
+if [ -r /etc/defaults/periodic.conf ]; then
+ . /etc/defaults/periodic.conf
+ source_periodic_confs
+fi
+
+export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin
+
+case "$monthly_acme_sh_enable" in
+ [Yy][Ee][Ss])
+ echo
+ echo "Checking Let's Encrypt certificates:"
+ if [ -x "$monthly_acme_sh_renewscript" ]; then
+ echo "Renewing certificates ..."
+ $monthly_acme_sh_renewscript
+ if [ -x "$monthly_acme_sh_deployscript" ]; then
+ echo "Deploying certificates ..."
+ $monthly_acme_sh_deployscript
+ fi
+ fi
+ ;;
+ *)
+ ;;
+esac
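Review bot: The deploy script is run regardless of whether the renew script succeeded, and the script's own exit status is always 0 because `esac` is its last statement, so a failed renewal is neither skipped nor surfaced to periodic(8), whose mail relies on the script's return code. Track a status variable the way other periodic scripts do, gate the deploy step on it, and `exit $rc` at the end (rewrite below); quoting the two script variables also keeps paths with spaces from word-splitting. Separately, periodic runs this as root and it executes whatever `$monthly_acme_sh_renewscript` and `$monthly_acme_sh_deployscript` point at under the acme home; if those files or that directory are writable by the unprivileged acme user (their ownership is not set anywhere visible in this commit), compromising that user yields root, so they should stay root-owned and not group/world writable.
```shell
rc=0
case "$monthly_acme_sh_enable" in
    [Yy][Ee][Ss])
        echo
        echo "Checking Let's Encrypt certificates:"
        if [ -x "$monthly_acme_sh_renewscript" ]; then
            echo "Renewing certificates ..."
            "$monthly_acme_sh_renewscript" || rc=3
            # only deploy when renewal itself succeeded
            if [ $rc -eq 0 ] && [ -x "$monthly_acme_sh_deployscript" ]; then
                echo "Deploying certificates ..."
                "$monthly_acme_sh_deployscript" || rc=3
            fi
        fi
        ;;
    *)
        ;;
esac
exit $rc
```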
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index 905c60e..d354b18 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -147,28 +147,27 @@
tags: acme
- name: acme.sh - generate renew script
- copy:
+ template:
+ src: acme/renew.sh.j2
dest: "{{ web.acme_home }}/renew.sh"
mode: 0755
- content: |
- acme.sh --cron
- sh {{ web.acme_home }}/deploy.sh
tags: acme
-- name: acme.sh - install cron job to renew (1)
- cron:
- user: acme
- name: MAILTO
- env: true
- job: root
+- name: acme.sh - set monthly task for cert renewal (1)
+ copy:
+ src: 600.acme-sh
+ dest: /etc/periodic/monthly/600.acme-sh
+ mode: 0755
tags: acme
-- name: acme.sh - install cron job to renew (2)
- cron:
- user: acme
- name: "acme.sh-renew"
- special_time: monthly
- job: "sh {{ web.acme_home }}/renew.sh"
+- name: acme.sh - set monthly task for cert renewal (2)
+ blockinfile:
+ path: /etc/periodic.conf
+ marker: '# {mark} ANSIBLE MANAGED - acme'
+ block: |
+ monthly_acme_sh_enable="YES"
+ monthly_acme_sh_renewscript="{{ web.acme_home }}/renew.sh"
+ monthly_acme_sh_deployscript="{{ web.acme_home }}/deploy.sh"
tags: acme
- block:
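Review bot: Both new file tasks — the `copy` of `600.acme-sh` and the `template` of `renew.sh` — set `mode: 0755` but no `owner`/`group`; since periodic executes both as root, `renew.sh` under `{{ web.acme_home }}` in particular should be pinned to root so the acme user cannot edit a script root runs, i.e. add `owner: root` and `group: wheel` and write the mode as `mode: "0755"` so YAML does not read the octal literal as an integer (the form Ansible documents). The `blockinfile` task will fail with "path does not exist" if `/etc/periodic.conf` is absent, which is the default state on a fresh BSD install where only `/etc/defaults/periodic.conf` ships, unless `create: true` is added; it is not visible whether another task creates the file first. The task that generates `deploy.sh` lies outside this hunk, so its ownership could not be checked here.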
diff --git a/roles/web/templates/acme/renew.sh.j2 b/roles/web/templates/acme/renew.sh.j2
new file mode 100644
index 0000000..33d5879
--- /dev/null
+++ b/roles/web/templates/acme/renew.sh.j2
@@ -0,0 +1,17 @@
+#!/bin/sh
+#
+# Renew 'acme.sh' issued certificates.
+#
+# Aaron LI
+# 2019-10-03
+#
+
+[ $(id -u) -eq 0 ] || {
+ echo "ERROR: must be run by root!"
+ exit 1
+}
+
+su - acme \
+ -c "acme.sh --cron --log /var/log/acme.sh.log \
+ --config-home {{ web.acme_home }}/.acme.sh \
+ --cert-home {{ web.acme_home }}/certs"
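Review bot: `acme.sh --cron ... --log /var/log/acme.sh.log` is executed as the unprivileged `acme` user, but `/var/log` is normally writable only by root, so unless `/var/log/acme.sh.log` is pre-created and owned by acme (no such task is visible in this commit) the log will not be written and, depending on acme.sh's handling, the run may fail outright. Provision it in the role, e.g. `file: path=/var/log/acme.sh.log state=touch owner=acme group=acme mode=0640 modification_time=preserve access_time=preserve`, or drop `--log` and rely on the periodic mail that already captures stdout. The `su -` login shell is presumably what puts `acme.sh` on PATH for the acme user; a one-line comment stating that, `# su - : run from acme's login env so acme.sh is on PATH`, would save the next maintainer from "simplifying" it to plain `su`.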