diff options
author | Aaron LI <aly@aaronly.me> | 2019-10-03 18:04:34 +0800 |
---|---|---|
committer | Aaron LI <aly@aaronly.me> | 2019-10-03 18:04:34 +0800 |
commit | 49069bb0f25594eec7a0d4c1c993afb73d8ce961 (patch) | |
tree | e10bd75e6343bf5029c036c6c8ea0cf3c93f773a | |
parent | beae95aa22d5b81544678d8b3ab0182b0e971087 (diff) | |
download | ansible-dfly-vps-49069bb0f25594eec7a0d4c1c993afb73d8ce961.tar.bz2 |
web: Employ monthly periodic task to renew certificates
-rw-r--r-- | roles/web/files/600.acme-sh | 27 | ||||
-rw-r--r-- | roles/web/tasks/main.yml | 31 | ||||
-rw-r--r-- | roles/web/templates/acme/renew.sh.j2 | 17 |
3 files changed, 59 insertions, 16 deletions
diff --git a/roles/web/files/600.acme-sh b/roles/web/files/600.acme-sh new file mode 100644 index 0000000..fdf4cc4 --- /dev/null +++ b/roles/web/files/600.acme-sh @@ -0,0 +1,27 @@ +#!/bin/sh +# +# Monthly task to renew and deploy acme certificates. + +if [ -r /etc/defaults/periodic.conf ]; then + . /etc/defaults/periodic.conf + source_periodic_confs +fi + +export PATH=/sbin:/bin:/usr/sbin:/usr/bin:/usr/local/sbin:/usr/local/bin + +case "$monthly_acme_sh_enable" in + [Yy][Ee][Ss]) + echo + echo "Checking Let's Encrypt certificates:" + if [ -x "$monthly_acme_sh_renewscript" ]; then + echo "Renewing certificates ..." + $monthly_acme_sh_renewscript + if [ -x "$monthly_acme_sh_deployscript" ]; then + echo "Deploying certificates ..." + $monthly_acme_sh_deployscript + fi + fi + ;; + *) + ;; +esac diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml index 905c60e..d354b18 100644 --- a/roles/web/tasks/main.yml +++ b/roles/web/tasks/main.yml @@ -147,28 +147,27 @@ tags: acme - name: acme.sh - generate renew script - copy: + template: + src: acme/renew.sh.j2 dest: "{{ web.acme_home }}/renew.sh" mode: 0755 - content: | - acme.sh --cron - sh {{ web.acme_home }}/deploy.sh tags: acme -- name: acme.sh - install cron job to renew (1) - cron: - user: acme - name: MAILTO - env: true - job: root +- name: acme.sh - set monthly task for cert renewal (1) + copy: + src: 600.acme-sh + dest: /etc/periodic/monthly/600.acme-sh + mode: 0755 tags: acme -- name: acme.sh - install cron job to renew (2) - cron: - user: acme - name: "acme.sh-renew" - special_time: monthly - job: "sh {{ web.acme_home }}/renew.sh" +- name: acme.sh - set monthly task for cert renewal (2) + blockinfile: + path: /etc/periodic.conf + marker: '# {mark} ANSIBLE MANAGED - acme' + block: | + monthly_acme_sh_enable="YES" + monthly_acme_sh_renewscript="{{ web.acme_home }}/renew.sh" + monthly_acme_sh_deployscript="{{ web.acme_home }}/deploy.sh" tags: acme - block: diff --git a/roles/web/templates/acme/renew.sh.j2 b/roles/web/templates/acme/renew.sh.j2 new file mode 100644 index 0000000..33d5879 --- /dev/null +++ b/roles/web/templates/acme/renew.sh.j2 @@ -0,0 +1,17 @@ +#!/bin/sh +# +# Renew 'acme.sh' issued certificates. +# +# Aaron LI +# 2019-10-03 +# + +[ $(id -u) -eq 0 ] || { + echo "ERROR: must be run by root!" + exit 1 +} + +su - acme \ + -c "acme.sh --cron --log /var/log/acme.sh.log \ + --config-home {{ web.acme_home }}/.acme.sh \ + --cert-home {{ web.acme_home }}/certs" |