authorAaron LI <aly@aaronly.me>2018-03-14 17:16:55 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 17:16:55 +0800
commit4e4575924b61d26c9e3e0d0770fc2908ac192f7f (patch)
tree93c5440d8550dca216398c68f0d437254d6574b5 /roles/web/files/acme
parent126ad0728f1029e49e7eb5071d2a0788b239e64f (diff)
downloadansible-dfly-vps-4e4575924b61d26c9e3e0d0770fc2908ac192f7f.tar.bz2
web/acme: refactor certificates deployment
Diffstat (limited to 'roles/web/files/acme')
-rwxr-xr-xroles/web/files/acme/acme-client.sh12
-rw-r--r--roles/web/files/acme/deploy.d/nginx6
-rwxr-xr-xroles/web/files/acme/deploy.sh45
3 files changed, 49 insertions, 14 deletions
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
@@ -9,12 +9,16 @@
# $ ./acme-client.sh
# which can be called by periodic(8).
#
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+# weekly_acme_client_enable="YES"
+# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
#
# Output files:
-# * .../etc/acme/privkey.pem : account private key
-# * .../etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/acme/privkey.pem : account private key
+# * etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
#
# XXX/TODO:
# * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
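Review bot: The `#!/bin/sh` shebang on the first line is misleading, because this file is sourced by deploy.sh (`. "${f}"`) rather than executed, and `reload` on the last line is a shell function that exists only in deploy.sh — run on its own this file would fail with `reload: not found`. The 100644 mode already matches the sourcing model, so the shebang should give way to a comment stating the contract, e.g. `# Sourced by deploy.sh after certificate renewal; uses its reload()/restart() helpers. Not meant to be executed directly.` That also tells a future author of a second hook that it must not call `exit`, since that would terminate deploy.sh itself.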
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
@@ -1,22 +1,47 @@
#!/bin/sh -e
#
-# Restart the services after renewing the certificate(s) to deploy the
-# changed certificate(s).
-#
-# This script will be weekly executed. See "/etc/periodic.conf".
+# Deploy the renewed certificate(s) to services.
#
# Aaron LI
#
-# Services to be restarted after ACME certificate update
-SERVICES="nginx dovecot postfix"
+reload() {
+ local srv="$1"
+ local rv=0
+ if service ${srv} status >/dev/null 2>&1; then
+ echo "Reloading service ${srv} ..."
+ service ${srv} reload
+ echo "ok"
+ else
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
-printf "-------------------------------------------------------------\n"
-for srv in ${SERVICES}; do
+restart() {
+ local srv="$1"
+ local rv=0
if service ${srv} status >/dev/null 2>&1; then
- echo "ACME deploy: restarting ${srv} ..."
+ echo "Restarting service ${srv} ..."
service ${srv} restart
+ echo "ok"
else
- echo "ACME deploy: service ${srv} not running"
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
+
+echo "============================================================="
+dir="${0%/*}"
+rv=0
+for f in ${dir}/deploy.d/*; do
+ if [ -f "${f}" ]; then
+ echo "Deploying [${f##*/}] ..."
+ . "${f}" || rv=$?
fi
done
+exit ${rv}
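Review bot: `dir` is expanded unquoted in `for f in ${dir}/deploy.d/*`, so a script path containing whitespace breaks the loop; write `for f in "${dir}"/deploy.d/*; do`. Because each hook is sourced into the running shell instead of executed, a hook that calls `exit` ends the whole run before the remaining hooks are reached, a hook's own variables can clobber `dir`, `f` and `rv`, and `|| rv=$?` records only the status of the hook's last command since `-e` is suppressed inside the `||` list. Every regular file in deploy.d runs with the privileges of whoever runs deploy.sh (periodic, presumably root), so the directory and its files need to be root-owned and not group/world-writable; a comment such as `# Each regular file in deploy.d is sourced (not executed) with this script's privileges; keep the directory root-owned and not writable by others.` would make that expectation explicit. `dir="${0%/*}"` also leaves `$0` unchanged when the script is invoked by a bare name, although the periodic configuration documented in acme-client.sh uses an absolute path.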