authorAaron LI <aly@aaronly.me>2018-03-14 17:16:55 +0800
committerAaron LI <aly@aaronly.me>2018-03-14 17:16:55 +0800
commit4e4575924b61d26c9e3e0d0770fc2908ac192f7f (patch)
tree93c5440d8550dca216398c68f0d437254d6574b5 /roles
parent126ad0728f1029e49e7eb5071d2a0788b239e64f (diff)
downloadansible-dfly-vps-4e4575924b61d26c9e3e0d0770fc2908ac192f7f.tar.bz2
web/acme: refactor certificates deployment
Diffstat (limited to 'roles')
-rw-r--r--roles/mail/files/acme/dovecot6
-rw-r--r--roles/mail/files/acme/postfix6
-rw-r--r--roles/mail/tasks/main.yml8
-rwxr-xr-xroles/web/files/acme/acme-client.sh12
-rw-r--r--roles/web/files/acme/deploy.d/nginx6
-rwxr-xr-xroles/web/files/acme/deploy.sh45
-rw-r--r--roles/web/tasks/main.yml7
7 files changed, 76 insertions, 14 deletions
diff --git a/roles/mail/files/acme/dovecot b/roles/mail/files/acme/dovecot
new file mode 100644
index 0000000..367ec0b
--- /dev/null
+++ b/roles/mail/files/acme/dovecot
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload dovecot
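Review bot: The `#!/bin/sh` shebang is inert here: deploy.sh sources this file with `.` rather than executing it (the file is also installed as mode 0644), and `reload` is the helper function defined in deploy.sh, not a command on PATH, so the file would fail if run on its own; the postfix and nginx scripts in this commit share the same header. A header stating that contract would be clearer, e.g. `# Sourced by acme/deploy.sh (not executed); uses its reload()/restart() helpers.`.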
diff --git a/roles/mail/files/acme/postfix b/roles/mail/files/acme/postfix
new file mode 100644
index 0000000..c3cc92d
--- /dev/null
+++ b/roles/mail/files/acme/postfix
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload postfix
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 968dd2b..c243a36 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -189,3 +189,11 @@
- name: postfix - start service
command: rcstart postfix
+
+- name: acme - copy deployment scripts
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/etc/acme/deploy.d/{{ item | basename }}
+ with_fileglob:
+ - "acme/*"
+ tags: acme
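Review bot: The copy task sets no `owner`, `group` or `mode`, yet the files it installs under /usr/local/etc/acme/deploy.d/ are sourced by deploy.sh with whatever privileges the periodic job runs under, so their ownership and permissions decide who can put commands into that run; the deploy.d copy in roles/web/tasks/main.yml has the same gap. Pin them explicitly, e.g. `owner: root`, `group: wheel`, `mode: 0644`, and make sure the deploy.d directory itself is root-owned and not group- or world-writable. As far as I know Ansible's copy module does not create a missing parent directory of `dest`; the web role's copy of `acme/deploy.d/` would create it, but if the mail role runs first this task presumably fails, so a `file: state: directory` task for /usr/local/etc/acme/deploy.d before it would remove the ordering dependency.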
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
@@ -9,12 +9,16 @@
# $ ./acme-client.sh
# which can be called by periodic(8).
#
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+# weekly_acme_client_enable="YES"
+# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
#
# Output files:
-# * .../etc/acme/privkey.pem : account private key
-# * .../etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/acme/privkey.pem : account private key
+# * etc/ssl/acme/private/<domain>.pem : domain private key
+# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
#
# XXX/TODO:
# * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
@@ -1,22 +1,47 @@
#!/bin/sh -e
#
-# Restart the services after renewing the certificate(s) to deploy the
-# changed certificate(s).
-#
-# This script will be weekly executed. See "/etc/periodic.conf".
+# Deploy the renewed certificate(s) to services.
#
# Aaron LI
#
-# Services to be restarted after ACME certificate update
-SERVICES="nginx dovecot postfix"
+reload() {
+ local srv="$1"
+ local rv=0
+ if service ${srv} status >/dev/null 2>&1; then
+ echo "Reloading service ${srv} ..."
+ service ${srv} reload
+ echo "ok"
+ else
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
-printf "-------------------------------------------------------------\n"
-for srv in ${SERVICES}; do
+restart() {
+ local srv="$1"
+ local rv=0
if service ${srv} status >/dev/null 2>&1; then
- echo "ACME deploy: restarting ${srv} ..."
+ echo "Restarting service ${srv} ..."
service ${srv} restart
+ echo "ok"
else
- echo "ACME deploy: service ${srv} not running"
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
+
+echo "============================================================="
+dir="${0%/*}"
+rv=0
+for f in ${dir}/deploy.d/*; do
+ if [ -f "${f}" ]; then
+ echo "Deploying [${f##*/}] ..."
+ . "${f}" || rv=$?
fi
done
+exit ${rv}
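Review bot: `reload()` prints "ok" and returns 0 even when `service ${srv} reload` fails, because the deploy.d scripts are sourced inside `. "${f}" || rv=$?`, an AND-OR list in which `sh -e` is ignored, so the failed command does not abort the function; `restart()` has the same gap with `service ${srv} restart`. Capture the status explicitly, e.g. `service ${srv} reload || rv=$?` followed by `[ ${rv} -eq 0 ] && echo "ok"`, so a failed reload reaches the final `exit ${rv}`. Because the sourced files run in this shell, a deploy.d script that assigns `rv`, `dir` or `f` would also disturb the loop; a comment above it such as `# deploy.d/* are sourced here: they may call reload/restart but must not set dir, f or rv` would make that dependency visible. `dir="${0%/*}"` leaves `$0` unchanged when the script is invoked without a directory component, so the glob then looks under `deploy.sh/deploy.d/`; the documented periodic invocation uses a full path and is unaffected, but `dir=$(dirname "$0")` would cover both cases.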
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index d554db1..b45e0ec 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -71,6 +71,13 @@
mode: 0755
with_fileglob:
- "acme/*.sh"
+ tags: acme
+
+- name: acme - copy deployment scripts
+ copy:
+ src: acme/deploy.d/ # note the trailing '/'
+ dest: /usr/local/etc/acme/deploy.d/
+ tags: acme
- name: (local) acme - check account private key existence
become: false