Diffstat (limited to 'roles/web')
-rwxr-xr-x | roles/web/files/acme/acme-client.sh | 118 | ||||
-rw-r--r-- | roles/web/files/acme/deploy.d/nginx | 6 | ||||
-rwxr-xr-x | roles/web/files/acme/deploy.sh | 47 | ||||
-rw-r--r-- | roles/web/handlers/main.yml | 3 | ||||
-rw-r--r-- | roles/web/tasks/acme-domainkey.yml | 21 | ||||
-rw-r--r-- | roles/web/templates/domains.txt.j2 | 4 |
6 files changed, 0 insertions, 199 deletions
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
deleted file mode 100755
index a8be701..0000000
--- a/roles/web/files/acme/acme-client.sh
+++ /dev/null
@@ -1,118 +0,0 @@
-#!/bin/sh
-#
-# This script can be both used to request/obtain new certificate(s) from
-# Let's Encrypt through ACME challenges:
-# $ ./acme-client.sh -n -N
-# to expand the domains listed in the certificate:
-# $ ./acme-client.sh -e
-# and be used to renew the obtained certificate(s) (default action):
-# $ ./acme-client.sh
-# which can be called by periodic(8).
-#
-# This script will be weekly executed in order to renew the certificate(s)
-# by adding such configurations to "/etc/periodic.conf":
-# weekly_acme_client_enable="YES"
-# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
-# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
-#
-# Output files:
-# * etc/acme/privkey.pem : account private key
-# * etc/ssl/acme/private/<domain>.pem : domain private key
-# * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
-#
-# XXX/TODO:
-# * How to remove/revoke a SAN from the certificate?
-#
-#
-# Aaron LI
-# 2017-04-19
-#
-
-umask 027
-
-BASEDIR="/usr/local/etc/acme"
-SSLDIR="/usr/local/etc/ssl/acme"
-DOMAINSFILE="${BASEDIR}/domains.txt"
-CHALLENGEDIR="/usr/local/www/acme/.well-known/acme-challenge"
-# Default to show verbose information
-VERBOSE="true"
-# Additional arguments for "acme-client"
-ARGS=""
-
-
-usage() {
- cat << _EOF_
-usage:
-`basename $0` [-h] [-efLnNv] [-d domains.txt]
-
- -e : allow expanding the domains listed in the certificate
- -f : force updating the certificate signature even if its too soon
- -n : create a new 4096-bit RSA account key if one does not already exist
- -N : create a new 4096-bit RSA domain key if one does not already exist
- -q : be quiet (default to show verbose information)
-
- -d domains.txt : text file with one domain and its sub-domains per line
- (default: ${DOMAINSFILE})
-_EOF_
-}
-
-
-while getopts "efhnNqd:" opt; do
- case "$opt" in
- h)
- usage
- exit 1
- ;;
- e)
- ARGS="${ARGS} -e"
- ;;
- f)
- ARGS="${ARGS} -F"
- ;;
- n)
- ARGS="${ARGS} -n"
- ;;
- N)
- ARGS="${ARGS} -N"
- ;;
- q)
- VERBOSE="false"
- ;;
- d)
- DOMAINSFILE="${OPTARG}"
- ;;
- [?])
- usage
- exit 2
- ;;
- esac
-done
-
-if [ "${VERBOSE}" = "true" ]; then
- ARGS="${ARGS} -v"
-fi
-
-[ ! -d "${CHALLENGEDIR}" ] && mkdir -pv ${CHALLENGEDIR}
-[ ! -d "${SSLDIR}/private" ] && mkdir -pvm700 "${SSLDIR}/private"
-
-printf "\n=== $(date) ===\n=== CMD: $0 $* ===\n"
-
-grep -v '^\s*#' "${DOMAINSFILE}" | while read domain line; do
- printf "-------------------------------------------------------------\n"
- printf "[${domain}] ${line}\n"
- printf "-------------------------------------------------------------\n"
- CERTSDIR="${SSLDIR}/${domain}"
- [ ! -d "${CERTSDIR}" ] && mkdir -pm755 "${CERTSDIR}"
- set +e # RC=2 when time to expire > 30 days
- acme-client -b -C "${CHALLENGEDIR}" \
- -k "${SSLDIR}/private/${domain}.pem" \
- -c "${CERTSDIR}" \
- ${ARGS} \
- ${domain} ${line}
- RC=$?
- set -e
- [ $RC -ne 0 -a $RC -ne 2 ] && exit $RC
-done
-
-printf "-------------------------------------------------------------\n"
-exit 0
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
deleted file mode 100644
index 17b571d..0000000
--- a/roles/web/files/acme/deploy.d/nginx
+++ /dev/null
@@ -1,6 +0,0 @@
-#!/bin/sh
-#
-# ACME deployment script
-#
-
-reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
deleted file mode 100755
index 7464d02..0000000
--- a/roles/web/files/acme/deploy.sh
+++ /dev/null
@@ -1,47 +0,0 @@
-#!/bin/sh -e
-#
-# Deploy the renewed certificate(s) to services.
-#
-# Aaron LI
-#
-
-reload() {
- local srv="$1"
- local rv=0
- if service ${srv} status >/dev/null 2>&1; then
- echo "Reloading service ${srv} ..."
- service ${srv} reload
- echo "ok"
- else
- echo "WARNING: service ${srv} is not running" >&2
- rv=1
- fi
- return ${rv}
-}
-
-
-restart() {
- local srv="$1"
- local rv=0
- if service ${srv} status >/dev/null 2>&1; then
- echo "Restarting service ${srv} ..."
- service ${srv} restart
- echo "ok"
- else
- echo "WARNING: service ${srv} is not running" >&2
- rv=1
- fi
- return ${rv}
-}
-
-
-echo "============================================================="
-dir="${0%/*}"
-rv=0
-for f in ${dir}/deploy.d/*; do
- if [ -f "${f}" ]; then
- echo "Deploying [${f##*/}] ..."
- . "${f}" || rv=$?
- fi
-done
-exit ${rv}
diff --git a/roles/web/handlers/main.yml b/roles/web/handlers/main.yml
index 7772422..765d2c1 100644
--- a/roles/web/handlers/main.yml
+++ b/roles/web/handlers/main.yml
@@ -1,6 +1,3 @@
 ---
 - name: reload-nginx
 command: rcreload nginx
-
-- name: deploy-acme
- command: sh /usr/local/etc/acme/deploy.sh
diff --git a/roles/web/tasks/acme-domainkey.yml b/roles/web/tasks/acme-domainkey.yml
deleted file mode 100644
index ac409c2..0000000
--- a/roles/web/tasks/acme-domainkey.yml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-- name: (local) acme - check domain private key existence
- become: false
- stat:
- path: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
- delegate_to: localhost
- register: stat_result
-
-- name: (local) acme - generate domain private key (4096 bit)
- become: false
- command: >
- openssl genrsa
- -out "{{ playbook_dir }}/private/acme/{{ domain }}.pem" 4096
- delegate_to: localhost
- when: not stat_result.stat.exists
-
-- name: acme - copy domain private key
- copy:
- src: "{{ playbook_dir }}/private/acme/{{ domain }}.pem"
- dest: /usr/local/etc/ssl/acme/private/{{ domain }}.pem
- mode: 0400
diff --git a/roles/web/templates/domains.txt.j2 b/roles/web/templates/domains.txt.j2
deleted file mode 100644
index dd59388..0000000
--- a/roles/web/templates/domains.txt.j2
+++ /dev/null
@@ -1,4 +0,0 @@
-{% for domain in domains %}
-{{ domain.name }} {% for sub in domain.sub %} {{ sub }}.{{ domain.name }}{% endfor %}
-
-{% endfor %} |