From 4e4575924b61d26c9e3e0d0770fc2908ac192f7f Mon Sep 17 00:00:00 2001
From: Aaron LI <aly@aaronly.me>
Date: Wed, 14 Mar 2018 17:16:55 +0800
Subject: web/acme: refactor certificates deployment

---
 roles/mail/files/acme/dovecot       |  6 +++++
 roles/mail/files/acme/postfix       |  6 +++++
 roles/mail/tasks/main.yml           |  8 +++++++
 roles/web/files/acme/acme-client.sh | 12 ++++++----
 roles/web/files/acme/deploy.d/nginx |  6 +++++
 roles/web/files/acme/deploy.sh      | 45 ++++++++++++++++++++++++++++---------
 roles/web/tasks/main.yml            |  7 ++++++
 7 files changed, 76 insertions(+), 14 deletions(-)
 create mode 100644 roles/mail/files/acme/dovecot
 create mode 100644 roles/mail/files/acme/postfix
 create mode 100644 roles/web/files/acme/deploy.d/nginx

(limited to 'roles')

diff --git a/roles/mail/files/acme/dovecot b/roles/mail/files/acme/dovecot
new file mode 100644
index 0000000..367ec0b
--- /dev/null
+++ b/roles/mail/files/acme/dovecot
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload dovecot
diff --git a/roles/mail/files/acme/postfix b/roles/mail/files/acme/postfix
new file mode 100644
index 0000000..c3cc92d
--- /dev/null
+++ b/roles/mail/files/acme/postfix
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload postfix
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 968dd2b..c243a36 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -189,3 +189,11 @@
 
 - name: postfix - start service
   command: rcstart postfix
+
+- name: acme - copy deployment scripts
+  copy:
+    src: "{{ item }}"
+    dest: /usr/local/etc/acme/deploy.d/{{ item | basename }}
+  with_fileglob:
+    - "acme/*"
+  tags: acme
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
@@ -9,12 +9,16 @@
 #     $ ./acme-client.sh
 # which can be called by periodic(8).
 #
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+#     weekly_acme_client_enable="YES"
+#     weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+#     weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
 #
 # Output files:
-#   * .../etc/acme/privkey.pem : account private key
-#   * .../etc/ssl/acme/private/<domain>.pem : domain private key
+#   * etc/acme/privkey.pem : account private key
+#   * etc/ssl/acme/private/<domain>.pem : domain private key
+#   * etc/ssl/acme/<domain>/fullchain.pem : domain certificate
 #
 # XXX/TODO:
 #   * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
@@ -1,22 +1,47 @@
 #!/bin/sh -e
 #
-# Restart the services after renewing the certificate(s) to deploy the
-# changed certificate(s).
-#
-# This script will be weekly executed.  See "/etc/periodic.conf".
+# Deploy the renewed certificate(s) to services.
 #
 # Aaron LI
 #
 
-# Services to be restarted after ACME certificate update
-SERVICES="nginx dovecot postfix"
+reload() {
+    local srv="$1"
+    local rv=0
+    if service ${srv} status >/dev/null 2>&1; then
+        echo "Reloading service ${srv} ..."
+        service ${srv} reload
+        echo "ok"
+    else
+        echo "WARNING: service ${srv} is not running" >&2
+        rv=1
+    fi
+    return ${rv}
+}
+
 
-printf "-------------------------------------------------------------\n"
-for srv in ${SERVICES}; do
+restart() {
+    local srv="$1"
+    local rv=0
     if service ${srv} status >/dev/null 2>&1; then
-        echo "ACME deploy: restarting ${srv} ..."
+        echo "Restarting service ${srv} ..."
         service ${srv} restart
+        echo "ok"
     else
-        echo "ACME deploy: service ${srv} not running"
+        echo "WARNING: service ${srv} is not running" >&2
+        rv=1
+    fi
+    return ${rv}
+}
+
+
+echo "============================================================="
+dir="${0%/*}"
+rv=0
+for f in ${dir}/deploy.d/*; do
+    if [ -f "${f}" ]; then
+        echo "Deploying [${f##*/}] ..."
+        . "${f}" || rv=$?
     fi
 done
+exit ${rv}
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index d554db1..b45e0ec 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -71,6 +71,13 @@
     mode: 0755
   with_fileglob:
     - "acme/*.sh"
+  tags: acme
+
+- name: acme - copy deployment scripts
+  copy:
+    src: acme/deploy.d/  # note the trailing '/'
+    dest: /usr/local/etc/acme/deploy.d/
+  tags: acme
 
 - name: (local) acme - check account private key existence
   become: false
-- 
cgit v1.2.2