From 4e4575924b61d26c9e3e0d0770fc2908ac192f7f Mon Sep 17 00:00:00 2001
From: Aaron LI
Date: Wed, 14 Mar 2018 17:16:55 +0800
Subject: web/acme: refactor certificates deployment
---
 roles/mail/files/acme/dovecot | 6 +++++
 roles/mail/files/acme/postfix | 6 +++++
 roles/mail/tasks/main.yml | 8 +++++++
 roles/web/files/acme/acme-client.sh | 12 ++++++----
 roles/web/files/acme/deploy.d/nginx | 6 +++++
 roles/web/files/acme/deploy.sh | 45 ++++++++++++++++++++++++++++---------
 roles/web/tasks/main.yml | 7 ++++++
 7 files changed, 76 insertions(+), 14 deletions(-)
 create mode 100644 roles/mail/files/acme/dovecot
 create mode 100644 roles/mail/files/acme/postfix
 create mode 100644 roles/web/files/acme/deploy.d/nginx
(limited to 'roles')
diff --git a/roles/mail/files/acme/dovecot b/roles/mail/files/acme/dovecot
new file mode 100644
index 0000000..367ec0b
--- /dev/null
+++ b/roles/mail/files/acme/dovecot
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload dovecot
diff --git a/roles/mail/files/acme/postfix b/roles/mail/files/acme/postfix
new file mode 100644
index 0000000..c3cc92d
--- /dev/null
+++ b/roles/mail/files/acme/postfix
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload postfix
diff --git a/roles/mail/tasks/main.yml b/roles/mail/tasks/main.yml
index 968dd2b..c243a36 100644
--- a/roles/mail/tasks/main.yml
+++ b/roles/mail/tasks/main.yml
@@ -189,3 +189,11 @@
 - name: postfix - start service
 command: rcstart postfix
+
+- name: acme - copy deployment scripts
+ copy:
+ src: "{{ item }}"
+ dest: /usr/local/etc/acme/deploy.d/{{ item | basename }}
+ with_fileglob:
+ - "acme/*"
+ tags: acme
diff --git a/roles/web/files/acme/acme-client.sh b/roles/web/files/acme/acme-client.sh
index 20e1106..d929cbb 100755
--- a/roles/web/files/acme/acme-client.sh
+++ b/roles/web/files/acme/acme-client.sh
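Review bot: `reload dovecot` on the last line resolves only because deploy.sh sources this file with `. "${f}"` after defining `reload`; run on its own, as the `#!/bin/sh` shebang invites, it dies with `reload: not found`. I'd say so in the header: `# Sourced (not executed) by deploy.sh as root; 'reload'/'restart' are defined there.` Note also that deploy.sh is shipped by the web role while this hook is shipped by the mail role, so a host that receives only the mail role ends up with a hook nothing ever runs — presumably both roles target one machine, but that is not visible here.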
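Review bot: The copy task sets no `owner`, `group` or `mode` on what it drops into /usr/local/etc/acme/deploy.d/, yet every file there is later sourced as root by deploy.sh, so the directory and the hooks need to be root-owned and not group- or world-writable. I'd add `owner: root`, `group: wheel` and `mode: 0644` to the task, preceded by a `file:` task with `state: directory` and `mode: 0755` so the directory exists with known permissions (whether the copy module creates the missing parent on this Ansible version is not visible here). `with_fileglob: "acme/*"` also ships every file under roles/mail/files/acme/, so a stray backup or scratch file in that directory becomes a root-executed hook; listing the hooks explicitly or narrowing the glob would close that.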
@@ -9,12 +9,16 @@
 # $ ./acme-client.sh
 # which can be called by periodic(8).
 #
-# This script will be weekly executed in order to renew the certificate(s).
-# See "/etc/periodic.conf".
+# This script will be weekly executed in order to renew the certificate(s)
+# by adding such configurations to "/etc/periodic.conf":
+# weekly_acme_client_enable="YES"
+# weekly_acme_client_renewscript="/usr/local/etc/acme/acme-client.sh"
+# weekly_acme_client_deployscript="/usr/local/etc/acme/deploy.sh"
 #
 # Output files:
-# * .../etc/acme/privkey.pem : account private key
-# * .../etc/ssl/acme/private/.pem : domain private key
+# * etc/acme/privkey.pem : account private key
+# * etc/ssl/acme/private/.pem : domain private key
+# * etc/ssl/acme//fullchain.pem : domain certificate
 #
 # XXX/TODO:
 # * How to remove/revoke a SAN from the certificate?
diff --git a/roles/web/files/acme/deploy.d/nginx b/roles/web/files/acme/deploy.d/nginx
new file mode 100644
index 0000000..17b571d
--- /dev/null
+++ b/roles/web/files/acme/deploy.d/nginx
@@ -0,0 +1,6 @@
+#!/bin/sh
+#
+# ACME deployment script
+#
+
+reload nginx
diff --git a/roles/web/files/acme/deploy.sh b/roles/web/files/acme/deploy.sh
index 5e5ad4d..7464d02 100755
--- a/roles/web/files/acme/deploy.sh
+++ b/roles/web/files/acme/deploy.sh
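Review bot: The new "Output files" lines read `etc/ssl/acme/private/.pem` and `etc/ssl/acme//fullchain.pem`, so the per-domain placeholder (and the prefix one) appears to be missing — possibly stripped by the page rendering, but if the file itself reads this way the comment no longer says which path component is the domain; I'd write them as `#   * PREFIX/etc/ssl/acme/private/DOMAIN.pem : domain private key` and `#   * PREFIX/etc/ssl/acme/DOMAIN/fullchain.pem : domain certificate`. Since deployment now runs hooks from deploy.d/, a line such as `# Per-service deploy hooks live in deploy.d/ (see deploy.sh).` next to the periodic.conf snippet would complete the picture. This hunk is comment-only; the script body lies outside it.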
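Review bot: This hook is sourced by deploy.sh (`. "${f}"`) rather than executed, so the shebang is decorative, `reload` is deploy.sh's function, and an `exit` added here later would terminate deploy.sh itself and skip the remaining hooks; a header comment such as `# Sourced by deploy.sh as root (not executed); 'reload'/'restart' are defined there. Use 'return', never 'exit'.` would prevent that. deploy.sh records only the status of the last command in the file (`. "${f}" || rv=$?`), so a hook that ever grows beyond one command should `return` its own status explicitly.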
@@ -1,22 +1,47 @@
 #!/bin/sh -e
 #
-# Restart the services after renewing the certificate(s) to deploy the
-# changed certificate(s).
-#
-# This script will be weekly executed. See "/etc/periodic.conf".
+# Deploy the renewed certificate(s) to services.
 #
 # Aaron LI
 #
-# Services to be restarted after ACME certificate update
-SERVICES="nginx dovecot postfix"
+reload() {
+ local srv="$1"
+ local rv=0
+ if service ${srv} status >/dev/null 2>&1; then
+ echo "Reloading service ${srv} ..."
+ service ${srv} reload
+ echo "ok"
+ else
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
-printf "-------------------------------------------------------------\n"
-for srv in ${SERVICES}; do
+restart() {
+ local srv="$1"
+ local rv=0
 if service ${srv} status >/dev/null 2>&1; then
- echo "ACME deploy: restarting ${srv} ..."
+ echo "Restarting service ${srv} ..."
 service ${srv} restart
+ echo "ok"
 else
- echo "ACME deploy: service ${srv} not running"
+ echo "WARNING: service ${srv} is not running" >&2
+ rv=1
+ fi
+ return ${rv}
+}
+
+
+echo "============================================================="
+dir="${0%/*}"
+rv=0
+for f in ${dir}/deploy.d/*; do
+ if [ -f "${f}" ]; then
+ echo "Deploying [${f##*/}] ..."
+ . "${f}" || rv=$?
 fi
 done
+exit ${rv}
diff --git a/roles/web/tasks/main.yml b/roles/web/tasks/main.yml
index d554db1..b45e0ec 100644
--- a/roles/web/tasks/main.yml
+++ b/roles/web/tasks/main.yml
@@ -71,6 +71,13 @@
 mode: 0755
 with_fileglob:
 - "acme/*.sh"
+ tags: acme
+
+- name: acme - copy deployment scripts
+ copy:
+ src: acme/deploy.d/ # note the trailing '/'
+ dest: /usr/local/etc/acme/deploy.d/
+ tags: acme
 - name: (local) acme - check account private key existence
 become: false
-- 
cgit v1.2.2
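Review bot: The loop at the end sources every regular file in deploy.d/ as root (`. "${f}"`) with no filter on the name and no check of ownership, so an editor backup such as `nginx~` or `nginx.orig`, or any file someone with write access to that directory drops there, runs with root privileges on the next weekly run; the Ansible tasks that populate the directory pin neither owner nor mode. I'd skip the usual backup suffixes and require the file to be owned by the invoking user (`[ -O "${f}" ]`), and have provisioning pin the directory to root:wheel 0755, since `-O` does not catch a group- or world-writable file. Two smaller things: `dir="${0%/*}"` leaves `dir` equal to `$0` when the script is invoked without a slash in its path (`sh deploy.sh`), so `dirname -- "$0"` is safer, and `${dir}` is unquoted in the glob. The rewritten loop is below; the hunk covers the whole file, so nothing is cut off.
```shell
# … unchanged: reload() and restart() …
echo "============================================================="
dir=$(dirname -- "$0")
rv=0
for f in "${dir}"/deploy.d/*; do
    name="${f##*/}"
    # Skip editor backups and the like: every match below is sourced as root.
    case "${name}" in
        *~|*.bak|*.orig|*.swp) continue ;;
    esac
    # Source only regular files owned by the invoking (root) user.
    if [ -f "${f}" ] && [ -O "${f}" ]; then
        echo "Deploying [${name}] ..."
        . "${f}" || rv=$?
    else
        echo "WARNING: skipping ${f}: not a regular file owned by $(id -un)" >&2
        rv=1
    fi
done
exit ${rv}
```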
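Review bot: `src: acme/deploy.d/` copies the whole directory without `owner`, `group`, `mode` or `directory_mode`, so the hooks land with the remote default mode and the directory's ownership is not pinned, although everything in it is sourced as root by deploy.sh every week. I'd add `owner: root`, `group: wheel`, `mode: 0644` and `directory_mode: 0755` to the task. The directory copy also ships whatever happens to be under roles/web/files/acme/deploy.d/ on the controller — an editor backup such as `nginx~` included — and deploy.sh will source it, so either keep that directory clean or have deploy.sh filter file names.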