| author | Mitch Riedstra <mitch@riedstra.us> | 2020-10-04 23:21:41 -0400 |
|---|---|---|
| committer | Mitch Riedstra <mitch@riedstra.us> | 2020-10-04 23:21:41 -0400 |
| commit | 2f77c2f0d1faec9b4af9e5b8445b5a287d966aeb (patch) | |
| tree | 57074ea6b0f726fdb541f9c7d7e2d6f169b5564e | |
Initial work in progress
| -rw-r--r-- | defaults/main.yml | 32 | ||||
| -rw-r--r-- | tasks/main.yml | 80 |
2 files changed, 112 insertions, 0 deletions
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..3b276af
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,32 @@
+---
+
+# acmesh_email: bob@exmaple.com
+
+# Delegate DNS to this domain for example.com by setting
+# _acme-challenge IN CNAME letsencrypt-delegate.example.com.
+# or so. It does not even have to be at the same domain.
+# acmesh_delegation_domain: letsencrypt-delegate.example.com
+
+# acmesh_domains:
+# - example.com
+
+# You'll want to put this into vault
+acmesh_env: |
+ export AWS_DEFAULT_REGION=us-east-2
+ export AWS_SECRET_ACCESS_KEY=<changeme>
+ export AWS_ACCESS_KEY_ID=<changeme>
+
+# Set to an empty string to request from the production server, otherwise
+# your certificates will be technically correct but invalid
+acmesh_flags: --staging
+
+acmesh_user:
+ name: acme
+ home: /var/acme
+ shell: /sbin/nologin
+ system: 'yes'
+
+acmesh_dest: '{{acmesh_user.home}}/install'
+acmesh_commit: f2d350002e7c387fad9777a42cf9befe34996c35
+acmesh_url: https://github.com/acmesh-official/acme.sh/archive/{{acmesh_commit}}.tar.gz
+acmesh_checksum: sha256:a4e0cb73748eedf5029dd082a61eb7e35767f36356f2dfb18233ee4eb4f757cf
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..b3c0570
--- /dev/null
+++ b/tasks/main.yml
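Review bot: `acmesh_env` carries a long-lived AWS access key pair that tasks/main.yml's "Write issue script" task renders verbatim into a shell script on the target, so the `# You'll want to put this into vault` comment understates the requirement: vault-encrypt the value, and issue the key for a dedicated IAM identity whose policy is limited to the hosted zone serving `acmesh_delegation_domain` — the point of the CNAME delegation is that this key never needs write access to the production zones. I would expand the comment to `# Vault-encrypt this and scope the key to the delegation zone only; it is written to disk on the target in clear text`. Two smaller things: `system: 'yes'` is a quoted string where the user module expects a boolean, so `system: true`; and `acmesh_dest` is not referenced anywhere in tasks/main.yml, which spells out `{{acmesh_user.home}}/install` instead, so one should use the other. The sample address `bob@exmaple.com` is also misspelled.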
@@ -0,0 +1,80 @@
+---
+- name: Create acme user
+ user:
+ name: '{{acmesh_user.name}}'
+ state: present
+ home: '{{acmesh_user.home}}'
+ shell: '{{acmesh_user.shell}}'
+ system: '{{acmesh_user.system}}'
+- name: Set homedir permissions
+ file:
+ path: '{{acmesh_user.home}}'
+ state: directory
+ mode: '0710'
+ owner: '{{acmesh_user.name}}'
+- name: Create install directory
+ file:
+ state: directory
+ owner: '{{acmesh_user.name}}'
+ path: '{{acmesh_user.home}}/install'
+- name: Get acme.sh tarball
+ get_url:
+ url: '{{acmesh_url}}'
+ dest: '{{acmesh_user.home}}/install/acme.sh-{{acmesh_commit}}.tar.gz'
+ mode: '0755'
+ checksum: '{{acmesh_checksum}}'
+ owner: '{{acmesh_user.name}}'
+ register: tarball
+- name: Write install script
+ copy:
+ content: |
+ #!/bin/sh
+ set -e
+ set -x
+ cd '{{acmesh_user.home}}/install'
+ if ! [ -d 'acme.sh-{{acmesh_commit}}' ] ; then
+ tar -xzf 'acme.sh-{{acmesh_commit}}.tar.gz'
+ fi
+ cd 'acme.sh-{{acmesh_commit}}'
+ sh ./acme.sh --install \
+ --home $HOME/install \
+ --config-home $HOME/conf \
+ --cert-home $HOME/certs \
+ --accountemail "{{acmesh_email}}" \
+ --accountkey $HOME/account.key \
+ --accountconf $HOME/account.conf
+ dest: /tmp/acme_install.sh
+ mode: 0755
+- name: Run acme.sh install script
+ shell: |
+ #!/bin/sh
+ echo '/tmp/acme_install.sh' | su -s /bin/sh '{{acmesh_user.name}}'
+ when: tarball.changed
+- name: Set cert directory permissions
+ file:
+ path: '{{acmesh_user.home}}/certs'
+ state: directory
+ mode: 'u=rwX,g=rX,o-rwx'
+ owner: '{{acmesh_user.name}}'
+ recurse: true
+- name: Write issue script
+ copy:
+ content: |
+ #!/bin/sh
+ set -e
+ set -x
+ {{acmesh_env}}
+
+ . $HOME/install/acme.sh.env
+
+ {% for item in acmesh_domains %}
+ acme.sh {{acmesh_flags | replace('\n', ' ')}} \
+ --issue \
+ --dns dns_aws \
+ --challenge-alias "{{acmesh_delegation_domain}}" \
+ -d "{{item}}" -d "*.{{item}}"
+ {% endfor %}
+
+ dest: '{{acmesh_user.home}}/issue.sh'
+
+# - name: Issue certificates |
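Review bot: In the "Write issue script" task, `set -x` is enabled before `{{acmesh_env}}` is expanded, so every `export AWS_SECRET_ACCESS_KEY=...` line is echoed by xtrace to stderr on each run of issue.sh and the secret ends up wherever that output is captured (cron mail, journal, CI logs); move the `{{acmesh_env}}` block above `set -x`, or drop `set -x` from this script altogether. The same `copy` sets neither `owner` nor `mode`, so the file holding the credentials is created with the Ansible connection user's default ownership and umask; add `owner: '{{acmesh_user.name}}'` and `mode: '0700'` so only the acme user can read or run it. The install script is written to the predictable path `/tmp/acme_install.sh` in shared /tmp and is never removed after the `su` step; writing it under `{{acmesh_user.home}}/install`, which the role already makes owner-controlled at 0710, avoids both the shared-directory exposure and the leftover. Collapsed whitespace makes indentation unrecoverable here, so confirm `register: tarball` sits at task level rather than inside the `get_url:` arguments, and note that `mode: 0755` on the copy is the only unquoted mode in the file while `mode: '0755'` and `mode: '0710'` are quoted.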
