WIP: new certbot role

This commit is contained in:
Jérémy Lecour 2019-09-27 00:13:30 +02:00
parent e3e908dd4c
commit 394e28b815
13 changed files with 297 additions and 0 deletions

View File

@ -11,6 +11,7 @@ The **patch** part changes incrementally at each release.
## [Unreleased]
### Added
* certbot : new role to install and configure certbot
* evocheck: explicit PATH
* evolinux-base: On debian 10 and later, add noexec on /dev/shm
* evolinux-base: default value for "evolinux_ssh_group"

View File

@ -0,0 +1,3 @@
---
certbot_work_dir: /var/lib/letsencrypt

View File

@ -0,0 +1,30 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof apache2)" ]; then
apache2ctl_bin=$(command -v apache2ctl)
if ${apache2ctl_bin} configtest > /dev/null; then
if grep --dereference-recursive -E "^\s*SSLCertificate" /etc/apache2/sites-enabled | grep -q "letsencrypt"; then
debug "Apache detected... reloading"
systemctl reload apache2
else
debug "Apache doesn't use Let's Encrypt certificate. Skip."
fi
else
error "Apache config is broken, you must fix it !"
fi
else
debug "Apache is not running. Skip."
fi

View File

@ -0,0 +1,32 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
git_bin=$(command -v git)
letsencrypt_dir=/etc/letsencrypt
export GIT_DIR="/etc/.git"
export GIT_WORK_TREE="/etc"
if test -x "${git_bin}" && test -d "${GIT_DIR}" && test -d "${GIT_WORK_TREE}"; then
changed_lines=$(${git_bin} status --porcelain -- ${letsencrypt_dir} | wc -l | tr -d ' ')
if [ "${changed_lines}" != "0" ]; then
debug "Committing for ${RENEWED_DOMAINS}"
${git_bin} add --all ${letsencrypt_dir}
message="[letsencrypt] certificates renewal (${RENEWED_DOMAINS})"
${git_bin} commit --message "${message}" --quiet
else
error "Weird, nothing has changed but the hook has been executed for '${RENEWED_DOMAINS}'"
fi
fi

View File

@ -0,0 +1,30 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof dovecot)" ]; then
doveconf_bin=$(command -v doveconf)
if ${doveconf_bin} > /dev/null; then
if ${doveconf_bin} | grep -E "^ssl_cert[^_]" | grep -q "letsencrypt"; then
debug "Dovecot detected... reloading"
systemctl reload dovecot
else
debug "Dovecot doesn't use Let's Encrypt certificate. Skip."
fi
else
error "Dovecot config is broken, you must fix it !"
fi
else
debug "Dovecot is not running. Skip."
fi

View File

@ -0,0 +1,41 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -z "${RENEWED_LINEAGE}" ]; then
error "This script must be called only by certbot!"
fi
if [ -n "$(pidof haproxy)" ]; then
haproxy_bin=$(command -v haproxy)
if ${haproxy_bin} -c -f /etc/haproxy/haproxy.cfg > /dev/null; then
if [ -f "${RENEWED_LINEAGE}/fullchain.pem" ] && [ -f "${RENEWED_LINEAGE}/privkey.pem" ]; then
haproxy_cert_file="/etc/ssl/haproxy/$(basename "${RENEWED_LINEAGE}").pem"
debug "Concatenating certificate files to ${haproxy_cert_file}"
cat "${RENEWED_LINEAGE}/fullchain.pem" "${RENEWED_LINEAGE}/privkey.pem" > "${haproxy_cert_file}"
chmod 600 "${haproxy_cert_file}"
chown root: "${haproxy_cert_file}"
debug "HAProxy detected... reloading"
systemctl reload apache2
else
error "Couldn't find ${RENEWED_LINEAGE}/fullchain.pem or ${RENEWED_LINEAGE}/privkey.pem"
fi
else
error "HAProxy config is broken, you must fix it !"
fi
else
debug "HAProxy is not running. Skip."
fi

View File

@ -0,0 +1,30 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof nginx)" ]; then
nginx_bin=$(command -v nginx)
if ${nginx_bin} -t > /dev/null; then
if grep --dereference-recursive -E "^\s*ssl_certificate" /etc/nginx/sites-enabled | grep -q "letsencrypt"; then
debug "Nginx detected... reloading"
systemctl reload nginx
else
debug "Nginx doesn't use Let's Encrypt certificate. Skip."
fi
else
error "Nginx config is broken, you must fix it !"
fi
else
debug "Nginx is not running. Skip."
fi

View File

@ -0,0 +1,30 @@
#!/bin/sh
readonly VERBOSE=${VERBOSE:-"0"}
readonly QUIET=${QUIET:-"0"}
error() {
>&2 echo "${PROGNAME}: $1"
exit 1
}
debug() {
if [ "${VERBOSE}" = "1" ] && [ "${QUIET}" != "1" ]; then
>&2 echo "${PROGNAME}: $1"
fi
}
if [ -n "$(pidof master)" ]; then
postconf_bin=$(command -v postconf)
if ${postconf_bin} > /dev/null; then
if ${postconf_bin} | grep -E "^smtpd_tls_cert_file" | grep -q "letsencrypt"; then
debug "Postfix detected... reloading"
systemctl reload postfix
else
debug "Postfix doesn't use Let's Encrypt certificate. Skip."
fi
else
error "Postfix config is broken, you must fix it !"
fi
else
debug "Postfix is not running. Skip."
fi

16
certbot/handlers/main.yml Normal file
View File

@ -0,0 +1,16 @@
---
- name: reload nginx
service:
name: nginx
state: reloaded
- name: reload apache
service:
name: apache2
state: reloaded
- name: reload haproxy
service:
name: haproxy
state: reloaded

View File

@ -0,0 +1,50 @@
---
- name: Certbot work directory is present
file:
dest: "{{ certbot_work_dir }}"
state: directory
mode: "0755"
- name: Check if Nginx is installed
stat:
path: /etc/nginx
register: is_nginx
- name: ACME challenge for Nginx is installed
template:
src: acme-challenge/nginx.conf.j2
dest: /etc/nginx/snippets/letsencrypt.conf
force: yes
notify: reload nginx
when: is_nginx.stat.exists
- name: Check if Apache is installed
stat:
path: /etc/apache2
register: is_apache
- block:
- name: ACME challenge for Apache is installed
template:
src: acme-challenge/apache.conf.j2
dest: /etc/apache2/conf-available/letsencrypt.conf
force: yes
notify: reload apache
- name: ACME challenge for Apache is enabled
command: "a2enconf letsencrypt"
register: command_result
changed_when: "'Enabling' in command_result.stderr"
notify: reload apache
when: is_apache.stat.exists
- name: Check if HAProxy is installed
stat:
path: /etc/haproxy
register: is_haproxy
- name: ACME challenge for HAProxy is installed
debug:
msg: "ACME challenge configuration for HAProxy should be configured manually"
when: is_haproxy.stat.exists

23
certbot/tasks/main.yml Normal file
View File

@ -0,0 +1,23 @@
---
- name: "System compatibility checks"
assert:
that:
- ansible_distribution == "Debian"
- ansible_distribution_major_version | version_compare('9', '>=')
msg: only compatible with Debian 9+
- name: certbot package is installed
apt:
name: certbot
state: latest
- include: acme-challenge.yml
- name: Deploy hooks are present
copy:
src: hooks/
dest: /etc/letsencrypt/renewal-hooks/deploy/
mode: "0700"
owner: root
group: root

View File

@ -0,0 +1,6 @@
Alias /.well-known/acme-challenge {{ certbot_work_dir }}/.well-known/acme-challenge
<Directory "{{ certbot_work_dir }}/.well-known/acme-challenge">
Options -Indexes
Allow from all
Require all granted
</Directory>

View File

@ -0,0 +1,5 @@
location ~ /.well-known/acme-challenge {
alias {{ certbot_work_dir }}/;
try_files $uri =404;
allow all;
}