evoacme: update for new certbot role

* certbot is installed by the certbot role * Apache/Nginx configuration is delegated to the certbot role * No more "acme" user, everything is done with "root".
2020-08-21 13:36:24 +02:00 · 2020-08-21 13:36:24 +02:00 · 8ea1bac000
parent a8095b1c36
commit 8ea1bac000
8 changed files with 44 additions and 169 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -39,6 +39,7 @@ The **patch** part changes incrementally at each release.
 * elasticsearch: configure cluster with seed hosts and initial masters
 * evoacme: upstream release 20.06.1
 * evoacme: read values from environment before defaults file
+* evoacme: update for new certbot role
 * haproxy: deport SSL tuning to Mozilla SSL generator
 * haproxy: chroot and socket path are configurable
 * haproxy: adapt backports installed package list to distibution
--- a/evoacme/tasks/acme.yml
+++ b/evoacme/tasks/acme.yml
@ -1,61 +0,0 @@
---
- name: Create acme group
-  group:
-    name: acme
-    state: present
-
- name: Create acme user
-  user:
-    name: acme
-    group: acme
-    state: present
-    createhome: no
-    home: "{{ evoacme_acme_dir }}"
-    shell: /bin/false
-    system: yes
-
- name: Fix crt dir's right
-  file:
-    path: "{{ evoacme_crt_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
- name: "Fix hooks directory permissions"
-  file:
-    path: "{{ evoacme_hooks_dir }}"
-    mode: "0700"
-    owner: acme
-    group: acme
-    state: directory
-
- name: Fix log dir's right
-  file:
-    path: "{{ evoacme_log_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
- name: Fix challenge dir's right
-  file:
-    path: "{{ evoacme_acme_dir }}"
-    mode: "0755"
-    owner: acme
-    group: acme
-    state: directory
-
- name: Is /etc/aliases present?
-  stat:
-    path: /etc/aliases
-  register: etc_aliases
-
- name: Set acme aliases
-  lineinfile:
-    state: present
-    dest: /etc/aliases
-    line: 'acme: root'
-    regexp: 'acme:'
-  when: etc_aliases.stat.exists
-  notify: "newaliases"
--- a/evoacme/tasks/apache.yml
+++ b/evoacme/tasks/apache.yml
@ -1,25 +0,0 @@
- name: Create conf dirs
-  file:
-    path: "/etc/apache2/{{ item }}"
-    state: directory
-  with_items:
-    - 'conf-available'
-    - 'conf-enabled'
-
- name: Copy acme challenge conf
-  template:
-    src: templates/apache.conf.j2
-    dest: /etc/apache2/conf-available/letsencrypt.conf
-    owner: root
-    group: root
-    mode: "0644"
-  notify: reload apache2
-
- name: Enable acme challenge conf
-  file:
-    src: /etc/apache2/conf-available/letsencrypt.conf
-    dest: /etc/apache2/conf-enabled/letsencrypt.conf
-    state: link
-    owner: root
-    group: root
-  notify: reload apache2
--- a/evoacme/tasks/certbot.yml
+++ b/evoacme/tasks/certbot.yml
@ -1,45 +1,20 @@
 ---
-
- name: Use backports for jessie
-  block:
-    - name: install jessie-backports
-      include_role:
-        name: evolix/apt
-        tasks_from: backports.yml
-
-    - name: Add exceptions for certbot dependencies
-      copy:
-        src: backports-certbot
-        dest: /etc/apt/preferences.d/z-backports-certbot
-      notify: apt update
-
-    - meta: flush_handlers
-  when: ansible_distribution_release == "jessie"
-
- name: Install certbot with apt
-  apt:
-    name: certbot
-    state: latest
+- include_role:
+    name: evolix/certbot

 - include_role:
    name: evolix/remount-usr

- name: Remove certbot symlink for apt install
-  file:
-    path: /usr/local/bin/certbot
-    state: absent

 - name: Disable /etc/cron.d/certbot
-  command: mv /etc/cron.d/certbot /etc/cron.d/certbot.disabled
+  command: mv -f /etc/cron.d/certbot /etc/cron.d/certbot.disabled
  args:
    removes: /etc/cron.d/certbot
-    creates: /etc/cron.d/certbot.disabled

 - name: Disable /etc/cron.daily/certbot
-  command: mv /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
+  command: mv -f /etc/cron.daily/certbot /etc/cron.daily/certbot.disabled
  args:
    removes: /etc/cron.daily/certbot
-    creates: /etc/cron.daily/certbot.disabled

 - name: Install evoacme custom cron
  copy:
--- a/evoacme/tasks/evoacme_hook.yml
+++ b/evoacme/tasks/evoacme_hook.yml
@ -1,5 +1,10 @@
 ---

+- name: "Create {{ hook_name }} hook directory"
+  file:
+    dest: "{{ evoacme_hooks_dir }}"
+    state: directory
+
 - name: "Search for {{ hook_name }} hook"
  command: "find {{ evoacme_hooks_dir }} -type f \\( -name '{{ hook_name }}' -o -name '{{ hook_name }}.*' \\)"
  check_mode: no
--- a/evoacme/tasks/main.yml
+++ b/evoacme/tasks/main.yml
@ -7,7 +7,7 @@

 - include: certbot.yml

- include: acme.yml
+- include: permissions.yml

 - include: evoacme_hook.yml
  vars:
@ -22,21 +22,3 @@
 - include: conf.yml

 - include: scripts.yml
-
- name: Determine Apache presence
-  stat:
-    path: /etc/apache2/apache2.conf
-  check_mode: no
-  register: sta
-
- name: Determine Nginx presence
-  stat:
-    path: /etc/nginx/nginx.conf
-  check_mode: no
-  register: stn
-
- include: apache.yml
-  when: sta.stat.isreg is defined and sta.stat.isreg
-
- include: nginx.yml
-  when: stn.stat.isreg is defined and stn.stat.isreg
--- a/evoacme/tasks/nginx.yml
+++ b/evoacme/tasks/nginx.yml
@ -1,35 +0,0 @@
---
-
- name: move acme challenge conf if missplaced
-  command: mv /etc/nginx/letsencrypt.conf /etc/nginx/snippets/letsencrypt.conf
-  args:
-    removes: /etc/nginx/letsencrypt.conf
-    creates: /etc/nginx/snippets/letsencrypt.conf
-
- name: Copy acme challenge conf
-  template:
-    src: templates/nginx.conf.j2
-    dest: /etc/nginx/snippets/letsencrypt.conf
-    owner: root
-    group: root
-    mode: "0644"
-
- name: look for old path
-  command: grep -r /etc/nginx/letsencrypt.conf /etc/nginx
-  changed_when: False
-  failed_when: False
-  check_mode: no
-  register: grep_letsencrypt_old_path
-
- name: Keep a symlink for vhosts with old path
-  file:
-    src: /etc/nginx/snippets/letsencrypt.conf
-    dest: /etc/nginx/letsencrypt.conf
-    state: link
-  when: grep_letsencrypt_old_path.rc == 0
-
- name: Remove symlink if no vhost with old path
-  file:
-    dest: /etc/nginx/letsencrypt.conf
-    state: absent
-  when: grep_letsencrypt_old_path.rc == 1
--- a/evoacme/tasks/permissions.yml
+++ b/evoacme/tasks/permissions.yml
@ -0,0 +1,33 @@
+---
+
+- name: Fix crt directory permissions
+  file:
+    path: "{{ evoacme_crt_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: "Fix hooks directory permissions"
+  file:
+    path: "{{ evoacme_hooks_dir }}"
+    mode: "0700"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix log directory permissions
+  file:
+    path: "{{ evoacme_log_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory
+
+- name: Fix challenge directory permissions
+  file:
+    path: "{{ evoacme_acme_dir }}"
+    mode: "0755"
+    owner: root
+    group: root
+    state: directory