#1236 Add Buypass
Closed a year ago by kevin. Opened a year ago by fhiss.
https://notabug.org/fhiss/ansible.git main  into  main

Update 'roles/copr/certbot/tasks/buypass.yml'
fhiss • a year ago  
Add Buypass
fhiss • a year ago  
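--- /dev/null
+++ b/roles/copr/certbot/tasks/buypass.yml
@@ -0,0 +1,150 @@
+---
+- set_fact:
+    bp_source_path: /etc/letsencrypt
+    # https://pagure.io/copr/copr/issue/2250
+    bp_backup_path: /srv/certbot-certs
+  tags:
+    - certbot
+
+- name: install certbot package
+  package: name=certbot state=present
+  tags:
+    - certbot
+
+- name: install certbot config
+  template: src=certbot.j2 dest=/etc/sysconfig/certbot
+            mode=0644
+  tags:
+    - certbot
+
+- name: install certbot deploy script
+  template: src={{ buypass.predefined_deploy_script }}
+            dest=/usr/libexec/auto-certbot-deploy
+            mode=0755
+  when: buypass.predefined_deploy_script is defined
+  tags:
+    - certbot
+
+- name: check whether we need to initialize buypass first
+  stat: path="/etc/letsencrypt/live/{{ item.key }}"
+  register: bp_stat_checks
+  with_dict: "{{ buypass.certificates }}"
+  tags:
+    - certbot
+
+- name: check if we already have the backup
+  delegate_to: localhost
+  stat:
+    path: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}"
+  register: bp_stat_backup_dir
+  tags:
+    - certbot
+
+- name: restore the certificates from backup (backed up on batcave)
+  synchronize:
+    src: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}/"
+    dest: "{{ bp_source_path }}"
+    mode: push
+  tags:
+    - certbot
+  when:
+    - not bp_stat_checks.results[0].stat.exists
+    - bp_stat_backup_dir.stat.exists
+  register: some_cert_restored
+
+- name: initialize certbot configuration
+  shell: |
+      certbot certonly --standalone \
+            -w {{ item.item.value.challenge_dir }} \
+            -d {{ item.item.value.domains | join(' -d ') }} \
+            --cert-name {{ item.item.key }} \
+            -m {{ item.item.value.mail }} \
+            --agree-tos \
+            -n >> /tmp/call
+  when:
+    - not item.stat.exists
+    - not some_cert_restored.changed
+  with_items: "{{ bp_stat_checks.results }}"
+  tags:
+    - certbot
+
+- name: configure certbot to use webroot next time
+  ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
+            section=renewalparams
+            option=authenticator
+            value=webroot
+  with_items: "{{ bp_stat_checks.results }}"
+  tags:
+    - certbot
+
+- name: configure certbot to use webroot next time
+  ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
+            section=renewalparams
+            option=webroot_path
+            value="{{ item.item.value.challenge_dir }}"
+  with_items: "{{ bp_stat_checks.results }}"
+  tags:
+    - certbot
+
+- name: post init script
+  shell: |
+      /usr/libexec/auto-certbot-deploy \
+            --init {{ item.item.key }}
+  when:
+    - buypass.predefined_deploy_script is defined
+    - not item.stat.exists
+  with_items: "{{ bp_stat_checks.results }}"
+  tags:
+    - certbot
+
+- name: Automatize cert renewal
+  service:
+    name: certbot-renew.timer
+    state: started
+    enabled: yes
+  tags:
+    - certbot
+
+# When we do 'systemctl restart', lighttpd is initially started as "root"
+# process (when the config is loaded) and later it does setuid(lighttpd).
+# So "restart" is just fine.   Though we also do 'killall -HUP lighttpd' in
+# several occasions and then 'lighttpd' user needs to have the access.  See the
+# following issues:
+#   https://pagure.io/copr/copr/issue/2001 Resolves:
+#   https://pagure.io/fedora-infrastructure/issue/10391
+- name: allow lighttpd to step into certbots directories
+  acl:
+    path: "{{ item }}"
+    entity: lighttpd
+    etype: user
+    permissions: --x
+    state: present
+  with_items:
+    - /etc/letsencrypt/archive
+    - /etc/letsencrypt/live
+  when:
+    - buypass.predefined_deploy_script is defined
+    - buypass.predefined_deploy_script == 'lighttpd'
+  tags:
+    - certbot
+
+- name: prepare the certbot backup directory on batcave
+  delegate_to: localhost
+  file:
+    path: "{{ bp_backup_path }}"
+    # nobody, except for root, can step into this directory (on batcave)
+    mode: 0700
+    owner: root
+    group: root
+    state: directory
+  tags:
+    certbot
+
+- name: backup the buypass certs to batcave directory
+  synchronize:
+    src: "{{ bp_source_path }}/"
+    dest: "{{ bp_backup_path }}/{{ item.key }}"
+    mode: pull
+  with_dict: "{{ buypass.certificates }}"
+  tags:
+    - certbot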
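Review bot: The `initialize certbot configuration` shell task appends certbot's output to a fixed path in the world-writable /tmp (`-n >> /tmp/call`), so a file or symlink placed there beforehand by another local user can be followed or read, and the output (account and domain details) outlives the play in a predictable location; it reads like a debugging leftover. Dropping the redirect and keeping the output in Ansible is enough, e.g. end the command with `            -n` and add `  register: bp_certbot_init` after the `shell:` block, or redirect into a root-owned log directory if a persistent record is wanted. On style, the two `configure certbot to use webroot next time` tasks share one name, and the later `mode: 0700` and `enabled: yes` are safer written as `mode: "0700"` and `enabled: true`. Nothing in this file passes a `--server` option for the Buypass ACME directory, so unless `certbot.j2` or an existing cli.ini supplies it, the `certonly` call would register against certbot's default CA — worth confirming before merging.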

no initial comment

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Update 'roles/copr/certbot/tasks/buypass.yml'
a year ago

Build succeeded.

Pull-Request has been closed by kevin

a year ago