#1236 Add Buypass
Closed 23 days ago by kevin. Opened 4 months ago by fhiss.
https://notabug.org/fhiss/ansible.git main  into  main

Update 'roles/copr/certbot/tasks/buypass.yml'
fhiss • 4 months ago  
Add Buypass
fhiss • 4 months ago  
roles/copr/certbot/tasks/buypass.yml
file added
+150
@@ -0,0 +1,150 @@

+ ---

+ - set_fact:

+     bp_source_path: /etc/letsencrypt

+     # https://pagure.io/copr/copr/issue/2250

+     bp_backup_path: /srv/certbot-certs

+   tags:

+     - certbot

+ 

+ - name: install certbot package

+   package: name=certbot state=present

+   tags:

+     - certbot

+ 

+ - name: install certbot config

+   template: src=certbot.j2 dest=/etc/sysconfig/certbot

+             mode=0644

+   tags:

+     - certbot

+ 

+ - name: install certbot deploy script

+   template: src={{ buypass.predefined_deploy_script }}

+             dest=/usr/libexec/auto-certbot-deploy

+             mode=0755

+   when: buypass.predefined_deploy_script is defined

+   tags:

+     - certbot

+ 

+ - name: check whether we need to initialize buypass first

+   stat: path="/etc/letsencrypt/live/{{ item.key }}"

+   register: bp_stat_checks

+   with_dict: "{{ buypass.certificates }}"

+   tags:

+     - certbot

+ 

+ - name: check if we already have the backup

+   delegate_to: localhost

+   stat:

+     path: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}"

+   register: bp_stat_backup_dir

+   tags:

+     - certbot

+ 

+ - name: restore the certificates from backup (backed up on batcave)

+   synchronize:

+     src: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}/"

+     dest: "{{ bp_source_path }}"

+     mode: push

+   tags:

+     - certbot

+   when:

+     - not bp_stat_checks.results[0].stat.exists

+     - bp_stat_backup_dir.stat.exists

+   register: some_cert_restored

+ 

+ - name: initialize certbot configuration

+   shell: |

+       certbot certonly --standalone \

+             -w {{ item.item.value.challenge_dir }} \

+             -d {{ item.item.value.domains | join(' -d ') }} \

+             --cert-name {{ item.item.key }} \

+             -m {{ item.item.value.mail }} \

+             --agree-tos \

+             -n >> /tmp/call

+   when:

+     - not item.stat.exists

+     - not some_cert_restored.changed

+   with_items: "{{ bp_stat_checks.results }}"

+   tags:

+     - certbot

+ 

+ - name: configure certbot to use webroot next time

+   ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"

+             section=renewalparams

+             option=authenticator

+             value=webroot

+   with_items: "{{ bp_stat_checks.results }}"

+   tags:

+     - certbot

+ 

+ - name: configure certbot to use webroot next time

+   ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"

+             section=renewalparams

+             option=webroot_path

+             value="{{ item.item.value.challenge_dir }}"

+   with_items: "{{ bp_stat_checks.results }}"

+   tags:

+     - certbot

+ 

+ - name: post init script

+   shell: |

+       /usr/libexec/auto-certbot-deploy \

+             --init {{ item.item.key }}

+   when:

+     - buypass.predefined_deploy_script is defined

+     - not item.stat.exists

+   with_items: "{{ bp_stat_checks.results }}"

+   tags:

+     - certbot

+ 

+ - name: Automatize cert renewal

+   service:

+     name: certbot-renew.timer

+     state: started

+     enabled: yes

+   tags:

+     - certbot

+ 

+ # When we do 'systemctl restart', lighttpd is initially started as "root"

+ # process (when the config is loaded) and later it does setuid(lighttpd).

+ # So "restart" is just fine.   Though we also do 'killall -HUP lighttpd' in

+ # several occasions and then 'lighttpd' user needs to have the access.  See the

+ # following issues:

+ #   https://pagure.io/copr/copr/issue/2001 Resolves:

+ #   https://pagure.io/fedora-infrastructure/issue/10391

+ - name: allow lighttpd to step into certbots directories

+   acl:

+     path: "{{ item }}"

+     entity: lighttpd

+     etype: user

+     permissions: --x

+     state: present

+   with_items:

+     - /etc/letsencrypt/archive

+     - /etc/letsencrypt/live

+   when:

+     - buypass.predefined_deploy_script is defined

+     - buypass.predefined_deploy_script == 'lighttpd'

+   tags:

+     - certbot

+ 

+ - name: prepare the certbot backup directory on batcave

+   delegate_to: localhost

+   file:

+     path: "{{ bp_backup_path }}"

+     # nobody, except for root, can step into this directory (on batcave)

+     mode: 0700

+     owner: root

+     group: root

+     state: directory

+   tags:

+     certbot

+ 

+ - name: backup the buypass certs to batcave directory

+   synchronize:

+     src: "{{ bp_source_path }}/"

+     dest: "{{ bp_backup_path }}/{{ item.key }}"

+     mode: pull

+   with_dict: "{{ buypass.certificates }}"

+   tags:

+     - certbot

no initial comment

Build failed. More information on how to proceed and troubleshoot errors available at https://fedoraproject.org/wiki/Zuul-based-ci

1 new commit added

  • Update 'roles/copr/certbot/tasks/buypass.yml'
4 months ago

Build succeeded.

Pull-Request has been closed by kevin

23 days ago
Metadata