Extract playbook actions to roles

2026-01-07 11:35:10 +00:00 · 2024-05-31 01:17:29 +03:00
parent 311d6ce925
commit 5ee8b48ff7
38 changed files with 414 additions and 463 deletions
--- a/ansible/roles/ssl/defaults/main.yml
+++ b/ansible/roles/ssl/defaults/main.yml
@@ -0,0 +1,2 @@
+domains:
+  - mx1.example.com
--- a/ansible/roles/ssl/handlers/main.yml
+++ b/ansible/roles/ssl/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: reload httpd
+  ansible.builtin.service:
+    name: httpd
+    state: reloaded
--- a/ansible/roles/ssl/tasks/main.yml
+++ b/ansible/roles/ssl/tasks/main.yml
@@ -0,0 +1,39 @@
+---
+- name: Create vhost directories
+  file:
+    path: "/var/www/vhosts/{{ item }}"
+    state: directory
+    owner: www
+  with_items: "{{ domains }}"
+
+- name: Install httpd.conf
+  template:
+    src: "templates/httpd.conf"
+    dest: "/etc/httpd.conf"
+
+- name: Enable and start httpd
+  service:
+    name: httpd
+    enabled: yes
+    state: started
+
+- name: Install acme-client.conf
+  template:
+    src: "templates/acme-client.conf"
+    dest: "/etc/acme-client.conf"
+
+- name: Initial acme-client run
+  command: "/usr/sbin/acme-client {{ item }}"
+  args:
+    creates: "/etc/ssl/{{ item }}.fullchain.pem"
+  with_items: "{{ domains }}"
+  notify:
+    - reload httpd
+
+- name: Renew certificates via root crontab
+  cron:
+    name: "acme-client renew {{ item }}"
+    minute: "0"
+    job: "sleep $((RANDOM \\% 2048)) && acme-client {{ item }} && rcctl reload httpd"
+    user: root
+  with_items: "{{ domains }}"
--- a/ansible/roles/ssl/templates/acme-client.conf
+++ b/ansible/roles/ssl/templates/acme-client.conf
@@ -0,0 +1,13 @@
+# {{ ansible_managed }}
+authority letsencrypt {
+    api url "https://acme-v02.api.letsencrypt.org/directory"
+    account key "/etc/acme/letsencrypt-privkey.pem"
+}
+
+{% for domain in domains %}
+domain "{{ domain }}" {
+    domain key "/etc/ssl/private/{{ domain }}.key"
+    domain full chain certificate "/etc/ssl/{{ domain }}.fullchain.pem"
+    sign with letsencrypt
+}
+{% endfor %}
--- a/ansible/roles/ssl/templates/httpd.conf
+++ b/ansible/roles/ssl/templates/httpd.conf
@@ -0,0 +1,28 @@
+# {{ ansible_managed }}
+server "{{ inventory_hostname }}" {
+    listen on * port 80
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        block return 302 "https://$HTTP_HOST$REQUEST_URI"
+    }
+}
+
+{% for vhost in domains %}
+server "{{ vhost }}" {
+    listen on * tls port 443
+    tls {
+        certificate "/etc/ssl/{{ vhost }}.fullchain.pem"
+        key "/etc/ssl/private/{{ vhost }}.key"
+    }
+    location "/.well-known/acme-challenge/*" {
+        root "/acme"
+        request strip 2
+    }
+    location * {
+        root "/vhosts/{{ vhost }}"
+    }
+}
+{% endfor %}