Automatically renew cert with certbot

ed-asriyan · Apr 20, 2024 · 73eee3a · 73eee3a
1 parent 963860a
commit 73eee3a
Show file tree

Hide file tree

Showing 28 changed files with 106 additions and 676 deletions.
diff --git a/frontman.yml b/frontman.yml
@@ -1,4 +1,4 @@
 - hosts:
     - frontman
   roles:
-    - config-delivery
+    - frontman
diff --git a/inventory/group_vars/frontman/vars.yml b/inventory/group_vars/frontman/vars.yml
@@ -24,3 +24,6 @@ frontman_domain: !vault |
   37663634363736383462323762626538393539313239306332393038633135336630633934383037
   3032343339653732630a383663663663616434666436393466376235663333383439623161636234
   3537
+
+ssl_cert_path: "/etc/letsencrypt/live/{{ frontman_domain }}/fullchain.pem"
+ssl_key_path: "/etc/letsencrypt/live/{{ frontman_domain }}/privkey.pem"
diff --git a/inventory/group_vars/s1/vars.yml b/inventory/group_vars/s1/vars.yml
@@ -17,4 +17,7 @@ ansible_user: !vault |
   3637343263623330360a303939393130343039383963336431616663353037316261333330396630
   3131
 
-server_name: s1
+server: "{{ servers.s1 }}"
+
+ssl_cert_path: "/etc/letsencrypt/live/{{ server.domain }}/fullchain.pem"
+ssl_key_path: "/etc/letsencrypt/live/{{ server.domain }}/privkey.pem"
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
@@ -0,0 +1,36 @@
+- name: Install snap
+  package:
+    name: snapd
+    state: present
+
+- name: Install certbot
+  snap:
+    name: certbot
+    state: present
+
+- name: Render systemd service config
+  template:
+    src: certbot.service.j2
+    dest: /etc/systemd/system/{{ certbot_service_name }}.service
+  register: systemd_service
+
+- name: Render systemd timer config
+  template:
+    src: certbot.timer.j2
+    dest: /etc/systemd/system/{{ certbot_service_name }}.timer
+  register: systemd_timer
+
+- name: Reload daemon
+  systemd:
+    daemon_reload: yes
+  when: systemd_service.changed or systemd_timer.changed
+
+- name: Enable systemd timer service
+  systemd:
+    name: "{{ certbot_service_name }}.timer"
+    enabled: yes
+
+- name: Run certbot one time
+  systemd:
+    name: "{{ certbot_service_name }}.service"
+    state: restarted
diff --git a/roles/certbot/templates/certbot.service.j2 b/roles/certbot/templates/certbot.service.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=frontman-certbot
+After=network.service
+
+[Service]
+User=root
+ExecStart=/snap/bin/certbot certonly --standalone --non-interactive --agree-tos -d {{ certbot_domain }} --post-hook "{{ certbot_post_hook }}"
+
+[Install]
+WantedBy=multi-user.target
diff --git a/roles/certbot/templates/certbot.timer.j2 b/roles/certbot/templates/certbot.timer.j2
@@ -0,0 +1,9 @@
+[Unit]
+Description="Timer for the {{ certbot_service_name }}.service"
+
+[Timer]
+Unit={{ certbot_service_name }}.service
+OnUnitActiveSec={{ certbot_repeat_interval }}
+
+[Install]
+WantedBy=timers.target
diff --git a/roles/certbot/vars/main.yml b/roles/certbot/vars/main.yml
@@ -0,0 +1,11 @@
+# how ofter to check the ssl cert/key
+certbot_repeat_interval: 720min
+
+# domain for issuing a cert
+certbot_domain:
+
+# how to name systemctl service for aute renewing
+certbot_service_name:
+
+# what command to run after successful renewal/issueing
+certbot_post_hook:
diff --git a/roles/config-delivery/files/certificate.pem b/roles/config-delivery/files/certificate.pem
diff --git a/roles/config-delivery/files/private.pem b/roles/config-delivery/files/private.pem
diff --git a/roles/dynamic-dns/tasks/main.yml b/roles/dynamic-dns/tasks/main.yml
@@ -21,8 +21,8 @@
     src: dynamic-dns.service.j2
     dest: /etc/systemd/system/dynamic-dns.service
   vars:
-    record: "{{ servers[server_name].domain.rsplit('.', 2)[0] }}"
-    domain: "{{ servers[server_name].domain.rsplit('.', 2)[1:] | join('.') }}"
+    record: "{{ server.domain.rsplit('.', 2)[0] }}"
+    domain: "{{ server.domain.rsplit('.', 2)[1:] | join('.') }}"
   register: systemd_service
 
 - name: Render systemd timer config

diff --git a/roles/dynamic-dns/templates/dynamic-dns.service.j2 b/roles/dynamic-dns/templates/dynamic-dns.service.j2
@@ -6,7 +6,7 @@ Requires=dynamic-dns.timer
 [Service]
 Type=simple
 User={{ user }}
-ExecStart=/home/{{ user }}/{{ executable_name }} "{{ frontman_domain }}" "{{ record }}" "{{ godaddy_api_key }}"
+ExecStart=/home/{{ user }}/{{ executable_name }} "{{ domain }}" "{{ record }}" "{{ godaddy_api_key }}"
 
 [Install]
 WantedBy=multi-user.target
diff --git a/roles/config-delivery/files/guide.html → roles/frontman/files/guide.html b/roles/config-delivery/files/guide.html → roles/frontman/files/guide.html
diff --git a/roles/config-delivery/files/robots.txt → roles/frontman/files/robots.txt b/roles/config-delivery/files/robots.txt → roles/frontman/files/robots.txt
diff --git a/roles/frontman/meta/main.yml b/roles/frontman/meta/main.yml
@@ -0,0 +1,6 @@
+dependencies:
+  - role: certbot
+    vars:
+      certbot_domain: "{{ frontman_domain }}"
+      certbot_service_name: "frontman-certbot"
+      certbot_post_hook: "systemctl restart frontman"
diff --git a/roles/config-delivery/tasks/main.yml → roles/frontman/tasks/main.yml b/roles/config-delivery/tasks/main.yml → roles/frontman/tasks/main.yml
@@ -112,33 +112,13 @@
     owner: "{{ user }}"
     mode: "700"
 
-- name: Copy private.key
-  copy:
-    src: private.pem
-    dest: "/home/{{ user }}/{{ ssl_key_path }}"
-    group: "{{ user }}"
-    owner: "{{ user }}"
-    mode: "600"
-  register: ssl_private
-
-- name: Copy certificate.crt
-  copy:
-    src: certificate.pem
-    dest: "/home/{{ user }}/{{ ssl_cert_path }}"
-    group: "{{ user }}"
-    owner: "{{ user }}"
-    mode: "600"
-  register: ssl_cert
-
 - name: Remove unexpected files in home
   include_tasks: tasks/remove-unexpected-files.yml
   vars:
     directory: "/home/{{ user }}"
     files:
       - "{{ static_folder }}"
       - "{{ executable_name }}"
-      - "{{ ssl_cert_path }}"
-      - "{{ ssl_key_path }}"
 
 - name: Remove local source repository
   delegate_to: localhost
@@ -149,8 +129,8 @@
 
 - name: Render systemd service config
   template:
-    src: config-delivery.service.j2
-    dest: /etc/systemd/system/config-delivery.service
+    src: frontman.service.j2
+    dest: /etc/systemd/system/frontman.service
   register: systemd
 
 - name: Reload daemon
@@ -160,7 +140,7 @@
 
 - name: Restart systemd app service
   systemd:
-    name: config-delivery.service
+    name: frontman.service
     state: restarted
     enabled: yes
-  when: systemd.changed or download.changed or ssl_private.changed or ssl_cert.changed
+  when: systemd.changed or download.changed
diff --git a/roles/config-delivery/templates/URIs.txt.j2 → roles/frontman/templates/URIs.txt.j2 b/roles/config-delivery/templates/URIs.txt.j2 → roles/frontman/templates/URIs.txt.j2
diff --git a/.../config-delivery/templates/config.json.j2 → roles/frontman/templates/config.json.j2 b/.../config-delivery/templates/config.json.j2 → roles/frontman/templates/config.json.j2
diff --git a/...very/templates/config-delivery.service.j2 → roles/frontman/templates/frontman.service.j2 b/...very/templates/config-delivery.service.j2 → roles/frontman/templates/frontman.service.j2
@@ -1,10 +1,10 @@
 [Unit]
-Description=config-delivery
+Description=frontman
 After=network.service
 
 [Service]
-User={{ user }}
-ExecStart=/home/{{ user }}/{{ executable_name }} --dir /home/{{ user }}/{{ static_folder }} --host 0.0.0.0 --port {{ frontman_port }} --ssl --cert /home/{{ user }}/{{ ssl_cert_path }} --key /home/{{ user }}/{{ ssl_key_path }}
+User=root
+ExecStart=/home/{{ user }}/{{ executable_name }} --dir /home/{{ user }}/{{ static_folder }} --host 0.0.0.0 --port {{ frontman_port }} --ssl --cert {{ ssl_cert_path }} --key {{ ssl_key_path }}
 Restart=always
 
 [Install]

diff --git a/...s/config-delivery/templates/index.html.j2 → roles/frontman/templates/index.html.j2 b/...s/config-delivery/templates/index.html.j2 → roles/frontman/templates/index.html.j2
diff --git a/roles/config-delivery/vars/main.yml → roles/frontman/vars/main.yml b/roles/config-delivery/vars/main.yml → roles/frontman/vars/main.yml
@@ -1,5 +1,5 @@
-# linus user to run outline as
-user: config-delivery
+# linus user to run frontman as
+user: frontman
 # URL to download outline from
 downloads:
   x86_64:
@@ -17,10 +17,6 @@ executable_name: serve
 frontman_port: 1399
 # relative path of directory where static content should be stored
 static_folder: static
-# SSL cert relative path
-ssl_cert_path: cert.pem
-# SSL cert relative path
-ssl_key_path: key.pem
 # where redirect to if user opened index page without paramneters
 default_redirect: !vault |
   $ANSIBLE_VAULT;1.1;AES256

diff --git a/roles/outline/templates/config.yml.j2 b/roles/outline/templates/config.yml.j2
@@ -1,9 +1,9 @@
 keys:
 {% for ss_username in users.keys() %}
 {% for ss_client in users[ss_username] %}
-  - cipher: {{ servers[server_name].ss_cipher }}
+  - cipher: {{ server.ss_cipher }}
     id: '{{ ss_username }}-{{ loop.index }}'
-    port: {{ servers[server_name].ss_port }}
+    port: {{ server.ss_port }}
     secret: {{ ss_client.secret }}
 {% endfor %}
 {% endfor %}