commit 2ba4c58126e6483f230ba5372c96aab7976f0635
parent 7451b34e68b5164cec6f29b6660881e1afef6ab8
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 21 Feb 2021 17:04:38 +0100
parent 7451b34e68b5164cec6f29b6660881e1afef6ab8
Author: Leah (ctucx) <leah@ctu.cx>
Date: Sun, 21 Feb 2021 17:04:38 +0100
roles/acme-redirect: split tasks to multiple files
6 files changed, 199 insertions(+), 229 deletions(-)
M
|
240
++++---------------------------------------------------------------------------
diff --git a/roles/acme-redirect/tasks/configure.yml b/roles/acme-redirect/tasks/configure.yml
@@ -0,0 +1,46 @@
+---
+
+- name: "[Alpine] create sudoers file for acme-redirect"
+ copy:
+ content: "acme-redirect ALL=NOPASSWD:/sbin/rc-service\n"
+ dest: /etc/sudoers.d/acme-redirect
+ when:
+ - ansible_distribution == "Alpine"
+
+- name: "[Archlinux] create sudoers file for acme-redirect"
+ copy:
+ content: "acme-redirect ALL=NOPASSWD:/usr/bin/systemctl\n"
+ dest: /etc/sudoers.d/acme-redirect
+ when:
+ - ansible_distribution == "Archlinux"
+
+- name: Create acme-redirect.conf
+ template:
+ src: acme-redirect-general.conf.j2
+ dest: /etc/acme-redirect.conf
+ owner: acme-redirect
+ group: acme-redirect
+
+- name: clean cert-config directory
+ file:
+ state: "{{ item }}"
+ path: /etc/acme-redirect.d
+ owner: acme-redirect
+ group: acme-redirect
+ mode: 0755
+ with_items:
+ - absent
+ - directory
+ when:
+ - services.acme_redirect.certs is defined
+
+- name: Generate acme-redirect cert configs
+ template:
+ src: acme-redirect.conf.j2
+ dest: /etc/acme-redirect.d/{{item.key}}.conf
+ owner: acme-redirect
+ group: acme-redirect
+ mode: 0644
+ loop: "{{ lookup('dict', services.acme_redirect.certs, wantlist=True) }}"
+ when:
+ - services.acme_redirect.certs is defined
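Review bot: The two sudoers tasks write `/etc/sudoers.d/acme-redirect` with `copy` but set neither `mode` nor `validate`, so the file gets a umask-derived mode instead of the conventional `0440`, and a malformed rule is only noticed once sudo starts refusing to parse the directory, which can break sudo for every account on the host; add `mode: "0440"` and `validate: /usr/sbin/visudo -cf %s` to both tasks. The rule itself grants `NOPASSWD` on `/sbin/rc-service` (Alpine) and `/usr/bin/systemctl` (Arch) with no argument restriction, so the acme-redirect account can start, stop or disable any service on the host rather than only reload its own; if the consumer only needs one action on one unit, the sudoers line should name that command and its arguments. The unquoted `mode: 0755` and `mode: 0644` on the later tasks work only because of the leading zero; `mode: "0755"` / `mode: "0644"` is the form Ansible documents and yamllint accepts.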
diff --git a/roles/acme-redirect/tasks/firewall.yml b/roles/acme-redirect/tasks/firewall.yml @@ -0,0 +1,24 @@ +--- + +- name: "[nftables] Create rule for: acme-redirect" + copy: + src: nftables-rule.nft + dest: /etc/nftables.d/acme-redirect.nft + when: + - network.nftables.enable is true + +- name: "[OpenRC] Restart service: nftables" + service: + name: nftables + state: restarted + when: + - ansible_service_mgr == "openrc" + - network.nftables.enable is true + +- name: "[systemd] Restart service: nftables" + systemd: + name: nftables + state: restarted + when: + - ansible_service_mgr == "systemd" + - network.nftables.enable is true+ \ No newline at end of file
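Review bot: Both nftables restart tasks fire on every run where `network.nftables.enable` is true, independent of whether the preceding `copy` of `nftables-rule.nft` changed anything, so each play reloads the live ruleset and reports changed. Turn the two restarts into handlers and add `notify` to the copy task, or at minimum `register: acme_redirect_nft_rule` on the copy and gate the restarts with `when: acme_redirect_nft_rule.changed`. The copy task also sets no `owner` or `mode` for the file in `/etc/nftables.d`; `mode: "0640"` or the project's usual value makes the intent explicit. The same two restart tasks are duplicated verbatim in remove.yml, and the diff marker shows this file ends without a trailing newline.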
diff --git a/roles/acme-redirect/tasks/install.yml b/roles/acme-redirect/tasks/install.yml @@ -0,0 +1,17 @@ +--- + +- name: "[Alpine] Install package: acme-redirect" + apk: + name: acme-redirect + state: present + update_cache: yes + when: + - ansible_distribution == "Alpine" + +- name: "[Archlinux] Install package: acme-redirect" + pacman: + name: acme-redirect + state: present + update_cache: yes + when: + - ansible_distribution == "Archlinux"+ \ No newline at end of file
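Review bot: `update_cache: yes` on both package tasks uses the YAML 1.1 truthy spelling; `update_cache: true` is what yamllint's `truthy` rule and ansible-lint expect and avoids the 1.1/1.2 ambiguity. The same spelling appears as `enabled: no` in remove.yml and as `enabled: yes` / `become: yes` in start.yml. The diff marker also shows this file ends without a trailing newline.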
diff --git a/roles/acme-redirect/tasks/main.yml b/roles/acme-redirect/tasks/main.yml 
@@ -1,245 +1,27 @@ --- -# install it - -- name: "[Alpine] Install package: acme-redirect" - apk: - name: acme-redirect - state: present - update_cache: yes - when: - - ansible_distribution == "Alpine" - - services.acme_redirect.enable is true - -- name: "[Archlinux] Install package: acme-redirect" - pacman: - name: acme-redirect - state: present - update_cache: yes - when: - - ansible_distribution == "Archlinux" - - services.acme_redirect.enable is true - - -# configure it - -- name: "[Alpine] create sudoers file for acme-redirect" - copy: - content: "acme-redirect ALL=NOPASSWD:/sbin/rc-service\n" - dest: /etc/sudoers.d/acme-redirect - when: - - ansible_distribution == "Alpine" - - services.acme_redirect.enable is true - -- name: "[Archlinux] create sudoers file for acme-redirect" - copy: - content: "acme-redirect ALL=NOPASSWD:/usr/bin/systemctl\n" - dest: /etc/sudoers.d/acme-redirect - when: - - ansible_distribution == "Archlinux" - - services.acme_redirect.enable is true - -- name: Create acme-redirect.conf - template: - src: acme-redirect-general.conf.j2 - dest: /etc/acme-redirect.conf - owner: acme-redirect - group: acme-redirect - when: - - services.acme_redirect.enable is true - -- name: clean cert-config directory - file: - state: "{{ item }}" - path: /etc/acme-redirect.d - owner: acme-redirect - group: acme-redirect - mode: 0755 - with_items: - - absent - - directory - when: - - services.acme_redirect.enable is true - - services.acme_redirect.certs is defined - -- name: Generate acme-redirect cert configs - template: - src: acme-redirect.conf.j2 - dest: /etc/acme-redirect.d/{{item.key}}.conf - owner: acme-redirect - group: acme-redirect - mode: 0644 - loop: "{{ lookup('dict', services.acme_redirect.certs, wantlist=True) }}" - when: - - services.acme_redirect.enable is true - - services.acme_redirect.certs is defined - - -# firewall it - -- name: "[nftables] Create rule for: acme-redirect" - copy: - src: nftables-rule.nft - dest: 
/etc/nftables.d/acme-redirect.nft +- include: install.yml when: - - network.nftables.enable is true + - services.acme_redirect.enable is defined - services.acme_redirect.enable is true -- name: "[OpenRC] Restart service: nftables" - service: - name: nftables - state: restarted +- include: configure.yml when: - - ansible_service_mgr == "openrc" - - network.nftables.enable is true + - services.acme_redirect.enable is defined - services.acme_redirect.enable is true -- name: "[systemd] Restart service: nftables" - systemd: - name: nftables - state: restarted +- include: start.yml when: - - ansible_service_mgr == "systemd" - - network.nftables.enable is true - - services.acme_redirect.enable is true - -# restart and enable it - -- name: "[OpenRC] Enable and restart service: acme-redirect" - service: - name: acme-redirect - enabled: yes - state: restarted - when: - - ansible_service_mgr == "openrc" - - services.acme_redirect.enable is true - -- name: "[systemd] Enable and restart service: acme-redirect" - systemd: - name: acme-redirect - enabled: yes - state: restarted - when: - - ansible_service_mgr == "systemd" - - services.acme_redirect.enable is true - -- command: - cmd: acme-redirect check -q - register: acme_check - become: yes - become_user: acme-redirect - when: - - services.acme_redirect.enable is true - -- fail: - msg: "Check of Certs failed: {{acme_check.stdout}}" - when: - - services.acme_redirect.enable is true - - acme_check.stdout | length > 0 - -- command: - cmd: acme-redirect renew -q - register: acme_renew - become: yes - become_user: acme-redirect - when: - - services.acme_redirect.enable is true - -- fail: - msg: "Renew of certs failed: {{acme_renew.stdout}}" - when: + - services.acme_redirect.enable is defined - services.acme_redirect.enable is true - - acme_renew.stdout | length > 0 - - -# stop it - -- name: "[OpenRC] Disable and stop service: acme-redirect" - service: - name: acme-redirect - enabled: no - state: stopped - when: - - 
ansible_service_mgr == "openrc" - - services.acme_redirect.enable is false - -- name: "[systemd] Disable and stop service: acme-redirect" - systemd: - name: acme-redirect - enabled: no - state: stopped - when: - - ansible_service_mgr == "systemd" - - services.acme_redirect.enable is false - - -#defirewall it - -- name: "[nftables] Delete rule for: acme-redirect" - file: - path: /etc/nftables.d/acme-redirect.nft - state: absent - when: - - network.nftables.enable is true - - services.acme_redirect.enable is false -- name: "[OpenRC] Restart service: nftables" - service: - name: nftables - state: restarted +- include: firewall.yml when: - - ansible_service_mgr == "openrc" + - services.acme_redirect.enable is defined + - services.acme_redirect.enable is true - network.nftables.enable is true - - services.acme_redirect.enable is false -- name: "[systemd] Restart service: nftables" - systemd: - name: nftables - state: restarted +- include: remove.yml when: - - ansible_service_mgr == "systemd" - - network.nftables.enable is true - - services.acme_redirect.enable is false - -# remove it - -- name: "[Alpine] Remove package: acme-redirect" - apk: - name: acme-redirect - state: absent - when: - - ansible_distribution == "Alpine" - - services.acme_redirect.enable is false - -- name: "[Archlinux] Remove package: acme-redirect" - pacman: - name: acme-redirect - state: absent - when: - - ansible_distribution == "Archlinux" - - services.acme_redirect.enable is false - - -# remove leftover files - -- name: "Remove directory: /etc/acme-redirect.d" - file: - path: /etc/acme-redirect.d - state: absent - when: - - services.acme_redirect.enable is false - -- name: "Remove directory: /var/lib/acme-redirect" - file: - path: /var/lib/acme-redirect - state: absent - when: - - services.acme_redirect.enable is false - -- name: "Remove file: /etc/acme-redirect.conf" - file: - path: /etc/acme-redirect.conf - state: absent - when: + - services.acme_redirect.enable is defined - 
services.acme_redirect.enable is false -
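Review bot: start.yml is included before firewall.yml, so the `acme-redirect check -q` and `acme-redirect renew -q` steps in start.yml run before the nftables rule for acme-redirect is installed; if that rule is what admits the ACME HTTP challenge, a first run on a fresh host would fail at renew before the firewall task is reached. Reordering the includes so `firewall.yml` precedes `start.yml` avoids that. The `include:` keyword has been deprecated since Ansible 2.4 and whether it behaves statically or dynamically, and therefore how the `when` list is applied to the included tasks, is decided per file; `import_tasks:` states explicitly that the conditions are applied to every task in the included file. A short comment above the `remove.yml` include noting that a host with `services.acme_redirect.enable` undefined deliberately skips both the install and the removal paths would also help the next reader.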
diff --git a/roles/acme-redirect/tasks/remove.yml b/roles/acme-redirect/tasks/remove.yml
@@ -0,0 +1,58 @@
+---
+
+- name: "[OpenRC] Disable and stop service: acme-redirect"
+ service:
+ name: acme-redirect
+ enabled: no
+ state: stopped
+ when:
+ - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Disable and stop service: acme-redirect"
+ systemd:
+ name: acme-redirect
+ enabled: no
+ state: stopped
+ when:
+ - ansible_service_mgr == "systemd"
+
+- name: "[Alpine] Remove package: acme-redirect"
+ apk:
+ name: acme-redirect
+ state: absent
+ when:
+ - ansible_distribution == "Alpine"
+
+- name: "[Archlinux] Remove package: acme-redirect"
+ pacman:
+ name: acme-redirect
+ state: absent
+ when:
+ - ansible_distribution == "Archlinux"
+
+
+- name: "Delete leftovers"
+ file:
+ path: "{{item}}"
+ state: absent
+ with_items:
+ - /etc/acme-redirect.d
+ - /var/lib/acme-redirect
+ - /etc/acme-redirect.conf
+ - /etc/nftables.d/acme-redirect.nft
+
+- name: "[OpenRC] Restart service: nftables"
+ service:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "openrc"
+ - network.nftables.enable is true
+
+- name: "[systemd] Restart service: nftables"
+ systemd:
+ name: nftables
+ state: restarted
+ when:
+ - ansible_service_mgr == "systemd"
+ - network.nftables.enable is true
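Review bot: The `Delete leftovers` list removes the config directory, the state directory, the config file and the nftables rule, but not `/etc/sudoers.d/acme-redirect`, which configure.yml creates; after the role is disabled the host keeps a stale `NOPASSWD` grant for the `acme-redirect` username even though the package that used it is gone. Add `- /etc/sudoers.d/acme-redirect` to the `with_items` list. The double blank line before `Delete leftovers` is also a yamllint `empty-lines` hit.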
diff --git a/roles/acme-redirect/tasks/start.yml b/roles/acme-redirect/tasks/start.yml
@@ -0,0 +1,41 @@
+---
+
+- name: "[OpenRC] Enable and restart service: acme-redirect"
+ service:
+ name: acme-redirect
+ enabled: yes
+ state: restarted
+ when:
+ - ansible_service_mgr == "openrc"
+
+- name: "[systemd] Enable and restart service: acme-redirect"
+ systemd:
+ name: acme-redirect
+ enabled: yes
+ state: restarted
+ when:
+ - ansible_service_mgr == "systemd"
+
+- command:
+ cmd: acme-redirect check -q
+ register: acme_check
+ become: yes
+ become_user: acme-redirect
+ when:
+ - services.acme_redirect.enable is true
+
+- fail:
+ msg: "Check of Certs failed: {{acme_check.stdout}}"
+ when:
+ - acme_check.stdout | length > 0
+
+- command:
+ cmd: acme-redirect renew -q
+ register: acme_renew
+ become: yes
+ become_user: acme-redirect
+
+- fail:
+ msg: "Renew of certs failed: {{acme_renew.stdout}}"
+ when:
+ - acme_renew.stdout | length > 0
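Review bot: The `acme-redirect check -q` task still carries `when: services.acme_redirect.enable is true` while every other task in this file lost it; main.yml already gates the include on that variable, so the condition is redundant here, and if it were ever false the following `fail` task would dereference `acme_check.stdout` on a skipped result and error instead of skipping. Drop the `when` from the check task, or guard the fail with `- acme_check is not skipped` as a first condition. Both `command` tasks also report changed on every run; `changed_when: false` on the check task at least makes the read-only step idempotent in reporting, and giving the four unnamed `command`/`fail` tasks a `name:` would make the play output readable.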