chore(lego): fix lints in role

This commit is contained in:
Jan Christian Grünhage 2023-02-21 15:26:27 +01:00
parent 4791ebd72f
commit 0962644632
No known key found for this signature in database
GPG key ID: EEC1170CE56FA2ED
4 changed files with 155 additions and 135 deletions


@ -1,26 +1,45 @@
---
lego_base_path: /opt/lego
lego_base_path: "/opt/lego"
lego_certificate_store: "{{ lego_base_path }}/certificates"
lego_certificate_store_user: "{{ lego_user_res.uid | default(lego_user) }}"
lego_certificate_store_group: "{{ lego_user_res.group | default(lego_user) }}"
lego_certificate_store_mode: "0750"
lego_systemd_path: /etc/systemd/system
lego_version: 4.5.2
lego_systemd_path: "/etc/systemd/system"
lego_version: "4.5.2"
lego_system_type: "linux"
lego_system_arch: "amd64"
lego_executable: "{{ lego_base_path }}/lego"
lego_account_base_path: "{{ lego_base_path }}/accounts"
lego_cap_net_bind_service: yes
lego_cap_net_bind_service: true
lego_source_server_domain: github.com
lego_source_url: "https://{{ lego_source_server_domain }}/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_{{ lego_system_type }}_{{ lego_system_arch }}.tar.gz"
lego_source_checksum_url: "sha256:https://{{ lego_source_server_domain }}/go-acme/lego/releases/download/v{{ lego_version }}/lego_{{ lego_version }}_checksums.txt"
lego_source_server_domain: "github.com"
lego_source_url: >-2
https://{{
lego_source_server_domain
}}/go-acme/lego/releases/download/v{{
lego_version
}}/lego_v{{
lego_version
}}_{{
lego_system_type
}}_{{
lego_system_arch
}}.tar.gz
lego_source_checksum_url: >-2
sha256:https://{{
lego_source_server_domain
}}/go-acme/lego/releases/download/v{{
lego_version
}}/lego_{{
lego_version
}}_checksums.txt
lego_source_url_http_username: ~
lego_source_url_http_password: ~
lego_check_version_cmd: "test -e {{ lego_executable }} && {{ lego_executable }} --version"
lego_check_version_cmd: >-2
test -e {{ lego_executable }} && {{ lego_executable }} --version
lego_user: lego
lego_user: "lego"
lego_timer_on_boot: ~
lego_timer_on_calendar: "*-*-* 00,12:00:00"
lego_timer_interval: ~
@ -29,10 +48,10 @@ lego_timer_random_delay: 43200
lego_timer_persistent: true
lego_certificate: ~
lego_letsencrypt_environment: staging
lego_letsencrypt_environment: "staging"
lego_challenge:
type: http
type: "http"
lego_letsencrypt_servers:
prod: "https://acme-v02.api.letsencrypt.org/directory"
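Review bot: The indentation indicator in `>-2` on `lego_source_url`, `lego_source_checksum_url` and `lego_check_version_cmd` is unnecessary — YAML only needs it when the first content line begins with extra spaces — and plain `>-` is the conventional form. The folded URLs survive only because every line break falls inside a `{{ … }}` expression, where Jinja ignores the joining space; a break placed outside the braces would insert a literal space into the download URL, which is worth recording above `lego_source_url`: `# folded scalar: keep every line break inside a {{ }} expression, a break outside it becomes a space in the URL`.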


@ -1,13 +1,13 @@
---
- name: Run lego
become: yes
- name: "Run lego"
become: true
become_user: "{{ lego_user_res.name }}"
environment: "{{ lego_configuration_merged.environment }}"
command: "{{ lego_command_playbook }}"
async: 900
poll: 0
register: lego_run
register: "lego_run"
- name: Reload systemd
- name: "Reload systemd"
systemd:
daemon_reload: yes
daemon_reload: true
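Review bot: With `async: 900` and `poll: 0` the `Run lego` handler is fire-and-forget, so a non-zero exit of `{{ lego_command_playbook }}` never fails the play, and the registered `lego_run` result is not consumed anywhere in this hunk. If `async` is meant only as a 15-minute timeout, `poll: 10` keeps the handler blocking until lego exits and surfaces its exit status; otherwise a follow-up `ansible.builtin.async_status` handler polling `lego_run.ansible_job_id` with `until: <registered>.finished` is needed, under the same `become_user`. As written, a failed issuance or renewal is only visible in the system journal.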


@ -1,42 +1,42 @@
---
- name: Ensure lego user is created
- name: "Ensure lego user is created"
user:
name: "{{ lego_user }}"
state: present
system: yes
register: lego_user_res
tags: [prepare, prepare-lego]
state: "present"
system: true
register: "lego_user_res"
tags: ["prepare", "prepare-lego"]
- name: Ensure base directory for lego is created
- name: "Ensure base directory for lego is created"
file:
path: "{{ lego_base_path }}"
state: directory
state: "directory"
owner: "{{ lego_certificate_store_user }}"
group: "{{ lego_certificate_store_group }}"
mode: "0755"
tags: [prepare, prepare-lego]
tags: ["prepare", "prepare-lego"]
- name: Ensure certificate directory exists and has the configured permissions
- name: "Ensure certificate directory exists and has the configured permissions"
file:
path: "{{ lego_certificate_store }}"
state: directory
state: "directory"
owner: "{{ lego_certificate_store_user }}"
group: "{{ lego_certificate_store_group }}"
mode: "{{ lego_certificate_store_mode }}"
tags: [prepare, prepare-lego]
tags: ["prepare", "prepare-lego"]
- name: Ensure lego binary exists and has the correct version
shell: "{{ lego_check_version_cmd }}"
- name: "Ensure lego binary exists and has the correct version"
shell: "{{ lego_check_version_cmd }}" # noqa: command-instead-of-shell
check_mode: false
changed_when: false
ignore_errors: yes
register: lego_version_res
tags: [prepare, prepare-lego]
ignore_errors: true
register: "lego_version_res"
tags: ["prepare", "prepare-lego"]
- name: Install lego from github releases
- name: "Install lego from github releases"
when: "lego_version_res.failed or not lego_version in lego_version_res.stdout"
block:
- name: Download source file
- name: "Download source file"
get_url:
url: "{{ lego_source_url }}"
dest: "{{ lego_base_path }}/source.tar"
@ -44,110 +44,105 @@
url_username: "{{ lego_source_url_http_username | default(omit, true) }}"
url_password: "{{ lego_source_url_http_password | default(omit, true) }}"
force_basic_auth: "{{ lego_source_url_http_username | default(false, true) | bool }}"
tags: [prepare, prepare-lego]
mode: "0644"
tags: ["prepare", "prepare-lego"]
- name: Unpack source files
- name: "Unpack source files"
unarchive:
src: "{{ lego_base_path }}/source.tar"
dest: "{{ lego_base_path }}"
owner: "{{ lego_user_res.uid }}"
group: "{{ lego_user_res.group }}"
remote_src: True
tags: [prepare, prepare-lego]
remote_src: true
tags: ["prepare", "prepare-lego"]
- name: Allow lego to bind to ports below 1024
capabilities:
- name: "Allow lego to bind to ports below 1024"
community.general.capabilities:
path: "{{ lego_executable }}"
capability: cap_net_bind_service=+ep
state: present
when: lego_cap_net_bind_service
tags: [prepare, prepare-lego]
capability: "cap_net_bind_service=+ep"
state: "present"
when: "lego_cap_net_bind_service"
tags: ["prepare", "prepare-lego"]
- name: Delete source files
- name: "Delete source files"
file:
path: "{{ lego_base_path }}/source.tar"
state: absent
tags: [prepare, prepare-lego]
when: 'lego_version_res.failed or not lego_version in lego_version_res.stdout'
state: "absent"
tags: ["prepare", "prepare-lego"]
- name: Create acme account
- name: "Create acme account"
when: "lego_acme_account is defined and lego_acme_privkey is defined"
block:
- name: Create account directory
- name: "Create account directory"
file:
path: "{{ lego_acme_account_base_path }}"
state: directory
mode: "0700"
state: "directory"
mode: "0755"
owner: "{{ lego_user_res.uid }}"
group: "{{ lego_user_res.group }}"
tags: [prepare, prepare-lego]
tags: ["prepare", "prepare-lego"]
- name: Create key directory
- name: "Create key directory"
file:
path: "{{ lego_acme_key_base_path }}"
state: directory
mode: "0700"
state: "directory"
mode: "0755"
owner: "{{ lego_user_res.uid }}"
group: "{{ lego_user_res.group }}"
tags: [prepare, prepare-lego]
tags: ["prepare", "prepare-lego"]
- name: Save acme account
- name: "Save acme account"
copy:
dest: "{{ lego_acme_account_path }}"
content: "{{ lego_acme_account_merged | to_json }}"
notify:
- Run lego
tags: [deploy, deploy-lego]
mode: "0600"
tags: ["deploy", "deploy-lego"]
- name: Save acme private key
- name: "Save acme private key"
copy:
dest: "{{ lego_acme_key_path }}"
content: "{{ lego_acme_privkey }}"
notify:
- Run lego
tags: [deploy, deploy-lego]
mode: "0600"
tags: ["deploy", "deploy-lego"]
when: lego_acme_account is defined and lego_acme_privkey is defined
- name: Check if certificate is nonexistent or differs from wanted state
- name: "Check if certificate is nonexistent or differs from wanted state"
block:
- name: Check if certificate file exists
- name: "Check if certificate file exists"
ansible.builtin.stat:
path: "{{ lego_certificate_store }}/{{ lego_certificate.domains[0] }}.crt"
register: lego_certificate_stat
changed_when: not lego_certificate_stat.stat.exists
notify:
- Run lego
tags: [deploy, deploy-lego]
register: "lego_certificate_stat"
changed_when: "not lego_certificate_stat.stat.exists"
notify: ["Run lego"]
tags: ["deploy", "deploy-lego"]
- name: Fetch certificate info
- name: "Fetch certificate info"
community.crypto.x509_certificate_info:
path: "{{ lego_certificate_store }}/{{ lego_certificate.domains[0] }}.crt"
when: lego_certificate_stat.stat.exists
register: lego_certificate_info
tags: [deploy, deploy-lego]
when: "lego_certificate_stat.stat.exists"
register: "lego_certificate_info"
tags: ["deploy", "deploy-lego"]
# you have to seperatly loop because map with regex_replace does not like getting AnsibleUnsafeText objects
- name: remove DNS at the start of the SAN
- name: "Remove DNS at the start of the SAN"
ansible.builtin.set_fact:
lego_certificate_sans: "{{ lego_certificate_sans | default([]) + [ item | regex_replace('^DNS:', '') ] }}"
lego_certificate_sans: "{{ lego_certificate_sans | default([]) + [item | regex_replace('^DNS:', '')] }}"
loop: "{{ lego_certificate_info.subject_alt_name }}"
when: lego_certificate_stat.stat.exists
tags: [deploy, deploy-lego]
when: "lego_certificate_stat.stat.exists"
tags: ["deploy", "deploy-lego"]
- name: Compare SANs, notify handler if they differ
- name: "Compare SANs, notify handler if they differ"
ansible.builtin.set_fact:
lego_certificate_sans_equal: >-2
{{
lego_certificate.domains is superset(lego_certificate_sans)
and lego_certificate.domains is subset(lego_certificate_sans)
}}
when: lego_certificate_stat.stat.exists
changed_when: not lego_certificate_sans_equal
notify:
- Run lego
tags: [deploy, deploy-lego]
when: "lego_certificate_stat.stat.exists"
changed_when: "not lego_certificate_sans_equal"
notify: ["Run lego"]
tags: ["deploy", "deploy-lego"]
- name: Compare pubkey type, notify handler if it differs
- name: "Compare pubkey type, notify handler if it differs"
ansible.builtin.set_fact:
lego_certificate_pubkey_type_differs: "{{ lego_certificate_info.public_key_type != lego_certificate_wanted_keytype }}"
vars:
@ -156,53 +151,43 @@
"ECC" if "ec" in lego_configuration.command_parameters.global["key-type"]
else "RSA" if "rsa" in lego_configuration.command_parameters.global["key-type"]
}}
when: lego_certificate_stat.stat.exists
changed_when: lego_certificate_pubkey_type_differs
notify:
- Run lego
tags: [deploy, deploy-lego]
when: "lego_certificate_stat.stat.exists"
changed_when: "lego_certificate_pubkey_type_differs"
notify: ["Run lego"]
tags: ["deploy", "deploy-lego"]
- name: Ensure systemd unit file for lego is templated
- name: "Ensure systemd unit file for lego is templated"
template:
src: lego.service.j2
src: "lego.service.j2"
dest: "{{ lego_systemd_path }}/lego.service"
owner: "root"
group: "root"
mode: '0755'
notify:
- Reload systemd
tags: [deploy, deploy-lego]
mode: "0755"
notify: ["Reload systemd"]
tags: ["deploy", "deploy-lego"]
- name: Ensure systemd timer for lego is templated
- name: "Ensure systemd timer for lego is templated"
template:
src: lego.timer.j2
src: "lego.timer.j2"
dest: "{{ lego_systemd_path }}/lego.timer"
owner: "root"
group: "root"
mode: '0755'
notify:
- Reload systemd
tags: [deploy, deploy-lego]
mode: "0755"
notify: ["Reload systemd"]
tags: ["deploy", "deploy-lego"]
- name: Flush handlers to ensure systemd has loaded the unit files
meta: flush_handlers
- name: "Flush handlers to ensure systemd has loaded the unit files"
meta: "flush_handlers"
- name: Enable lego.service
- name: "Enable lego.service"
systemd:
name: "lego.service"
enabled: yes
tags: [deploy, deploy-lego]
enabled: true
tags: ["deploy", "deploy-lego"]
- name: Enable lego.timer
- name: "Enable lego.timer"
systemd:
name: "lego.timer"
enabled: yes
register: res_lego_timer
tags: [deploy, deploy-lego]
- name: Start lego.timer
systemd:
name: "lego.timer"
state: started
when: res_lego_timer.changed
tags: [deploy, deploy-lego]
state: "started"
enabled: true
tags: ["deploy", "deploy-lego"]
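Review bot: The `mode: "0755"` on the `Create account directory` and `Create key directory` tasks replaces the previous `"0700"`, which turns a lint-only commit into a permission relaxation: `lego_acme_key_base_path` holds the ACME account private key, and with `0755` any local user can list that tree (whose path embeds the account e-mail, per the vars file) even though the new `mode: "0600"` on the copied files keeps their contents private. Restore `mode: "0700"` on both tasks, or at least `"0750"` to match `lego_certificate_store_mode`, and if the relaxation is intentional say why in the commit message. In the last hunk the templated `lego.service` and `lego.timer` also keep `mode: "0755"`; unit files are not executed, so `mode: "0644"` is the conventional value.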


@ -2,51 +2,67 @@
lego_challenge_mergeable:
command_parameters:
global: "{'{{ lego_challenge.type }}': '{{ lego_challenge.provider | default('') }}'}"
lego_configuration_merged: >-
{{ lego_configuration_defaults | combine(lego_challenge_mergeable, recursive=True)
| combine(lego_configuration | default({}), recursive=True) }}
# Build global command
lego_command_domains: >-2
{% for domain in lego_certificate.domains %}
--domains={{ domain }}
{%- endfor -%}
{% for domain in lego_certificate.domains %} --domains={{ domain }}{%- endfor -%}
lego_command_parameters_global: >-2
{% for parameter in lego_configuration_merged.command_parameters.global %}
--{{ parameter }}
{%- if not (lego_configuration_merged.command_parameters.global[parameter] == None or lego_configuration_merged.command_parameters.global[parameter] == '') -%}
{%- if not (
lego_configuration_merged.command_parameters.global[parameter] == None
or
lego_configuration_merged.command_parameters.global[parameter] == ''
) -%}
={{ lego_configuration_merged.command_parameters.global[parameter] }}
{%- endif -%}
{%- endfor -%}
lego_command_global_merged: "{{ lego_executable }}{{ lego_command_domains }}{{ lego_command_parameters_global }} "
lego_command_global_merged: >-2
{{ lego_executable }}{{ lego_command_domains }}{{ lego_command_parameters_global }}
# Build action commands
lego_command_playbook_parameters: >-2
{% for parameter in lego_configuration_merged.command_parameters[lego_tasks.playbook] %}
--{{ parameter }}
{%- if not (lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == '') -%}
{%- if not (
lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == None
or
lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == ''
) -%}
={{ lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] }}
{%- endif -%}
{%- endfor -%}
lego_command_playbook: "{{ lego_command_global_merged }}{{ lego_tasks.playbook }}{{ lego_command_playbook_parameters }}"
lego_command_playbook: >-2
{{ lego_command_global_merged }}{{ lego_tasks.playbook }}{{ lego_command_playbook_parameters }}
lego_command_systemd_parameters: >-2
{% for parameter in lego_configuration_merged.command_parameters[lego_tasks.systemd] %}
--{{ parameter }}
{%- if not (lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == '') -%}
{%- if not (
lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == None
or
lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == ''
) -%}
={{ lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] }}
{%- endif -%}
{%- endfor -%}
lego_command_systemd: "{{ lego_command_global_merged }}{{ lego_tasks.systemd }}{{ lego_command_systemd_parameters }}"
lego_command_systemd: >-2
{{ lego_command_global_merged }} {{ lego_tasks.systemd }}{{ lego_command_systemd_parameters }}
# ACME account
lego_acme_account_merged: "{{ lego_acme_account_defaults | combine(lego_acme_account | default({}), recursive=True) }}"
lego_acme_account_base_path: "{{ lego_account_base_path }}/{{ lego_configuration_merged.command_parameters.global.server | urlsplit('hostname') }}/{{ lego_configuration_merged.command_parameters.global.email }}"
lego_acme_account_base_path: >-2
{{ lego_account_base_path }}/{{
lego_configuration_merged.command_parameters.global.server | urlsplit('hostname')
}}/{{ lego_configuration_merged.command_parameters.global.email }}
lego_acme_key_base_path: "{{ lego_acme_account_base_path }}/keys"
lego_acme_account_path: "{{ lego_acme_account_base_path }}/account.json"
lego_acme_key_path: "{{ lego_acme_key_base_path }}/{{ lego_configuration_merged.command_parameters.global.email }}.key"
lego_acme_key_path: >-2
{{ lego_acme_key_base_path }}/{{ lego_configuration_merged.command_parameters.global.email }}.key