feat(lego): Add support for using existing acme accounts

roles/lego/README.md

@@ -96,3 +96,21 @@ This role differentiates between 2 tasks:
 
 ### Hooks
 You can request lego to run hooks after certain events. You can add those using `lego_configuration`. More info on hooks can be found here: [https://go-acme.github.io/lego/usage/cli/examples/#to-renew-the-certificate-and-hook](https://go-acme.github.io/lego/usage/cli/examples/) 
+
+### Use an existing acme account
+To use an existing acme account you have to pass its account uri and the private key like this:
+
+**You MUST use a PEM-encoded private key:**
+It must be wrapped with `-----BEGIN RSA PRIVATE KEY-----` and `-----END RSA PRIVATE KEY-----`.
+```yml
+lego_acme_privkey: |
+  -----BEGIN RSA PRIVATE KEY-----
+  MYSUPERSECRETPRIVATEKEY
+  MYSUPERSECRETPRIVATEKEY
+  MYSUPERSECRETPRIVATEKEY
+  -----END RSA PRIVATE KEY-----
+
+lego_acme_account:
+  registration:
+    uri: "https://acme-v02.api.letsencrypt.org/acme/acct/my-account-id"
+```

roles/lego/defaults/main.yml

@@ -5,6 +5,7 @@ lego_version: 4.5.2
 lego_system_type: "linux"
 lego_system_arch: "amd64"
 lego_executable: "{{ lego_base_path }}/lego"
+lego_account_base_path: "{{ lego_base_path }}/accounts"
 lego_cap_net_bind_service: yes
 
 lego_source_url: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_{{ lego_system_type }}_{{ lego_system_arch }}.tar.gz"
@@ -30,6 +31,16 @@ lego_tasks:
   playbook: "run"
   systemd: "renew"
 
+lego_acme_account_defaults:
+  email: "{{ lego_certificate.email }}"
+  registration:
+    body:
+      status: "valid"
+      contact:
+        - "mailto:{{ lego_certificate.email }}"
+
+lego_certificate_renewal_days: 30
+
 lego_configuration_defaults:
   command_parameters:
     global:
@@ -39,5 +50,5 @@ lego_configuration_defaults:
       path: "{{ lego_base_path }}"
     run: {}
     renew:
-      days: 30
+      days: "{{ lego_certificate_renewal_days }}"
   environment: {}

roles/lego/tasks/main.yml

@@ -1,4 +1,8 @@
 ---
+- name: debug
+  debug:
+    msg: "{{ lego_command_playbook_parameters }}"
+
 - name: create lego user
   user:
     name: "{{ lego_user }}"
@@ -48,6 +52,41 @@
         state: absent
   when: 'lego_version_res.failed or not lego_version in lego_version_res.stdout'
 
+- name: Create acme account
+  block:
+    - name: Create account directory
+      file:
+        path: "{{ lego_acme_account_base_path }}"
+        state: directory
+        mode: "0700"
+        owner: "{{ lego_user_res.uid }}"
+        group: "{{ lego_user_res.group }}"
+
+    - name: Create key directory
+      file:
+        path: "{{ lego_acme_key_base_path }}"
+        state: directory
+        mode: "0700"
+        owner: "{{ lego_user_res.uid }}"
+        group: "{{ lego_user_res.group }}"
+
+    - name: Save acme account
+      copy:
+        dest: "{{ lego_acme_account_path }}"
+        content: "{{ lego_acme_account_merged | to_json }}"
+      notify:
+        - Run lego
+
+    - name: Save acme private key
+      copy:
+        dest: "{{ lego_acme_key_path }}"
+        content: "{{ lego_acme_privkey }}"
+      notify:
+        - Run lego
+
+  when: lego_acme_account is defined and lego_acme_privkey is defined
+
+
 - name: template systemd service
   template:
     src: lego.service.j2
@@ -69,7 +108,7 @@
   notify:
     - Reload systemd
 
-- name: Flush handlers for systemd
+- name: Flush handlers
   meta: flush_handlers
 
 - name: Enable lego.service
@@ -77,8 +116,14 @@
     name: "lego.service"
     enabled: yes
 
-- name: Start and enable lego.timer
+- name: Enable lego.timer
+  systemd:
+    name: "lego.timer"
+    enabled: yes
+  register: res_lego_timer
+
+- name: Start lego.timer
   systemd:
     name: "lego.timer"
     state: started
-    enabled: yes
+  when: res_lego_timer.changed

roles/lego/vars/main.yml

@@ -9,35 +9,44 @@ lego_configuration_merged: >-
 
 # Build global command
 lego_command_domains: >-2
-  {% for domain in lego_certificate.domains
-  %}--domains={{ domain }}
-  {% endfor %}
+  {% for domain in lego_certificate.domains %}
+  --domains={{ domain }}
+  {%- endfor -%}
 
 lego_command_parameters_global: >-2
-  {% for parameter in lego_configuration_merged.command_parameters.global
-  %}--{{ parameter }}{%
-  if not (lego_configuration_merged.command_parameters.global[parameter] == None or lego_configuration_merged.command_parameters.global[parameter] == '')
-  %}={{ lego_configuration_merged.command_parameters.global[parameter] }}{%
-  endif %}
-  {% endfor %}
+  {% for parameter in lego_configuration_merged.command_parameters.global %}
+  --{{ parameter }}
+    {%- if not (lego_configuration_merged.command_parameters.global[parameter] == None or lego_configuration_merged.command_parameters.global[parameter] == '') -%}
+      ={{ lego_configuration_merged.command_parameters.global[parameter] }}
+    {%- endif -%}
+  {%- endfor -%}
 
-lego_command_global_merged: "{{ lego_executable }} {{ lego_command_domains }}{{ lego_command_parameters_global }}"
+lego_command_global_merged: "{{ lego_executable }}{{ lego_command_domains }}{{ lego_command_parameters_global }} "
 
 # Build action commands
 lego_command_playbook_parameters: >-2
-  {% for parameter in lego_configuration_merged.command_parameters[lego_tasks.playbook]
-  %}--{{ parameter }}{%
-  if not (lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == '')
-  %}={{ lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] }}{%
-  endif %}
-  {% endfor %}
-lego_command_playbook: "{{ lego_command_global_merged }}{{ lego_tasks.playbook }} {{ lego_command_playbook_parameters }}"
+  {% for parameter in lego_configuration_merged.command_parameters[lego_tasks.playbook] %}
+  --{{ parameter }}
+    {%-  if not (lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] == '') -%}
+      ={{ lego_configuration_merged.command_parameters[lego_tasks.playbook][parameter] }}
+    {%- endif -%}
+  {%- endfor -%}
+
+lego_command_playbook: "{{ lego_command_global_merged }}{{ lego_tasks.playbook }}{{ lego_command_playbook_parameters }}"
 
 lego_command_systemd_parameters: >-2
-  {% for parameter in lego_configuration_merged.command_parameters[lego_tasks.systemd]
-  %}--{{ parameter }}{%
-  if not (lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == '')
-  %}={{ lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] }}{%
-  endif %}
-  {% endfor %}
-lego_command_systemd: "{{ lego_command_global_merged }}{{ lego_tasks.systemd }} {{ lego_command_systemd_parameters }}"
+  {% for parameter in lego_configuration_merged.command_parameters[lego_tasks.systemd] %}
+  --{{ parameter }}
+    {%- if not (lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == None or lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] == '') -%}
+      ={{ lego_configuration_merged.command_parameters[lego_tasks.systemd][parameter] }}
+    {%- endif -%}
+  {%- endfor -%}
+
+lego_command_systemd: "{{ lego_command_global_merged }}{{ lego_tasks.systemd }}{{ lego_command_systemd_parameters }}"
+
+# ACME account
+lego_acme_account_merged: "{{ lego_acme_account_defaults | combine(lego_acme_account | default({}), recursive=True) }}"
+lego_acme_account_base_path: "{{ lego_account_base_path }}/{{ lego_configuration_merged.command_parameters.global.server | urlsplit('hostname') }}/{{ lego_configuration_merged.command_parameters.global.email }}"
+lego_acme_key_base_path: "{{ lego_acme_account_base_path }}/keys"
+lego_acme_account_path: "{{ lego_acme_account_base_path }}/account.json"
+lego_acme_key_path: "{{ lego_acme_key_base_path }}/{{ lego_configuration_merged.command_parameters.global.email }}.key"