Have the https role do all the config changing

Hopefully this should cut down on erroneous changes
Salt 2020-02-20 04:19:03 -06:00
parent d41b4ebbdf
commit e44a6126c8
2 changed files with 63 additions and 29 deletions


@ -43,21 +43,29 @@
dest: "/etc/pki/cert/crt/{{ website_url }}.crt" dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
register: com_challenge register: com_challenge
- name: Fulfill challenge - name: Create or renew certificate
block: block:
- name: Back up website config
command: "/usr/bin/mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-disabled/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-disabled/{{ website_url }}.conf"
- name: Create temporary config
template:
src: apache2-vhost.conf
dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache - name: Reload Apache
service: service:
name: apache2 name: apache2
state: reloaded state: reloaded
- name: Create well-known directory - name: Create well-known directory
file: file:
path: "{{ website_webroot }}/.well-known/acme-challenge" path: "{{ acme_webroot }}/.well-known/acme-challenge"
mode: "0755" mode: "0755"
recurse: yes recurse: yes
state: directory state: directory
- name: Copy challenge files - name: Copy challenge files
copy: copy:
dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
- name: Create certificate - name: Create certificate
acme_certificate: acme_certificate:
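Review bot: The new "Back up website config" task fails the play on a host where `/etc/apache2/sites-enabled/{{ website_url }}.conf` does not exist yet, because `creates:` only skips the `mv` once the disabled copy is already present; if this role can run before the site's own config is in place (not visible here), add `removes: "/etc/apache2/sites-enabled/{{ website_url }}.conf"` under `args:` so the task is skipped when there is nothing to move, and mirror it on the restore step. A `mv` run through `command` also reports `changed` every time it executes, which works against the commit's stated goal of cutting down on erroneous changes. The block opened on the `Create or renew certificate` line continues into the next hunk.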
@ -69,9 +77,21 @@
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}" data: "{{ com_challenge }}"
- name: Clean up - name: Remove webroot
file: file:
path: "{{ website_webroot }}/.well-known" path: "{{ acme_webroot }}/.well-known"
state: absent state: absent
- name: Remove temporary config
file:
path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
state: absent
- name: Restore original config
command: "/usr/bin/mv /etc/apache2/sites-disabled/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
when: com_challenge is changed when: com_challenge is changed
become: yes become: yes
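Review bot: The restore steps added here ("Remove temporary config", "Restore original config" and the final "Reload Apache") only run if every earlier task in the block succeeds; if "Create certificate" fails (ACME outage, rate limit, failed validation), the play aborts with the temporary vhost still in `sites-enabled` and the real site config parked in `sites-disabled`, and that is what Apache keeps serving until someone intervenes. Move those three tasks, together with "Remove webroot", under an `always:` sibling of `block:` so the original config is put back regardless of the outcome. The `creates:` guards on the two `mv` commands already make the restore safe to re-run. The block's trailing `when:` and `become:` govern the whole block, which starts in the previous hunk.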


@ -0,0 +1,14 @@
# TEMPORARY configuration for {{ website_url }}
# If this file doesn't disappear quickly, there's a HUGE PROBLEM
# vim:ft=apache:
# Website configuration
<VirtualHost *:80>
ServerName {{ website_url }}
DocumentRoot {{ acme_webroot }}
<Directory "{{ acme_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
</VirtualHost>
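Review bot: The temporary vhost grants `AllowOverride All` and `Options MultiViews FollowSymlinks` on the whole of `{{ acme_webroot }}`, although the only content it needs to serve is `/.well-known/acme-challenge/`; while this file is live, any `.htaccess` or symlink under the webroot is honoured by a vhost that also answers as `ServerName {{ website_url }}` on port 80. Tighten the `<Directory>` block to `AllowOverride None` and `Options None`, or scope it to `"{{ acme_webroot }}/.well-known/acme-challenge"`, so the challenge can be validated without widening what the site exposes in the meantime. The rendered page shows no indentation for the nested directives; confirm the template file itself is indented.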