salt/ansible
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Have the https role do all the config changing

Browse Source 
Hopefully this should cut down on erroneous changes
This commit is contained in:
Salt 2020-02-20 04:19:03 -06:00
parent d41b4ebbdf
commit e44a6126c8
2 changed files with 63 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

78
roles/https/tasks/main.yml
View File

@ -43,35 +43,55 @@
dest: "/etc/pki/cert/crt/{{ website_url }}.crt" dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
register: com_challenge register: com_challenge
- name: Fulfill challenge - name: Create or renew certificate
block: block:
- name: Reload Apache - name: Back up website config
service: command: "/usr/bin/mv /etc/apache2/sites-enabled/{{ website_url }}.conf /etc/apache2/sites-disabled/{{ website_url }}.conf"
name: apache2 args:
state: reloaded creates: "/etc/apache2/sites-disabled/{{ website_url }}.conf"
- name: Create well-known directory - name: Create temporary config
file: template:
path: "{{ website_webroot }}/.well-known/acme-challenge" src: apache2-vhost.conf
mode: "0755" dest: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
recurse: yes - name: Reload Apache
state: directory service:
- name: Copy challenge files name: apache2
copy: state: reloaded
dest: "{{ website_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}" - name: Create well-known directory
content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}" file:
- name: Create certificate path: "{{ acme_webroot }}/.well-known/acme-challenge"
acme_certificate: mode: "0755"
acme_directory: "{{ acme_directory }}" recurse: yes
acme_version: 2 state: directory
account_key: /etc/pki/cert/private/account.key - name: Copy challenge files
csr: "/etc/pki/cert/csr/{{ website_url }}.csr" copy:
dest: "/etc/pki/cert/crt/{{ website_url }}.crt" dest: "{{ acme_webroot }}/{{ com_challenge['challenge_data'][website_url]['http-01']['resource'] }}"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt" content: "{{ com_challenge['challenge_data'][website_url]['http-01']['resource_value'] }}"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt" - name: Create certificate
data: "{{ com_challenge }}" acme_certificate:
- name: Clean up acme_directory: "{{ acme_directory }}"
file: acme_version: 2
path: "{{ website_webroot }}/.well-known" account_key: /etc/pki/cert/private/account.key
state: absent csr: "/etc/pki/cert/csr/{{ website_url }}.csr"
dest: "/etc/pki/cert/crt/{{ website_url }}.crt"
fullchain_dest: "/etc/pki/cert/crt/{{ website_url }}-fullchain.crt"
chain_dest: "/etc/pki/cert/crt/{{ website_url }}-intermediate.crt"
data: "{{ com_challenge }}"
- name: Remove webroot
file:
path: "{{ acme_webroot }}/.well-known"
state: absent
- name: Remove temporary config
file:
path: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
state: absent
- name: Restore original config
command: "/usr/bin/mv /etc/apache2/sites-disabled/{{ website_url }}.conf /etc/apache2/sites-enabled/{{ website_url }}.conf"
args:
creates: "/etc/apache2/sites-enabled/{{ website_url }}.conf"
- name: Reload Apache
service:
name: apache2
state: reloaded
when: com_challenge is changed when: com_challenge is changed
become: yes become: yes

14
roles/https/templates/apache2-vhost.conf Normal file
View File

@ -0,0 +1,14 @@
# TEMPORARY configuration for {{ website_url }}
# If this file doesn't disappear quickly, there's a HUGE PROBLEM
# vim:ft=apache:
# Website configuration
<VirtualHost *:80>
ServerName {{ website_url }}
DocumentRoot {{ acme_webroot }}
<Directory "{{ acme_webroot }}">
Require all granted
AllowOverride All
Options MultiViews FollowSymlinks
</Directory>
</VirtualHost>