mirror of
https://github.com/kevinveenbirkenbach/computer-playbook.git
synced 2025-08-30 15:28:12 +02:00
Refactor role naming for TLS and proxy stack
- Renamed role `srv-tls-core` → `sys-svc-certs` - Renamed role `srv-https-stack` → `sys-stk-front-pure` - Renamed role `sys-stk-front` → `sys-stk-front-proxy` - Updated all includes, READMEs, meta, and dependent roles accordingly This improves clarity and consistency of naming conventions for certificate management and proxy orchestration. See: https://chatgpt.com/share/68b19f2c-22b0-800f-ba9b-3f2c8fd427b0
This commit is contained in:
38
roles/sys-svc-certs/tasks/flavors/_san.yml
Normal file
38
roles/sys-svc-certs/tasks/flavors/_san.yml
Normal file
@@ -0,0 +1,38 @@
|
||||
# Necessary to have this seperat file to pass performance tests
|
||||
- name: Install certbundle
|
||||
include_role:
|
||||
name: pkgmgr-install
|
||||
vars:
|
||||
package_name: certbundle
|
||||
|
||||
- name: Generate SAN certificate with certbundle
|
||||
command: >-
|
||||
certbundle
|
||||
--domains "{{ current_play_domains_all | join(',') }}"
|
||||
--certbot-email "{{ users.administrator.email }}"
|
||||
--certbot-acme-challenge-method "{{ CERTBOT_ACME_CHALLENGE_METHOD }}"
|
||||
--chunk-size 100
|
||||
{% if CERTBOT_ACME_CHALLENGE_METHOD != 'webroot' %}
|
||||
--certbot-credentials-file "{{ CERTBOT_CREDENTIALS_FILE }}"
|
||||
--certbot-dns-propagation-seconds "{{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}"
|
||||
{% else %}
|
||||
--letsencrypt-webroot-path "{{ LETSENCRYPT_WEBROOT_PATH }}"
|
||||
{% endif %}
|
||||
{{ '--mode-test' if MODE_TEST | bool else '' }}
|
||||
register: certbundle_result
|
||||
changed_when: "'Certificate not yet due for renewal' not in certbundle_result.stdout"
|
||||
failed_when: >
|
||||
certbundle_result.rc != 0
|
||||
and 'too many certificates' not in (certbundle_result.stderr | lower | default(''))
|
||||
and 'the service is down for maintenance or had an internal error' not in (certbundle_result.stderr | lower | default(''))
|
||||
|
||||
- name: Warn if LetsEncrypt was down
|
||||
when: "'the service is down for maintenance or had an internal error' in (certbundle_result.stderr | lower | default(''))"
|
||||
debug:
|
||||
msg: >
|
||||
WARNING: Let's Encrypt responded with "service down for maintenance / internal error".
|
||||
Certificate request skipped; please retry later.
|
||||
|
||||
- name: run the san tasks once
|
||||
set_fact:
|
||||
run_once_san_certs: true
|
||||
30
roles/sys-svc-certs/tasks/flavors/dedicated.yml
Normal file
30
roles/sys-svc-certs/tasks/flavors/dedicated.yml
Normal file
@@ -0,0 +1,30 @@
|
||||
- name: "Check if certificate already exists for '{{ domain }}'"
|
||||
cert_check_exists:
|
||||
domain: "{{ domain }}"
|
||||
cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
|
||||
register: cert_check
|
||||
|
||||
- name: "receive certificate for '{{ domain }}'"
|
||||
command: >-
|
||||
certbot certonly
|
||||
--agree-tos
|
||||
--email {{ users.administrator.email }}
|
||||
--non-interactive
|
||||
{% if CERTBOT_ACME_CHALLENGE_METHOD != "webroot" %}
|
||||
--dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}
|
||||
--dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-credentials {{ CERTBOT_CREDENTIALS_FILE }}
|
||||
--dns-{{ CERTBOT_ACME_CHALLENGE_METHOD }}-propagation-seconds {{ CERTBOT_DNS_PROPAGATION_WAIT_SECONDS }}
|
||||
{% else %}
|
||||
--webroot
|
||||
-w {{ LETSENCRYPT_WEBROOT_PATH }}
|
||||
{% endif %}
|
||||
{% if wildcard_domain is defined and ( wildcard_domain | bool ) %}
|
||||
-d {{ PRIMARY_DOMAIN }}
|
||||
-d *.{{ PRIMARY_DOMAIN }}
|
||||
{% else %}
|
||||
-d {{ domain }}
|
||||
{% endif %}
|
||||
{{ '--test-cert' if MODE_TEST | bool else '' }}
|
||||
register: certbot_result
|
||||
changed_when: "'Certificate not yet due for renewal' not in certbot_result.stdout"
|
||||
when: not cert_check.exists
|
||||
3
roles/sys-svc-certs/tasks/flavors/san.yml
Normal file
3
roles/sys-svc-certs/tasks/flavors/san.yml
Normal file
@@ -0,0 +1,3 @@
|
||||
# Neccessary encapsulation to pass performance tests
|
||||
- include_tasks: "_san.yml"
|
||||
when: run_once_san_certs is not defined
|
||||
19
roles/sys-svc-certs/tasks/flavors/wildcard.yml
Normal file
19
roles/sys-svc-certs/tasks/flavors/wildcard.yml
Normal file
@@ -0,0 +1,19 @@
|
||||
- name: "Load wildcard certificate for domain"
|
||||
include_tasks: "dedicated.yml"
|
||||
vars:
|
||||
wildcard_domain: true
|
||||
when:
|
||||
- domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
|
||||
- run_once_receive_certificate is not defined
|
||||
|
||||
- name: "Load dedicated certificate for domain"
|
||||
include_tasks: "dedicated.yml"
|
||||
vars:
|
||||
wildcard_domain: false
|
||||
when:
|
||||
- not (domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN))
|
||||
|
||||
- name: run the receive_certificate tasks once
|
||||
set_fact:
|
||||
run_once_receive_certificate: true
|
||||
when: run_once_receive_certificate is not defined
|
||||
45
roles/sys-svc-certs/tasks/main.yml
Normal file
45
roles/sys-svc-certs/tasks/main.yml
Normal file
@@ -0,0 +1,45 @@
|
||||
- block:
|
||||
- name: Include dependency 'sys-stk-front-pure'
|
||||
include_role:
|
||||
name: sys-stk-front-pure
|
||||
when: run_once_sys_stk_front_pure is not defined
|
||||
- include_tasks: utils/run_once.yml
|
||||
when: run_once_sys_svc_certs is not defined
|
||||
|
||||
- name: "Include flavor '{{ CERTBOT_FLAVOR }}' for '{{ domain }}'"
|
||||
include_tasks: "{{ [role_path, 'tasks/flavors', CERTBOT_FLAVOR ~'.yml'] | path_join }}"
|
||||
|
||||
#- name: "Cleanup dedicated cert for '{{ domain }}'"
|
||||
# command: >-
|
||||
# certbot delete --cert-name {{ domain }} --non-interactive
|
||||
# when:
|
||||
# - MODE_CLEANUP | bool
|
||||
# # Cleanup mode is enabled
|
||||
# - CERTBOT_FLAVOR != 'dedicated'
|
||||
# # Wildcard certificate is enabled
|
||||
# - domain.split('.') | length == (PRIMARY_DOMAIN.split('.') | length + 1) and domain.endswith(PRIMARY_DOMAIN)
|
||||
# # AND: The domain is a direct first-level subdomain of the primary domain
|
||||
# - domain != PRIMARY_DOMAIN
|
||||
# # The domain is not the primary domain
|
||||
# register: certbot_result
|
||||
# failed_when: certbot_result.rc != 0 and ("No certificate found with name" not in certbot_result.stderr)
|
||||
# changed_when: certbot_result.rc == 0 and ("No certificate found with name" not in certbot_result.stderr)
|
||||
|
||||
- name: "Find SSL cert folder for '{{ domain }}'"
|
||||
cert_folder_find:
|
||||
domain: "{{ domain }}"
|
||||
cert_base_path: "{{ LETSENCRYPT_LIVE_PATH }}"
|
||||
debug: "{{ MODE_DEBUG | bool }}"
|
||||
register: cert_folder_result
|
||||
delegate_to: "{{ inventory_hostname }}"
|
||||
changed_when: false
|
||||
|
||||
- name: "Set ssl_cert_folder fact to '{{ cert_folder_result.folder }}'"
|
||||
set_fact:
|
||||
ssl_cert_folder: "{{ cert_folder_result.folder }}"
|
||||
changed_when: false
|
||||
|
||||
- name: "Ensure ssl_cert_folder is set for domain {{ domain }}"
|
||||
fail:
|
||||
msg: "No certificate folder found for domain {{ domain }}"
|
||||
when: ssl_cert_folder is undefined or ssl_cert_folder is none
|
||||
Reference in New Issue
Block a user