Add role "add_cert" to be used instead of add_cert_{dns_01,http_01}

2024-04-09 21:17:25 +02:00 · 2024-04-09 21:17:25 +02:00 · dac63af2ec
commit dac63af2ec
parent b388fa002e
9 changed files with 63 additions and 82 deletions
--- a/inventory/group_vars/mailservers
+++ b/inventory/group_vars/mailservers
@ -1,6 +1,6 @@
 ---

 virtual_domain: tunuifranken.info
-letsencrypt_email: "dns@{{ virtual_domain }}"
-letsencrypt_domain: "{{ ansible_hostname }}.{{ virtual_domain }}"
-letsencrypt_post_hook: systemctl restart postfix dovecot
+add_cert_email: "dns@{{ virtual_domain }}"
+add_cert_domain: "{{ ansible_hostname }}.{{ virtual_domain }}"
+add_cert_post_hook: systemctl restart postfix dovecot
--- a/playbook_mailserver.yml
+++ b/playbook_mailserver.yml
@ -5,25 +5,10 @@
 - name: Install mail server
  gather_facts: true
  hosts: mailserver,mailserver-test
-  pre_tasks:
-    - name: Get local public IP
-      tags: cert
-      ansible.builtin.uri:
-        url: https://ipinfo.io/ip
-        return_content: true
-      register: local_public_ip
-    - name: Get public IP of "{{ letsencrypt_domain }}"
-      tags: cert
-      ansible.builtin.set_fact:
-        target_public_ip: "{{ lookup('community.general.dig', letsencrypt_domain, '@1.1.1.1') }}"
  roles:
    - role: common_handlers
      tags: always
-    - role: add_cert_http_01
-      when: local_public_ip == target_public_ip
-      tags: cert
-    - role: add_cert_dns_01
-      when: local_public_ip != target_public_ip
+    - role: add_cert
      tags: cert
    - role: mailserver_database
      tags: database
--- a/roles/add_cert/README.md
+++ b/roles/add_cert/README.md
@ -0,0 +1,6 @@
+# Add certificate
+
+Deploys a Let's Encrypt certificate with `certbot`, using a DNS-01 or a HTTP-01 challenge.
+
+To choose between the two, this role checks the current public IP address of the host, and compares it to the IP address that the host publicly resolves to.
+It then calls sub-roles `add_cert_dns_01` or `add_cert_http_01` accordingly.
--- a/roles/add_cert/tasks/main.yml
+++ b/roles/add_cert/tasks/main.yml
@ -0,0 +1,30 @@
+---
+
+- name: Make sure needed vars are defined
+  ansible.builtin.fail:
+    msg: "{{ item }} is undefined"
+  loop:
+    - "{{ add_cert_domain }}"
+    - "{{ add_cert_email }}"
+    - "{{ add_cert_post_hook }}"
+  when: item is undefined
+
+- name: Get local public IP
+  ansible.builtin.uri:
+    url: https://ipinfo.io/ip
+    return_content: true
+  register: local_public_ip
+
+- name: Get public IP of "{{ add_cert_domain }}"
+  ansible.builtin.set_fact:
+    target_public_ip: "{{ lookup('community.general.dig', add_cert_domain, '@1.1.1.1') }}"
+
+- name: Deploy letsencrypt certificate (HTTP-01)
+  when: local_public_ip == target_public_ip
+  ansible.builtin.include_role:
+    name: add_cert_http_01
+
+- name: Deploy letsencrypt certificate (DNS-01)
+  when: local_public_ip != target_public_ip
+  ansible.builtin.include_role:
+    name: add_cert_dns_01
--- a/roles/add_cert_dns_01/tasks/main.yml
+++ b/roles/add_cert_dns_01/tasks/main.yml
@ -37,12 +37,12 @@
      - --rsa-key-size
      - 4096
      - -d
-      - "{{ letsencrypt_domain }}"
+      - "{{ add_cert_domain }}"
      - -m
-      - "{{ letsencrypt_email }}"
+      - "{{ add_cert_email }}"
      - --agree-tos
      - --post-hook
-      - "{{ letsencrypt_post_hook }}"
+      - "{{ add_cert_post_hook }}"

 - name: Set letsencrypt dns-01 challenge argv (staging)
  when: ansible_hostname.endswith('-test')
@ -53,7 +53,7 @@
  become: true
  ansible.builtin.command:
    argv: "{{ letsencrypt_dns_01_challenge_argv }}"
-    creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}"
+    creates: "/etc/letsencrypt/live/{{ add_cert_domain }}"

 - name: Create directory for certbot.service override
  become: true
--- a/roles/add_cert_http_01/tasks/main.yml
+++ b/roles/add_cert_http_01/tasks/main.yml
@ -65,12 +65,12 @@
      - --webroot-path
      - /var/www/acme
      - -d
-      - "{{ letsencrypt_domain }}"
+      - "{{ add_cert_domain }}"
      - -m
-      - "{{ letsencrypt_email }}"
+      - "{{ add_cert_email }}"
      - --agree-tos
      - --post-hook
-      - "{{ letsencrypt_post_hook }}"
+      - "{{ add_cert_post_hook }}"

 - name: Set letsencrypt http-01 challenge argv (staging)
  when: ansible_hostname.endswith('-test')
@ -81,4 +81,4 @@
  become: true
  ansible.builtin.command:
    argv: "{{ letsencrypt_http_01_challenge_argv }}"
-    creates: "/etc/letsencrypt/live/{{ letsencrypt_domain }}"
+    creates: "/etc/letsencrypt/live/{{ add_cert_domain }}"
--- a/roles/forgejo/tasks/main.yml
+++ b/roles/forgejo/tasks/main.yml
@ -1,32 +1,12 @@
 ---

- name: Get local public IP
-  ansible.builtin.uri:
-    url: https://ipinfo.io/ip
-    return_content: true
-  register: local_public_ip
-
- name: Get public IP of "{{ forgejo_domain }}"
-  ansible.builtin.set_fact:
-    target_public_ip: "{{ lookup('community.general.dig', forgejo_domain, '@1.1.1.1') }}"
-
- name: Deploy letsencrypt certificate (HTTP-01)
-  when: local_public_ip == target_public_ip
+- name: Deploy letsencrypt certificate
  ansible.builtin.include_role:
-    name: add_cert_http_01
+    name: add_cert
  vars:
-    letsencrypt_domain: "{{ forgejo_domain }}"
-    letsencrypt_email: "{{ forgejo_server_admin }}"
-    letsencrypt_post_hook: systemctl restart apache2
-
- name: Deploy letsencrypt certificate (DNS-01)
-  when: local_public_ip != target_public_ip
-  ansible.builtin.include_role:
-    name: add_cert_dns_01
-  vars:
-    letsencrypt_domain: "{{ forgejo_domain }}"
-    letsencrypt_email: "{{ forgejo_server_admin }}"
-    letsencrypt_post_hook: systemctl restart apache2
+    add_cert_domain: "{{ forgejo_domain }}"
+    add_cert_email: "{{ forgejo_server_admin }}"
+    add_cert_post_hook: systemctl restart apache2

 - name: Include apache2 tasks
  ansible.builtin.include_tasks: apache2.yml
--- a/roles/mailserver_postfix/templates/main.cf.j2
+++ b/roles/mailserver_postfix/templates/main.cf.j2
@ -32,8 +32,8 @@ smtpd_sasl_type = dovecot
 smtpd_sasl_path = private/auth
 smtpd_sasl_auth_enable = yes

-smtpd_tls_cert_file = /etc/letsencrypt/live/{{ letsencrypt_domain }}/fullchain.pem
-smtpd_tls_key_file = /etc/letsencrypt/live/{{ letsencrypt_domain }}/privkey.pem
+smtpd_tls_cert_file = /etc/letsencrypt/live/{{ add_cert_domain }}/fullchain.pem
+smtpd_tls_key_file = /etc/letsencrypt/live/{{ add_cert_domain }}/privkey.pem
 smtpd_tls_security_level = may
 smtpd_tls_auth_only = yes

--- a/roles/tunuifranken/tasks/main.yml
+++ b/roles/tunuifranken/tasks/main.yml
@ -1,5 +1,13 @@
 ---

+- name: Deploy letsencrypt certificate
+  ansible.builtin.include_role:
+    name: add_cert
+  vars:
+    add_cert_domain: "{{ tunuifranken_domain }}"
+    add_cert_email: "{{ tunuifranken_server_admin }}"
+    add_cert_post_hook: systemctl restart apache2
+
 - name: Install needed packages
  become: true
  ansible.builtin.apt:
@ -8,34 +16,6 @@
      - acl  # for become_user: forgejo
    state: present

- name: Get local public IP
-  ansible.builtin.uri:
-    url: https://ipinfo.io/ip
-    return_content: true
-  register: local_public_ip
-
- name: Get public IP of "{{ tunuifranken_domain }}"
-  ansible.builtin.set_fact:
-    target_public_ip: "{{ lookup('community.general.dig', tunuifranken_domain, '@1.1.1.1') }}"
-
- name: Deploy letsencrypt certificate (HTTP-01)
-  when: local_public_ip == target_public_ip
-  ansible.builtin.include_role:
-    name: add_cert_http_01
-  vars:
-    letsencrypt_domain: "{{ tunuifranken_domain }}"
-    letsencrypt_email: "{{ tunuifranken_server_admin }}"
-    letsencrypt_post_hook: systemctl restart apache2
-
- name: Deploy letsencrypt certificate (DNS-01)
-  when: local_public_ip != target_public_ip
-  ansible.builtin.include_role:
-    name: add_cert_dns_01
-  vars:
-    letsencrypt_domain: "{{ tunuifranken_domain }}"
-    letsencrypt_email: "{{ tunuifranken_server_admin }}"
-    letsencrypt_post_hook: systemctl restart apache2
-
 - name: Create tunuifranken group
  become: true
  ansible.builtin.group: