From e960091c93bdf91af2a96bb039046b0ab73bc80a Mon Sep 17 00:00:00 2001
From: Martin Heil
Date: Fri, 15 May 2020 19:39:21 +0200
Subject: [PATCH] initial commit
---
defaults/main.yml | 57 ++++++++++++++++++++++++++++++++++++++++
handlers/main.yml | 31 ++++++++++++++++++++++
meta/main.yml | 8 ++++++
tasks/compile_acme.yml | 16 +++++++++++
tasks/main.yml | 53 +++++++++++++++++++++++++++++++++++++
templates/acme.j2 | 32 ++++++++++++++++++++++
templates/renew_certs.j2 | 27 +++++++++++++++++++
7 files changed, 224 insertions(+)
create mode 100644 defaults/main.yml
create mode 100644 handlers/main.yml
create mode 100644 meta/main.yml
create mode 100644 tasks/compile_acme.yml
create mode 100644 tasks/main.yml
create mode 100644 templates/acme.j2
create mode 100644 templates/renew_certs.j2
diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..4e8920d
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,57 @@
+# compile acme-client when source repo changed
+acme_compile: true
+
+# add renew_script with reload commands
+acme_renew_script: true
+
+# set true to only run acme-client for all configured domains
+acme_justrun: false
+
+# add cronjob for renew_script or every configured domain if
+# acme_renew_script is set to false
+acme_add_cronjob: true
+
+src_dir: /usr/local/src
+acme_renew_script_path: /usr/local/sbin
+
+acme_build_dependencies_apt:
+ - git
+ - automake
+ - autotools-dev
+ - libbsd-dev
+ - bison
+ - libssl-dev
+
+acme_build_dependencies_zypper:
+ - git
+ - autoconf
+ - automake
+ - make
+ - gcc
+ - openssl-devel
+ - bison
+
+acme_authorities:
+ - name: letsencrypt
+ key: "/etc/ssl/private/acme_authority.key"
+ api_url: "https://acme-v02.api.letsencrypt.org/directory"
+
+# For testing prupose its recommended to use the staging url
+# https://acme-staging-v02.api.letsencrypt.org/directory
+
+acme_hosts: []
+# - domain: www.exmaple.com
+# alt_names:
+# - example.com
+# - git.exmaple.com
+# key: "/etc/ssl/private/example.com.key"
+# cert: "path_cert"
+# chain_cert: "chain_cert"
+# full_chain_cert: "full_cert"
+# challengedir: /var/www/acme/example.com
+# authority: letsencrypt
+# reload_command: "systemctl reload nginx"
+# - domain: www.doamin2.com
+# key: "/etc/ssl/private/domain2.com.key"
+# cert: "path_cert"
+# full_chain_cert: "full_cert"
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..e4682fe
--- /dev/null
+++ b/handlers/main.yml
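Review bot: The path of the acme-client binary is not configurable here, while `tasks/main.yml` hard-codes `/usr/local/bin/acme-client` in its cron and `run acme-client` tasks and `handlers/main.yml` relies on a bare `acme-client` from PATH; a default such as `acme_client_bin: /usr/local/bin/acme-client`, referenced from those places, would let the install prefix of the compiled client be changed in one spot. The `acme_authorities` default points at the production Let's Encrypt directory, and the comment below it recommending the staging URL for testing would be easier to act on as a second, commented-out authority entry. Minor: the comments contain typos (`prupose`, `exmaple`, `doamin`), and `challengedir: /var/www/acme/example.com` is the only path in the example block left unquoted.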
@@ -0,0 +1,31 @@
+- name: acme_autoreconf
+ shell: "autoreconf -i"
+ args:
+ chdir: "{{src_dir}}/acme-client-portable"
+ notify: acme_configure
+
+- name: acme_configure
+ shell: "./configure"
+ args:
+ chdir: "{{src_dir}}/acme-client-portable"
+ notify: acme_build
+
+- name: acme_build
+ make:
+ chdir: "{{src_dir}}/acme-client-portable"
+ target: "{{item}}"
+ loop:
+ - clean
+ - all-am
+ - install
+
+- name: run renew script
+ shell: "{{acme_renew_script_path}}/renew_certs"
+ when: acme_renew_script
+ listen: "renew certs"
+
+- name: run acme-client
+ shell: "acme-client {{item.domain}}"
+ when: not acme_renew_script
+ listen: "renew certs"
+ loop: "{{acme_hosts}}"
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..bef00d1
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,8 @@
+galaxy_info:
+ role_name: acme-client
+ author: Martin
+ description: openbsd acme-client portable
+ license: license (MIT)
+ min_ansible_version: 1.2
+ galaxy_tags: [acme]
+dependencies: []
diff --git a/tasks/compile_acme.yml b/tasks/compile_acme.yml
new file mode 100644
index 0000000..0f0504a
--- /dev/null
+++ b/tasks/compile_acme.yml
@@ -0,0 +1,16 @@
+- name: download acme-portable
+ git:
+ repo: https://github.com/graywolf/acme-client-portable
+ dest: "{{src_dir}}/acme-client-portable"
+ version: HEAD # user newest master
+ notify: acme_autoreconf
+
+- name: install build dependencies (debian)
+ apt:
+ name: "{{acme_build_dependencies_apt}}"
+ when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'
+
+- name: install build dependencies (openSUSE)
+ apt:
+ name: "{{acme_build_dependencies_zypper}}"
+ when: ansible_distribution == 'openSUSE Leap'
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..a1498e8
--- /dev/null
+++ b/tasks/main.yml
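Review bot: The `run acme-client` handler interpolates `{{item.domain}}` straight into a `shell` command line, so a host entry whose `domain` value contains shell metacharacters is interpreted by the shell rather than passed as one argument; `command: "acme-client {{ item.domain | quote }}"` is enough since no shell features are used, and the same applies to the `run acme-client` task in `tasks/main.yml` and to the `/usr/local/bin/acme-client {{domain.domain}}` line in `templates/renew_certs.j2`. This handler also has no `failed_when`, so acme-client's exit status 2 (the case `renew_certs.j2` treats as clean in its `elif [ $RETURN -eq 2 ]` branch) fails the handler; `register: acme_run` with `failed_when: acme_run.rc not in [0, 2]` and `changed_when: acme_run.rc == 0` would match the script, and the `run acme-client` task in `tasks/main.yml` needs the same. Style: `acme_autoreconf` and `acme_configure` use `shell` for plain `autoreconf -i` and `./configure` invocations where `command` suffices, and this file calls a bare `acme-client` while `tasks/main.yml` uses `/usr/local/bin/acme-client`.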
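Review bot: `min_ansible_version: 1.2` understates what the role needs: `include_tasks`, `loop`/`loop_control` and the `version` test used in `tasks/main.yml` require Ansible 2.5 or later, so this should read `min_ansible_version: "2.5"` (quoted, so the value stays a string rather than a YAML float). `license: license (MIT)` is the Galaxy skeleton placeholder left in place; `license: MIT` is the intended value.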
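Review bot: The openSUSE dependency task uses the `apt` module with `acme_build_dependencies_zypper`, so on `openSUSE Leap` it fails for lack of apt instead of installing anything; it should be `zypper:` with `name: "{{acme_build_dependencies_zypper}}"` and `state: present`. The `git` task clones an unpinned `version: HEAD` of a third-party repository whose checkout the handlers then `autoreconf`/`configure`/`make install` as root, so every run may build whatever is currently on the default branch; exposing the ref as a default such as `acme_version: HEAD` and using `version: "{{ acme_version }}"` lets operators pin a tag or commit. The comment `# user newest master` presumably means `# use newest master`.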
@@ -0,0 +1,53 @@
+- name: get openssl version
+ command: "openssl version"
+ register: openssl_version
+ changed_when: false
+
+- fail:
+ msg: "OpenSSL too old!"
+ when: openssl_version.stdout.split()[1] is version('1.1.1', '<')
+
+- name: compile acme-client
+ include_tasks: compile_acme.yml
+ when: acme_compile and not acme_justrun
+
+- name: add config
+ template:
+ src: acme.j2
+ dest: /etc/acme-client.conf
+ notify: "renew certs"
+
+- name: add renew script
+ template:
+ src: renew_certs.j2
+ dest: "{{acme_renew_script_path}}/renew_certs"
+ owner: root
+ group: root
+ mode: 0755
+ when: acme_renew_script
+
+- name: add daily cronjob (renew_script)
+ cron:
+ name: renew certs
+ minute: "0"
+ hour: "4"
+ job: "{{acme_renew_script_path}}/renew_certs"
+ when: acme_renew_script and acme_add_cronjob
+
+- name: add daily cronjobs
+ cron:
+ name: "renew certs for domain {{item.domain}}"
+ minute: "0"
+ hour: "4"
+ job: "/usr/local/bin/acme-client {{item.domain}}"
+ loop: "{{acme_hosts}}"
+ loop_control:
+ label: "{{item.domain}}"
+ when: not acme_renew_script and acme_add_cronjob
+
+- name: run acme-client
+ shell: "/usr/local/bin/acme-client {{item.domain}}"
+ when: acme_justrun
+ loop: "{{acme_hosts}}"
+ loop_control:
+ label: "{{item.domain}}"
diff --git a/templates/acme.j2 b/templates/acme.j2
new file mode 100644
index 0000000..0ccd6fe
--- /dev/null
+++ b/templates/acme.j2
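Review bot: The two cron tasks only ever add entries: switching `acme_renew_script` between true and false, or dropping a host from `acme_hosts`, leaves the previously created `renew certs …` jobs in root's crontab because neither task has a `state: absent` counterpart, so the per-domain jobs and the script job can end up running side by side. A matching removal per branch, e.g. `cron: { name: renew certs, state: absent }` when `acme_renew_script` is false and the reverse loop for the `renew certs for domain …` names, keeps the crontab in sync with the variables. Style: write the renew script permissions as `mode: "0755"` (ansible-lint `risky-octal`), and the `add config` task sets no `owner`/`group`/`mode`, so `/etc/acme-client.conf` gets whatever the umask yields.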
@@ -0,0 +1,32 @@
+# {{ ansible_managed }}
+
+{% for authority in acme_authorities %}
+authority {{authority.name}} {
+ api url "{{authority.api_url}}"
+ account key "{{authority.key}}"
+}
+{% endfor %}
+{% for domain in acme_hosts %}
+
+domain {{domain.domain}} {
+{% if domain.alt_names is defined %}
+ alternative names { {{domain.alt_names | join(' ')}} }
+{% endif %}
+ domain key "{{domain.key}}"
+{% if domain.cert is defined %}
+ domain certificate "{{domain.cert}}"
+{% endif %}
+{% if domain.chain_cert is defined %}
+ domain chain certificate "{{domain.chain_cert}}"
+{% endif %}
+{% if domain.full_chain_cert is defined %}
+ domain full chain certificate "{{domain.full_chain_cert}}"
+{% endif %}
+{% if domain.authority is defined %}
+ sign with {{domain.authority}}
+{% endif %}
+{% if domain.challengedir is defined%}
+ challengedir "{{domain.challengedir}}"
+{% endif %}
+}
+{% endfor %}
diff --git a/templates/renew_certs.j2 b/templates/renew_certs.j2
new file mode 100644
index 0000000..2924fb9
--- /dev/null
+++ b/templates/renew_certs.j2
@@ -0,0 +1,27 @@
+#!/bin/bash
+
+# {{ ansible_managed }}
+
+{% for domain in acme_hosts %}
+
+# domain {{domain.domain}}
+/usr/local/bin/acme-client {{domain.domain}}
+RETURN=$?
+if [ $RETURN -eq 0 ]
+then
+{% if domain.reload_command is defined %}
+ # reload command
+ {{domain.reload_command}}
+{% else %}
+ # no reload command defined
+ :
+{% endif %}
+elif [ $RETURN -eq 2 ]
+then
+ # clean
+ :
+else
+ # error
+ :
+fi
+{% endfor %}
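Review bot: Jinja spacing is inconsistent in this template: the header uses `{{ ansible_managed }}` while every other expression is written `{{domain.domain}}`, and `{% if domain.challengedir is defined%}` lacks the space before `%}`; one form throughout (ansible-lint `jinja[spacing]`) makes the file easier to scan. `domain key "{{domain.key}}"` is the only host attribute rendered unconditionally, so a host entry without `key` aborts the `add config` task with an undefined-variable error; a short `{# key is required; every other host attribute is optional #}` comment at the top of the domain loop would document that contract.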
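Review bot: The `else` branch for a failed `acme-client` run is a bare `:`, so the script always exits 0 and cron never reports a renewal failure; the failure should be written to stderr and remembered so the script ends with a non-zero status. The status of `{{domain.reload_command}}` is likewise never checked, so a reload that fails after a successful renewal is also silent. Below, a `FAILED` flag is set on the error branch and returned at the end; the per-domain structure is otherwise unchanged.
```shell
#!/bin/bash

# {{ ansible_managed }}
FAILED=0

{% for domain in acme_hosts %}
# … unchanged: acme-client call, RETURN capture, rc 0 and rc 2 branches …
else
  echo "acme-client failed for {{domain.domain}} (rc=$RETURN)" >&2
  FAILED=1
fi
{% endfor %}
exit $FAILED
```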