Merge pull request #2 from ebbba-org/develop

Fix #1 and improve overall flexibility
ebbba-org · Dec 22, 2023 · 044311d · 044311d
2 parents 0ed425a + 6e12963
commit 044311d
Show file tree

Hide file tree

Showing 3 changed files with 62 additions and 36 deletions.
diff --git a/README.md b/README.md
@@ -12,16 +12,21 @@
 
 | **Variable**                       | **Default**                                          | **Description**                                                                                                             |
 | ---------------------------------- | ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
-| `acme_letsencrypt_email`           | `acme@domain.tld`                                    | The mail to receive mails to                                                                                                |
+| `acme_email`                       | `acme@domain.tld`                                    | The mail to receive mails to                                                                                                |
 | `acme_hostname`                    | `{{ inventory_hostname }}`                           | The default host name to acquire a cert for                                                                                 |
-| `acme_letsencrypt_api`             | `https://acme-v02.api.letsencrypt.org/directory`     | By default production, you might want to use `https://acme-staging-v02.api.letsencrypt.org/directory` for staging dev certs |
-| `acme_letsencrypt_repo`            | `https://github.com/acmesh-official/acme.sh.git`     | The repository where to acquire acme.sh from, in case you run a mirror / fork                                               |
-| `acme_letsencrypt_dir`             | `/opt/acme`                                          | Where acme.sh should be installed to                                                                                        |
-| `acme_letsencrypt_version`         | `master`                                             | Which git version / branch to checkout                                                                                      |
-| `acme_letsencrypt_keep_updated`    | `true`                                               | Update the git repository when re-running this role?                                                                        |
-| `acme_letsencrypt_install_command` | [defaults/default.yaml#13](./defaults/main.yaml#L13) | The acme.sh install command for the local configuration for cert creating                                                   |
-| `acme_letsencrypt_create_command`  | [defaults/default.yaml#21](./defaults/main.yaml#L13) | The acme.sh create cert command, here you can add the `--force` option to force a renewal                                   |
-| `DO_API_KEY` | `NONE` | A DigitalOcean API key which is by default empty |
+| `acme_api_url`                     | `https://acme-v02.api.letsencrypt.org/directory`     | By default production, you might want to use `https://acme-staging-v02.api.letsencrypt.org/directory` for staging dev certs |
+| `acme_git_repo`                    | `https://github.com/acmesh-official/acme.sh.git`     | The repository where to acquire acme.sh from, in case you run a mirror / fork                                               |
+| `acme_install_dir`                 | `/opt/acme`                                          | Where acme.sh should be installed to                                                                                        |
+| `acme_install_version`             | `master`                                             | Which git version / branch to checkout                                                                                      |
+| `acme_install_keep_updated`        | `true`                                               | Update the git repository when re-running this role?                                                                        |
+| `acme_home_path`                   | `/root/.acme.sh`                                     | The location where acme home is                                                                                             |
+| `acme_config_home_path`            | `/root/.acme.sh`                                     | The location where acme has its configuration                                                                               |
+| `acme_certhome_path`               | `/root/.acme.sh`                                     | The location where certificates get installed to                                                                            |
+| `acme_accountkey_path`             | `/root/.acme.sh/account.key`                         | The location where the acme account key is stored                                                                           |
+| `acme_renew_days`                  | `30`                                                 | The amount of days when certificates should be renewed                                                                      |
+| `acme_letsencrypt_install_command` | [defaults/default.yaml#30](./defaults/main.yaml#L30) | The acme.sh install command for the local configuration for cert creating                                                   |
+| `acme_letsencrypt_create_command`  | [defaults/default.yaml#39](./defaults/main.yaml#L39) | The acme.sh create cert command, here you can add the `--force` option to force a renewal                                   |
+| `acme_environment_varaibles`       | [defaults/default.yaml#49](./defaults/main.yaml#L49) | An object of names variables which get passed to the install command for environment variables                              |
 
 ## Example Usage of this role
 
@@ -32,7 +37,7 @@
 - name: Run ACME.SH - We need more SSL/TLS!
   hosts: all
   roles:
-    - role: acme.sh
+    - role: ansible-role-acme
 ```
 
 ### Variables for apache2 with just one domain
@@ -46,7 +51,7 @@ acme_letsencrypt_create_command: >-
   --keylength ec-256
   --pre-hook "systemctl stop apache2.service"
   --post-hook "systemctl start apache2.service"
-  --server {{ acme_letsencrypt_api }}
+  --server {{ acme_api_url }}
 ```
 
 ### Variables for apache2 with multiple domains
@@ -62,7 +67,7 @@ acme_letsencrypt_create_command: >-
   --keylength ec-256
   --pre-hook "systemctl stop apache2.service"
   --post-hook "systemctl start apache2.service"
-  --server {{ acme_letsencrypt_api }}
+  --server {{ acme_api_url }}
 ```
 
 ### Variables to use DigitalOcean dnsapi certificate generation
@@ -80,6 +85,6 @@ acme_letsencrypt_create_command: >-
   --server letsencrypt
   --keylength ec-256
   --post-hook "systemctl reload nginx.service"
-  --server {{ acme_letsencrypt_api }}
+  --server {{ acme_api_url }}
   --force
 ```
diff --git a/defaults/main.yaml b/defaults/main.yaml
@@ -1,29 +1,51 @@
 ---
-acme_letsencrypt_email: "acme@domain.tld"
+# The acme.sh mail address where mails will be send to
+acme_email: "acme@domain.tld"
+
 # The hostname - default to "{{ inventory_hostname }}" you may want to use ansible_fqdn instead
 acme_hostname: "{{ inventory_hostname }}"
+
 # The API URL of the authority
 # Want to use staging certs: https://acme-staging-v02.api.letsencrypt.org/directory
-acme_letsencrypt_api: https://acme-v02.api.letsencrypt.org/directory
-acme_letsencrypt_repo: https://github.com/acmesh-official/acme.sh.git
+acme_api_url: https://acme-v02.api.letsencrypt.org/directory
+# acme_api_url: https://acme-staging-v02.api.letsencrypt.org/directory
+
+# The acme.sh repo, in case you run a mirror or fork
+acme_git_repo: https://github.com/acmesh-official/acme.sh.git
+
 # Where the certs will be installed to
-acme_letsencrypt_dir: /opt/acme
-acme_letsencrypt_version: master
-acme_letsencrypt_keep_updated: true
+acme_install_dir: /opt/acme
+acme_install_version: master
+acme_install_keep_updated: true
+
+# The acme.sh folder locations
+acme_home_path: "/root/.acme.sh"
+acme_config_home_path: "/root/.acme.sh"
+acme_certhome_path: "/root/.acme.sh"
+acme_accountkey_path: "/root/.acme.sh/account.key"
+acme_renew_days: "30"
+
 # https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
+# The acme.sh instlal command
 acme_letsencrypt_install_command: >-
   {{ acme_letsencrypt_script }} --install
-  --home /root/.acme.sh
-  --config-home /root/.acme.sh
-  --certhome /root/.acme.sh
-  --days 30
-  --accountemail {{ acme_letsencrypt_email }}
-  --accountkey /root/.acme.sh/account.key
+  --home {{ acme_home_path }}
+  --config-home {{ acme_config_home_path }}
+  --certhome {{ acme_certhome_path }}
+  --accountemail {{ acme_email }}
+  --accountkey {{ acme_accountkey_path }}
+
+# The acme.sh create command
 acme_letsencrypt_create_command: >-
-  {{ acme_letsencrypt_script }} --issue --domain {{ acme_hostname }}
+  {{ acme_letsencrypt_script }} --issue --days {{ acme_renew_days }} --domain {{ acme_hostname }}
   --standalone
   --server letsencrypt
   --keylength ec-256
   --pre-hook "systemctl stop nginx.service"
   --post-hook "systemctl start nginx.service"
-  --server {{ acme_letsencrypt_api }}
+  --server {{ acme_api_url }}
+
+# these variables are used in the acme_letsencrypt_create_command task
+acme_environment_varaibles:
+  email: "{{ acme_email }}"
+  DO_API_KEY: "{{ DO_API_KEY | default('') }}"
diff --git a/tasks/main.yaml b/tasks/main.yaml
@@ -3,18 +3,19 @@
   ansible.builtin.apt:
     name: socat
     state: present
+    update_cache: true
 
 - name: Clone acme into configured directory.
   ansible.builtin.git:
-    repo: "{{ acme_letsencrypt_repo }}"
-    dest: "{{ acme_letsencrypt_dir }}"
-    version: "{{ acme_letsencrypt_version }}"
-    update: "{{ acme_letsencrypt_keep_updated }}"
+    repo: "{{ acme_git_repo }}"
+    dest: "{{ acme_install_dir }}"
+    version: "{{ acme_install_version }}"
+    update: "{{ acme_install_keep_updated }}"
     force: true
 
 - name: Set acme.sh script variable.
   ansible.builtin.set_fact:
-    acme_letsencrypt_script: "{{ acme_letsencrypt_dir }}/acme.sh"
+    acme_letsencrypt_script: "{{ acme_install_dir }}/acme.sh"
 
 - name: Ensure acme.sh is executable.
   ansible.builtin.file:
@@ -25,16 +26,14 @@
   become: true
   ansible.builtin.command: "{{ acme_letsencrypt_install_command }}"
   args:
-    chdir: "{{ acme_letsencrypt_dir }}"
+    chdir: "{{ acme_install_dir }}"
   register: acme_install_result
   changed_when: "'ok' in acme_install_result.stdout"
 
 - name: Generate or renew certificate with acme.sh
   become: true
   ansible.builtin.command: "{{ acme_letsencrypt_create_command }}"
-  environment:
-    email: "{{ acme_letsencrypt_email }}"
-    DO_API_KEY: "{{ DO_API_KEY | default('') }}"
+  environment: "{{ acme_environment_varaibles }}"
   register: result
   changed_when: "'new certificate deployed' in result.stdout"
   failed_when: "result.rc not in [ 0, 2 ]"