add pre/post hook

2021-07-17 09:16:32 +02:00 · 2021-07-17 09:16:32 +02:00 · 75af40d3cb
commit 75af40d3cb
parent b131d264fd
7 changed files with 81 additions and 46 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -21,7 +21,8 @@ certbot_certs: []
 #     - example3.com
 certbot_create_command: >-
  {{ certbot_script }} certonly --standalone --noninteractive --agree-tos
-  {% if certbot_cert_name %} --cert-name {{certbot_cert_name}} {%endif%} --email {{ cert_item.email | default(certbot_admin_email) }}
+  {% if certbot_cert_name %} --cert-name {{certbot_cert_name}} {%endif%}
+  --email {{ cert_item.email | default(certbot_admin_email) }}
  -d {{ cert_item.domains | join(',') }}

 certbot_create_standalone_stop_services:
--- a/meta/.galaxy_install_info
+++ b/meta/.galaxy_install_info
@ -0,0 +1,2 @@
+install_date: Mon Apr 19 11:35:02 2021
+version: ''
--- a/meta/main.yml
+++ b/meta/main.yml
@ -2,32 +2,9 @@
 dependencies: []

 galaxy_info:
-  author: geerlingguy
+  role_name: certbot
+  author: vincentdcmps
  description: "Installs and configures Certbot (for Let's Encrypt)."
  company: "Midwestern Mac, LLC"
  license: "license (BSD, MIT)"
  min_ansible_version: 2.4
-  platforms:
-    - name: EL
-      versions:
-        - 6
-        - 7
-    - name: Fedora
-      versions:
-        - all
-    - name: Ubuntu
-      versions:
-        - all
-    - name: Debian
-      versions:
-        - all
-  galaxy_tags:
-    - networking
-    - system
-    - web
-    - certbot
-    - letsencrypt
-    - encryption
-    - certificates
-    - ssl
-    - https
--- a/tasks/create-cert-standalone.yml
+++ b/tasks/create-cert-standalone.yml
@ -1,17 +1,44 @@
 ---
 - name: Check if certificate already exists.
  stat:
-    path: /etc/letsencrypt/live/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}/cert.pem
+    path: >-
+      /etc/letsencrypt/live/{% if certbot_cert_name %}{{ certbot_cert_name }}
+      {% else %}{{ cert_item.domains | first | replace('*.', '') }}
+      {% endif %}/cert.pem
  register: letsencrypt_cert

+- name: Ensure pre and post hook folders exist.
+  file:
+    path: /etc/letsencrypt/renewal-hooks/{{ item }}
+    state: directory
+    mode: 0755
+    owner: root
+    group: root
+  with_items:
+    - pre
+    - post

- name: Stop services to allow certbot to generate a cert.
-  service:
-    name: "{{ item }}"
-    state: stopped
-  when:  not letsencrypt_cert.stat.exists or  (certbot_force)
-  ignore_errors: yes
-  with_items: "{{ certbot_create_standalone_stop_services }}" 
+- name: Create pre hook to stop services.
+  template:
+    src: stop_services.j2
+    dest: /etc/letsencrypt/renewal-hooks/pre/stop_services
+    owner: root
+    group: root
+    mode: 0750
+  when:
+    - certbot_create_standalone_stop_services is defined
+    - certbot_create_standalone_stop_services
+
+- name: Create post hook to start services.
+  template:
+    src: start_services.j2
+    dest: /etc/letsencrypt/renewal-hooks/post/start_services
+    owner: root
+    group: root
+    mode: 0750
+  when:
+    - certbot_create_standalone_stop_services is defined
+    - certbot_create_standalone_stop_services

 - name: Generate new certificate if one doesn't exist.
  command: "{{ certbot_create_command }}"
@ -24,18 +51,17 @@

 - name: ensure conf.d exist
  file:
+    mode: 0750
    path: "{{ certbot_nginx_conf_path }}"
    state: directory
-    
+
 - name: create nginx config ssl file
  template:
-      dest: "{{ certbot_nginx_conf_path }}/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}.ssl" # required. Location to render the template to on the remote machine.
-      src: nginx_ssl_config.j2 # required. Path of a Jinja2 formatted template on the Ansible controller. This can be a relative or absolute path.
-
- name: Start services after cert has been generated.
-  service:
-    name: "{{ item }}"
-    state: started
-  when: not letsencrypt_cert.stat.exists or  (certbot_force) 
-  ignore_errors: yes
-  with_items: "{{ certbot_create_standalone_stop_services }}"
+    mode: 0750
+    dest: >-
+      {{ certbot_nginx_conf_path }}/
+      {% if certbot_cert_name %}{{ certbot_cert_name }}
+      {% else %}
+      {{ cert_item.domains | first | replace('*.', '') }}
+      {% endif %}.ssl"
+    src: nginx_ssl_config.j2
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -17,4 +17,3 @@

 - import_tasks: renew-cron.yml
  when: certbot_auto_renew
-
--- a/templates/start_services.j2
+++ b/templates/start_services.j2
@ -0,0 +1,15 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+{% for item in certbot_create_standalone_stop_services %}
+echo "starting service {{ item }}"
+{% if ansible_service_mgr == 'systemd' %}
+systemctl start {{ item }}
+{% elif ansible_service_mgr == 'upstart' %}
+initctl start {{ item }}
+{% elif ansible_service_mgr == 'openrc' %}
+rc-service {{ item }} start
+{% else %}
+service {{ item }} start
+{% endif %}
+{% endfor %}
--- a/templates/stop_services.j2
+++ b/templates/stop_services.j2
@ -0,0 +1,15 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+{% for item in certbot_create_standalone_stop_services %}
+echo "stopping service {{ item }}"
+{% if ansible_service_mgr == 'systemd' %}
+systemctl stop {{ item }}
+{% elif ansible_service_mgr == 'upstart' %}
+initctl stop {{ item }}
+{% elif ansible_service_mgr == 'openrc' %}
+rc-service {{ item }} stop
+{% else %}
+service {{ item }} stop
+{% endif %}
+{% endfor %}