rewrite lego role

2025-06-05 22:53:10 +00:00
parent 62fabb2277
commit 230feb9b0c
12 changed files with 247 additions and 71 deletions
--- a/roles/lego/templates/lego.service.j2
+++ b/roles/lego/templates/lego.service.j2
@@ -1,19 +1,31 @@
 ## Managed by Ansible ##

 [Unit]
-Description=Run lego renew
+Description=Renew Lets Encrypt certificate for {{ item.0.cn }}
 After=network-online.target

 [Service]
 Type=oneshot
+{% if lego_provider == "ionos" %}
 Environment={{ lego_provider|upper }}_API_KEY={{ vault_ionos_token_dns }}
+{% endif %}
 ExecStart={{ lego_install_dir }}/lego \
-    {% for dns in certificate_domains %}
-    --domains="{{ dns }}" \
-    {%   endfor %}
-    {{ lego_cli_params|join(' ') }} \
-    renew 
+    --domains="{{ item.0.cn }}" \
+{% if item.0.sans is defined and item.0.sans %}
+{% for san in item.0.sans %}
+    --domains="{{ san }}" \
+{% endfor %}
+{% endif %}
+    {{ lego_cli_params | join(' ') }} \
+    renew \
+    --renew-hook="{{ lego_config_dir }}/renew-hook.sh {{ item.0.cn }}"
 User=root

+# Restart if renewal fails, but not too quickly
+RestartSec=12h
+Restart=on-failure
+StartLimitInterval=72h
+StartLimitBurst=3
+
 [Install]
 WantedBy=multi-user.target
--- a/roles/lego/templates/lego.timer.j2
+++ b/roles/lego/templates/lego.timer.j2
@@ -1,11 +1,11 @@
 ## Managed by Ansible ##

 [Unit]
-Description=Start lego renew
+Description=Timer for Lets Encrypt certificate renewal of {{ item.0.cn  }}

 [Timer]
 Persistent=true
-OnCalendar=Mon 04:00:00
+OnCalendar=Mon 03:00:00
 RandomizedDelaySec=1h

 [Install]
--- a/roles/lego/templates/renew-hook.sh.j2
+++ b/roles/lego/templates/renew-hook.sh.j2
@@ -0,0 +1,134 @@
+#!/usr/bin/bash
+
+## Managed by Ansible ##
+
+# Variables set by Ansible
+cert_src_path="{{ lego_cert_dir }}"
+
+# Certificate destination variables (if defined)
+cert_dest_path="{{ lego_certificate_destination.path | default('') }}"
+cert_owner="{{ lego_certificate_destination.owner | default('') }}"
+cert_group="{{ lego_certificate_destination.group | default('') }}"
+
+# Service reload variables (if defined)
+service_name="{{ lego_services_reload.name | default('') }}"
+service_command="{{ lego_services_reload.command | default('') }}"
+
+copy_certificate_files() {
+  local domain="$1"
+  local success=true
+  
+  # Check if destination is defined
+  if [ -z "$cert_dest_path" ]; then
+    echo "No certificate destination defined, skipping copy"
+    return 0
+  fi
+  
+  echo "Copying certificate files for $domain..."
+  echo "Copying to $cert_dest_path..."
+  
+  # Create destination directory if it doesn't exist
+  mkdir -p "$cert_dest_path"
+  
+  # Copy certificate files
+  cp "$cert_src_path/${domain}.crt" "$cert_dest_path/${domain}.crt" || success=false
+  cp "$cert_src_path/${domain}.key" "$cert_dest_path/${domain}.key" || success=false
+  
+  # Copy issuer cert if it exists
+  if [ -f "$cert_src_path/${domain}.issuer.crt" ]; then
+    cp "$cert_src_path/${domain}.issuer.crt" "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set standard secure permissions
+  # 644 for certificates, 600 for keys
+  chmod 644 "$cert_dest_path/${domain}.crt" || success=false
+  chmod 600 "$cert_dest_path/${domain}.key" || success=false
+  
+  # Set issuer cert permissions if it exists
+  if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+    chmod 644 "$cert_dest_path/${domain}.issuer.crt" || success=false
+  fi
+  
+  # Set ownership if specified
+  if [ -n "$cert_owner" ] && [ -n "$cert_group" ]; then
+    if [ -f "$cert_dest_path/${domain}.issuer.crt" ]; then
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" "$cert_dest_path/${domain}.issuer.crt" || success=false
+    else
+      chown "$cert_owner":"$cert_group" "$cert_dest_path/${domain}.crt" "$cert_dest_path/${domain}.key" || success=false
+    fi
+  fi
+  
+  if $success; then
+    echo "Certificate files copied successfully"
+    return 0
+  else
+    echo "Error copying certificate files"
+    return 1
+  fi
+}
+
+reload_service() {
+  local domain="$1"
+  local success=true
+  
+  # Check if service reload is defined
+  if [ -z "$service_name" ] && [ -z "$service_command" ]; then
+    echo "No service reload defined, skipping reload"
+    return 0
+  fi
+  
+  echo "Reloading service..."
+  
+  if [ -n "$service_command" ]; then
+    echo "Running command: $service_command"
+    eval "$service_command" || success=false
+  elif [ -n "$service_name" ]; then
+    echo "Reloading $service_name..."
+    systemctl reload "$service_name" || systemctl restart "$service_name" || success=false
+  fi
+  
+  if $success; then
+    echo "Service reloaded successfully"
+    return 0
+  else
+    echo "Error reloading service"
+    return 1
+  fi
+}
+
+# Check if domain is provided as parameter
+if [ $# -lt 1 ]; then
+  echo "Error: Domain parameter is required"
+  echo "Usage: $0 <domain>"
+  exit 1
+fi
+
+# Get domain from parameter
+domain="$1"
+
+# Main execution
+echo "Certificate renewal hook triggered for $domain"
+
+# Call the functions
+copy_certificate_files "$domain"
+copy_result=$?
+
+reload_service "$domain"
+reload_result=$?
+
+# Send webhook notification
+message="$domain certificate was successfully renewed"
+
+if [ -n "$cert_dest_path" ]; then
+  message="${message}, files copied"
+fi
+
+if [ -n "$service_name" ] || [ -n "$service_command" ]; then
+  message="${message}, and service reloaded"
+fi
+
+if [ $copy_result -eq 0 ] && [ $reload_result -eq 0 ]; then
+  echo "$message"
+else
+  echo "$domain certificate was renewed but post-renewal tasks failed"
+fi