aoache_vhost: include LE certificate generation - WIP

2020-05-09 22:24:32 +02:00
parent ac6c75c19f
commit 65c00099ef
4 changed files with 49 additions and 8 deletions
--- a/README.md
+++ b/README.md
@@ -19,6 +19,7 @@ apache_access_log: {{ apache_base_dir}}/logs/access_log
 apache_php_socket: {{ apache_base_dir }}/php-fpm.sock
 apache_use_php: true
 apache_use_ssl: true
+apache_use_certbot: true
 apache_stats: true
 apache_ssl_certificate: /etc/letsencrypt/live/{{ apache_server_name }}/cert.pem
 apache_ssl_chain: /etc/letsencrypt/live/{{ apache_server_name }}/fullchain.pem
--- a/defaults/main.yml
+++ b/defaults/main.yml
@@ -6,6 +6,7 @@ apache_access_log: "{{ apache_base_dir}}/logs/access_log"
 apache_php_socket: "{{ apache_base_dir }}/php-fpm.sock"
 apache_use_php: true
 apache_use_ssl: true
+apache_use_certbot: true
 apache_ssl_certificate: "/etc/letsencrypt/live/{{ apache_server_name }}/cert.pem"
 apache_ssl_chain: "/etc/letsencrypt/live/{{ apache_server_name }}/fullchain.pem"
 apache_ssl_key: "/etc/letsencrypt/live/{{ apache_server_name }}/privkey.pem "
--- a/tasks/certbot.yml
+++ b/tasks/certbot.yml
@@ -0,0 +1,34 @@
+---
+- name: install certbot
+  yum:
+    name: certbot
+    state: present
+
+- name: install apache config file without ssl
+  vars:
+    apache_use_ssl: false
+  template:
+    src: vhost.conf.jj
+    dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
+    mode: 0644
+  notify: restart apache
+
+- name: if needed, we restart apache
+  meta: flush_handlers
+
+- name: generate certificates
+  vars:
+    subdomains: "{{ apache_server_alias | join( ' -d ' ) }}"
+  command: certbot certonly --webroot --webroot-path {{ apache_document_root }}  -d {{ subdomains }}
+  args:
+    creates: "{{ apache_ssl_chain }}"
+
+- name: create cronjob for renewal
+  cron:
+    name: certbot
+    cron_file: certbot
+    user: root
+    hour: "01"
+    minute: "00"
+    weekday: "6"
+    job: "/usr/bin/certbot renew && /sbin/apachectl graceful"
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -1,5 +1,6 @@
 ---
 # tasks file for apache_vhost
+
 - name: create dedicated user
  user:
    name: "{{ apache_user }}"
@@ -9,13 +10,6 @@
    home: "{{ apache_base_dir }}"
    shell: /bin/bash

- name: vhost config file
-  template:
-    src: vhost.conf.jj
-    dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
-    mode: 0644
-  notify: restart apache
-
 - name: php-fpm config file
  template:
    src: pool.conf.jj
@@ -37,10 +31,21 @@
    - "{{ apache_base_dir }}/session"
    - "{{ apache_base_dir }}/wsdlcache"

+- name: generate cert
+  include_tasks: certbot.yml
+  when: apache_use_certbot
+
+- name: vhost config file
+  template:
+    src: vhost.conf.jj
+    dest: /etc/httpd/conf.d/{{ apache_server_name }}.conf
+    mode: 0644
+  notify: restart apache
+
 - name: logrotate config file
  template:
    src: logrotate.conf.jj
-    dest: "/etc/logrotate.d/{{ apache_server_name }}.conf"
+    dest: "/etc/logrotate.d/vhost.conf"
    mode: 0644

 - name: goaccess