From 99053b7f3e47a34b775493572bed26876706afbd Mon Sep 17 00:00:00 2001
From: "Ivo C.S. Wingelaar"
Date: Sat, 12 Oct 2024 21:42:33 +0200
Subject: [PATCH] Add transfer role from the Certbot container

This role will install logic to transfer the (renewed) certificates from the Certbot container to a directory easily accessible by a distribution-installed nginx.
---
.../handlers/main.yml | 7 ++++
.../tasks/machinectl.yml | 24 ++++++++++++++
.../tasks/main.yml | 32 +++++++++++++++++++
.../templates/certbot-dropin.conf.j2 | 3 ++
.../certbot-move-certificates.service.j2 | 7 ++++
.../templates/extract-certificate-files.j2 | 8 +++++
.../move-certificate-files-to-root.j2 | 5 +++
7 files changed, 86 insertions(+)
create mode 100644 roles/podman_certbot_root_transfer/handlers/main.yml
create mode 100644 roles/podman_certbot_root_transfer/tasks/machinectl.yml
create mode 100644 roles/podman_certbot_root_transfer/tasks/main.yml
create mode 100644 roles/podman_certbot_root_transfer/templates/certbot-dropin.conf.j2
create mode 100644 roles/podman_certbot_root_transfer/templates/certbot-move-certificates.service.j2
create mode 100644 roles/podman_certbot_root_transfer/templates/extract-certificate-files.j2
create mode 100644 roles/podman_certbot_root_transfer/templates/move-certificate-files-to-root.j2
diff --git a/roles/podman_certbot_root_transfer/handlers/main.yml b/roles/podman_certbot_root_transfer/handlers/main.yml
new file mode 100644
index 0000000..1c9ae02
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload user systemd daemon
+ ansible.builtin.systemd_service:
+ daemon_reload: true
+ scope: user
+ become_method: community.general.machinectl
+ become_user: podman
diff --git a/roles/podman_certbot_root_transfer/tasks/machinectl.yml b/roles/podman_certbot_root_transfer/tasks/machinectl.yml
new file mode 100644
index 0000000..908c312
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/tasks/machinectl.yml
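Review bot: `become_method` and `become_user` on this handler do not activate privilege escalation on their own — in Ansible, `become_user` explicitly does not imply `become: true` — so unless the calling play or ansible.cfg enables become (not visible in this patch), the user-scope daemon-reload runs as the login user rather than as `podman` through machinectl, and the same gap exists on the `Configure Certbot service` import at the end of tasks/main.yml. Adding `become: true` alongside `become_user: podman` in both places makes the role self-contained and fails loudly if the machinectl become plugin is not available. If the playbook deliberately sets `become: true` at play level, a one-line comment on the handler saying so would save the next reader the same question.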
@@ -0,0 +1,24 @@
+---
+- name: Install systemd files for certbot certificate renewal
+ ansible.builtin.template:
+ src: "{{ filename }}.j2"
+ dest: ~/.config/systemd/user/{{ filename }}
+ mode: "0640"
+ vars:
+ filename: certbot-move-certificates.service
+ notify: Reload user systemd daemon
+
+- name: Create systemd user override drop-in directory
+ ansible.builtin.file:
+ dest: ~/.config/systemd/user/container-certbot.service.d
+ state: directory
+ mode: "0750"
+
+- name: Install override file to move the generated Certbot certificates
+ ansible.builtin.template:
+ src: "{{ filename }}.j2"
+ dest: ~/.config/systemd/user/container-certbot.service.d/{{ filename }}
+ mode: "0640"
+ vars:
+ filename: certbot-dropin.conf
+ notify: Reload user systemd daemon
diff --git a/roles/podman_certbot_root_transfer/tasks/main.yml b/roles/podman_certbot_root_transfer/tasks/main.yml
new file mode 100644
index 0000000..b78e981
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/tasks/main.yml
@@ -0,0 +1,32 @@
+---
+- name: Create SCE certbot directories
+ ansible.builtin.file:
+ dest: /etc/sce-certbot
+ state: directory
+ mode: "0750"
+
+- name: Install script to move the TLS certificates to root
+ ansible.builtin.template:
+ src: move-certificate-files-to-root.j2
+ dest: /usr/local/bin/move-certificate-files-to-root
+ mode: "0740"
+
+- name: Install script to extract the certificate files from the Podman volume
+ ansible.builtin.template:
+ src: extract-certificate-files.j2
+ dest: /usr/local/bin/extract-certificate-files
+ mode: "0755"
+
+- name: Allow podman user to execute the move command
+ community.general.sudoers:
+ name: allow-podman-move-certificates
+ user: podman
+ state: present
+ commands:
+ - /usr/local/bin/move-certificate-files-to-root
+ nopassword: true
+
+- name: Configure Certbot service
+ ansible.builtin.import_tasks: machinectl.yml
+ become_method: community.general.machinectl
+ become_user: podman
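Review bot: The first template task writes into `~/.config/systemd/user/` before anything in this role creates that directory; `ansible.builtin.template` does not create missing parent directories, so on a host where the path does not already exist (presumably the role that installs container-certbot.service provides it — worth confirming) the task fails. Running the `ansible.builtin.file` / `state: directory` task first (the file module does create parents) or adding an explicit directory task for `~/.config/systemd/user` removes the dependency on task ordering across roles. The `~` in each `dest` should resolve to the home of the effective remote user, so it points at podman's home only when the become settings on the importing task are actually active — another reason to confirm `become: true` is set somewhere.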
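Review bot: The `community.general.sudoers` rule grants `podman` NOPASSWD root execution of `/usr/local/bin/move-certificate-files-to-root` with any argument, while the script it points at (move-certificate-files-to-root.j2 later in this patch) copies `$1/*` into `/etc/sce-certbot` without validation, so the argument is the entire trust boundary between the unprivileged container account and root. Pinning the argument in the rule — `commands:` / `- "/usr/local/bin/move-certificate-files-to-root <STAGING_DIR>"` with `<STAGING_DIR>` replaced by the fixed staging path the user unit writes to — or dropping the argument and hard-coding that path in the root-side script keeps the rule from being usable with arbitrary source directories. The `0740` mode on the move script relies on its default root ownership; adding `owner: root` and `group: root` to that template task makes the intent explicit and survives a future change of the connecting user.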
diff --git a/roles/podman_certbot_root_transfer/templates/certbot-dropin.conf.j2 b/roles/podman_certbot_root_transfer/templates/certbot-dropin.conf.j2
new file mode 100644
index 0000000..90aacf8
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/templates/certbot-dropin.conf.j2
@@ -0,0 +1,3 @@
+# {{ ansible_managed }}
+[Unit]
+OnSuccess=certbot-move-certificates.service
diff --git a/roles/podman_certbot_root_transfer/templates/certbot-move-certificates.service.j2 b/roles/podman_certbot_root_transfer/templates/certbot-move-certificates.service.j2
new file mode 100644
index 0000000..b2a71ed
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/templates/certbot-move-certificates.service.j2
@@ -0,0 +1,7 @@
+# {{ ansible_managed }}
+[Unit]
+Description=Move generated certbot certificates to root path
+
+[Service]
+Type=oneshot
+ExecStart=/usr/local/bin/extract-certificate-files
diff --git a/roles/podman_certbot_root_transfer/templates/extract-certificate-files.j2 b/roles/podman_certbot_root_transfer/templates/extract-certificate-files.j2
new file mode 100644
index 0000000..8ff22d3
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/templates/extract-certificate-files.j2
@@ -0,0 +1,8 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+MOUNT=$(podman volume inspect certbot-etc --format "{{ '{{' }} .Mountpoint {{ '}}' }}")
+
+mkdir -p certbot-tx
+cp -rL $MOUNT/live/* certbot-tx
+sudo /usr/local/bin/move-certificate-files-to-root $(realpath certbot-tx)
diff --git a/roles/podman_certbot_root_transfer/templates/move-certificate-files-to-root.j2 b/roles/podman_certbot_root_transfer/templates/move-certificate-files-to-root.j2
new file mode 100644
index 0000000..382445e
--- /dev/null
+++ b/roles/podman_certbot_root_transfer/templates/move-certificate-files-to-root.j2
@@ -0,0 +1,5 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+# TODO: evaluate proper argument escaping
+cp -r $1/* /etc/sce-certbot
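Review bot: `OnSuccess=` is only honoured by systemd 249 and newer (if I recall the release notes correctly); on an older host the drop-in produces an unknown-lvalue warning and the transfer unit never fires, leaving nginx on a stale certificate with no failed unit to alert on. Either record the requirement in the drop-in, `# Requires systemd >= 249 for OnSuccess=; older hosts ignore this directive with a warning`, or have the role check the systemd version before installing it. The comment should also say that the unit fires on every successful certbot run, not only when a certificate was actually renewed, so the copy it triggers must stay idempotent.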
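Review bot: The unit sets no `WorkingDirectory=`, and the script it runs (extract-certificate-files.j2 in this patch) creates `certbot-tx` relative to the current directory, so the staging copy of the private keys lands in whatever default cwd the user manager gives the service — the user's home, as far as I know. Pinning it, `WorkingDirectory=%h` (or a dedicated directory under `%t`, which is private to the user), makes the staging path fixed and lets the sudoers rule in tasks/main.yml name it explicitly. `Description=` says "Move ..." while `ExecStart=` runs the extract script; aligning the two avoids confusion when reading the journal.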
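Review bot: The script has no `set -e`, so when `podman volume inspect` fails `MOUNT` is empty, `cp -rL $MOUNT/live/*` copies nothing, and the `sudo` call still runs and replaces `/etc/sce-certbot` with whatever stale or empty `certbot-tx` contains; `$MOUNT` and `$(realpath certbot-tx)` are also unquoted. The staging directory is created under the default umask and never removed, so copies of the private keys persist in the working directory between runs. An explicit `umask 077`, a guard on `$MOUNT/live`, quoting, and clearing the staging directory before and after the copy close those gaps without changing what is handed to the root-side script.
```bash
#!/bin/bash
# {{ ansible_managed }}
set -euo pipefail
umask 077   # staged copies of the private keys must not be group/world readable

MOUNT=$(podman volume inspect certbot-etc --format "{{ '{{' }} .Mountpoint {{ '}}' }}")
[ -d "$MOUNT/live" ] || { echo "no live/ directory in volume certbot-etc" >&2; exit 1; }

rm -rf certbot-tx            # drop stale domain directories from a previous run
mkdir -p certbot-tx
cp -rL "$MOUNT"/live/* certbot-tx
sudo /usr/local/bin/move-certificate-files-to-root "$(realpath certbot-tx)"
rm -rf certbot-tx            # do not leave key material behind
```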
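Review bot: `cp -r $1/* /etc/sce-certbot` is the root side of the NOPASSWD sudoers rule from tasks/main.yml, and the `TODO` line acknowledges that `$1` is neither quoted nor validated — unquoted, it undergoes word splitting and globbing, and any directory the caller names is copied as root. Resolving the argument with `realpath -e`, requiring a real directory, and refusing paths outside the staging location the user unit is known to use bounds what the rule can be used for; the prefix in the sketch below is a labelled placeholder to be replaced with that staging path (or the check dropped if the sudoers rule pins the argument instead). `set -euo pipefail` additionally turns a failed copy into a non-zero exit that the OnSuccess chain and the journal will show.
```bash
#!/bin/bash
# {{ ansible_managed }}
set -euo pipefail

# Reached through a NOPASSWD sudoers rule, so $1 is untrusted input: resolve it,
# require a real directory, and refuse anything outside the staging location.
SRC=$(realpath -e -- "${1:?usage: $0 STAGING_DIR}")
[ -d "$SRC" ] || { echo "$SRC is not a directory" >&2; exit 1; }
case "$SRC" in
  "<STAGING_DIR_PREFIX>"/*) ;;   # placeholder: the fixed path certbot-tx lives under
  *) echo "refusing to copy from $SRC" >&2; exit 1 ;;
esac

cp -r -- "$SRC"/* /etc/sce-certbot/
```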