Add transfer role from the Certbot container

This role will install logic to transfer the (renewed) certificates
from the Certbot container to a directory easily accessible by a
distribution-installed nginx.
This commit is contained in:
Ivo C.S. Wingelaar 2024-10-12 21:42:33 +02:00
parent 4da71eadec
commit 99053b7f3e
Signed by: ivo
GPG key ID: ABBED434F58D0AA3
7 changed files with 86 additions and 0 deletions


@ -0,0 +1,7 @@
---
- name: Reload user systemd daemon
ansible.builtin.systemd_service:
daemon_reload: true
scope: user
become_method: community.general.machinectl
become_user: podman


@ -0,0 +1,24 @@
---
- name: Install systemd files for certbot certificate renewal
ansible.builtin.template:
src: "{{ filename }}.j2"
dest: ~/.config/systemd/user/{{ filename }}
mode: "0640"
vars:
filename: certbot-move-certificates.service
notify: Reload user systemd daemon
- name: Create systemd user override drop-in directory
ansible.builtin.file:
dest: ~/.config/systemd/user/container-certbot.service.d
state: directory
mode: "0750"
- name: Install override file to move the generated Certbot certificates
ansible.builtin.template:
src: "{{ filename }}.j2"
dest: ~/.config/systemd/user/container-certbot.service.d/{{ filename }}
mode: "0640"
vars:
filename: certbot-dropin.conf
notify: Reload user systemd daemon
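Review bot: `ansible.builtin.template` does not create the parent directory of `dest`, so the first task ("Install systemd files for certbot certificate renewal") fails if `~/.config/systemd/user` is not already present on the host, while the drop-in directory a few lines later is created explicitly. Presumably an earlier role creates it when container-certbot.service is installed, which is worth confirming; if not, add an `ansible.builtin.file` task with `state: directory` and `mode: "0750"` for `~/.config/systemd/user` ahead of the template task, mirroring the third task. The three tasks here are otherwise consistent, and the `notify` on both templates is correct since the drop-in changes the unit graph.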


@ -0,0 +1,32 @@
---
- name: Create SCE certbot directories
ansible.builtin.file:
dest: /etc/sce-certbot
state: directory
mode: "0750"
- name: Install script to move the TLS certificates to root
ansible.builtin.template:
src: move-certificate-files-to-root.j2
dest: /usr/local/bin/move-certificate-files-to-root
mode: "0740"
- name: Install script to extract the certificate files from the Podman volume
ansible.builtin.template:
src: extract-certificate-files.j2
dest: /usr/local/bin/extract-certificate-files
mode: "0755"
- name: Allow podman user to execute the move command
community.general.sudoers:
name: allow-podman-move-certificates
user: podman
state: present
commands:
- /usr/local/bin/move-certificate-files-to-root
nopassword: true
- name: Configure Certbot service
ansible.builtin.import_tasks: machinectl.yml
become_method: community.general.machinectl
become_user: podman
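Review bot: The sudoers task ("Allow podman user to execute the move command") lists `/usr/local/bin/move-certificate-files-to-root` with no argument, which in sudoers grammar allows the podman account to run it with any argument, and that script copies whatever directory it is given into /etc/sce-certbot as root, the path nginx will load its TLS material from. Since the only legitimate caller passes one fixed staging directory, either pin that argument in `commands:` or have the script resolve and validate the staging path itself rather than trusting its argument; as written the rule lets the podman account decide what ends up in the certificate directory. Separately, the final `import_tasks` sets `become_method` and `become_user` but not `become: true`; unless the play enables become at a higher level this will not switch to the podman user, so it is worth adding `become: true` on that task to make the intent explicit.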


@ -0,0 +1,3 @@
# {{ ansible_managed }}
[Unit]
OnSuccess=certbot-move-certificates.service
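Review bot: `OnSuccess=` is only understood by systemd 249 and later; on an older host the user manager logs "Unknown key name" and ignores the drop-in, so the certificates are never moved and the playbook reports no error. Record this in the template with a comment such as `# OnSuccess= requires systemd >= 249`, and consider an assert on the host's systemd version in the role so the failure is loud. Whether the move runs after every successful container exit or only after an actual renewal depends on certbot's exit status, which I cannot see here; either way the copy is idempotent, so the extra runs are harmless.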


@ -0,0 +1,7 @@
# {{ ansible_managed }}
[Unit]
Description=Move generated certbot certificates to root path
[Service]
Type=oneshot
ExecStart=/usr/local/bin/extract-certificate-files
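Review bot: `ExecStart` invokes a script that creates and uses a relative `certbot-tx` path, so the unit should pin where that lands with `WorkingDirectory=%h` in `[Service]` rather than rely on the user manager's default working directory. The unit has no `[Install]` section, which is correct because it is only started via `OnSuccess=` from the container unit; a one-line comment in the template stating that would keep a future reader from adding a `WantedBy=` to "fix" it.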


@ -0,0 +1,8 @@
#!/bin/bash
# {{ ansible_managed }}
MOUNT=$(podman volume inspect certbot-etc --format "{{ '{{' }} .Mountpoint {{ '}}' }}")
mkdir -p certbot-tx
cp -rL $MOUNT/live/* certbot-tx
sudo /usr/local/bin/move-certificate-files-to-root $(realpath certbot-tx)
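Review bot: The script has no `set -euo pipefail`, so if `podman volume inspect` fails, `MOUNT` is empty, the `cp` fails, and the `sudo` line still runs and hands whatever is left in `certbot-tx` (possibly a stale copy from an earlier run) to the root-side script. `$MOUNT` is also used unquoted, and `certbot-tx` is created relative to the current working directory with the default umask even though it briefly holds private keys. The rewrite below fails fast, quotes every path, and stages under `$HOME` with a 0700 directory; the Jinja expression for the format string is kept verbatim.
```shell
#!/bin/bash
# {{ ansible_managed }}
set -euo pipefail
MOUNT=$(podman volume inspect certbot-etc --format "{{ '{{' }} .Mountpoint {{ '}}' }}")
# Stage under the service user's home so the path does not depend on the unit's cwd.
TX="$HOME/certbot-tx"
mkdir -p -m 0700 "$TX"
cp -rL "$MOUNT"/live/* "$TX"
sudo /usr/local/bin/move-certificate-files-to-root "$(realpath "$TX")"
```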


@ -0,0 +1,5 @@
#!/bin/bash
# {{ ansible_managed }}
# TODO: evaluate proper argument escaping
cp -r $1/* /etc/sce-certbot
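Review bot: The TODO on the previous line is the real issue here: this script runs as root under a NOPASSWD sudoers rule, and `$1` is used unquoted and unvalidated, so whichever directory the caller names is copied into /etc/sce-certbot, the directory nginx serves TLS material from. Resolve the argument with `realpath -e`, accept only the staging directory that extract-certificate-files produces under the podman user's home, quote the path, and fail fast on errors. The expected path is derived from `getent passwd podman` rather than hard-coded so it follows the account's actual home directory.
```shell
#!/bin/bash
# {{ ansible_managed }}
set -euo pipefail
# Resolve the argument and accept only the staging directory written by extract-certificate-files.
SRC="$(realpath -e -- "${1:?usage: $0 <staging-directory>}")"
EXPECTED="$(getent passwd podman | cut -d: -f6)/certbot-tx"
if [ "$SRC" != "$EXPECTED" ]; then
  echo "refusing to copy certificates from $SRC" >&2
  exit 1
fi
cp -r -- "$SRC"/* /etc/sce-certbot
```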