From f68efa7797b629942de4f2b7540dbd68e2cb2e48 Mon Sep 17 00:00:00 2001
From: Jakub Kadlčík
Date: Jun 06 2019 22:02:48 +0000
Subject: copr-dist-git: automatize cert renewal with certbot-renew.timer
---
diff --git a/roles/copr/dist_git/tasks/main.yml b/roles/copr/dist_git/tasks/main.yml
index cdd78d8..f9be653 100644
--- a/roles/copr/dist_git/tasks/main.yml
+++ b/roles/copr/dist_git/tasks/main.yml
@@ -83,6 +83,12 @@
 state: directory
 setype: httpd_sys_content_t
+ - name: Automatize cert renewal
+ service:
+ name: certbot-renew.timer
+ state: started
+ enabled: yes
+
 - name: temporary logrotation fix until copr-dist-git 0.26 is released & deployed
 copy: src="logrotate.d/copr-dist-git" dest="/etc/logrotate.d/copr-dist-git"
diff --git a/roles/copr/dist_git/templates/sysconfig/certbot b/roles/copr/dist_git/templates/sysconfig/certbot
new file mode 100644
index 0000000..ad1263a
--- /dev/null
+++ b/roles/copr/dist_git/templates/sysconfig/certbot
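Review bot: The new task starts `certbot-renew.timer`, but nothing in this hunk renders the `templates/sysconfig/certbot` file that the same commit adds, so `/etc/sysconfig/certbot` (and with it the `CERTBOT_ARGS` the timer depends on) may never reach the host unless a template task exists elsewhere in the role; if it does not, add before this task `- name: Deploy certbot renewal configuration` / `template: src=sysconfig/certbot dest=/etc/sysconfig/certbot`. The `service` task also presumes the certbot package that ships the timer unit is already installed by an earlier task not visible here, and fails on a fresh host otherwise. Minor wording: `- name: Automate cert renewal` rather than `Automatize`. The enclosing task list continues on both sides of the hunk.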
@@ -0,0 +1,54 @@
+## NOTE ##
+# If a hook is set here then it will be used for all
+# certificates and will override any per certificate
+# hook configuration in place.
+
+# Command to be run in a shell before obtaining any
+# certificates. Intended primarily for renewal, where it
+# can be used to temporarily shut down a webserver that
+# might conflict with the standalone plugin. This will
+# only be called if a certificate is actually to be
+# obtained/renewed. When renewing several certificates
+# that have identical pre-hooks, only the first will be
+# executed.
+#
+# An example to stop the MTA before updating certs would be
+# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
+PRE_HOOK=""
+
+# Command to be run in a shell after attempting to
+# obtain/renew certificates. Can be used to deploy
+# renewed certificates, or to restart any servers that
+# were stopped by --pre-hook. This is only run if an
+# attempt was made to obtain/renew a certificate. If
+# multiple renewed certificates have identical post-
+# hooks, only one will be run.
+#
+# An example to restart httpd would be:
+# POST_HOOK="--post-hook 'systemctl restart httpd'"
+POST_HOOK=""
+
+# Command to be run in a shell once for each
+# successfully renewed certificate. For this command,
+# the shell variable $RENEWED_LINEAGE will point to the
+# config live subdirectory containing the new certs and
+# keys; the shell variable $RENEWED_DOMAINS will contain
+# a space-delimited list of renewed cert domains
+#
+# An example to run a script to alert each cert would be:
+# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
+RENEW_HOOK=""
+
+# Any other misc arguments for the renewal
+# See certbot -h renew for full list
+#
+# An example to force renewal for certificates not due yet
+# CERTBOT_ARGS="--force-renewal"
+#
+# The following command is produced
+# certbot renew **CERTBOT_ARGS
+{% if devel %}
+CERTBOT_ARGS="--force-renewal --webroot -w /srv/web/acme-challenge --cert-name copr-dist-git-dev.fedorainfracloud.org"
+{% else %}
+CERTBOT_ARGS="--force-renewal --webroot -w /srv/web/acme-challenge --cert-name copr-dist-git.fedorainfracloud.org"
+{% endif %}
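Review bot: `--force-renewal` on both `CERTBOT_ARGS` lines at the end of the hunk forces a fresh certificate on every run of `certbot-renew.timer`, not just when the current one is close to expiry; the file's own comment describes that flag as for certificates "not due yet", so on a recurring timer it means needless reissues and a real chance of tripping the CA's rate limits, after which renewal fails until the window passes. Drop the flag on both lines, e.g. `CERTBOT_ARGS="--webroot -w /srv/web/acme-challenge --cert-name copr-dist-git-dev.fedorainfracloud.org"` for the devel branch and the matching non-devel line. `POST_HOOK` is left empty, so presumably the web server keeps serving the old certificate after a renewal until something restarts it; if httpd fronts this host (the other hunk labels content `httpd_sys_content_t`), consider `POST_HOOK="--post-hook 'systemctl reload httpd'"` so the renewed key pair is picked up.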