Remove acmetool role, adapt certificate paths for certbot

abc4ba1a · MichiK · e126c5d1 · e126c5d1 · e126c5d1 · e126c5d1
Commit abc4ba1a authored 4 years ago by MichiK
--- a/roles/acmetool/defaults/main.yml
+++ b/roles/acmetool/defaults/main.yml
-# Please note that acmetool_webroot is defined in the defaults of the
-# nginx-http role as it is needed for the default HTTP configuration of
-# nginx (much simpler that way).
-
-acmetool_cert_domains:
- - "{{ inventory_hostname }}"
-
-# This is the production environment. To use the staging environment, please
-# override for the host(s) in question with the following URL:
-# https://acme-staging.api.letsencrypt.org/directory
-#
-# When this changes, you need to delete /var/lib/acme/conf/target manually!
-acmetool_server:  "https://acme-v01.api.letsencrypt.org/directory"
--- a/roles/acmetool/meta/main.yml
+++ b/roles/acmetool/meta/main.yml
-dependencies:
- - nginx-http
--- a/roles/acmetool/tasks/main.yml
+++ b/roles/acmetool/tasks/main.yml
- name: install acmetool
-  apt:
-    package: acmetool
-    update_cache: yes
-    cache_valid_time: 3600
-    state: present
-
- name: create acmetool conf and webroot directories
-  file:
-    dest: "/var/lib/acme/{{ item }}"
-    state: directory
-  with_items:
-   - "conf"
-   - "webroot"
-
- name: install acmetool response file
-  template:
-    src: "responses.j2"
-    dest: "/var/lib/acme/conf/responses"
-
- name: execute acmetool quickstart
-  command: "acmetool quickstart --batch"
-  args:
-    creates: "/var/lib/acme/conf/target"
-
- name: request a certificate
-  command: 'acmetool want --batch {{ item }}'
-  args:
-    creates: "/var/lib/acme/live/{{ item }}"
-  with_items: "{{ acmetool_cert_domains }}"
--- a/roles/acmetool/templates/responses.j2
+++ b/roles/acmetool/templates/responses.j2
-# {{ ansible_managed }}
-
-"acme-enter-email": "{{ admin_email }}"
-"acme-agreement:https://letsencrypt.org/documents/LE-SA-v1.2-November-15-2017.pdf": true
-"acmetool-quickstart-choose-server": {{ acmetool_server }}
-"acmetool-quickstart-choose-method": webroot
-"acmetool-quickstart-webroot-path": "{{ acmetool_webroot }}/acme-challenge"
-"acmetool-quickstart-complete": true
-"acmetool-quickstart-install-cronjob": true
-"acmetool-quickstart-install-haproxy-script": true
-"acmetool-quickstart-install-redirector-systemd": true
-"acmetool-quickstart-key-type": rsa
-"acmetool-quickstart-rsa-key-size": 4096
--- a/roles/dovecot/meta/main.yml
+++ b/roles/dovecot/meta/main.yml
 ---

 dependencies:
-  - { role: acmetool }
+#  - { role: acmetool }
--- a/roles/dovecot/templates/10-ssl.conf.j2
+++ b/roles/dovecot/templates/10-ssl.conf.j2
 # {{ ansible_managed }}

 ssl = required
-ssl_cert = </var/lib/acme/live/{{ dovecot_hostname }}/fullchain
-ssl_key = </var/lib/acme/live/{{ dovecot_hostname }}/privkey
+ssl_cert = </etc/letsencrypt/live/{{ dovecot_hostname }}/fullchain.pem
+ssl_key = </etc/letsencrypt/live/{{ dovecot_hostname }}/privkey.pem
 ssl_min_protocol = {{ dovecot_min_ssl_protocol }}
 ssl_prefer_server_ciphers = {{ "yes" if dovecot_prefer_server_ciphers else "no" }}
 ssl_cipher_list = '{{ dovecot_ssl_ciphers }}'
--- a/roles/nginx-http/defaults/main.yml
+++ b/roles/nginx-http/defaults/main.yml
-acmetool_webroot: "/var/lib/acme/webroot"
+certbot_webroot: "/var/www/certbot"

 nginx_http_locations:
 - location: "/"

--- a/roles/nginx-http/tasks/main.yml
+++ b/roles/nginx-http/tasks/main.yml
@@ -29,6 +29,11 @@
    state: link
  register: nginx_default_enabled

+- name: make sure the certbot webroot exists
+  file:
+    dest: "{{ certbot_webroot }}"
+    state: directory
+
 # We do this here instead of using the handler so that when the a role that
 # depends on this as well as on acmetool (e.g. nginx-https) is used in a
 # playbook, nginx is restarted with the proper configuration before the

--- a/roles/nginx-http/templates/default.j2
+++ b/roles/nginx-http/templates/default.j2
@@ -12,7 +12,7 @@ server {
 {% endfor %}

  location ^~ /.well-known {
-    alias {{ acmetool_webroot }};
+    root {{ certbot_webroot }};
  }

 }

--- a/roles/nginx-https/meta/main.yml
+++ b/roles/nginx-https/meta/main.yml
 dependencies:
 - nginx-http
- - acmetool
--- a/roles/nginx-https/templates/https-site.j2
+++ b/roles/nginx-https/templates/https-site.j2
@@ -3,8 +3,8 @@
 server {

  server_name {{ item.name }};
-  ssl_certificate /var/lib/acme/live/{{ item.name }}/fullchain;
-  ssl_certificate_key /var/lib/acme/live/{{ item.name }}/privkey;
+  ssl_certificate /etc/letsencrypt/live/{{ item.name }}/fullchain.pem;
+  ssl_certificate_key /etc/letsencrypt/live/{{ item.name }}/privkey.pem;

  include ssl.conf;
 {% if "options" in item %}

--- a/roles/postfix/meta/main.yml
+++ b/roles/postfix/meta/main.yml
 dependencies:
- - acmetool
+# - acmetool
--- a/roles/postfix/templates/main.cf.j2
+++ b/roles/postfix/templates/main.cf.j2
@@ -44,8 +44,8 @@ smtp_use_tls = yes
 smtp_generic_maps = hash:/etc/postfix/generic

 smtpd_banner = $myhostname loves ESMTP
-smtpd_tls_cert_file=/var/lib/acme/live/{{ inventory_hostname }}/fullchain
-smtpd_tls_key_file=/var/lib/acme/live/{{ inventory_hostname }}/privkey
+smtpd_tls_cert_file=/etc/letsencrypt/live/{{ inventory_hostname }}/fullchain.pem
+smtpd_tls_key_file=/etc/letsencrypt/live/{{ inventory_hostname }}/privkey.pem
 smtpd_tls_dh1024_param_file = {{ postfix_ssl_dhparam }}
 smtpd_tls_eecdh_grade = ultra
 smtpd_tls_loglevel = 0

--- a/services-base.yml
+++ b/services-base.yml
@@ -6,6 +6,5 @@
  become: yes
  roles:
   - nginx-http
-   - acmetool
   - nginx-https
   - postfix