50_Automation_with_Ansible.md
Hahn Axel (hahn) committed

# Automation with Ansible

This is an example of how our own installation works.

Ansible can be started manually on a sysadmin's workstation or on AWX, so we need a
"central server" that manages and holds all certificates; the Ansible side only asks it for
a certificate and fetches the result.

cm.sh contains a queue so that only one certificate is handled at a time. Multiple
simultaneous calls of cm.sh, from multiple machines or because of parallel tasks in your
playbook, are therefore no problem.

![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)

The following snippets give you an idea of how it is done, even though they are not
a complete source with all values of the variables.

## 1. Execute cm.sh

The Ansible instance starts `cm.sh` as an SSH command on the central server. This triggers the
creation or renewal of a certificate, whichever is needed.

```yaml
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
  # Runs on the Ansible controller (delegate_to: localhost) and connects to the
  # central server over SSH; cm.sh queues concurrent calls itself.
  # The FQDN and the aliases end up in a remote shell command line, so they
  # must come from trusted inventory data.
  shell: |
    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ') }}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false
```

## 2. Rsync certs locally

With rsync, the certificate folder is synced from the central server to the Ansible machine.
Note that this places the private keys on the Ansible controller as well, so the local
directory must not be readable by other users of that machine.

```yaml
- name: "sync certs locally"
  # -a keeps the file modes of the central server; -v lists what was copied.
  # The trailing slash on the source copies the content of certs/, not the
  # directory itself.
  shell: |
    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
  become_user: "{{ lookup('env','USER') }}"
  delegate_to: localhost
  # maybe you need to set
  # become: true|false
```

## 3. Deploy files

Now we can use the normal Ansible copy module to bring these files to the target system.
The private key is installed with mode 0400, the public certificates with 0444.

```yaml
- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
  copy:
    src:  '{{ item[0] }}'
    dest: '{{ item[1] }}'
    mode: '{{ item[2] }}'
    backup: true
  notify: "{{ ssl_change_notify | default([]) }}"
  loop:
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer'      , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer',  '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem'       , '0400']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',    '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem'   , '0444']
    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',         '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer'        , '0444']
    #                              ^
    #                              |
    #                              file structure after the acme.sh dump: one folder per FQDN
```
```
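The three steps above, combined into one task file as an added example (this is not the project's own code). It reuses the variable names from the snippets (`ssl_master_user`, `ssl_master_certhost`, `ssl_certman_dir`, `ssl_master_install_dir`, `ssl_certs_local_dir`, `ssl_fqdn`, `ssl_aliases`, `ssl_change_notify`, `CONST.ssl.certdir`); `ssl_cert_owner` and `ssl_cert_group` are assumed variables of this example, and `openssl` is assumed to be installed on the target. It tightens the snippets in four places: the remote command string is built with Ansible's `quote` filter so the FQDN and aliases reach cm.sh as the remote shell's arguments and nothing else, `command` with `argv` avoids a local shell entirely, rsync pulls only this host's folder and forces restrictive modes on the controller, and every file is parsed by `openssl` via the copy module's `validate` option before it replaces the live copy.

```yaml
---
# Added example, not the project's own code: steps 1 to 3 of this page as
# one task file. ssl_cert_owner / ssl_cert_group are assumed variables
# (default root); all other variables are taken from the snippets above.
# As on the page: you may need to set `become: true|false` for the
# delegated tasks, depending on how the controller user is set up.

# Step 1: create or renew the certificate on the central server.
- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }}'
  command:
    # argv: no local shell. The last element is the string the remote login
    # shell parses, so the FQDN and each alias are shell-quoted inside it.
    argv:
      - ssh
      - -o
      - BatchMode=yes          # fail instead of prompting for a password
      - '{{ ssl_master_user }}@{{ ssl_master_certhost }}'
      - '{{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn | quote }} {{ ssl_aliases | map("quote") | join(" ") }}'
  become_user: "{{ lookup('env', 'USER') }}"
  delegate_to: localhost
  # cm.sh queues concurrent calls itself. Its output is not documented here,
  # so this task always reports "changed".

# Step 2: pull only this host's certificate folder onto the controller.
- name: 'local cert directory for {{ ssl_fqdn }}'
  file:
    path: '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}'
    state: directory
    mode: '0700'
  become_user: "{{ lookup('env', 'USER') }}"
  delegate_to: localhost

- name: 'sync certs for {{ ssl_fqdn }} locally'
  command:
    # -i prints one line per changed file; --chmod keeps the private key
    # unreadable for other local users, whatever the server's modes are.
    argv:
      - rsync
      - -ai
      - --chmod=D700,F600
      - '{{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/{{ ssl_fqdn }}/'
      - '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/'
  become_user: "{{ lookup('env', 'USER') }}"
  delegate_to: localhost
  register: rsync_out
  changed_when: rsync_out.stdout | length > 0

# Step 3: deploy, but let openssl parse each file before it replaces the
# live copy. A truncated or empty dump fails here, not in the service reload.
- name: 'Install key + certificate for {{ ssl_fqdn }} + intermediate CA'
  copy:
    src:  '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.{{ item.suffix }}'
    dest: '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.{{ item.suffix }}'
    owner: '{{ ssl_cert_owner | default("root") }}'
    group: '{{ ssl_cert_group | default("root") }}'
    mode: '{{ item.mode }}'
    backup: true
    validate: '{{ item.check }} -noout -in %s'   # %s is the temporary file
  notify: "{{ ssl_change_notify | default([]) }}"
  loop:
    - { suffix: cert.cer,      mode: '0444', check: openssl x509 }
    - { suffix: fullchain.cer, mode: '0444', check: openssl x509 }
    - { suffix: ca.cer,        mode: '0444', check: openssl x509 }
    - { suffix: key.pem,       mode: '0400', check: openssl pkey }
    # Assumption: haproxy.pem bundles the private key with the chain, as
    # HAProxy's `crt` option expects, so it is treated like the key.
    - { suffix: haproxy.pem,   mode: '0400', check: openssl pkey }
  loop_control:
    label: '{{ item.suffix }}'
```

Two design notes. First, quoting has to happen on the string that the remote shell sees: quoting the arguments only on the controller does not help, because both `shell` and `command` strip that quoting before `ssh` joins the remaining arguments and hands them to the remote login shell. Second, the SSH key the controller uses as `ssl_master_user` can run anything on the central server; restricting it in that user's `authorized_keys` to cm.sh and rsync is a sensible follow-up, but it is outside what the page's snippets show.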