update docs

d6713d91 · Hahn Axel (hahn) · 73a3a6b5 · d6713d91 · d6713d91 · d6713d91
Commit d6713d91 authored 3 years ago by Hahn Axel (hahn)
--- a/docs/30_Usage.md
+++ b/docs/30_Usage.md
@@ -129,6 +129,14 @@ In a scenario of automatic deployment with Ansible or Puppet you don't want to f

 creates (or renews if close to expiriation) a certificate with 2 hostnames in it.

+This ensure action handles the logic if a certificate must be
+
+* created (if it does not exist) or
+* renewed (it already exists) or
+* re-created (the list of dns names in the certificate was changed)
+
+It detects if a domain in the certificate can use a txt record or needs dns auth mode.
+
 ## Show certificate data

 Use the listing `[APPPATH]/cm.sh list` or maybe filter it `[APPPATH]/cm.sh list | grep "mail."`

--- a/docs/50_Automation_with_Ansible.md
+++ b/docs/50_Automation_with_Ansible.md
+# Automation with Ansible
+
+This is an example how our own installation works.
+
+Ansible can be started manually on a worksation of a sysadmin or on AWX. So we need a
+"central server" that manages and holds all certifiactes.
+
+In cm.sh is a queuing to handle only one certificate. Multiple simoultanous
+calls of cm.sh - from multiple machines or becaus of parallel tasks in your
+playbook are no problem.
+
+![Workflow with Ansible](images/lets-encrypt-workflow-ansible.png)
+
+The following snippets give you an idea how it is done. Even if it is not
+a comlete source with all values of the variables.
+
+## 1. Execute cm.sh
+
+The Ansible instances start the `cm.sh` as SSH command. This triggers the the creation or
+renew of a certificate - whatever is needed.
+
+```yaml
+- name: 'on {{ ssl_master_certhost }} - start {{ ssl_certman_dir }}/cm.sh ensure ...'
+  shell: | 
+    ssh {{ ssl_master_user }}@{{ ssl_master_certhost }} {{ ssl_certman_dir }}/cm.sh ensure {{ ssl_fqdn }} {{ ssl_aliases | join(' ')}}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 2. Rsync certs locally
+
+With rsync it syncs the certificate folder locally to the Ansible machine.
+
+```yaml
+- name: "sync certs locally"
+  shell: | 
+    rsync -rav {{ ssl_master_user }}@{{ ssl_master_certhost }}:{{ ssl_master_install_dir }}/certs/ {{ ssl_certs_local_dir }}
+  become_user: "{{ lookup('env','USER') }}"
+  delegate_to: localhost
+  # maybe you need to set
+  # become: true|false
+```
+
+## 3. Deploy files
+
+Now we can use normal Ansible copy mechanisms to brin these files to the target system.
+
+```yaml
+- name: Install key + certificate for {{ ssl_fqdn }} + intermediate CA
+  copy:
+    src:  '{{ item[0] }}'
+    dest: '{{ item[1] }}'
+    mode: '{{ item[2] }}'
+    backup: true
+  notify: "{{ ssl_change_notify | default([]) }}"
+  loop:
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.cert.cer',       '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.cert.cer'      , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.fullchain.cer',  '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.fullchain.cer' , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.key.pem',        '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.key.pem'       , '0400']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.haproxy.pem',    '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.haproxy.pem'   , '0444']
+    - [ '{{ ssl_certs_local_dir }}/{{ ssl_fqdn }}/{{ ssl_fqdn }}.ca.cer',         '{{ CONST.ssl.certdir }}/{{ ssl_fqdn }}.ca.cer'        , '0444']
+    #                              ^
+    #                              |
+    #                              filestructure after ACME.SH dump
+```
--- a/docs/_index.md
+++ b/docs/_index.md
@@ -87,3 +87,9 @@ to verify when what was done what for a given domain.
 Automation is wonderful. You create systems and certificates for them on the fly.
 And you destroy test machines. A parameter "list-old" shows certiciates that were not renewed
 anymore and are older 90 days.
+
+## Overview
+
+This is an overview of the components for issuing a certificate that take part:
+
+![Components](images/cert-manager-components.png)
\ No newline at end of file
--- a/docs/images/cert-manager-components.png
+++ b/docs/images/cert-manager-components.png
--- a/docs/images/lets-encrypt-workflow-ansible.png
+++ b/docs/images/lets-encrypt-workflow-ansible.png
--- a/docs/style.css
+++ b/docs/style.css
@@ -34,6 +34,16 @@

 /* ---------- tags ---------- */

+a.Brand::before {
+	background: rgb(255,0,51);
+	color: #fff;
+    font-family: arial;
+	font-weight: bold;
+	padding: 0.5em 0.3em;
+	content: 'IML';
+    margin-right: 0.4em;
+}
+
 body, *{color: var(--color);}
 body{background: var(--bg-body);}