[fix] role:tlswert_acme_inwx

2024-06-09 12:54:47 +02:00 · 2024-06-09 12:54:47 +02:00 · fc925d491a
commit fc925d491a
parent e175c56d61
4 changed files with 151 additions and 2 deletions
--- a/roles/tlscert_acme_inwx/defaults/main.json
+++ b/roles/tlscert_acme_inwx/defaults/main.json
@ -3,7 +3,6 @@
 	"var_tlscert_acme_inwx_acme_account_key_path": "/etc/letsencrypt/key",
 	"var_tlscert_acme_inwx_inwx_account_username": "REPLACE_ME",
 	"var_tlscert_acme_inwx_inwx_account_password": "REPLACE_ME",
-	"var_tlscert_acme_inwx_domain_base": "example.org",
-	"var_tlscert_acme_inwx_domain_path": "foo",
+	"var_tlscert_acme_inwx_domain": "foo.example.org",
 	"var_tlscert_acme_inwx_ssl_directory": "/etc/ssl"
 }
--- a/roles/tlscert_acme_inwx/files/tls-get
+++ b/roles/tlscert_acme_inwx/files/tls-get
@ -0,0 +1,133 @@
+#!/usr/bin/env python3
+
+import sys as _sys
+import os as _os
+import json as _json
+import pathlib as _pathlib
+import argparse as _argparse
+
+
+def file_read(path):
+	handle = open(path, "r")
+	content = handle.read()
+	handle.close()
+	return content
+	
+
+def main():
+	## args
+	argument_parser = _argparse.ArgumentParser()
+	argument_parser.add_argument(
+		"-c",
+		"--conf-path",
+		type = str,
+		dest = "conf_path",
+		metavar = "<conf-path>",
+		default = _os.path.join(str(_pathlib.Path.home()), ".tls-get-conf.json"),
+	)
+	argument_parser.add_argument(
+		dest = "domain",
+		metavar = "<domain>",
+		help = "the domain for which the TLS certificate shall be generated"
+	)
+	argument_parser.add_argument(
+		"-t",
+		"--target-directory",
+		dest = "target_directory",
+		type = str,
+		metavar = "<target-directory>",
+		default = "/etc/ssl",
+	)
+	argument_parser.add_argument(
+		"-x",
+		"--challenge-prefix",
+		dest = "challenge_prefix",
+		type = str,
+		metavar = "<challenge-prefix>",
+		default = "_acme-challenge",
+		help = "which subdomain to use for ACME challanges",
+	)
+	argument_parser.add_argument(
+		"-w",
+		"--delay",
+		dest = "delay",
+		type = float,
+		default = 60.0,
+		metavar = "<delay>",
+		help = "seconds to wait at end of certbot auth hook",
+	)
+	argument_parser.add_argument(
+		"-q",
+		"--dry-run",
+		dest = "dry_run",
+		action = "store_true",
+		default = False,
+		help = "whether to only print the command on stdout instead of executing it",
+	)
+	args = argument_parser.parse_args()
+	
+	## vars
+	conf = _json.loads(file_read(args.conf_path))
+	le_dir = "/etc/letsencrypt/live"
+	
+	## exec
+	command_certbot = " ".join(
+		[
+			"certbot",
+			"certonly",
+			("--email='%s'" % conf["acme_account"]["email"]),
+			# ("--work-dir='%s'" % conf["misc"]["working_directory"]),
+			"--preferred-challenges='dns'",
+			"--non-interactive",
+			"--agree-tos",
+			("--domain='%s'" % args.domain),
+			"--manual",
+			(
+				"--manual-auth-hook='%s'"
+				% " ".join(
+					[
+						"/usr/local/bin/inwx",
+						("--username=\"%s\"" % conf["inwx_account"]["username"]),
+						("--password=\"%s\"" % conf["inwx_account"]["password"]),
+						"certbot-hook",
+						("--delay=%.4f" % args.delay),
+					]
+				)
+			),
+			(
+				"--post-hook='%s'"
+				% " ".join(
+					[
+						"/usr/local/bin/inwx",
+						("--username=\"%s\"" % conf["inwx_account"]["username"]),
+						("--password=\"%s\"" % conf["inwx_account"]["password"]),
+						"delete",
+						("--domain=\"%s\"" % (args.challenge_prefix + "." + args.domain)),
+						("--type=\"TXT\""),
+					]
+				)
+			),
+		]
+	)
+	if (args.dry_run):
+		_sys.stdout.write(command_certbot + "\n")
+	else:
+		_os.system(command_certbot)
+		subjects = [
+			{"source_name": "privkey", "target_directory": "private"},
+			{"source_name": "cert", "target_directory": "certs"},
+			{"source_name": "chain", "target_directory": "chains"},
+			{"source_name": "fullchain", "target_directory": "fullchains"},
+		]
+		for subject in subjects:
+			_os.system(
+				"mkdir --parents %s && cp --dereference %s %s"
+				% (
+					_os.path.join(args.target_directory, subject["target_directory"]),
+					_os.path.join(le_dir, args.domain, "%s.pem" % subject["source_name"]),
+					_os.path.join(args.target_directory, subject["target_directory"], "%s.pem" % args.domain),
+				)
+			)
+	
+
+main()
--- a/roles/tlscert_acme_inwx/info.md
+++ b/roles/tlscert_acme_inwx/info.md
@ -1,3 +1,8 @@
+## Beschreibung
+
+- richtet die regelmäßige TLS-Zertifikats-Erstellung für eine Domäne und führt eine Erstellung direkt aus
+
+
 ## Verweise

 - [Digital Ocean | How To Acquire a Let's Encrypt Certificate Using Ansible](https://www.digitalocean.com/community/tutorials/how-to-acquire-a-let-s-encrypt-certificate-using-ansible-on-ubuntu-18-04)
--- a/roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2
+++ b/roles/tlscert_acme_inwx/templates/tls-get-conf.json.j2
@ -0,0 +1,12 @@
+{
+	"acme_account": {
+		"email": "{{var_tlscert_acme_inwx_acme_account_email}}"
+	},
+	"inwx_account": {
+		"username": "{{var_tlscert_acme_inwx_inwx_account_username}}",
+		"password": "{{var_tlscert_acme_inwx_inwx_account_password}}"
+	},
+	"misc": {
+		"working_directory": "/tmp/acme"
+	}
+}