first commit

certdistrib.yml.example

@@ -0,0 +1,11 @@
+---
+- name: certdistrib
+  hosts: certdistrib
+  become: yes
+  roles:
+    - role: certdistrib
+  vars:
+    dns_dehydratedpath: hws-ns1:/etc/dehydrated/certs
+    local_certpath: /opt/certdistrib/certs
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab:

tasks/main.yml

@@ -0,0 +1,53 @@
+---
+- name: "copy certificates from dns master's dehydrated"
+  command: "rsync -a --info=NAME {{ dns_dehydratedpath }}/ {{ local_certpath }}"
+  delegate_to: localhost
+  run_once: yes
+  register: dns_rsync
+  changed_when: "dns_rsync.stdout != ''"
+
+- name: "create cert directory"
+  file:
+    path: "/etc/ssl/{{ item }}"
+    state: directory
+  loop: "{{ certdistrib }}"
+
+- name: "copy fullchain"
+  copy:
+    src: "{{ local_certpath }}/{{ item }}/fullchain.pem"
+    dest: "/etc/ssl/{{ item }}/fullchain.pem"
+  loop: "{{ certdistrib }}"
+  register: copy_cert
+
+- name: "copy key"
+  copy:
+    src: "{{ local_certpath }}/{{ item }}/privkey.pem"
+    dest: "/etc/ssl/{{ item }}/privkey.pem"
+  loop: "{{ certdistrib }}"
+  register: copy_key
+
+- name: "create privfull"
+  copy:
+    content: "{{ lookup('file', local_certpath +'/'+ item +'/privkey.pem') }}\n{{ lookup('file', local_certpath +'/'+ item +'/fullchain.pem') }}\n"
+    dest: "/etc/ssl/{{ item }}/privfull.pem"
+  loop: "{{ certdistrib }}"
+  register: create_privfull
+
+- name: reload services
+  shell: "if systemctl is-active {{ item }}; then systemctl reload {{ item }}; fi"
+  changed_when: no
+  loop:
+    - apache2
+    - httpd
+    - nginx
+    - haproxy
+  when: "copy_cert.changed or copy_key.changed or create_privfull.changed"
+
+- name: extra reload command
+  shell: "{{ certdistrib_reload }}"
+  when:
+    - "copy_cert.changed or copy_key.changed or create_privfull.changed"
+    - certdistrib_reload is defined
+
+
+# vim: set tabstop=2 shiftwidth=2 expandtab smarttab: