Home Explore Help
Sign In
kolter
/
ansible-playbooks
1
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Tree: ba51ac94ec
Branches Tags
ansible-playboo...
/
roles
/
common
/
templates
/
dehydrated
/
hooks
/
apache2.sh.j2

apache2.sh.j2 8.6 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246 
  1. #!/usr/bin/env bash
    2. 

  2. {% if ansible_prolog %}
    3. 

  3. {% from 'templates/ansible/prolog.j2' import prolog with context %}
    4. 

  4. {{ prolog() }}
    5. 

  5. {% endif %}
    6. 

  6. 

  7. deploy_challenge() {
    8. 

  8.     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    9. 

  9. 

  10.     # This hook is called once for every domain that needs to be
    11. 

  11.     # validated, including any alternative names you may have listed.
    12. 

  12.     #
    13. 

  13.     # Parameters:
    14. 

  14.     # - DOMAIN
    15. 

  15.     #   The domain name (CN or subject alternative name) being
    16. 

  16.     #   validated.
    17. 

  17.     # - TOKEN_FILENAME
    18. 

  18.     #   The name of the file containing the token to be served for HTTP
    19. 

  19.     #   validation. Should be served by your web server as
    20. 

  20.     #   /.well-known/acme-challenge/${TOKEN_FILENAME}.
    21. 

  21.     # - TOKEN_VALUE
    22. 

  22.     #   The token value that needs to be served for validation. For DNS
    23. 

  23.     #   validation, this is what you want to put in the _acme-challenge
    24. 

  24.     #   TXT record. For HTTP validation it is the value that is expected
    25. 

  25.     #   be found in the $TOKEN_FILENAME file.
    26. 

  26. 

  27.     # Simple example: Use nsupdate with local named
    28. 

  28.     # printf 'server 127.0.0.1\nupdate add _acme-challenge.%s 300 IN TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
    29. 

  29. }
    30. 

  30. 

  31. clean_challenge() {
    32. 

  32.     local DOMAIN="${1}" TOKEN_FILENAME="${2}" TOKEN_VALUE="${3}"
    33. 

  33. 

  34.     # This hook is called after attempting to validate each domain,
    35. 

  35.     # whether or not validation was successful. Here you can delete
    36. 

  36.     # files or DNS records that are no longer needed.
    37. 

  37.     #
    38. 

  38.     # The parameters are the same as for deploy_challenge.
    39. 

  39. 

  40.     # Simple example: Use nsupdate with local named
    41. 

  41.     # printf 'server 127.0.0.1\nupdate delete _acme-challenge.%s TXT "%s"\nsend\n' "${DOMAIN}" "${TOKEN_VALUE}" | nsupdate -k /var/run/named/session.key
    42. 

  42. }
    43. 

  43. 

  44. sync_cert() {
    45. 

  45.     local KEYFILE="${1}" CERTFILE="${2}" FULLCHAINFILE="${3}" CHAINFILE="${4}" REQUESTFILE="${5}"
    46. 

  46. 

  47.     # This hook is called after the certificates have been created but before
    48. 

  48.     # they are symlinked. This allows you to sync the files to disk to prevent
    49. 

  49.     # creating a symlink to empty files on unexpected system crashes.
    50. 

  50.     #
    51. 

  51.     # This hook is not intended to be used for further processing of certificate
    52. 

  52.     # files, see deploy_cert for that.
    53. 

  53.     #
    54. 

  54.     # Parameters:
    55. 

  55.     # - KEYFILE
    56. 

  56.     #   The path of the file containing the private key.
    57. 

  57.     # - CERTFILE
    58. 

  58.     #   The path of the file containing the signed certificate.
    59. 

  59.     # - FULLCHAINFILE
    60. 

  60.     #   The path of the file containing the full certificate chain.
    61. 

  61.     # - CHAINFILE
    62. 

  62.     #   The path of the file containing the intermediate certificate(s).
    63. 

  63.     # - REQUESTFILE
    64. 

  64.     #   The path of the file containing the certificate signing request.
    65. 

  65. 

  66.     # Simple example: sync the files before symlinking them
    67. 

  67.     # sync "${KEYFILE}" "${CERTFILE} "${FULLCHAINFILE}" "${CHAINFILE}" "${REQUESTFILE}"
    68. 

  68. }
    69. 

  69. 

  70. deploy_cert() {
    71. 

  71.     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}" TIMESTAMP="${6}"
    72. 

  72. 

  73.     # This hook is called once for each certificate that has been
    74. 

  74.     # produced. Here you might, for instance, copy your new certificates
    75. 

  75.     # to service-specific locations and reload the service.
    76. 

  76.     #
    77. 

  77.     # Parameters:
    78. 

  78.     # - DOMAIN
    79. 

  79.     #   The primary domain name, i.e. the certificate common
    80. 

  80.     #   name (CN).
    81. 

  81.     # - KEYFILE
    82. 

  82.     #   The path of the file containing the private key.
    83. 

  83.     # - CERTFILE
    84. 

  84.     #   The path of the file containing the signed certificate.
    85. 

  85.     # - FULLCHAINFILE
    86. 

  86.     #   The path of the file containing the full certificate chain.
    87. 

  87.     # - CHAINFILE
    88. 

  88.     #   The path of the file containing the intermediate certificate(s).
    89. 

  89.     # - TIMESTAMP
    90. 

  90.     #   Timestamp when the specified certificate was created.
    91. 

  91. 

  92.     # Simple example: Copy file to nginx config
    93. 

  93.     # cp "${KEYFILE}" "${FULLCHAINFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
    94. 

  94.     # systemctl reload nginx
    95. 

  95. 

  96.     if systemctl -q is-active apache2 ; then
    97. 

  97.         if apache2ctl configtest >/dev/null 2>&1 ; then
    98. 

  98.             systemctl reload-or-try-restart apache2
    99. 

  99.         else
    100. 

  100.             echo "Apache configuration check failed with the following error:"
    101. 

  101.             apache2ctl configtest
    102. 

  102.         fi
    103. 

  103.     fi
    104. 

  104. }
    105. 

  105. 

  106. deploy_ocsp() {
    107. 

  107.     local DOMAIN="${1}" OCSPFILE="${2}" TIMESTAMP="${3}"
    108. 

  108. 

  109.     # This hook is called once for each updated ocsp stapling file that has
    110. 

  110.     # been produced. Here you might, for instance, copy your new ocsp stapling
    111. 

  111.     # files to service-specific locations and reload the service.
    112. 

  112.     #
    113. 

  113.     # Parameters:
    114. 

  114.     # - DOMAIN
    115. 

  115.     #   The primary domain name, i.e. the certificate common
    116. 

  116.     #   name (CN).
    117. 

  117.     # - OCSPFILE
    118. 

  118.     #   The path of the ocsp stapling file
    119. 

  119.     # - TIMESTAMP
    120. 

  120.     #   Timestamp when the specified ocsp stapling file was created.
    121. 

  121. 

  122.     # Simple example: Copy file to nginx config
    123. 

  123.     # cp "${OCSPFILE}" /etc/nginx/ssl/; chown -R nginx: /etc/nginx/ssl
    124. 

  124.     # systemctl reload nginx
    125. 

  125. 

  126.     if systemctl -q is-active apache2 ; then
    127. 

  127.         if apache2ctl configtest >/dev/null 2>&1 ; then
    128. 

  128.             systemctl reload-or-try-restart apache2
    129. 

  129.         else
    130. 

  130.             echo "Apache configuration check failed with the following error:"
    131. 

  131.             apache2ctl configtest
    132. 

  132.         fi
    133. 

  133.     fi
    134. 

  134. }
    135. 

  135. 

  136. 

  137. unchanged_cert() {
    138. 

  138.     local DOMAIN="${1}" KEYFILE="${2}" CERTFILE="${3}" FULLCHAINFILE="${4}" CHAINFILE="${5}"
    139. 

  139. 

  140.     # This hook is called once for each certificate that is still
    141. 

  141.     # valid and therefore wasn't reissued.
    142. 

  142.     #
    143. 

  143.     # Parameters:
    144. 

  144.     # - DOMAIN
    145. 

  145.     #   The primary domain name, i.e. the certificate common
    146. 

  146.     #   name (CN).
    147. 

  147.     # - KEYFILE
    148. 

  148.     #   The path of the file containing the private key.
    149. 

  149.     # - CERTFILE
    150. 

  150.     #   The path of the file containing the signed certificate.
    151. 

  151.     # - FULLCHAINFILE
    152. 

  152.     #   The path of the file containing the full certificate chain.
    153. 

  153.     # - CHAINFILE
    154. 

  154.     #   The path of the file containing the intermediate certificate(s).
    155. 

  155. }
    156. 

  156. 

  157. invalid_challenge() {
    158. 

  158.     local DOMAIN="${1}" RESPONSE="${2}"
    159. 

  159. 

  160.     # This hook is called if the challenge response has failed, so domain
    161. 

  161.     # owners can be aware and act accordingly.
    162. 

  162.     #
    163. 

  163.     # Parameters:
    164. 

  164.     # - DOMAIN
    165. 

  165.     #   The primary domain name, i.e. the certificate common
    166. 

  166.     #   name (CN).
    167. 

  167.     # - RESPONSE
    168. 

  168.     #   The response that the verification server returned
    169. 

  169. 

  170.     # Simple example: Send mail to root
    171. 

  171.     # printf "Subject: Validation of ${DOMAIN} failed!\n\nOh noez!" | sendmail root
    172. 

  172. }
    173. 

  173. 

  174. request_failure() {
    175. 

  175.     local STATUSCODE="${1}" REASON="${2}" REQTYPE="${3}" HEADERS="${4}"
    176. 

  176. 

  177.     # This hook is called when an HTTP request fails (e.g., when the ACME
    178. 

  178.     # server is busy, returns an error, etc). It will be called upon any
    179. 

  179.     # response code that does not start with '2'. Useful to alert admins
    180. 

  180.     # about problems with requests.
    181. 

  181.     #
    182. 

  182.     # Parameters:
    183. 

  183.     # - STATUSCODE
    184. 

  184.     #   The HTML status code that originated the error.
    185. 

  185.     # - REASON
    186. 

  186.     #   The specified reason for the error.
    187. 

  187.     # - REQTYPE
    188. 

  188.     #   The kind of request that was made (GET, POST...)
    189. 

  189.     # - HEADERS
    190. 

  190.     #   HTTP headers returned by the CA
    191. 

  191. 

  192.     # Simple example: Send mail to root
    193. 

  193.     # printf "Subject: HTTP request failed failed!\n\nA http request failed with status ${STATUSCODE}!" | sendmail root
    194. 

  194. }
    195. 

  195. 

  196. generate_csr() {
    197. 

  197.     local DOMAIN="${1}" CERTDIR="${2}" ALTNAMES="${3}"
    198. 

  198. 

  199.     # This hook is called before any certificate signing operation takes place.
    200. 

  200.     # It can be used to generate or fetch a certificate signing request with external
    201. 

  201.     # tools.
    202. 

  202.     # The output should be just the cerificate signing request formatted as PEM.
    203. 

  203.     #
    204. 

  204.     # Parameters:
    205. 

  205.     # - DOMAIN
    206. 

  206.     #   The primary domain as specified in domains.txt. This does not need to
    207. 

  207.     #   match with the domains in the CSR, it's basically just the directory name.
    208. 

  208.     # - CERTDIR
    209. 

  209.     #   Certificate output directory for this particular certificate. Can be used
    210. 

  210.     #   for storing additional files.
    211. 

  211.     # - ALTNAMES
    212. 

  212.     #   All domain names for the current certificate as specified in domains.txt.
    213. 

  213.     #   Again, this doesn't need to match with the CSR, it's just there for convenience.
    214. 

  214. 

  215.     # Simple example: Look for pre-generated CSRs
    216. 

  216.     # if [ -e "${CERTDIR}/pre-generated.csr" ]; then
    217. 

  217.     #   cat "${CERTDIR}/pre-generated.csr"
    218. 

  218.     # fi
    219. 

  219. }
    220. 

  220. 

  221. startup_hook() {
    222. 

  222.   # This hook is called before the cron command to do some initial tasks
    223. 

  223.   # (e.g. starting a webserver).
    224. 

  224. 

  225.   :
    226. 

  226. }
    227. 

  227. 

  228. exit_hook() {
    229. 

  229.   local ERROR="${1:-}"
    230. 

  230. 

  231.   # This hook is called at the end of the cron command and can be used to
    232. 

  232.   # do some final (cleanup or other) tasks.
    233. 

  233.   #
    234. 

  234.   # Parameters:
    235. 

  235.   # - ERROR
    236. 

  236.   #   Contains error message if dehydrated exits with error
    237. 

  237. }
    238. 

  238. 

  239. HANDLER="$1"
    240. 

  240. shift
    241. 

  241. 

  242. if [[ "${HANDLER}" =~ ^(deploy_challenge|clean_challenge|sync_cert|deploy_cert|deploy_ocsp|unchanged_cert|invalid_challenge|request_failure|generate_csr|startup_hook|exit_hook)$ ]]; then
    243. 

  243.   "$HANDLER" "$@"
    244. 

  244. fi
    245. 

  245. 

  246. exit 0
    247.