Add example systemd unit files and ansible roles

.gitignore

@@ -1,6 +1,6 @@
-dist
-keyvault-certdeploy
-keyvault-certdeploy.yml
+/dist
+/keyvault-certdeploy
+/keyvault-certdeploy.yml
 
 # Created by .ignore support plugin (hsz.mobi)
 ### JetBrains template

examples/ansible/playbook.yml

@@ -0,0 +1,8 @@
+---
+- name: example play
+  hosts: all
+  vars:
+    keyvault_certdeploy_vault_name: some-keyvault-name
+  roles:
+    - { role: keyvault-certdeploy.cert, cert: "example.org" }
+    - { role: keyvault-certdeploy.cert, cert: "example.net" }

examples/ansible/roles/keyvault-certdeploy.cert/meta/main.yml

@@ -0,0 +1,3 @@
+---
+dependencies:
+  - { role: keyvault-certdeploy.common }

examples/ansible/roles/keyvault-certdeploy.cert/tasks/cert.yml

@@ -0,0 +1,9 @@
+---
+- name: add keyvault-certdeploy config for {{ cert }}
+  template:
+    src: cert.yml.j2
+    dest: "{{ keyvault_certdeploy_configd }}/50_{{ cert }}.yml"
+    mode: 0400
+  notify:
+    - build keyvault-certdeploy config
+

examples/ansible/roles/keyvault-certdeploy.cert/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+- { import_tasks: cert.yml, tags: [ ssl, ssl-cert, cert, certs, acme, acme-cert ] }

examples/ansible/roles/keyvault-certdeploy.cert/templates/cert.yml.j2

@@ -0,0 +1,19 @@
+  # {{ ansible_managed }}
+  - cn: {{ cert }}
+    keyalgo: rsa
+    privkey: /etc/ssl/private/{{ cert }}.rsa.key.pem
+    cert: /etc/ssl/certs/{{ cert }}.rsa.crt.pem
+    chain: /etc/ssl/certs/{{ cert }}.rsa.chain.pem
+    fullchain: /etc/ssl/certs/{{ cert }}.rsa.fullchain.pem
+    fullchainprivkey: /etc/ssl/private/{{ cert }}.rsa.fullchain.key.pem
+    hooks:
+      - run-parts {{ keyvault_certdeploy_hooksd }}
+  - cn: {{ cert }}
+    keyalgo: ecdsa
+    privkey: /etc/ssl/private/{{ cert }}.ecdsa.key.pem
+    cert: /etc/ssl/certs/{{ cert }}.ecdsa.crt.pem
+    chain: /etc/ssl/certs/{{ cert }}.ecdsa.chain.pem
+    fullchain: /etc/ssl/certs/{{ cert }}.ecdsa.fullchain.pem
+    fullchainprivkey: /etc/ssl/private/{{ cert }}.ecdsa.fullchain.key.pem
+    hooks:
+      - run-parts {{ keyvault_certdeploy_hooksd }}

examples/ansible/roles/keyvault-certdeploy.common/defaults/main.yml

@@ -0,0 +1 @@
+keyvault_certdeploy_vault_url: https://{{ keyvault_certdeploy_vault_name }}.vault.azure.net/

examples/ansible/roles/keyvault-certdeploy.common/files/hooks/apache2

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+if [[ -f /usr/sbin/apache2ctl ]]; then
+    systemctl reload apache2
+fi

examples/ansible/roles/keyvault-certdeploy.common/files/hooks/haproxy

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+if [[ -f /usr/sbin/haproxy ]]; then
+    systemctl reload haproxy
+fi

examples/ansible/roles/keyvault-certdeploy.common/files/hooks/nginx

@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+
+if [[ -f /usr/sbin/nginx ]]; then
+    systemctl reload nginx
+fi

examples/ansible/roles/keyvault-certdeploy.common/handlers/main.yml

@@ -0,0 +1,7 @@
+# assemble main
+- name: assemble keyvault-certdeploy config
+  assemble:
+    src: "{{ keyvault_certdeploy_configd }}"
+    dest: "{{ keyvault_certdeploy_config }}"
+    mode: 0400
+  listen: build keyvault-certdeploy config

examples/ansible/roles/keyvault-certdeploy.common/tasks/keyvault-certdeploy.yml

@@ -0,0 +1,84 @@
+---
+- name: download package
+  get_url:
+    url: "{{ keyvault_certdeploy_url }}"
+    checksum: "{{ keyvault_certdeploy_checksum }}"
+    dest: /usr/local/src/keyvault-certdeploy.tar.gz
+  register: download
+- name: install
+  block:
+    - name: extract files
+      unarchive:
+        src: /usr/local/src/keyvault-certdeploy.tar.gz
+        remote_src: yes
+        dest: /usr/local/sbin
+        exclude:
+          - LICENSE
+  when: download.changed
+- name: set permissions
+  file:
+    path: /usr/local/sbin/keyvault-certdeploy
+    owner: root
+    group: root
+    mode: 0550
+- name: create config source directory
+  file:
+    path: "{{ keyvault_certdeploy_configd }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0500
+- name: copy cert vault configuration
+  template:
+    src: vault.yml.j2
+    dest: "{{ keyvault_certdeploy_configd }}/00_vault.yml"
+  notify:
+    - build keyvault-certdeploy config
+- name: create hooks directory
+  file:
+    path: "{{ keyvault_certdeploy_hooksd }}"
+    state: directory
+    owner: root
+    group: root
+    mode: 0500
+- name: deploy default hooks
+  copy:
+    src: hooks/{{ item }}
+    dest: "{{ keyvault_certdeploy_hooksd }}/10_{{ item }}"
+    mode: 0500
+  loop:
+    - apache2
+    - haproxy
+    - nginx
+- name: deploy service environment file
+  template:
+    src: env.j2
+    dest: "{{ keyvault_certdeploy_config_root }}/.env"
+    owner: root
+    group: root
+    mode: 0400
+- name: deploy systemd services
+  template:
+    src: "{{ item }}.j2"
+    dest: /etc/systemd/system/{{ item }}
+    owner: root
+    group: root
+    mode: 0444
+  loop:
+    - keyvault-certdeploy.service
+    - keyvault-certdeploy-periodic.service
+    - keyvault-certdeploy-periodic.timer
+- name: enable services
+  systemd:
+    name: "{{ item }}.service"
+    enabled: yes
+    daemon_reload: yes
+  loop:
+    - keyvault-certdeploy
+    - keyvault-certdeploy-periodic
+- name: enable timer
+  systemd:
+    name: keyvault-certdeploy-periodic.timer
+    enabled: yes
+    state: started
+    daemon_reload: yes

examples/ansible/roles/keyvault-certdeploy.common/tasks/main.yml

@@ -0,0 +1,2 @@
+---
+- { import_tasks: keyvault-certdeploy.yml, tags: [ keyvault-certdeploy ] }

examples/ansible/roles/keyvault-certdeploy.common/templates/env.j2

@@ -0,0 +1,9 @@
+# ++++++++++++++++++++++++++++++++++++++++++++
+# DO NOT EDIT MANUALLY
+# ++++++++++++++++++++++++++++++++++++++++++++
+# {{ ansible_managed }}
+{% if keyvault_certdeploy_auth is defined %}
+AZURE_TENANT_ID={{ keyvault_certdeploy_auth.tenant_id }}
+AZURE_CLIENT_ID={{ keyvault_certdeploy_auth.client_id }}
+AZURE_CLIENT_SECRET={{ keyvault_certdeploy_auth.client_secret }}
+{% endif %}

examples/ansible/roles/keyvault-certdeploy.common/templates/keyvault-certdeploy-periodic.service.j2

@@ -0,0 +1,11 @@
+# ++++++++++++++++++++++++++++++++++++++++++++
+# DO NOT EDIT MANUALLY
+# ++++++++++++++++++++++++++++++++++++++++++++
+# {{ ansible_managed }}
+[Unit]
+Description=Fetch updates of certificates periodically
+
+[Service]
+Type=oneshot
+EnvironmentFile=-{{ keyvault_certdeploy_config_root }}/.env
+ExecStart=/usr/local/sbin/keyvault-certdeploy sync -v

examples/ansible/roles/keyvault-certdeploy.common/templates/keyvault-certdeploy-periodic.timer.j2

@@ -0,0 +1,13 @@
+# ++++++++++++++++++++++++++++++++++++++++++++
+# DO NOT EDIT MANUALLY
+# ++++++++++++++++++++++++++++++++++++++++++++
+# {{ ansible_managed }}
+[Unit]
+Description=Periodically check for certificate updates
+
+[Timer]
+OnBootSec=1d
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target

examples/ansible/roles/keyvault-certdeploy.common/templates/keyvault-certdeploy.service.j2

@@ -0,0 +1,16 @@
+# ++++++++++++++++++++++++++++++++++++++++++++
+# DO NOT EDIT MANUALLY
+# ++++++++++++++++++++++++++++++++++++++++++++
+# {{ ansible_managed }}
+[Unit]
+Description=Fetch updates of certificates on boot
+After=systemd-networkd-wait-online.service
+Before=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-{{ keyvault_certdeploy_config_root }}/.env
+ExecStart=/usr/local/sbin/keyvault-certdeploy sync -v --nohooks
+
+[Install]
+WantedBy=network-online.target

examples/ansible/roles/keyvault-certdeploy.common/templates/vault.yml.j2

@@ -0,0 +1,8 @@
+# ++++++++++++++++++++++++++++++++++++++++++++
+# DO NOT EDIT MANUALLY
+# ++++++++++++++++++++++++++++++++++++++++++++
+# {{ ansible_managed }}
+keyvault:
+  name: {{ keyvault_certdeploy_vault_name }}
+  url: {{ keyvault_certdeploy_vault_url }}
+certs:

examples/ansible/roles/keyvault-certdeploy.common/vars/main.yml

@@ -0,0 +1,9 @@
+---
+keyvault_certdeploy_version: 1.0.0-beta4
+keyvault_certdeploy_url: "https://github.com/emgag/keyvault-certdeploy/releases/download/v{{ keyvault_certdeploy_version }}/keyvault-certdeploy_{{ keyvault_certdeploy_version }}_linux_amd64.tar.gz"
+keyvault_certdeploy_checksum: "sha256:936bd700a968086142ff40cd403e165d6c6ff3f15309a9a37b7008e2454ac580"
+
+keyvault_certdeploy_config_root: /etc/keyvault-certdeploy
+keyvault_certdeploy_config: "{{ keyvault_certdeploy_config_root }}/keyvault-certdeploy.yml"
+keyvault_certdeploy_configd: "{{ keyvault_certdeploy_config_root }}/conf.d"
+keyvault_certdeploy_hooksd: "{{ keyvault_certdeploy_config_root }}/hooks.d"

examples/systemd/keyvault-certdeploy-periodic.service.j2

@@ -0,0 +1,7 @@
+[Unit]
+Description=Fetch updates of certificates periodically
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/keyvault-certdeploy/.env
+ExecStart=/usr/local/sbin/keyvault-certdeploy sync -v

examples/systemd/keyvault-certdeploy-periodic.timer.j2

@@ -0,0 +1,9 @@
+[Unit]
+Description=Periodically check for certificate updates
+
+[Timer]
+OnBootSec=1d
+OnUnitActiveSec=1d
+
+[Install]
+WantedBy=timers.target

examples/systemd/keyvault-certdeploy.service

@@ -0,0 +1,12 @@
+[Unit]
+Description=Fetch updates of certificates on boot
+After=systemd-networkd-wait-online.service
+Before=network-online.target
+
+[Service]
+Type=oneshot
+EnvironmentFile=-/etc/keyvault-certdeploy/.env
+ExecStart=/usr/local/sbin/keyvault-certdeploy sync -v --nohooks
+
+[Install]
+WantedBy=network-online.target