diff --git a/filter_plugins/utils.py b/filter_plugins/utils.py
index cae1c90..2a128d3 100644
--- a/filter_plugins/utils.py
+++ b/filter_plugins/utils.py
@@ -10,6 +10,7 @@ class FilterModule(object):
             "valid_domain": self.valid_domain,
             "valid_ip": self.valid_ip,
             "check_email": self.check_email,
+            "le_domains_changed": self.le_domains_changed,
         }
 
     @staticmethod
@@ -39,3 +40,42 @@ class FilterModule(object):
 
         return True
 
+    @staticmethod
+    def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool:
+        changed = False
+        run_domains = []
+
+        for non_domain in ['_', '*']:
+            # removing wildcards
+            try:
+                config_domains.remove(non_domain)
+            except ValueError:
+                pass
+
+        block_started = False
+        for line in running_config.split('\n'):
+            if block_started:
+                if line.find('Certificate Name:') != -1:
+                    # block ended
+                    break
+
+                elif line.find('Domains:') != -1:
+                    run_domains = line.split(': ')[1].split(' ')
+
+            elif line.find(f"Certificate Name: {cert_key}") != -1:
+                block_started = True
+
+        # checking if any domain was added
+        for domain in config_domains:
+            if domain not in run_domains:
+                changed = True
+                break
+
+        if not changed:
+            # checking if any domain was removed
+            for domain in run_domains:
+                if domain not in config_domains:
+                    changed = True
+                    break
+
+        return changed
diff --git a/tasks/debian/letsencrypt/apache.yml b/tasks/debian/letsencrypt/apache.yml
index 99dfd75..f7d3c9f 100644
--- a/tasks/debian/letsencrypt/apache.yml
+++ b/tasks/debian/letsencrypt/apache.yml
@@ -6,9 +6,10 @@
     state: present
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Apache | Checking sites
-  ansible.builtin.shell: 'ls /etc/apache2/sites-enabled/'
+  ansible.builtin.command: 'ls /etc/apache2/sites-enabled/'
   changed_when: false
   register: enabled_apache_sites
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Apache | Deploying temporary apache site
   ansible.builtin.template:
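Review bot: The block lookup `line.find(f"Certificate Name: {cert_key}") != -1` in le_domains_changed is a substring match, so a certificate named `site` also selects the block of `site-0001` or `site.example` (whichever certbot prints first) and the domain list of the wrong certificate is compared; matching the stripped line exactly against `f"Certificate Name: {cert_key}"` avoids that. `config_domains.remove(...)` additionally mutates the caller's list (the `le_cert.domains` value handed in from main.yml) and drops only one occurrence per entry, where a filtered copy is what is wanted. The two add/remove scans reduce to one set comparison, and the method deserves a docstring stating that `running_config` is the raw `certbot certificates` output and that a missing certificate block compares as having no domains. Rewrite below.
```python
    @staticmethod
    def le_domains_changed(running_config: str, cert_key: str, config_domains: list) -> bool:
        """Return True if the configured domains for cert_key differ from the ones listed in 'certbot certificates' output."""
        # filtered copy: never mutate the caller's list
        wanted = {d for d in config_domains if d not in ('_', '*')}

        running = set()
        in_block = False
        for raw_line in running_config.split('\n'):
            line = raw_line.strip()
            if line == f"Certificate Name: {cert_key}":
                in_block = True
            elif in_block and line.startswith('Certificate Name:'):
                break  # next certificate's block
            elif in_block and line.startswith('Domains:'):
                running = set(line[len('Domains:'):].split())

        return wanted != running
```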
diff --git a/tasks/debian/letsencrypt/cert.yml b/tasks/debian/letsencrypt/cert.yml index 54e295f..66a2a5a 100644 --- a/tasks/debian/letsencrypt/cert.yml +++ b/tasks/debian/letsencrypt/cert.yml @@ -1,7 +1,5 @@ --- -# todo: check domains registered in current certificate (certbot certificates) and remove it if there are more than configured before re-configuring it - - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Creating directory" ansible.builtin.file: path: "{{ item }}" @@ -13,7 +11,7 @@ - "{{ CERT_CONFIG.path }}" - "{{ le_path }}" -- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Command to be executed" +- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Certbot command (FYI)" ansible.builtin.debug: msg: "certbot certonly --non-interactive --agree-tos --no-redirect --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} @@ -22,9 +20,9 @@ --config-dir {{ CERT_CONFIG.letsencrypt.path }} {% for domain in le_cert.domains %}{% if domain | valid_domain %}--domain {{ domain }} {% endif %}{% endfor %} {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}" - when: existing_certs_raw.stdout.find(name) == -1 + when: le_changed -- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Starting certbot" +- name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Running certbot" ansible.builtin.command: "certbot certonly --non-interactive --agree-tos --no-redirect --{{ CERT_CONFIG.letsencrypt.service }} --cert-name {{ le_name }} -{{ CERT_CONFIG.letsencrypt.verbosity }} 
@@ -32,7 +30,7 @@
     --config-dir {{ CERT_CONFIG.letsencrypt.path }}
     {% for domain in le_cert.domains %}{% if domain | valid_domain %}--domain {{ domain }} {% endif %}{% endfor %}
     {% if le_cert.email is not none %}--email {{ le_cert.email }} {% else %}--email {{ CERT_CONFIG.cert.email }} {% endif %}"
-  when: existing_certs_raw.stdout.find(name) == -1
+  when: le_changed
 
 - name: "Certificates | Debian | LetsEncrypt Certbot | {{ le_name }} | Linking cert"
   ansible.builtin.file:
diff --git a/tasks/debian/letsencrypt/main.yml b/tasks/debian/letsencrypt/main.yml
index e259f55..2146af1 100644
--- a/tasks/debian/letsencrypt/main.yml
+++ b/tasks/debian/letsencrypt/main.yml
@@ -24,9 +24,10 @@
   when: CERT_CONFIG.letsencrypt.service == 'nginx'
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs
-  ansible.builtin.shell: 'certbot certificates'
+  ansible.builtin.command: 'certbot certificates'
   register: existing_certs_raw
   changed_when: false
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
   ansible.builtin.include_tasks: cert.yml
@@ -37,12 +38,12 @@
     le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
     le_name: "{{ cert_item.key | safe_key }}"
     le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
+    le_changed: "{{ existing_certs_raw.stdout | le_domains_changed(le_name, le_cert.domains) }}"
   loop_control:
     loop_var: cert_item
   no_log: true
   with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
-
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Removing certificates
   ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} && certbot delete --cert-name {{ le_name }}"
   when:
diff --git a/tasks/debian/letsencrypt/nginx.yml b/tasks/debian/letsencrypt/nginx.yml
index da365dc..3d50b9f 100644
--- a/tasks/debian/letsencrypt/nginx.yml
+++ b/tasks/debian/letsencrypt/nginx.yml
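Review bot: The new `le_changed` var in main.yml compares the raw `le_cert.domains` (minus bare `_`/`*`) against the running certificate, while the certbot command in cert.yml only passes entries that pass `valid_domain`; if a configured entry is rejected by that filter the two sets can never agree, and certbot is re-run on every play, which against Let's Encrypt eventually trips issuance rate limits. Applying the same `valid_domain` check to the configured list before handing it to `le_domains_changed` (or doing the filtering inside that filter) keeps the comparison aligned with what is actually requested. Separately, the unchanged `Removing certificates` task in the same hunk runs `certbot revoke ... && certbot delete ...` through `ansible.builtin.command`, which does not interpret `&&`; splitting it into two `command` tasks would match the shell→command move this commit makes elsewhere.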
@@ -6,9 +6,10 @@
     state: present
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Checking sites
-  ansible.builtin.shell: 'ls /etc/nginx/sites-enabled/'
+  ansible.builtin.command: 'ls /etc/nginx/sites-enabled/'
   changed_when: false
   register: enabled_nginx_sites
+  check_mode: false
 
 - name: Certificates | Debian | LetsEncrypt Certbot | Nginx | Deploying temporary apache site
   ansible.builtin.template: