diff --git a/.github/workflows/integration_test_result.yml b/.github/workflows/integration_test_result.yml index 079fdd7..1ff3585 100644 --- a/.github/workflows/integration_test_result.yml +++ b/.github/workflows/integration_test_result.yml @@ -13,7 +13,7 @@ jobs: timeout-minutes: 1 env: CI_JOB: 'ansible-test-molecule-${{ github.event.repository.name }}' - CI_DOMAIN: 'ci.ansibleguy.net' + CI_DOMAIN: 'ci.oss.oxl.app' steps: - name: Checkout diff --git a/.github/workflows/integration_test_run.yml b/.github/workflows/integration_test_run.yml index cb8ca4d..23019bd 100644 --- a/.github/workflows/integration_test_run.yml +++ b/.github/workflows/integration_test_run.yml @@ -10,7 +10,7 @@ jobs: timeout-minutes: 1 env: CI_JOB: 'ansible-test-molecule-${{ github.event.repository.name }}' - CI_DOMAIN: 'ci.ansibleguy.net' + CI_DOMAIN: 'ci.oss.oxl.app' steps: - name: Checkout diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml index ee7e3b7..adf049e 100644 --- a/.github/workflows/lint.yml +++ b/.github/workflows/lint.yml @@ -63,7 +63,7 @@ jobs: - name: Preparing for AnsibleLint run: | mkdir -p '/tmp/ansible_lint/roles/' - ln -s "${{ github.workspace }}" "/tmp/ansible_lint/roles/ansibleguy.${{ github.event.repository.name }}" + ln -s "${{ github.workspace }}" "/tmp/ansible_lint/roles/oxlorg.certs" shell: bash - name: Running AnsibleLint diff --git a/LICENSE.txt b/LICENSE.txt index 1fb963e..eacdc0a 100644 --- a/LICENSE.txt +++ b/LICENSE.txt 
@@ -7,5 +7,5 @@ The above copyright notice and this permission notice shall be included in all c THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -E-Mail: contact@ansibleguy.net -Web: https://github.com/ansibleguy +E-Mail: contact@oxl.at +Web: https://github.com/O-X-L diff --git a/README.md b/README.md index d6e6f83..fc8317d 100644 --- a/README.md +++ b/README.md 
@@ -2,16 +2,16 @@ Ansible Role to create certificates to use on a linux server. -[![Lint](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/lint.yml) -[![Ansible Galaxy](https://badges.ansibleguy.net/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/ansibleguy/infra_certs) +[![Lint](https://github.com/O-X-L/ansible-role-certs/actions/workflows/lint.yml/badge.svg)](https://github.com/O-X-L/ansible-role-certs/actions/workflows/lint.yml) +[![Ansible Galaxy](https://badges.oss.oxl.app/galaxy.badge.svg)](https://galaxy.ansible.com/ui/standalone/roles/oxlorg/certs) **Molecule Integration-Tests**: -* Status: [![Molecule Test Status](https://badges.ansibleguy.net/infra_certs.molecule.svg)](https://github.com/ansibleguy/_meta_cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) | -[![Functional-Tests](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/ansibleguy/infra_certs/actions/workflows/integration_test_result.yml) -* Logs: [API](https://ci.ansibleguy.net/api/job/ansible-test-molecule-infra_certs/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70&lines=1000) | [Short](https://badges.ansibleguy.net/log/molecule_infra_certs_test_short.log) | [Full](https://badges.ansibleguy.net/log/molecule_infra_certs_test.log) +* Status: [![Molecule Test Status](https://badges.oss.oxl.app/infra_certs.molecule.svg)](https://github.com/O-X-L/ansible-role-oxl-cicd/blob/latest/templates/usr/local/bin/cicd/molecule.sh.j2) | +[![Functional-Tests](https://github.com/O-X-L/ansible-role-certs/actions/workflows/integration_test_result.yml/badge.svg)](https://github.com/O-X-L/ansible-role-certs/actions/workflows/integration_test_result.yml) +* Logs: [API](https://ci.oss.oxl.app/api/job/ansible-test-molecule-infra_certs/logs?token=2b7bba30-9a37-4b57-be8a-99e23016ce70&lines=1000) | 
[Short](https://badges.oss.oxl.app/log/molecule_infra_certs_test_short.log) | [Full](https://badges.oss.oxl.app/log/molecule_infra_certs_test.log) -Internal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd) +Internal CI: [Tester Role](https://github.com/O-X-L/ansible-role-oxl-cicd) | [Jobs API](https://github.com/O-X-L/github-self-hosted-jobs-systemd) **Tested:** @@ -24,13 +24,13 @@ Internal CI: [Tester Role](https://github.com/ansibleguy/_meta_cicd) | [Jobs API ```bash # latest -ansible-galaxy role install git+https://github.com/ansibleguy/infra_certs +ansible-galaxy role install git+https://github.com/O-X-L/ansible-role-certs # from galaxy -ansible-galaxy install ansibleguy.infra_certs +ansible-galaxy install oxlorg.certs # or to custom role-path -ansible-galaxy install ansibleguy.infra_certs --roles-path ./roles +ansible-galaxy install oxlorg.certs --roles-path ./roles # install dependencies ansible-galaxy install -r requirements.yml @@ -60,8 +60,8 @@ certs: letsencrypt: certs: myNiceSite: - domains: ['myRandomSite.net', 'ansibleguy.net'] - email: 'certs@template.ansibleguy.net' + domains: ['myRandomSite.net', 'oxl.at'] + email: 'certs@template.oxl.at' service: 'apache' ``` @@ -79,8 +79,8 @@ certs: cn: 'My great certificate!' org: 'AnsibleGuy' country: 'AT' - email: 'certs@template.ansibleguy.net' - domains: ['mySoGreat.site', 'ansibleguy.net'] + email: 'certs@template.oxl.at' + domains: ['mySoGreat.site', 'oxl.at'] ips: ['192.168.44.2'] pwd: !vault ... ``` @@ -97,14 +97,14 @@ certs: cn: 'My great certificate!' org: 'AnsibleGuy' country: 'AT' - email: 'certs@template.ansibleguy.net' - domains: ['mySoGreat.site', 'ansibleguy.net'] + email: 'certs@template.oxl.at' + domains: ['mySoGreat.site', 'oxl.at'] ca: path: '/etc/ca' cn: 'SUPER CertificateAuthority' org: 'AnsibleGuy' country: 'AT' - email: 'certs@template.ansibleguy.net' + email: 'certs@template.oxl.at' pwd: !vault ... ``` 
@@ -165,10 +165,10 @@ ansible-playbook -K -D -i inventory/hosts.yml playbook.yml -e debug=yes * **Note:** Most of the role's functionality can be opted in or out. - For all available options - see the default-config located in [the main defaults-file](https://github.com/ansibleguy/infra_certs/blob/latest/defaults/main/1_main.yml)! + For all available options - see the default-config located in [the main defaults-file](https://github.com/O-X-L/ansible-role-certs/blob/latest/defaults/main/1_main.yml)! -* **Note:** If you have the need to **mass manage certificates** - you might want to check out the [ansibleguy.infra_pki](https://github.com/ansibleguy/infra_pki) role that enables you to create and manage a full **P**ublic **K**ey **I**nfrastructure. +* **Note:** If you have the need to **mass manage certificates** - you might want to check out the [oxlorg.pki](https://github.com/O-X-L/ansible-role-pki) role that enables you to create and manage a full **P**ublic **K**ey **I**nfrastructure. * **Note:** The certificate file-name (_name variable as defined or else CommonName_) will be updated: diff --git a/defaults/main/1_main.yml b/defaults/main/1_main.yml index 3ad54d0..7481dd3 100644 --- a/defaults/main/1_main.yml +++ b/defaults/main/1_main.yml @@ -91,8 +91,8 @@ defaults_certs: # letsencrypt example: # certs: # example1: -# domains: ['example1.ansibleguy.net'] -# email: 'dummy@ansibleguy.net' +# domains: ['example1.oxl.at'] +# email: 'dummy@oxl.at' # example2: -# domains: ['example2.ansibleguy.net'] -# email: 'dummy@ansibleguy.net' +# domains: ['example2.oxl.at'] +# email: 'dummy@oxl.at' diff --git a/meta/main.yml b/meta/main.yml index fe333da..6d15faa 100644 --- a/meta/main.yml +++ b/meta/main.yml 
@@ -1,16 +1,18 @@ --- galaxy_info: - author: 'AnsibleGuy ' - namespace: 'ansibleguy' + author: 'Rath Pascal ' + namespace: 'oxlorg' license: 'MIT' - issue_tracker_url: 'https://github.com/ansibleguy/infra_certs/issues' + issue_tracker_url: 'https://github.com/O-X-L/ansible-role-certs/issues' min_ansible_version: '2.14' description: 'Meat-role to generate/manage certificates for other roles' platforms: - name: Debian versions: - bullseye + - bookworm + - trixies galaxy_tags: - 'certificates' - 'certs' diff --git a/molecule/default/Usage.md b/molecule/default/Usage.md index 8c32094..192fe6b 100644 --- a/molecule/default/Usage.md +++ b/molecule/default/Usage.md @@ -5,6 +5,6 @@ Check out the [Molecule Tutorial](https://github.com/ansibleguy/ansible_tutorial # Running ```bash -cd roles/ansibleguy.ROLE +cd roles/oxlorg.certs molecule test ``` diff --git a/molecule/default/converge.yml b/molecule/default/converge.yml index c52048f..4de6d43 100644 --- a/molecule/default/converge.yml +++ b/molecule/default/converge.yml @@ -5,7 +5,7 @@ - name: Converge Internal hosts: test-ag-certs-internal roles: - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'selfsigned' @@ -13,11 +13,11 @@ cert: name: 'self_srv' - domains: ['cert.test.ansibleguy.net'] + domains: ['cert.test.oxl.at'] ips: ['192.168.0.1'] cn: 'SelfSigned Server Cert' org: 'AnsibleGuy Test' - email: 'testmaster@ansibleguy.net' + email: 'testmaster@oxl.at' ou: 'Test' country: 'AT' state: 'Styria' @@ -25,11 +25,11 @@ valid_days: 5 key_usage: 'serverAuth' crl_distribution: - crl_issuer: 'URI:https://ca.template.ansibleguy.net/' - full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl' + crl_issuer: 'URI:https://ca.template.oxl.at/' + full_name: 'URI:https://ca.template.oxl.at/revocations.crl' reasons: ['key_compromise', 'ca_compromise'] - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'selfsigned' 
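Review bot: The added `- trixies` entry in the Debian `versions` list does not match the Debian 13 codename, which is `trixie`; it should read `- trixie`. Galaxy matches platform names against a known list on at least some versions, so a misspelled codename would at best be silently ignored and at worst reject the import — confirm against the Galaxy instance this role is published to. The unchanged `description` line in the same hunk reads `Meat-role`, presumably `Meta-role`.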
@@ -40,7 +40,7 @@ cn: 'SelfSigned Client Cert' key_usage: 'clientAuth' - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'selfsigned' @@ -48,10 +48,10 @@ cert: name: 'self_other' - san_other: 'DNS:cert.templates.ansibleguy.net,email:other@cert.template.ansibleguy.net' + san_other: 'DNS:cert.templates.oxl.at,email:other@cert.template.oxl.at' cn: 'SelfSigned Other Cert' - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'ca' @@ -59,11 +59,11 @@ cert: name: 'self_minca_srv' - domains: ['cert.test.ansibleguy.net'] + domains: ['cert.test.oxl.at'] ips: ['192.168.0.1'] cn: 'CA-Signed Server Cert' org: 'AnsibleGuy Test' - email: 'testmaster@ansibleguy.net' + email: 'testmaster@oxl.at' ou: 'Test' country: 'AT' state: 'Styria' @@ -71,11 +71,11 @@ valid_days: 5 key_usage: 'serverAuth' crl_distribution: - crl_issuer: 'URI:https://ca.template.ansibleguy.net/' - full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl' + crl_issuer: 'URI:https://ca.template.oxl.at/' + full_name: 'URI:https://ca.template.oxl.at/revocations.crl' reasons: ['key_compromise', 'ca_compromise'] - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'ca' @@ -86,7 +86,7 @@ cn: 'CA-Signed Client Cert' key_usage: 'clientAuth' - - role: ansibleguy.infra_certs + - role: oxlorg.certs vars: certs: mode: 'ca' @@ -94,14 +94,14 @@ cert: name: 'self_minca_pwd' - domains: ['cert.test.ansibleguy.net'] + domains: ['cert.test.oxl.at'] ips: ['192.168.0.1'] cn: 'CA-Signed Server Cert' pwd: 'Nope.' key_usage: 'serverAuth' crl_distribution: - crl_issuer: 'URI:https://ca.template.ansibleguy.net/' - full_name: 'URI:https://ca.template.ansibleguy.net/revocations.crl' + crl_issuer: 'URI:https://ca.template.oxl.at/' + full_name: 'URI:https://ca.template.oxl.at/revocations.crl' reasons: ['key_compromise', 'ca_compromise'] ca: 
@@ -109,7 +109,7 @@ pwd: 'YouWantMyTreasure?YouCanHaveIt!SearchForIt-SomewhereOutThere-Hidden-IsTheBiggestTreasureOfTheWorld.' cn: 'SelfSigned CA Cert' org: 'AnsibleGuy Test' - email: 'testmaster@ansibleguy.net' + email: 'testmaster@oxl.at' ou: 'Test' country: 'AT' state: 'Styria' @@ -125,12 +125,12 @@ letsencrypt: certs: test: - domains: ['infra-certs.test.ansibleguy.net'] - email: 'testmaster@ansibleguy.net' + domains: ['infra-certs.test.oxl.at'] + email: 'testmaster@oxl.at' path: '/etc/ssl/le_test' renew_timer: 'Mon *-*-* 03:00:00' service: 'nginx' roles: - - ansibleguy.infra_certs + - oxlorg.certs diff --git a/playbook.yml b/playbook.yml index abd8cd4..9930330 100644 --- a/playbook.yml +++ b/playbook.yml @@ -7,4 +7,4 @@ become: true gather_facts: yes roles: - - ansibleguy.infra_certs + - oxlorg.certs diff --git a/tasks/debian/letsencrypt/main.yml b/tasks/debian/letsencrypt/main.yml index 478b752..9002bee 100644 --- a/tasks/debian/letsencrypt/main.yml +++ b/tasks/debian/letsencrypt/main.yml 
@@ -93,16 +93,38 @@ group: 'root' mode: 0644 loop: - - 'ansibleguy.infra_certs.LetsEncryptCertbot.service' - - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer' + - 'letsencrypt-certbot.service' + - 'letsencrypt-certbot.timer' - name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer ansible.builtin.systemd: daemon_reload: yes - name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer' + name: 'letsencrypt-certbot.timer' enabled: yes state: started +- name: Certificates | LetsEncrypt Certbot | Removing legacy services (1/2) + ansible.builtin.systemd: + name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer' + enabled: false + state: stopped + register: legacy_svc_removal + failed_when: + - legacy_svc_removal.failed + - "'does not exist' not in legacy_svc_removal.msg" + - "'Could not find' not in legacy_svc_removal.msg" + +- name: Certificates | LetsEncrypt Certbot | Removing legacy services (1/2) + ansible.builtin.template: + src: "templates/etc/systemd/system/{{ item }}.j2" + dest: "/etc/systemd/system/{{ item }}" + owner: 'root' + group: 'root' + mode: 0644 + loop: + - 'ansibleguy.infra_certs.LetsEncryptCertbot.service' + - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer' + # Renew all previously obtained certificates that are near expiry - name: Certificates | LetsEncrypt Certbot | Running renewal ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}" diff --git a/templates/etc/apache2/sites-enabled/le_dummy.conf.j2 b/templates/etc/apache2/sites-enabled/le_dummy.conf.j2 index ab4f4b4..214ef52 100644 --- a/templates/etc/apache2/sites-enabled/le_dummy.conf.j2 +++ b/templates/etc/apache2/sites-enabled/le_dummy.conf.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# ansibleguy.infra_certs - dummy site used for letsencrypt certbot +# oxlorg.certs - dummy site used for letsencrypt certbot ServerName dummy.letsencrypt.localhost 
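Review bot: The second added task, also labelled `Removing legacy services (1/2)`, does not remove anything: it runs `ansible.builtin.template` with `src: "templates/etc/systemd/system/{{ item }}.j2"` for the two `ansibleguy.infra_certs.LetsEncryptCertbot.*` names, which would write the legacy unit files back into `/etc/systemd/system/` — and since this same commit renames those templates to `letsencrypt-certbot.*.j2`, the task will fail on every run because the `src` no longer exists. It should be an `ansible.builtin.file` task with `state: absent` on the installed unit paths, numbered `(2/2)`, followed by a `daemon_reload` so systemd drops the stale units. The first removal task only stops and disables the legacy timer; the legacy `.service` is left untouched, which is fine if it is a oneshot driven by the timer but should be checked. Both the new template task and the existing one use an unquoted `mode: 0644`, which YAML 1.1 parsers read as the integer 420; `mode: '0644'` is the safe form.
```yaml
- name: Certificates | LetsEncrypt Certbot | Removing legacy services (2/2)
  ansible.builtin.file:
    path: "/etc/systemd/system/{{ item }}"
    state: absent
  loop:
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
  register: legacy_unit_removal

- name: Certificates | LetsEncrypt Certbot | Reloading systemd after legacy unit removal
  ansible.builtin.systemd:
    daemon_reload: true
  when: legacy_unit_removal.changed

# … unchanged: renewal task …
```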
diff --git a/templates/etc/nginx/sites-enabled/le_dummy.j2 b/templates/etc/nginx/sites-enabled/le_dummy.j2 index 78345fd..0a7ca1f 100644 --- a/templates/etc/nginx/sites-enabled/le_dummy.j2 +++ b/templates/etc/nginx/sites-enabled/le_dummy.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# ansibleguy.infra_certs - dummy site used for letsencrypt certbot +# oxlorg.certs - dummy site used for letsencrypt certbot server { listen 80; diff --git a/templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.service.j2 b/templates/etc/systemd/system/letsencrypt-certbot.service.j2 similarity index 91% rename from templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.service.j2 rename to templates/etc/systemd/system/letsencrypt-certbot.service.j2 index b677f23..c79f2b5 100644 --- a/templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.service.j2 +++ b/templates/etc/systemd/system/letsencrypt-certbot.service.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# ansibleguy.infra_certs +# oxlorg.certs [Unit] Description=Service to renew LetsEncrypt Certificates using certbot diff --git a/templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.timer.j2 b/templates/etc/systemd/system/letsencrypt-certbot.timer.j2 similarity index 90% rename from templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.timer.j2 rename to templates/etc/systemd/system/letsencrypt-certbot.timer.j2 index 29ac212..2912b74 100644 --- a/templates/etc/systemd/system/ansibleguy.infra_certs.LetsEncryptCertbot.timer.j2 +++ b/templates/etc/systemd/system/letsencrypt-certbot.timer.j2 @@ -1,5 +1,5 @@ # {{ ansible_managed }} -# ansibleguy.infra_certs +# oxlorg.certs [Unit] Description=Timer to renew LetsEncrypt Certificates using certbot