initial working version; readme updated

README.md

@@ -2,14 +2,56 @@
 
 ## Purpose
 
-This role install the [acme.sh](https://acme.sh) project on a Linux server and sets up a domain with DNS challenge with Cloudflare.
+This role install the [acme.sh](https://acme.sh) project on a Linux server and sets up domain(s) with DNS challenge with Cloudflare.
 
 ## Variables
 
 All variables are in the defaults folder, however the most importants are:
 
-- acme_sh_user_groups: ["docker"]  # Add to docker group the acme user
+All domains are in the list, so the list can contains multiple domain configs. In the example we set only one cert with wildcard domain.
-- acme_sh_email: "example@example.com"  # mail address with acme install
+- Domains is a list in list format. You can set root domain and wildcard domain. However it is important that the first element used in the filenames, so avoid to use wildcard in the first position!
+- Hooks: Refer acme.sh help or documentation, these are runs in the different stages of issue and renew. Everytime scripts runs in the domain directory so you can use relative command to copy the cert as source.
+- acme_sh_issue_env_vars: Following the acme.sh documentation you need to optain three data (two API keys and a zone ID) from Cloudflare and need to set them here.
+
+And again, you need to set these vars for every single cert issue (that can contain multiple subdoms, see CA for more info and limitations).
+
+Most important of global variables are
+- acme_sh_email: The e-mail address at acme.sh installation
+- acme_sh_user_groups: Add acme user to groups. In this example add to docker so can manage containers and certs related to them.
+
+```
+acme_sh_domains:
+  - domains:
+      - "yourdomain.com" # it is the root domain
+      - "*.yourdomain.com" # get wildcard
+    pre_hook:
+    post_hook: |
+      #!/bin/sh
+      echo "OK" > ~/domtest.txt
+      echo "$PWD" >> ~/domtest.txt
+    renew_hook:  |
+      #!/bin/sh
+      echo "OK" > ~/domtest.txt
+      echo "$PWD" >> ~/domtest.txt
+    acme_sh_issue_env_vars:
+      CF_Token: ""
+      CF_Zone_ID: ""
+      CF_Account_ID: ""
+acme_sh_user_groups: ["docker"]
+acme_sh_email: ""
+```
+
+## Paths
+
+You can look for every variables in the defaults folder and can set up the user, additional groups (e.g. if you want to use this with Docker), paths. It is important that every cert got an own folder and all of files stored here.
+
+Hooks are different shell scripts to make easier to manage or modify them later.
+
+It is a good practice to create new user with the role for acme.sh. You can add it to Docker group or give limited sudo privileges (see sudoers.d) so a possible attack can make harder to impact your server negative.
 
 ## todo
-- Issue cert on domains
+- Avoid resetting the default CA on every run
+- List commands if needed to give limited sudo privileges for acme user. List commands in an array that can run by acme.
+- Set up notification system of acme.sh
+- Reconnect after adding acme to groups to avoid possible access denied problems
+

defaults/main.yaml

@@ -1,4 +1,4 @@
-acme_sh_env_vars: []
+
 acme_sh_domains: []
 acme_sh_user: "acme"
 acme_sh_user_groups: []
@@ -10,10 +10,6 @@ acme_sh_cert_home: "{{ acme_sh_home }}/certs"
 acme_sh_config_home: "{{ acme_sh_home }}/config"
 acme_sh_email: ""
 acme_sh_default_ca_server: "https://acme-v02.api.letsencrypt.org/directory"
-acme_sh_pre_hook: ""
-acme_sh_post_hook: ""
-acme_sh_renew_hook: ""
 acme_sh_set_notify: ""
 acme_sh_set_notify_level: "2"
-acme_sh_docker_group: ""
 

tasks/install_acmesh.yml

@@ -24,12 +24,4 @@
       --config-home {{ acme_sh_config_home | quote }}
       --set-default-ca
       --server {{ acme_sh_default_ca_server | quote }}
-
+    creates: "{{ acme_sh_home }}/ca_set_by_ansible"
-- name: Register CA
-  ansible.builtin.command:
-    chdir: "{{ acme_sh_home }}"
-    cmd: |
-      /bin/sh acme.sh
-      --config-home {{ acme_sh_config_home | quote }}
-      --register-account
-      

tasks/issue_cert.yml

@@ -1,9 +0,0 @@
-- name: Register CA
-  ansible.builtin.command:
-    chdir: "{{ acme_sh_home }}"
-    cmd: |
-      /bin/sh acme.sh
-      --config-home {{ acme_sh_config_home | quote }}
-      --set-default-ca
-      --server {{ acme_sh_default_ca_server | quote }}
-

tasks/issue_certs.yml

@@ -0,0 +1,45 @@
+- name: Create directory hierarchyes for certs
+  ansible.builtin.file:
+    mode: "755"
+    path: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc"
+    state: directory
+  loop: "{{ acme_sh_domains }}"
+
+- name: Copy pre_hooks
+  ansible.builtin.copy:
+    content: "{{ item['pre_hook'] | default('') }}"
+    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/pre_hook.sh"
+    mode: "755"
+  loop: "{{ acme_sh_domains }}"
+
+- name: Copy post_hooks
+  ansible.builtin.copy:
+    content: "{{ item['post_hook'] | default('')}}"
+    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/post_hook.sh"
+    mode: "755"
+  loop: "{{ acme_sh_domains }}"
+
+- name: Copy update_hooks
+  ansible.builtin.copy:
+    content: "{{ item['renew_hook'] | default('')}}"
+    dest: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/renew_hook.sh"
+    mode: "755"
+  loop: "{{ acme_sh_domains }}"
+
+
+- name: Issue certs
+  ansible.builtin.command:
+    chdir: "{{ acme_sh_home }}"
+    cmd: |
+      /bin/sh acme.sh
+      --config-home {{ acme_sh_config_home | quote }}
+      --issue
+      --dns dns_cf
+      -d {{ item['domains'] | join(' -d ') }}
+      --pre-hook {{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/pre_hook.sh
+      --post-hook {{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/post_hook.sh
+      --renew-hook {{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/update_hook.sh
+    creates: "{{ acme_sh_cert_home }}/{{ item['domains'][0] }}_ecc/fullchain.cer"
+  environment: "{{ item['acme_sh_issue_env_vars'] }}"
+  loop: "{{ acme_sh_domains }}"
+

tasks/main.yaml

@@ -24,3 +24,8 @@
   become: true
   become_user: "{{ acme_sh_user }}"
   ansible.builtin.import_tasks: "install_acmesh.yml"
+
+- name: Issue certs
+  become: true
+  become_user: "{{ acme_sh_user }}"
+  ansible.builtin.import_tasks: "issue_certs.yml"