Sourcing environment variables from the playbook was redundant.

2023-07-03 18:02:16 -07:00 · 2023-07-03 18:02:16 -07:00 · 89d530bc4b
commit 89d530bc4b
parent 74a305ef1e
4 changed files with 26 additions and 20 deletions
--- a/README.md
+++ b/README.md
@ -2,6 +2,8 @@

 This role runs [acme-lego](https://go-acme.github.io/lego/) on the localhost, such that the acme account and DNS api credentials are never communicated to the server. It also creates boilerplate nginx configuration in accordance with the Mozilla's recomended TLS configuration.

+This role supports using multiple providers at the same time, just source all the credentials needed beforehand.
+
 ## Requirements

 The `nginx_config` role which is distributed in the nginx_core collection.
@ -23,6 +25,16 @@ acme_domains:
  - { domain: myhost.example.com, provider: easydns }
 ```

+Lego uses environment variables to authenticate to your DNS provider. You should source those secrets as environment variables before running the playbook.
+
+If for some reason you cannot source the environment variables ahead of running the playbook, you can define them as Ansible variables.
+
+```yaml
+lego_environment:
+  - NAMECHEAP_API_USER: '...'
+  - NAMECHEAP_API_KEY: '...'
+```
+
 ## Secrets

 The api keys are sprinkled throughout the task as environment variables until I come up with a smarter way to do that.
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -4,12 +4,11 @@ acme_system_user: acme
 acme_system_group: acme
 nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
 nginx_user: nginx
-#EASYDNS_TOKEN: "{{ lookup('ansible.builtin.env', 'EASYDNS_TOKEN') }}"
-#EASYDNS_KEY: "{{ lookup('ansible.builtin.env', 'EASYDNS_KEY') }}"
-NAMECHEAP_API_USER: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_USER') }}"
-NAMECHEAP_API_KEY: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_KEY') }}"

-# lego_path refers to the local ansible user's home directory, used in delegate_to: localhost
+lego_environment:
+  EXAMPLE_DNS_PROVIDER_USERNAME: "example"
+
+# lego_path refers to the local ansible user's home directory, used in a task with delegate_to: localhost
 lego_path: ~/.secrets/acme
 # This might work if the playbook is executing as the local user:
 #lego_path: "{{ ansible_env.HOME }}/.secrets/acme/certificates"
--- a/tasks/lego.yml
+++ b/tasks/lego.yml
@ -24,11 +24,8 @@
  changed_when: False
  ignore_errors: true
  tags: lego
-  environment:
-#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
-#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
-    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
-    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
+  environment: []
+# environment: "{{ lego_environment }}"
  
 - name: Print lego output with dns.disable-cp
  ansible.builtin.debug:
@ -47,11 +44,8 @@
  delegate_to: localhost
  changed_when: False
  tags: lego
-  environment:
-#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
-#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
-    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
-    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
+  environment: []
+# environment: "{{ lego_environment }}"
  
 - name: Print lego output without dns.disable-cp
  ansible.builtin.debug:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -1,11 +1,12 @@
 ---
- name: Assert all secrets have been configured.
+- name: Assert secrets have been configured.
  ansible.builtin.assert:
    that:
-      - NAMECHEAP_API_USER != ''
-      - NAMECHEAP_API_KEY != ''
-    fail_msg: "FAILED: Secrets have not been configured."
-  no_log: true
+      - acme_domains is defined
+      - acme_email is defined
+      - acme_email != ''
+    fail_msg: "FAILED: No ACME variables have been configured for this host."
+# no_log: true

 - name: Set up the ACME system user and group.
  import_tasks: setup-user.yml