Sourcing environment variables from the playbook was redundant.
This commit is contained in:
parent
74a305ef1e
commit
89d530bc4b
12
README.md
12
README.md
@ -2,6 +2,8 @@
This role runs [acme-lego](https://go-acme.github.io/lego/) on the localhost, such that the acme account and DNS api credentials are never communicated to the server. It also creates boilerplate nginx configuration in accordance with the Mozilla's recomended TLS configuration.
This role supports using multiple providers at the same time, just source all the credentials needed beforehand.
## Requirements
The `nginx_config` role which is distributed in the nginx_core collection.
@ -23,6 +25,16 @@ acme_domains:
- { domain: myhost.example.com, provider: easydns }
```
Lego uses environment variables to authenticate to your DNS provider. You should source those secrets as environment variables before running the playbook.
If for some reason you cannot source the environment variables ahead of running the playbook, you can define them as Ansible variables.
```yaml
lego_environment:
- NAMECHEAP_API_USER: '...'
- NAMECHEAP_API_KEY: '...'
```
## Secrets
The api keys are sprinkled throughout the task as environment variables until I come up with a smarter way to do that.
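Review bot: The documented `lego_environment` fallback does not match the rest of the commit: this README shows it as a list of single-key mappings (`- NAMECHEAP_API_USER: '...'`), the defaults hunk declares it as a plain mapping, and in both task hunks the line that would consume it, `environment: "{{ lego_environment }}"`, is commented out in favour of `environment: []`, so as far as the visible hunks show the fallback is not wired up. Either document the mapping form the defaults use and enable it in the tasks, or drop this paragraph until it works. It would also help to state why sourcing beforehand is sufficient: a task with `delegate_to: localhost` runs as a child of the ansible-playbook process and inherits its environment, so lego sees the exported credentials without any `environment:` keyword, which is the rationale behind this commit. Minor: `recomended` in the first hunk should be `recommended`, and the `## Secrets` paragraph saying keys are `sprinkled throughout the task` reads as stale after this change if it survives on the new side.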
@ -4,12 +4,11 @@ acme_system_user: acme
acme_system_group: acme
nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
nginx_user: nginx
#EASYDNS_TOKEN: "{{ lookup('ansible.builtin.env', 'EASYDNS_TOKEN') }}"
#EASYDNS_KEY: "{{ lookup('ansible.builtin.env', 'EASYDNS_KEY') }}"
NAMECHEAP_API_USER: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_USER') }}"
NAMECHEAP_API_KEY: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_KEY') }}"
# lego_path refers to the local ansible user's home directory, used in delegate_to: localhost
lego_environment:
EXAMPLE_DNS_PROVIDER_USERNAME: "example"
# lego_path refers to the local ansible user's home directory, used in a task with delegate_to: localhost
lego_path: ~/.secrets/acme
# This might work if the playbook is executing as the local user:
#lego_path: "{{ ansible_env.HOME }}/.secrets/acme/certificates"
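Review bot: `lego_environment` now defaults to a live placeholder entry, `EXAMPLE_DNS_PROVIDER_USERNAME: "example"`, rather than an empty mapping; if the commented `environment: "{{ lego_environment }}"` in the tasks is ever re-enabled, every lego run would export that bogus variable, and a user who sets their own `lego_environment` has to remember to drop it. Make the default `lego_environment: {}` and move the example into the comment above it. The shape also disagrees with the README hunk, which documents the variable as a list of single-key mappings; the defaults and the README should settle on one form, and the mapping form is the simpler one for Ansible's `environment:` keyword. Removing the `lookup('ansible.builtin.env', ...)` defaults is sound: they copied secret values into Ansible variables, where verbose output and registered results could expose them.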
@ -24,11 +24,8 @@
changed_when: False
ignore_errors: true
tags: lego
environment:
# EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
# EASYDNS_KEY: "{{ EASYDNS_KEY }}"
NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
environment: []
# environment: "{{ lego_environment }}"
- name: Print lego output with dns.disable-cp
ansible.builtin.debug:
@ -47,11 +44,8 @@
delegate_to: localhost
changed_when: False
tags: lego
environment:
# EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
# EASYDNS_KEY: "{{ EASYDNS_KEY }}"
NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
environment: []
# environment: "{{ lego_environment }}"
- name: Print lego output without dns.disable-cp
ansible.builtin.debug:
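Review bot: `environment: []` followed by a commented-out `# environment: "{{ lego_environment }}"` leaves dead configuration in both lego tasks (this hunk and the one at `@ -47,11 +44,8 @@`); the empty list is a no-op, since a `delegate_to: localhost` task already runs in the controller's environment, and the commented line is the only thing that would make the README's `lego_environment` fallback work. Either remove both lines or wire the fallback in for real, `environment: "{{ lego_environment }}"` with `lego_environment: {}` as the default, so that an empty mapping adds nothing and sourcing beforehand keeps working. Worth a second look while here: the first lego task carries `ignore_errors: true`, so once the explicit credential variables are gone a missing or misspelled provider variable no longer stops the play and surfaces only in the following debug task, which may echo whatever lego prints. The enclosing task definitions start above each hunk.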
@ -1,11 +1,12 @@
---
- name: Assert all secrets have been configured.
- name: Assert secrets have been configured.
ansible.builtin.assert:
that:
- NAMECHEAP_API_USER != ''
- NAMECHEAP_API_KEY != ''
fail_msg: "FAILED: Secrets have not been configured."
no_log: true
- acme_domains is defined
- acme_email is defined
- acme_email != ''
fail_msg: "FAILED: No ACME variables have been configured for this host."
# no_log: true
- name: Set up the ACME system user and group.
import_tasks: setup-user.yml
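Review bot: The rewritten assert no longer checks anything about credentials and nothing replaces the removed `NAMECHEAP_API_* != ''` checks, so a run with an unset provider variable passes preflight and presumably fails inside lego instead, non-fatally given the `ignore_errors: true` on that task in the tasks hunk. At minimum tighten the ACME checks so an empty list does not pass: `- acme_domains | length > 0` and `- acme_domains | selectattr('provider', 'undefined') | list | length == 0`, which also catches an entry that names no provider. A provider-specific environment presence check would be better but needs a per-provider variable map; if that is out of scope, say so in a comment above the task. Dropping `no_log: true` is fine now that the assert touches no secret values, but the commented `# no_log: true` should be deleted rather than left behind.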