This repository has been archived by the owner on Sep 27, 2024. It is now read-only.
Traefik certs dumper Ansible role

⚠️ WARNING: this role is now maintained in mother-of-all-self-hosting/ansible-role-traefik-certs-dumper.

This is an Ansible role which installs traefik-certs-dumper, a tool which dumps ACME certificates (like Let's Encrypt) from Traefik's acme.json file into a directory. The role installs the tool to run as a Docker container wrapped in a systemd service.

This role implicitly depends on com.devture.ansible.role.systemd_docker_base.

This role is related to the com.devture.ansible.role.traefik role and integrates nicely with it, but using them both together is not a requirement.

Usage

Example playbook:

- hosts: servers
  roles:
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    # You can also install Traefik in another way and avoid using this role.
    - role: galaxy/com.devture.ansible.role.traefik

    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper

    - role: another_role

Example playbook configuration (group_vars/servers or other):

# Traefik role (com.devture.ansible.role.traefik) configuration here, if you're using it.
# If not, you can adjust the configuration below to make it work with your own Traefik server.

devture_traefik_certs_dumper_uid: "{{ my_uid }}"
devture_traefik_certs_dumper_gid: "{{ my_gid }}"

devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}"

systemd

devture-traefik-certs-dumper.service

You can then start the devture-traefik-certs-dumper.service systemd service, which watches for a certificate file (acme.json, but configurable via devture_traefik_certs_dumper_ssl_acme_file_name) in the SSL certificates directory (devture_traefik_certs_dumper_ssl_dir_path).

When a certificate file appears or whenever it changes in the future, all of its certificates are:

  • dumped using traefik-certs-dumper to /devture-traefik-certs-dumper/dumped-certificates (configurable via devture_traefik_certs_dumper_dumped_certificates_dir_path)
  • re-chowned, so that they're owned by the user and group configured for the dumped-certificates directory (devture_traefik_certs_dumper_dumped_certificates_dir_owner for the owner, plus the matching group variable; these default to devture_traefik_certs_dumper_uid and devture_traefik_certs_dumper_gid, respectively). The dumped privatekey.key files are unencrypted private keys, so keep this owner/group limited to the service that actually needs them.

The directory tree would look like this:

/devture-traefik-certs-dumper/dumped-certificates/
├── example.com
│   ├── certificate.crt
│   └── privatekey.key
├── another.example.com
│   ├── certificate.crt
│   └── privatekey.key
└── private
    └── letsencrypt.key

To help you launch other services which depend on these dumped certificate files, this role also provides a systemd template service, devture-traefik-certs-dumper-wait-for-domain@.service, which you instantiate with the domain name you need.

You can adjust your systemd .service file definitions to add Requires and After clauses like this:

Requires=devture-traefik-certs-dumper-wait-for-domain@DOMAIN_NAME.service
After=devture-traefik-certs-dumper-wait-for-domain@DOMAIN_NAME.service

Then, upon launching your service:

  • the "waiter" service will be started as a dependency

  • it will wait for certificates for the specified domain (DOMAIN_NAME) to become available (e.g. /devture-traefik-certs-dumper/dumped-certificates/DOMAIN_NAME/certificate.crt and /devture-traefik-certs-dumper/dumped-certificates/DOMAIN_NAME/privatekey.key)

By default, the "waiter" service waits up to 30 seconds (configurable via devture_traefik_certs_dumper_waiter_max_iterations) before giving up. Because your service Requires= the waiter, a timed-out waiter causes your service to fail to start rather than come up without its certificates.
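The following is an added example, not code from this role or from traefik-certs-dumper: a small Python stand-in that reads a constructed acme.json, writes the directory tree shown above (one directory per main domain with certificate.crt and privatekey.key, plus private/<resolver>.key for the ACME account key), and then polls for a domain's files the way the "waiter" service is described as doing. The acme.json layout used here (resolver name at the top level, Account.PrivateKey, Certificates[].domain.main / certificate / key, with PEM bodies base64-encoded) follows Traefik's file format, but the PEM contents are placeholders. The file modes (0600 for keys, 0644 for certificates), the path check on the domain name, and the names dump_acme_json, wait_for_domain_certs and demo are this example's own choices, not the tool's; after your first real dump, check the modes the real tool produced with ls -l before relying on them.

```python
import base64
import json
import os
import tempfile
import time
from pathlib import Path
from typing import List, Optional


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed sample of Traefik's acme.json: one resolver ("letsencrypt", matching
# private/letsencrypt.key in the tree above) with two certificates. The PEM bodies
# are placeholders, base64-encoded as Traefik stores them; they are not real keys.
SAMPLE_ACME_JSON = json.dumps({
    "letsencrypt": {
        "Account": {
            "Email": "admin@example.com",
            "PrivateKey": _b64("-----BEGIN RSA PRIVATE KEY-----\nACCOUNT-KEY-PLACEHOLDER\n-----END RSA PRIVATE KEY-----\n"),
            "KeyType": "4096",
        },
        "Certificates": [
            {
                "domain": {"main": "example.com", "sans": ["www.example.com"]},
                "certificate": _b64("-----BEGIN CERTIFICATE-----\nCERT-PLACEHOLDER-1\n-----END CERTIFICATE-----\n"),
                "key": _b64("-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER-1\n-----END RSA PRIVATE KEY-----\n"),
            },
            {
                "domain": {"main": "another.example.com"},
                "certificate": _b64("-----BEGIN CERTIFICATE-----\nCERT-PLACEHOLDER-2\n-----END CERTIFICATE-----\n"),
                "key": _b64("-----BEGIN RSA PRIVATE KEY-----\nKEY-PLACEHOLDER-2\n-----END RSA PRIVATE KEY-----\n"),
            },
        ],
    }
})


def _write(path: Path, data: bytes, mode: int, uid: Optional[int], gid: Optional[int]) -> None:
    """Create path with the given mode (chmod afterwards: O_CREAT's mode is masked by umask)."""
    path.parent.mkdir(parents=True, exist_ok=True)
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, mode)
    if uid is not None or gid is not None:  # the role's re-chown step; needs root
        os.chown(path, -1 if uid is None else uid, -1 if gid is None else gid)


def dump_acme_json(acme_json_text: str, out_dir: Path,
                   uid: Optional[int] = None, gid: Optional[int] = None) -> List[Path]:
    """Write <domain>/certificate.crt, <domain>/privatekey.key and private/<resolver>.key
    under out_dir. Keys are created 0600, certificates 0644 (this example's choice)."""
    written: List[Path] = []
    for resolver, content in json.loads(acme_json_text).items():
        account_key = (content.get("Account") or {}).get("PrivateKey")
        if account_key:
            path = out_dir / "private" / f"{resolver}.key"
            _write(path, base64.b64decode(account_key), 0o600, uid, gid)
            written.append(path)
        for cert in content.get("Certificates") or []:
            domain = cert["domain"]["main"]
            # The domain names a directory; refuse anything that could escape out_dir.
            if not domain or domain in (".", "..") or "/" in domain or "\\" in domain:
                raise ValueError(f"refusing unsafe domain name: {domain!r}")
            cert_path = out_dir / domain / "certificate.crt"
            key_path = out_dir / domain / "privatekey.key"
            _write(cert_path, base64.b64decode(cert["certificate"]), 0o644, uid, gid)
            _write(key_path, base64.b64decode(cert["key"]), 0o600, uid, gid)
            written.extend([cert_path, key_path])
    return written


def wait_for_domain_certs(out_dir: Path, domain: str, max_iterations: int = 30,
                          interval: float = 1.0) -> bool:
    """Poll until both files for the domain exist and are non-empty, modelled on the
    waiter service described above: up to max_iterations checks, one per interval."""
    wanted = [out_dir / domain / "certificate.crt", out_dir / domain / "privatekey.key"]
    for _ in range(max_iterations):
        if all(p.is_file() and p.stat().st_size > 0 for p in wanted):
            return True
        time.sleep(interval)
    return False


def demo() -> dict:
    """Dump the sample into a temporary directory, exercise the waiter, return a summary."""
    with tempfile.TemporaryDirectory() as tmp:
        out_dir = Path(tmp) / "dumped-certificates"
        written = dump_acme_json(SAMPLE_ACME_JSON, out_dir)
        return {
            "files": sorted(str(p.relative_to(out_dir)) for p in written),
            "key_modes": {str(p.relative_to(out_dir)): oct(p.stat().st_mode & 0o777)
                          for p in written if p.suffix == ".key"},
            "wait_ok": wait_for_domain_certs(out_dir, "example.com", max_iterations=3, interval=0),
            "wait_missing": wait_for_domain_certs(out_dir, "missing.example.com", max_iterations=3, interval=0),
        }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the relative paths that were written (the same shape as the tree above), the mode of every .key file, and the two waiter outcomes: success for example.com, and a timeout for a domain that was never dumped, which is the case where a dependent systemd service would fail to start.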