Diffstat (limited to 'roles/lacme')
-rw-r--r--roles/lacme/files/etc/lacme/lacme.conf123
-rw-r--r--roles/lacme/tasks/main.yml18
-rw-r--r--roles/lacme/templates/etc/lacme/lacme-certs.conf.j272
3 files changed, 213 insertions, 0 deletions
diff --git a/roles/lacme/files/etc/lacme/lacme.conf b/roles/lacme/files/etc/lacme/lacme.conf
new file mode 100644
index 0000000..28633b6
--- /dev/null
+++ b/roles/lacme/files/etc/lacme/lacme.conf
@@ -0,0 +1,123 @@
+# For certificate issuance (newOrder command), specify a space-separated
+# certificate configuration files or directories to use
+#
+#config-certs = lacme-certs.conf lacme-certs.conf.d/
+
+
+[client]
+
+# The value of "socket" specifies the path to the lacme-accountd(1)
+# UNIX-domain socket to connect to for signature requests from the ACME
+# client. lacme(8) aborts if the socket is readable or writable by
+# other users, or if its parent directory is writable by other users.
+# This setting is ignored when lacme-accountd(1) is spawned by lacme(8),
+# since the two processes communicate through a socket pair. See the
+# "accountd" section below for details.
+#
+#socket = %t/S.lacme
+
+# username to drop privileges to (setting both effective and real uid).
+# Skip privilege drop if the value is empty (not recommended).
+#
+#user = _lacme-client
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Skip privilege drop if the value is empty (not recommended).
+#
+#group = nogroup
+
+# ACME client command.
+#
+#command = /usr/libexec/lacme/client
+
+# URI of the ACME server's directory. NOTE: Use the staging server
+# <https://acme-staging-v02.api.letsencrypt.org/directory> for testing
+# as it has relaxed rate-limiting.
+#
+#server = https://acme-v02.api.letsencrypt.org/directory
+
+# Timeout in seconds after which the client stops polling the ACME
+# server and considers the request failed.
+#
+#timeout = 30
+
+# Whether to verify the server certificate chain.
+#
+#SSL_verify = yes
+
+# Specify the version of the SSL protocol used to transmit data.
+#
+#SSL_version = SSLv23:!TLSv1_1:!TLSv1:!SSLv3:!SSLv2
+
+# Specify the cipher list for the connection.
+#
+#SSL_cipher_list = EECDH+AESGCM:!MEDIUM:!LOW:!EXP:!aNULL:!eNULL
+
+
+[webserver]
+
+# Comma- or space-separated list of addresses to listen on, for instance
+# "0.0.0.0:80 [::]:80".
+#
+#listen = /run/lacme-www.socket
+
+# Directory under which an external HTTP daemon is configured to serve
+# GET requests for challenge files under "/.well-known/acme-challenge/"
+# (for each virtual host requiring authorization) as static files.
+# NOTE: the directory must exist and be writable by the lacme client
+# user.
+#
+#challenge-directory =
+
+# username to drop privileges to (setting both effective and real uid).
+# Skip privilege drop if the value is empty (not recommended).
+#
+#user = _lacme-www
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Skip privilege drop if the value is empty (not recommended).
+#
+#group = nogroup
+
+# ACME webserver command.
+#
+#command = /usr/libexec/lacme/webserver
+
+# Whether to automatically install iptables(8) rules to open the
+# ADDRESS[:PORT] specified with listen. Theses rules are automatically
+# removed once lacme(8) exits.
+#
+#iptables = No
+
+
+[accountd]
+# lacme-accound(1) section. Comment out this section (including its
+# header), or use the --socket= CLI option, to make lacme(8) connect to
+# an existing lacme-accountd(1) process via a UNIX-domain socket.
+
+# username to drop privileges to (setting both effective and real uid).
+# Skip privilege drop if the value is empty.
+#
+#user =
+
+# groupname to drop privileges to (setting both effective and real gid,
+# and also setting the list of supplementary gids to that single group).
+# Skip privilege drop if the value is empty.
+#
+#group =
+
+# lacme-accountd(1) command.
+#
+#command = /usr/bin/lacme-accountd
+
+# Path to the lacme-accountd(1) configuration file.
+#
+#config =
+
+# Be quiet.
+#
+#quiet = Yes
+
+; vim:ft=dosini
diff --git a/roles/lacme/tasks/main.yml b/roles/lacme/tasks/main.yml
new file mode 100644
index 0000000..b031b25
--- /dev/null
+++ b/roles/lacme/tasks/main.yml
@@ -0,0 +1,18 @@
+- name: Install lacme
+ apt: pkg={{ packages }} install_recommends=no
+ vars:
+ packages:
+ - liblwp-protocol-https-perl
+ - lacme
+
+- name: Copy lacme/lacme-certs.conf
+ copy: src=etc/lacme/lacme.conf
+ dest=/etc/lacme/lacme.conf
+ owner=root group=root
+ mode=0644
+
+- name: Copy lacme/lacme-certs.conf
+ template: src=etc/lacme/lacme-certs.conf.j2
+ dest=/etc/lacme/lacme-certs.conf
+ owner=root group=root
+ mode=0644
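Review bot: The second task's name, `Copy lacme/lacme-certs.conf`, is wrong for a task that copies lacme.conf, and it is reused verbatim by the template task below, so play output and `--start-at-task` cannot tell the two apart; rename it `- name: Copy lacme/lacme.conf`. The tasks use the legacy `key=value` inline argument form; the YAML-dictionary form (`copy:` followed by `src:`, `dest:`, `owner:`, `group:`, `mode:` on their own lines) is what ansible-lint expects and makes ownership and mode easier to audit. Mode 0644 looks appropriate here since, judging by the template in this same commit, the rendered lacme-certs.conf holds only paths, subjects and reload commands and no key material; the private keys it points to are not managed by this role, so their permissions should be checked wherever they are created.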
diff --git a/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2 b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
new file mode 100644
index 0000000..6694a0c
--- /dev/null
+++ b/roles/lacme/templates/etc/lacme/lacme-certs.conf.j2
@@ -0,0 +1,72 @@
+hash = sha512
+keyusage = digitalSignature, keyEncipherment
+
+{% if 'IMAP' in group_names %}
+[imap]
+certificate-key = /etc/dovecot/ssl/imap.fripost.org.key
+certificate-chain = /etc/dovecot/ssl/imap.fripost.org.pem
+subject = /O=Fripost/CN=imap.fripost.org
+subjectAltName = DNS:imap.fripost.org,DNS:sieve.fripost.org
+notify = /bin/systemctl reload dovecot
+{% endif %}
+
+{% if 'MSA' in group_names %}
+[smtp]
+certificate-key = /etc/postfix-{{ postfix_instance.MSA.name }}/ssl/smtp.fripost.org.key
+certificate-chain = /etc/postfix-{{ postfix_instance.MSA.name }}/ssl/smtp.fripost.org.pem
+subject = /O=Fripost/CN=smtp.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'MX' in group_names %}
+[mx]
+certificate-key = /etc/postfix-{{ postfix_instance.MX.name }}/ssl/mx.fripost.org.key
+certificate-chain = /etc/postfix-{{ postfix_instance.MX.name }}/ssl/mx.fripost.org.pem
+subject = /O=Fripost/CN=mx{{ mxno }}.fripost.org
+notify = /bin/systemctl reload postfix
+{% endif %}
+
+{% if 'lists' in group_names %}
+[lists]
+certificate-key = /etc/nginx/ssl/lists.fripost.org.key
+certificate-chain = /etc/nginx/ssl/lists.fripost.org.pem
+subject = /O=Fripost/CN=lists.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'wiki' in group_names %}
+[www]
+certificate-key = /etc/nginx/ssl/www.fripost.org.key
+certificate-chain = /etc/nginx/ssl/www.fripost.org.pem
+subject = /O=Fripost/CN=fripost.org
+subjectAltName = DNS:fripost.org,DNS:www.fripost.org,DNS:wiki.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'webmail' in group_names %}
+[webmail]
+certificate-key = /etc/nginx/ssl/mail.fripost.org.key
+certificate-chain = /etc/nginx/ssl/mail.fripost.org.pem
+subject = /O=Fripost/CN=mail.fripost.org
+subjectAltName = DNS:mail.fripost.org,DNS:webmail.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'git' in group_names %}
+[git]
+certificate-key = /etc/nginx/ssl/git.fripost.org.key
+certificate-chain = /etc/nginx/ssl/git.fripost.org.pem
+subject = /O=Fripost/CN=git.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+{% if 'nextcloud' in group_names %}
+[cloud]
+certificate-key = /etc/nginx/ssl/cloud.fripost.org.key
+certificate-chain = /etc/nginx/ssl/cloud.fripost.org.pem
+subject = /O=Fripost/CN=cloud.fripost.org
+subjectAltName = DNS:cloud.fripost.org,DNS:www.cloud.fripost.org
+notify = /bin/systemctl reload nginx
+{% endif %}
+
+; vim:ft=dosini
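Review bot: The rendered /etc/lacme/lacme-certs.conf carries no marker that Ansible generates it, so a host-side edit would be silently reverted on the next run; add `# {{ ansible_managed }}` as the first line of the template (the lacme.conf shipped in this same commit uses `#` comments, so the marker is safe for lacme's parser). The `[smtp]` and `[mx]` sections set `subject` but, unlike every other section, no `subjectAltName`; if lacme does not derive the SAN from the CN, those certificates would be CN-only, which current TLS clients reject, so this is worth confirming against lacme-certs.conf(5) or making explicit with `subjectAltName = DNS:smtp.fripost.org` and the corresponding `DNS:mx{{ mxno }}.fripost.org`. Gating the `[www]` section on the `wiki` group rather than a `www` group is non-obvious, presumably because the wiki host serves both vhosts; a one-line comment such as `{# fripost.org and www. are served by the wiki host, hence the group check #}` above it would save the next reader a lookup.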