Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper
An Ansible role which installs [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) to run as a Docker container wrapped in a systemd service
ansible-role docker traefik traefik-certs-dumper
Last synced: about 2 months ago
- Host: GitHub
- URL: https://github.com/devture/com.devture.ansible.role.traefik_certs_dumper
- Owner: devture
- License: agpl-3.0
- Created: 2023-02-08T13:48:14.000Z (almost 2 years ago)
- Default Branch: main
- Last Pushed: 2024-07-17T13:19:02.000Z (6 months ago)
- Last Synced: 2024-07-17T16:16:12.901Z (6 months ago)
- Topics: ansible-role, docker, traefik, traefik-certs-dumper
- Language: Jinja
- Homepage:
- Size: 25.4 KB
- Stars: 0
- Watchers: 3
- Forks: 0
- Open Issues: 1
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# Traefik certs dumper Ansible role
⚠️ **WARNING**: this role is now maintained in [mother-of-all-self-hosting/ansible-role-traefik-certs-dumper](https://github.com/mother-of-all-self-hosting/ansible-role-traefik-certs-dumper).
This is an [Ansible](https://www.ansible.com/) role which installs [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) - a tool which dumps [ACME](https://en.wikipedia.org/wiki/Automatic_Certificate_Management_Environment) certificates (like [Let's Encrypt](https://letsencrypt.org/)) from [Traefik](https://traefik.io/)'s `acme.json` file into some directory. The playbook installs the tool to run as a [Docker](https://www.docker.com/) container wrapped in a systemd service.
This role *implicitly* depends on [`com.devture.ansible.role.systemd_docker_base`](https://github.com/devture/com.devture.ansible.role.systemd_docker_base).
This role is related to the [com.devture.ansible.role.traefik](https://github.com/devture/com.devture.ansible.role.traefik) role and integrates nicely with it, but using them both together is **not** a requirement.
## Usage
Example playbook:
```yaml
- hosts: servers
  roles:
    - role: galaxy/com.devture.ansible.role.systemd_docker_base

    # You can also install Traefik in another way and avoid using this role.
    - role: galaxy/com.devture.ansible.role.traefik

    - role: galaxy/com.devture.ansible.role.traefik_certs_dumper

    - role: another_role
```

Example playbook configuration (`group_vars/servers` or other):

```yaml
# Traefik role (com.devture.ansible.role.traefik) configuration here, if you're using it.
# If not, you can adjust the configuration below to make it work with your own Traefik server.

devture_traefik_certs_dumper_uid: "{{ my_uid }}"
devture_traefik_certs_dumper_gid: "{{ my_gid }}"

devture_traefik_certs_dumper_ssl_dir_path: "{{ devture_traefik_ssl_dir_path }}"
```

### systemd
#### devture-traefik-certs-dumper.service
You can then start the `devture-traefik-certs-dumper.service` systemd service, which watches for a certificate file (`acme.json`, but configurable via `devture_traefik_certs_dumper_ssl_acme_file_name`) in the SSL certificates directory (`devture_traefik_certs_dumper_ssl_dir_path`).
When a certificate file appears or whenever it changes in the future, all of its certificates are:
- dumped using [traefik-certs-dumper](https://github.com/ldez/traefik-certs-dumper) to `/devture-traefik-certs-dumper/dumped-certificates` (configurable via `devture_traefik_certs_dumper_dumped_certificates_dir_path`)
- re-chowned, so that they're owned by `devture_traefik_certs_dumper_dumped_certificates_dir_owner` / `devture_traefik_certs_dumper_dumped_certificates_dir_owner` (defaulting to `devture_traefik_certs_dumper_uid` and `devture_traefik_certs_dumper_gid`, respectively)

The directory tree would look like this:
```
/devture-traefik-certs-dumper/dumped-certificates/
├── example.com
│   ├── certificate.crt
│   └── privatekey.key
├── another.example.com
│   ├── certificate.crt
│   └── privatekey.key
└── private
    └── letsencrypt.key
```

#### devture-traefik-certs-dumper-wait-for-domain@.service
To help you launch other services which depend on these dumped certificate files, this role also provides an [instantiated systemd service](https://www.freedesktop.org/software/systemd/man/systemd.service.html#Service%20Templates) called `devture-traefik-certs-dumper-wait-for-domain@.service`.
You can adjust your systemd `.service` file definitions to add `Requires` and `After` clauses like this:
```
Requires=devture-traefik-certs-dumper-wait-for-domain@DOMAIN_NAME.service
After=devture-traefik-certs-dumper-wait-for-domain@DOMAIN_NAME.service
```

Then, upon launching your service:
- the "waiter" service will be started as a dependency
- it will wait for certificates for the specified domain (`DOMAIN_NAME`) to become available (e.g. `/devture-traefik-certs-dumper/dumped-certificates/DOMAIN_NAME/certificate.crt` and `/devture-traefik-certs-dumper/dumped-certificates/DOMAIN_NAME/privatekey.key`)
By default, the "waiter" service waits for 30 seconds (configurable via `devture_traefik_certs_dumper_waiter_max_iterations`) before giving up and aborting execution of your service.
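
The waiting behaviour described above can be sketched as a small shell function. This is an added example, not the role's own waiter script: the function names, arguments and return codes are hypothetical, the one-second default sleep is an assumption, and the checks on the domain name and on the private key's permissions are additions that go beyond what the README describes.

```shell
#!/bin/sh
# Added example, not the role's own waiter script.
# Function names, arguments and return codes are hypothetical.

# Succeeds if "other" users have any permission bit on FILE.
key_is_world_accessible() {
    # Mode string looks like "-rw-r-----"; characters 8-10 are "other".
    other_bits=$(ls -ld "$1" | cut -c8-10)
    [ "$other_bits" != "---" ]
}

# wait_for_domain_certs DUMP_DIR DOMAIN MAX_ITERATIONS [SLEEP_SECONDS]
# Returns: 0 both files present and non-empty
#          1 gave up after MAX_ITERATIONS
#          2 private key accessible to "other" users (added check)
#          3 DOMAIN is not a plain directory name
wait_for_domain_certs() {
    dump_dir=$1; domain=$2; max_iterations=$3; sleep_seconds=${4:-1}
    # DOMAIN would come from the unit's instance name; refuse path tricks.
    case $domain in
        ''|.|..|*/*) echo "invalid domain: $domain" >&2; return 3 ;;
    esac
    crt="$dump_dir/$domain/certificate.crt"
    key="$dump_dir/$domain/privatekey.key"
    i=0
    while [ "$i" -lt "$max_iterations" ]; do
        # -s: the file exists and is non-empty
        if [ -s "$crt" ] && [ -s "$key" ]; then
            if key_is_world_accessible "$key"; then
                echo "private key $key is accessible to other users" >&2
                return 2
            fi
            return 0
        fi
        i=$((i + 1))
        sleep "$sleep_seconds"
    done
    echo "no certificates for $domain after $max_iterations attempts" >&2
    return 1
}
```

A dependent service could call such a function from an `ExecStartPre=` step and refuse to start on any non-zero return.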