Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/tritondatacenter/ansible-triton-dehydrated
Ansible playbook for triton-dehydrated
ansible-role letsencrypt
Last synced: 3 months ago
Ansible playbook for triton-dehydrated
- Host: GitHub
- URL: https://github.com/tritondatacenter/ansible-triton-dehydrated
- Owner: TritonDataCenter
- License: mpl-2.0
- Created: 2021-04-06T19:31:42.000Z (almost 4 years ago)
- Default Branch: main
- Last Pushed: 2024-08-12T20:46:12.000Z (6 months ago)
- Last Synced: 2024-08-12T22:30:59.053Z (6 months ago)
- Topics: ansible-role, letsencrypt
- Language: Jinja
- Size: 21.5 KB
- Stars: 1
- Watchers: 8
- Forks: 1
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE.txt
README
# triton-dehydrated
An Ansible playbook to install and configure [triton-dehydrated][td] to generate
[Let's Encrypt][le] certificates.

[td]: https://github.com/joyent/triton-dehydrated
[le]: https://www.letsencrypt.org/

## Requirements
This playbook will only work on virtual instances created in [Triton][t]. Any
image provided by Joyent should reasonably be expected to work.

The Triton Datacenter must have [CNS][cns] configured and be globally
resolvable.

The [triton-ansible-inventory][tai] module may also be helpful, but is not
required.

[t]: https://github.com/joyent/triton
[cns]: https://github.com/joyent/triton-cns
[tai]: https://github.com/joyent/triton-ansible-inventory

## Role Variables
This role requires a `letsencrypt` object that supports the following
properties. Any property may be omitted and a suitable default will be used.
At least one of `domains`, `suffix_domains`, `ecdsa_domains`,
`ecdsa_suffix_domains` must be provided for certificates to be issued. If none
is, dehydrated will still be installed and configured to run, but it will exit
immediately.

* `ca`: Must be `$prod_ca` or `$staging_ca`, or a valid Let's Encrypt CA URL. Defaults to `$staging_ca`. Leave this set to `$staging_ca` as you develop so that you don't hit the rate limit cap. Change to `$prod_ca` when you're ready to deploy to production.
* `certdir`: Directory where certificates will be output. Defaults to `/opt/ssl`.
* `contact`: Email address of the Let's Encrypt account.
* `domains`: Array of RSA certificates to issue. Each element will be an issued certificate. Additional SAN names are space separated.
* `ecdsa_domains`: Array of ECDSA certificates to issue. Otherwise the same as `domains`.
* `ecdsa_suffix_domains`: Array of domain *suffixes* for ECDSA certificates. I.e., the hostname will be prepended to each name and a certificate generated.
* `owner`: UNIX file ownership. Defaults to `root:root`. This gets passed to `chown`.
* `restart_services`: Array of services that will be restarted.
* `suffix_domains`: Array of domain *suffixes* for RSA certificates. I.e., the hostname will be prepended to each name and a certificate generated.
* `well_known`: Let's Encrypt `WELLKNOWN` directory. Defaults to `/var/www/dehydrated`.

Additionally, there are top level `triton_dehydrated_version` and
`triton_dehydrated_download_url` variables that can be overridden if necessary.

## Dependencies

This playbook should work on any image published by Joyent and running on
Triton with CNS names configured to be globally resolvable.

## Example Playbook
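The README's own example below sets only a few of the documented properties. As an added illustration (not the project's own example), the following playbook sets every documented property of the `letsencrypt` object and stays on the staging CA, as the variable notes recommend while iterating. The host group, hostnames, domains, contact address, ownership group and directory paths are made-up values, and the comments on `suffix_domains` assume the suffix is joined to the hostname with a dot.

```yaml
# Added example, not from the project's README. All names, addresses and
# paths are constructed for illustration.
- hosts: web
  roles:
    - role: joyent.triton-dehydrated
      vars:
        letsencrypt:
          # Keep the staging CA until a run is known-good; switch to
          # "$prod_ca" only then, so failed attempts don't consume the
          # production rate limit.
          ca: "$staging_ca"
          contact: "ops@example.com"
          # Output directory for issued certificates (default /opt/ssl).
          certdir: /etc/ssl/letsencrypt
          # Passed to chown for the output files (default root:root);
          # "www" is a hypothetical group the web server runs as.
          owner: "root:www"
          # Directory dehydrated writes ACME challenge files into
          # (default /var/www/dehydrated); the web server must serve it.
          well_known: /var/www/dehydrated
          # One RSA certificate per element; extra SANs are space separated.
          domains:
            - "www.example.com example.com"
          # One ECDSA certificate per element, same format as domains.
          ecdsa_domains:
            - "api.example.com"
          # Suffixes: the instance hostname is prepended, so on a host named
          # web01 this requests an RSA certificate for web01.example.net
          # (assumed dot-joining).
          suffix_domains:
            - example.net
          # Same as above for ECDSA: web01.internal.example.net.
          ecdsa_suffix_domains:
            - internal.example.net
          # Services restarted after a run so they load the new files.
          restart_services:
            - nginx
```

Because `certdir` and `owner` decide who can read the private keys the role writes, pick a directory and group no wider than the services listed in `restart_services` actually need.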
```yaml
- hosts: servers
  roles:
    - role: joyent.triton-dehydrated
      vars:
        letsencrypt:
          ca: "$prod_ca"
          contact: "[email protected]"
          domains:
            - www.example.com api.backend.example.com
          restart_services:
            - nginx
```

## License
MPL-2.0. See LICENSE.txt in this repository.
## Author Information
Copyright 2021 Joyent, Inc.