init

playbooks/letsencrypt/irc-post-hook.sh

@@ -0,0 +1,32 @@
+#!/bin/sh
+set -e
+
+# The location your renewal tool places your certificates.
+CERT_DIR="/etc/letsencrypt/live/irc.secretbee.buzz"
+
+# The location of the InspIRCd config directory.
+INSPIRCD_CONFIG_DIR="/etc/inspircd"
+
+# The location of the InspIRCd pid file.
+INSPIRCD_PID_FILE="/var/run/inspircd/inspircd.pid"
+
+# The user:group that owns the inspircd config directory on the host.
+INSPIRCD_OWNER="root:root"
+
+if [ -e ${CERT_DIR} -a -e ${INSPIRCD_CONFIG_DIR} ]
+then
+    cp "${CERT_DIR}/fullchain.pem" "${INSPIRCD_CONFIG_DIR}/cert.pem"
+    cp "${CERT_DIR}/privkey.pem" "${INSPIRCD_CONFIG_DIR}/key.pem"
+    chown ${INSPIRCD_OWNER} "${INSPIRCD_CONFIG_DIR}/cert.pem" "${INSPIRCD_CONFIG_DIR}/key.pem"
+
+    if podman container exists inspircd 2>/dev/null
+    then
+        podman kill --signal USR1 inspircd
+    elif [ -r ${INSPIRCD_PID_FILE} ]
+    then
+        kill -USR1 $(cat ${INSPIRCD_PID_FILE})
+    elif [ -d /lib/systemd ] && systemctl --quiet is-active inspircd
+    then
+        systemctl kill --signal USR1 inspircd
+    fi
+fi

playbooks/letsencrypt/letsencrypt.yml

@@ -0,0 +1,49 @@
+- name: Letsencrypt
+  hosts: pi
+  become: true
+  tasks:
+    - name: Install Certbot
+      ansible.builtin.apt:
+        name: python3-certbot-nginx
+        state: present
+
+    - name: Request root certificates
+      changed_when: true
+      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains secretbee.buzz
+
+    - name: Request root certificates
+      changed_when: true
+      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains lounge.secretbee.buzz
+
+    - name: Request irc certificates
+      changed_when: true
+      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains irc.secretbee.buzz
+
+    - name: Request git certificates
+      changed_when: true
+      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains git.secretbee.buzz
+
+    - name: Request grafana certificates
+      changed_when: true
+      ansible.builtin.command: certbot certonly --nginx -m secretbumblebee@proton.me --agree-tos -n --domains grafana.secretbee.buzz
+
+    - name: Add post hook script
+      ansible.builtin.copy:
+        src: irc-post-hook.sh
+        dest: /opt/irc-post-hook.sh
+        owner: root
+        group: root
+        mode: '0755'
+
+    - name: Renew for post hook
+      changed_when: true
+      ansible.builtin.command: certbot renew --cert-name irc.secretbee.buzz --deploy-hook /opt/irc-post-hook.sh --force-renewal
+
+    - name: Change permission on live
+      ansible.builtin.file:
+        path: /etc/letsencrypt/live/
+        mode: '0755'
+    - name: Change permission on live
+      ansible.builtin.file:
+        path: /etc/letsencrypt/archive/
+        mode: '0755'

playbooks/letsencrypt/nginx-post-hook.sh

@@ -0,0 +1,7 @@
+#!/bin/sh
+set -e
+
+if podman container exists nginx 2>/dev/null
+then
+    podman kill --signal HUP nginx
+fi