Add k8s shutdown/openup scripts

Add nut ansible roles
Add acme certificate ansible role

ansible/roles/acme_certificate/tasks/main.yaml

@@ -0,0 +1,128 @@
+---
+
+- name: Create ACME account directory
+  ansible.builtin.file:
+    group: root
+    mode: '0700'
+    owner: root
+    path: /etc/ssl/private/ACME
+    state: directory
+
+- name: Create ACME account key
+  community.crypto.openssl_privatekey:
+    cipher: auto
+    curve: secp384r1
+    format: pkcs1
+    group: root
+    mode: '0600'
+    owner: root
+    passphrase: "{{ acme_certificate_account_key_passphrase }}"
+    path: /etc/ssl/private/ACME/account.key
+    size: 384
+    state: present
+    type: Ed25519
+
+- name: Generate RSA private key
+  community.crypto.openssl_privatekey:
+    cipher: auto
+    curve: secp384r1
+    format: pkcs1
+    group: root
+    mode: '0600'
+    owner: root
+    passphrase: "{{ ssl_passphrase }}"
+    path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
+    size: 4096
+    state: present
+    type: RSA
+
+- name: Generate CSR
+  community.crypto.openssl_csr:
+    common_name: "{{ acme_certificate_subject }}"
+    country_name: "{{ acme_certificate_csr_country }}"
+    digest: sha256
+    email_address: "{{ acme_certificate_csr_email }}"
+    group: root
+    locality_name: "{{ acme_certificate_csr_locality }}"
+    mode: '0600'
+    organization_name: "{{ acme_certificate_csr_organization }}"
+    owner: root
+    path: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
+    privatekey_path: "/etc/ssl/private/{{ acme_certificate_subject }}.key"
+    state: present
+    state_or_province_name: "{{ acme_certificate_csr_state }}"
+    use_common_name_for_san: true
+
+- name: Submit ACME certificate request
+  community.crypto.acme_certificate:
+    account_email: "{{ acme_certificate_account_email }}"
+    account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
+    account_key_src: /etc/ssl/private/ACME/account.key
+    acme_directory: "{{ acme_certificate_directory }}"
+    acme_version: 2
+    chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"
+    challenge: dns-01
+    csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
+    dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
+    modify_account: true
+    select_crypto_backend: cryptography
+    terms_agreed: true
+    validate_certs: true
+  register: challenge
+
+- name: Debug ACME certificate challenge
+  ansible.builtin.debug:
+    var: challenge
+
+- name: Proceed if challenge is changed
+  when:
+    - challenge is changed
+    - acme_certificate_subject in challenge.challenge_data
+  block:
+
+    - name: Answer ACME certificate challenge
+      community.general.nsupdate:
+        key_algorithm: "{{ rfc2136_key_algorithm }}"
+        key_name: "{{ rfc2136_key_name }}"
+        key_secret: "{{ rfc2136_key_secret }}"
+        port: 53
+        protocol: tcp
+        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
+        server: "{{ rfc2136_server_address }}"
+        state: present
+        ttl: 3600
+        type: TXT
+        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
+        zone: "{{ acme_certificate_zone }}"
+
+    - name: Retrieve ACME certificate
+      community.crypto.acme_certificate:
+        account_email: "{{ acme_certificate_account_email }}"
+        account_key_passphrase: "{{ acme_certificate_account_key_passphrase }}"
+        account_key_src: /etc/ssl/private/ACME/account.key
+        acme_directory: "{{ acme_certificate_directory }}"
+        acme_version: 2
+        chain_dest: "/etc/ssl/private/{{ acme_certificate_subject }}.chain"
+        challenge: dns-01
+        csr: "/etc/ssl/private/{{ acme_certificate_subject }}.csr"
+        data: "{{ challenge }}"
+        dest: "/etc/ssl/private/{{ acme_certificate_subject }}.crt"
+        modify_account: true
+        select_crypto_backend: cryptography
+        terms_agreed: true
+        validate_certs: true
+
+    - name: Cleanup ACME challenge
+      community.general.nsupdate:
+        key_algorithm: "{{ rfc2136_key_algorithm }}"
+        key_name: "{{ rfc2136_key_name }}"
+        key_secret: "{{ rfc2136_key_secret }}"
+        port: 53
+        protocol: tcp
+        record: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].record }}"
+        server: "{{ rfc2136_server_address }}"
+        state: absent
+        ttl: 3600
+        type: TXT
+        value: "{{ challenge.challenge_data[acme_certificate_subject]['dns-01'].resource_value }}"
+        zone: "{{ acme_certificate_zone }}"

ansible/roles/nut_client/files/nut-monitor_overrride.conf

@@ -0,0 +1,3 @@
+[Unit]
+Requires=network-online.target
+After=network-online.target

ansible/roles/nut_client/tasks/main.yaml

@@ -0,0 +1,23 @@
+- name: Template out upsmon.conf
+  ansible.builtin.template:
+    src: upsmon.conf.j2
+    dest: /etc/nut/upsmon.conf
+    trim_blocks: true
+    owner: root
+    group: nut
+    mode: '0640'
+
+- name: Copy nut-monitor systemd drop in file
+  when: not ( nut_client_local_server | default(true) )
+  ansible.builtin.template:
+    src: nut-monitor_override.conf
+    dest: /etc/systemd/system/nut-monitor.service.d/override.conf
+    owner: root
+    group: root
+    mode: '0644'
+
+- name: Start and enable nut-monitor
+  ansible.builtin.service:
+    name: nut-monitor
+    state: restarted
+    enabled: true

ansible/roles/nut_client/templates/upsmon.conf.j2

@@ -0,0 +1,33 @@
+# File configured by Ansible playbook
+# Configuration reference:
+# https://man.archlinux.org/man/upsmon.conf.5
+
+{% for ups in nut_client_ups_devices %}
+{% if ups.type == 'primary' %}
+MONITOR {{ ups.name }}@{{ ups.host | default('localhost') }}:{{ ups.port | default(3493) }} {{ ups.powervalue | default('1') }} {{ nut_client_primary_username }} {{ nut_client_primary_password }} primary
+{% elif ups.type == 'secondary' %}
+MONITOR {{ ups.name }}@{{ ups.host | default('localhost') }}:{{ ups.port | default(3493) }} {{ ups.powervalue | default('1') }} {{ nut_client_secondary_username }} {{ nut_client_secondary_password }} secondary
+{% endif %}
+{% endfor %}
+FINALDELAY {{ nut_client_final_delay | default('5') }}
+NOCOMMWARNTIME 300
+RBWARNTIME 43200
+OFFDURATION 30
+SHUTDOWNCMD "{{ nut_client_shutdown_cmd | default('/usr/bin/poweroff') }}"
+SHUTDOWNEXIT {{ nut_client_shutdown_exit | default('true') }}
+POWERDOWNFLAG "/etc/killpower"
+DEADTIME 15
+HOSTSYNC {{ nut_client_hostsync | default('30') }}
+POLLFREQALERT 5
+POLLFREQ 5
+MINSUPPLIES {{ nut_client_min_supplies | default('1') }}
+CERTPATH /usr/ssl/certs
+FORCESSL 1
+CERTVERIFY 1
+NOTIFYCMD {{ nut_client_notify_cmd | default('/usr/bin/notify-send') }}
+{% for message in  nut_client_notify_messages %}
+NOTIFYMSG {{ message.name }} {{ message.message }}
+{% endfor %}
+{% for notify in  nut_client_notify_flags %}
+NOTIFYFLAG {{ notify.name }} {{ notify.flags }}
+{% endfor %}

ansible/roles/nut_server/tasks/main.yaml

@@ -41,17 +41,3 @@
     name: nut-server
     state: restarted
     enabled: true
-
-- name: Template out upsmon.conf
-  ansible.builtin.template:
-    src: upsmon.conf.j2
-    dest: /etc/nut/upsmon.conf
-    owner: root
-    group: nut
-    mode: '0640'
-
-- name: Start and enable nut-monitor
-  ansible.builtin.service:
-    name: nut-monitor
-    state: restarted
-    enabled: true

ansible/roles/nut_server/templates/upsd.users.j2

@@ -0,0 +1,11 @@
+[{{ nut_client_primary_username }}]
+     password = {{ nut_client_primary_password }}
+     upsmon primary
+     actions = SET
+     instcmds = ALL
+
+[{{ nut_client_secondary_username }}]
+     password = {{ nut_client_secondary_password }}
+     upsmon secondary
+     actions = SET
+     instcmds = ALL