Diffstat (limited to 'playbooks/roles/certbot/tasks')
-rw-r--r-- | playbooks/roles/certbot/tasks/main.yml | 64 |
1 files changed, 64 insertions, 0 deletions
diff --git a/playbooks/roles/certbot/tasks/main.yml b/playbooks/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..717eac0
--- /dev/null
+++ b/playbooks/roles/certbot/tasks/main.yml
@@ -0,0 +1,64 @@
+---
+
+- name: Install certbot deps
+ ansible.builtin.apt:
+ name:
+ - python3-certbot
+ - python3-certbot-dns-cloudflare
+ state: present
+
+- name: Install
+ ansible.builtin.template:
+ src: cloudflare-credentials.ini.j2
+ dest: "{{ cloudflare_credentials_destination }}"
+ mode: 0700
+
+- name: Ensure existance of {{ certbot_post_hook_dir }}
+ ansible.builtin.file:
+ path: "{{ certbot_post_hook_dir }}"
+ state: directory
+ mode: o=rw,g=r,a+x
+
+- name: Add renewal_post_upgrade hook
+ ansible.builtin.copy:
+ src: renewal_post_upgrade.sh
+ dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
+ mode: a+x
+ owner: root
+ group: root
+
+- name: Check for existence of certificates
+ ansible.builtin.stat:
+ path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
+ loop: "{{ host_domains[inventory_hostname] }}"
+ register: cert_check
+- name: Construct domains needing ACME requests list
+ ansible.builtin.set_fact:
+ domain_request_list: >
+ {% for domain in host_domains[inventory_hostname] %}
+ {% set domain_index = loop.index0 %}
+ {% if not cert_check.results[domain_index].stat.exists %}
+ {{ domain }}
+ {% endif %}
+ {% endfor %}
+
+- name: Request acmedns challenges if there are such domains that need certs
+ ansible.builtin.shell: >
+ certbot certonly --dns-cloudflare \
+ --dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \
+ --non-interactive \
+ --manual-public-ip-logging-ok \
+ --agree-tos -m {{ certbot_email }} \
+ --preferred-challenges dns --debug-challenges \
+ --dns-cloudflare-propagation-seconds 40 \
+ -d {{ item }}
+ loop: "{{ domain_request_list.split() }}"
+ changed_when: domain_request_list | trim != ''
+
+- name: Certbot daily renewal cron job
+ ansible.builtin.cron:
+ name: "letsencrypt_daily_renewal"
+ special_time: "daily"
+ job: "certbot renew --non-interactive"
+ cron_file: "certbot_renewal"
+ user: root
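Review bot: The `Ensure existance of {{ certbot_post_hook_dir }}` task sets `mode: o=rw,g=r,a+x`, and in chmod symbolic notation `o` means *others*, not owner, so the renewal-hook directory ends up world-writable (others get rwx once `a+x` is applied) while the owner bits are left to whatever the directory was created with. Every executable placed in that directory is run by `certbot renew`, which the last task schedules as `user: root`, so any local account could drop a script there and have it executed as root; the task should pin the directory with `owner: root`, `group: root`, `mode: "0755"` (the hook-copy task below already sets root ownership, and quoting the mode avoids the YAML leading-zero octal ambiguity). The Cloudflare credentials template is in a similar position: it sets `mode: 0700` but no `owner`/`group`, so the API-token file belongs to whichever user Ansible connected as and carries an execute bit a data file does not need; `mode: "0600"` plus `owner: root`/`group: root` keeps it readable only by the root cron job that consumes it via `--dns-cloudflare-credentials`. As a nit, the task name misspells "existence", and `--manual-public-ip-logging-ok` is, to my knowledge, a deprecated no-op in current certbot releases — worth confirming against the packaged version before relying on it.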