---

# Packages for certbot with the Cloudflare DNS plugin.
# NOTE(review): on Debian/Ubuntu the `certbot` CLI itself ships in the
# `certbot` package rather than `python3-certbot`; confirm the binary
# invoked by the tasks below is present on the target.
- name: Install certbot deps
  ansible.builtin.apt:
    state: present
    name:
      - python3-certbot
      - python3-certbot-dns-cloudflare

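# Render the Cloudflare API credentials file read by the dns-cloudflare plugin.
# The mode is quoted: an unquoted 0700 is parsed as the integer 448 (YAML 1.1
# octal) and Ansible has to guess the intent.  0600 is sufficient — the file
# is data, not a program, and certbot warns when credentials are readable by
# group/others.  Ownership matches the root-run cron job below.
- name: Install
  ansible.builtin.template:
    src: cloudflare-credentials.ini.j2
    dest: "{{ cloudflare_credentials_destination }}"
    owner: root
    group: root
    mode: "0600"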

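# Directory for the renewal post-hook script installed by the next task.
# The previous symbolic mode "o=rw,g=r,a+x" granted *others* (o=) read+write
# and gave the owner only +x — a world-writable directory holding a script
# that root runs.  Use an explicit, root-owned 0755 instead.
- name: Ensure existance of {{ certbot_post_hook_dir }}
  ansible.builtin.file:
    path: "{{ certbot_post_hook_dir }}"
    state: directory
    owner: root
    group: root
    mode: "u=rwx,g=rx,o=rx"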

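# Install the renewal post-hook script.  An absolute mode replaces the
# relative "a+x": a relative symbolic mode keeps whatever bits the file
# already had (e.g. a stray group/other write bit), which matters for a
# script that runs as root.
- name: Add renewal_post_upgrade hook
  ansible.builtin.copy:
    src: renewal_post_upgrade.sh
    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
    owner: root
    group: root
    mode: "0755"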

# One stat result per domain of this host, in host_domains order; the
# registered results are consumed by the set_fact task that follows.
- name: Check for existence of certificates
  ansible.builtin.stat:
    path: '{{ certbot_live_dir }}/{{ item }}/fullchain.pem'
  loop: '{{ host_domains[inventory_hostname] }}'
  register: cert_check
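# Build a whitespace-separated string of the domains that have no
# fullchain.pem yet.  Every loop result carries its input as `item`, so the
# registered results are filtered directly instead of re-indexing
# host_domains with loop.index0 (fragile if either side changes shape).
# The value stays a string so the `.split()` consumer below keeps working;
# it is "" when every domain already has a certificate.
- name: Construct domains needing ACME requests list
  ansible.builtin.set_fact:
    domain_request_list: "{{ cert_check.results | rejectattr('stat.exists') | map(attribute='item') | join(' ') }}"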

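# Issue a certificate for each domain still missing one.  A literal block
# (|) keeps the backslash-newline continuations intact; the previous folded
# (>) scalar only worked because every continuation line happened to be
# more-indented and was therefore kept verbatim.  `creates` makes the task
# idempotent on its own, so the module's default changed/ok reporting is
# used: the old changed_when was always true whenever the loop ran, since
# the loop already contains only domains without a certificate.
- name: Request acmedns challenges if there are such domains that need certs
  ansible.builtin.shell: |
    certbot certonly --dns-cloudflare \
      --dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \
      --non-interactive \
      --manual-public-ip-logging-ok \
      --agree-tos -m {{ certbot_email }} \
      --preferred-challenges dns --debug-challenges \
      --dns-cloudflare-propagation-seconds 40 \
      -d {{ item }}
  args:
    creates: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
  loop: "{{ domain_request_list.split() }}"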

# Daily `certbot renew` as root, written to /etc/cron.d/certbot_renewal.
# NOTE(review): no --post-hook is passed here; confirm certbot picks up the
# script placed in certbot_post_hook_dir by other means.
- name: Certbot daily renewal cron job
  ansible.builtin.cron:
    user: root
    cron_file: 'certbot_renewal'
    name: 'letsencrypt_daily_renewal'
    special_time: 'daily'
    job: 'certbot renew --non-interactive'