xoxys.lego/tasks/main.yml

---
- name: Include OS specific vars
  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      files:
        - "{{ ansible_lsb.id | default('') | lower }}.yml"
        - "{{ ansible_os_family | lower }}.yml"
      paths:
        - "vars"
      errors: "ignore"

- name: Install lego
  ansible.legacy.unarchive:
    src: https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz
    dest: "{{ __lego_bin_dir }}"
    remote_src: True
    extra_opts:
      - "{{ __lego_bin_name }}"
    mode: "0750"

- name: Create lego base dir
  ansible.builtin.file:
    path: "{{ __lego_base_dir }}/hooks"
    state: directory
    owner: root
    group: root
    mode: "0750"

- name: Create LetsEncrypt certificates directory
  ansible.builtin.file:
    path: "{{ __lego_base_dir }}/.lego/certificates"
    state: directory
    owner: root
    group: root
    mode: "0700"
    recurse: True

- name: Create hook scripts
  ansible.builtin.copy:
    content: "{{ item.hook }}"
    dest: "{{ __lego_base_dir }}/hooks/{{ item.name }}.sh"
    owner: root
    group: root
    mode: "0700"
  when: item.hook is defined
  loop: "{{ lego_certificates }}"
  loop_control:
    label: "{{ item.name }}"

- name: Obtain certificates for domains
  ansible.builtin.command: >-
    {{ __lego_bin_file }}
    --accept-tos
    --email="{{ lego_acme_account_email }}"
    --domains {{ " --domains ".join(item.domains) }}
    --key-type="{{ lego_key_type }}"
    --dns="cloudflare"
    {{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }}
    run
    {{ '--run-hook="' + __lego_base_dir + '/hooks/' + item.name + '.sh"' if item.hook is defined else '' }}
  args:
    creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
  environment:
    LEGO_SERVER: "{{ lego_acme_server }}/directory"
    LEGO_PATH: "{{ __lego_base_dir }}/.lego"
    CLOUDFLARE_DNS_API_TOKEN: "{{ lego_cloudflare_api_token }}"
  when: not item.skip_create | default(False) | bool
  loop: "{{ lego_certificates }}"
  loop_control:
    label: "{{ item.name }}"

- name: Write environment file
  ansible.builtin.template:
    src: etc/sysconfig/lego.j2
    dest: "{{ __lego_systemd_env }}"
    mode: "0600"
  notify: __lego_restart

- name: Write timer file
  ansible.builtin.template:
    src: etc/systemd/system/lego-renew.timer.j2
    dest: /etc/systemd/system/lego-renew.timer
    mode: "0644"
  notify: __lego_restart

- name: Write service file
  ansible.builtin.template:
    src: etc/systemd/system/lego-renew.service.j2
    dest: /etc/systemd/system/lego-renew.service
    mode: "0644"
  notify: __lego_restart

- name: Ensure renew timer is up and running
  ansible.builtin.service:
    name: lego-renew.timer
    daemon_reload: True
    enabled: True
    state: "{{ lego_renew_enabled | ternary('started', 'stopped', 'started') }}"
initial commit 2024-09-27 18:40:51 +00:00			`---`
fix systemd env location 2024-09-28 20:32:56 +00:00			`- name: Include OS specific vars`
			`ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"`
			`vars:`
			`params:`
			`files:`
			`- "{{ ansible_lsb.id \| default('') \| lower }}.yml"`
			`- "{{ ansible_os_family \| lower }}.yml"`
			`paths:`
			`- "vars"`
			`errors: "ignore"`

initial commit 2024-09-27 18:40:51 +00:00			`- name: Install lego`
			`ansible.legacy.unarchive:`
			`src: https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz`
			`dest: "{{ __lego_bin_dir }}"`
			`remote_src: True`
			`extra_opts:`
			`- "{{ __lego_bin_name }}"`
			`mode: "0750"`

			`- name: Create lego base dir`
			`ansible.builtin.file:`
use systemd for renew job 2024-09-28 20:22:42 +00:00			`path: "{{ __lego_base_dir }}/hooks"`
initial commit 2024-09-27 18:40:51 +00:00			`state: directory`
			`owner: root`
			`group: root`
			`mode: "0750"`

			`- name: Create LetsEncrypt certificates directory`
			`ansible.builtin.file:`
			`path: "{{ __lego_base_dir }}/.lego/certificates"`
			`state: directory`
			`owner: root`
			`group: root`
			`mode: "0700"`
			`recurse: True`

add hook support 2024-09-27 20:04:16 +00:00			`- name: Create hook scripts`
			`ansible.builtin.copy:`
			`content: "{{ item.hook }}"`
use systemd for renew job 2024-09-28 20:22:42 +00:00			`dest: "{{ __lego_base_dir }}/hooks/{{ item.name }}.sh"`
add hook support 2024-09-27 20:04:16 +00:00			`owner: root`
			`group: root`
fix hook 2024-09-27 22:57:06 +00:00			`mode: "0700"`
add hook support 2024-09-27 20:04:16 +00:00			`when: item.hook is defined`
			`loop: "{{ lego_certificates }}"`
			`loop_control:`
			`label: "{{ item.name }}"`

initial commit 2024-09-27 18:40:51 +00:00			`- name: Obtain certificates for domains`
add cron and key type config options 2024-09-27 19:37:17 +00:00			`ansible.builtin.command: >-`
add hook support 2024-09-27 20:04:16 +00:00			`{{ __lego_bin_file }}`
accept tos during lego run 2024-09-27 20:24:19 +00:00			`--accept-tos`
add cron and key type config options 2024-09-27 19:37:17 +00:00			`--email="{{ lego_acme_account_email }}"`
			`--domains {{ " --domains ".join(item.domains) }}`
			`--key-type="{{ lego_key_type }}"`
			`--dns="cloudflare"`
add dns resolver option 2024-09-27 22:38:17 +00:00			`{{ '--dns.resolvers="' + lego_dns_resolvers \| join(',') + '"' if lego_dns_resolvers \| length > 0 else '' }}`
add hook support 2024-09-27 20:04:16 +00:00			`run`
use systemd for renew job 2024-09-28 20:22:42 +00:00			`{{ '--run-hook="' + __lego_base_dir + '/hooks/' + item.name + '.sh"' if item.hook is defined else '' }}`
initial commit 2024-09-27 18:40:51 +00:00			`args:`
			`creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"`
			`environment:`
drop account setup 2024-09-27 19:18:56 +00:00			`LEGO_SERVER: "{{ lego_acme_server }}/directory"`
initial commit 2024-09-27 18:40:51 +00:00			`LEGO_PATH: "{{ __lego_base_dir }}/.lego"`
fix cloudflare token env 2024-09-27 20:15:02 +00:00			`CLOUDFLARE_DNS_API_TOKEN: "{{ lego_cloudflare_api_token }}"`
drop account setup 2024-09-27 19:18:56 +00:00			`when: not item.skip_create \| default(False) \| bool`
initial commit 2024-09-27 18:40:51 +00:00			`loop: "{{ lego_certificates }}"`
			`loop_control:`
add hook support 2024-09-27 20:04:16 +00:00			`label: "{{ item.name }}"`
initial commit 2024-09-27 18:40:51 +00:00
use systemd for renew job 2024-09-28 20:22:42 +00:00			`- name: Write environment file`
initial commit 2024-09-27 18:40:51 +00:00			`ansible.builtin.template:`
use systemd for renew job 2024-09-28 20:22:42 +00:00			`src: etc/sysconfig/lego.j2`
fix systemd env location 2024-09-28 20:32:56 +00:00			`dest: "{{ __lego_systemd_env }}"`
use systemd for renew job 2024-09-28 20:22:42 +00:00			`mode: "0600"`
			`notify: __lego_restart`

			`- name: Write timer file`
			`ansible.builtin.template:`
			`src: etc/systemd/system/lego-renew.timer.j2`
			`dest: /etc/systemd/system/lego-renew.timer`
			`mode: "0644"`
			`notify: __lego_restart`

			`- name: Write service file`
			`ansible.builtin.template:`
			`src: etc/systemd/system/lego-renew.service.j2`
			`dest: /etc/systemd/system/lego-renew.service`
			`mode: "0644"`
			`notify: __lego_restart`
initial commit 2024-09-27 18:40:51 +00:00
use systemd for renew job 2024-09-28 20:22:42 +00:00			`- name: Ensure renew timer is up and running`
			`ansible.builtin.service:`
			`name: lego-renew.timer`
			`daemon_reload: True`
			`enabled: True`
disable random delay and fix test 2024-09-28 21:03:36 +00:00			`state: "{{ lego_renew_enabled \| ternary('started', 'stopped', 'started') }}"`