--- - name: Include OS specific vars ansible.builtin.include_vars: "{{ lookup('first_found', params) }}" vars: params: files: - "{{ ansible_lsb.id | default('') | lower }}.yml" - "{{ ansible_os_family | lower }}.yml" paths: - "vars" errors: "ignore" - name: Install lego ansible.legacy.unarchive: src: https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz dest: "{{ __lego_bin_dir }}" remote_src: True extra_opts: - "{{ __lego_bin_name }}" mode: "0750" - name: Create lego base dir ansible.builtin.file: path: "{{ __lego_base_dir }}/hooks" state: directory owner: root group: root mode: "0750" - name: Create LetsEncrypt certificates directory ansible.builtin.file: path: "{{ __lego_base_dir }}/.lego/certificates" state: directory owner: root group: root mode: "0700" recurse: True - name: Create hook scripts ansible.builtin.copy: content: "{{ item.hook }}" dest: "{{ __lego_base_dir }}/hooks/{{ item.name }}.sh" owner: root group: root mode: "0700" when: item.hook is defined loop: "{{ lego_certificates }}" loop_control: label: "{{ item.name }}" - name: Obtain certificates for domains ansible.builtin.command: >- {{ __lego_bin_file }} --accept-tos --email="{{ lego_acme_account_email }}" --domains {{ " --domains ".join(item.domains) }} --key-type="{{ lego_key_type }}" --dns="cloudflare" {{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }} run {{ '--run-hook="' + __lego_base_dir + '/hooks/' + item.name + '.sh"' if item.hook is defined else '' }} args: creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt" environment: LEGO_SERVER: "{{ lego_acme_server }}/directory" LEGO_PATH: "{{ __lego_base_dir }}/.lego" CLOUDFLARE_DNS_API_TOKEN: "{{ lego_cloudflare_api_token }}" when: not item.skip_create | default(False) | bool loop: "{{ lego_certificates }}" loop_control: label: "{{ item.name }}" - name: Write environment file ansible.builtin.template: src: etc/sysconfig/lego.j2 dest: "{{ __lego_systemd_env }}" mode: "0600" notify: __lego_restart - name: Write timer file ansible.builtin.template: src: etc/systemd/system/lego-renew.timer.j2 dest: /etc/systemd/system/lego-renew.timer mode: "0644" notify: __lego_restart - name: Write service file ansible.builtin.template: src: etc/systemd/system/lego-renew.service.j2 dest: /etc/systemd/system/lego-renew.service mode: "0644" notify: __lego_restart - name: Ensure renew timer is up and running ansible.builtin.service: name: lego-renew.timer daemon_reload: True enabled: True state: started