100 lines
2.8 KiB
YAML
100 lines
2.8 KiB
YAML
---
|
|
- name: Include OS specific vars
|
|
ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
|
|
vars:
|
|
params:
|
|
files:
|
|
- "{{ ansible_lsb.id | default('') | lower }}.yml"
|
|
- "{{ ansible_os_family | lower }}.yml"
|
|
paths:
|
|
- "vars"
|
|
errors: "ignore"
|
|
|
|
- name: Install lego
|
|
ansible.legacy.unarchive:
|
|
src: https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz
|
|
dest: "{{ __lego_bin_dir }}"
|
|
remote_src: True
|
|
extra_opts:
|
|
- "{{ __lego_bin_name }}"
|
|
mode: "0750"
|
|
|
|
- name: Create lego base dir
|
|
ansible.builtin.file:
|
|
path: "{{ __lego_base_dir }}/hooks"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0750"
|
|
|
|
- name: Create LetsEncrypt certificates directory
|
|
ansible.builtin.file:
|
|
path: "{{ __lego_base_dir }}/.lego/certificates"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
recurse: True
|
|
|
|
- name: Create hook scripts
|
|
ansible.builtin.copy:
|
|
content: "{{ item.hook }}"
|
|
dest: "{{ __lego_base_dir }}/hooks/{{ item.name }}.sh"
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
when: item.hook is defined
|
|
loop: "{{ lego_certificates }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
|
|
- name: Obtain certificates for domains
|
|
ansible.builtin.command: >-
|
|
{{ __lego_bin_file }}
|
|
--accept-tos
|
|
--email="{{ lego_acme_account_email }}"
|
|
--domains {{ " --domains ".join(item.domains) }}
|
|
--key-type="{{ lego_key_type }}"
|
|
--dns="cloudflare"
|
|
{{ '--dns.resolvers="' + lego_dns_resolvers | join(',') + '"' if lego_dns_resolvers | length > 0 else '' }}
|
|
run
|
|
{{ '--run-hook="' + __lego_base_dir + '/hooks/' + item.name + '.sh"' if item.hook is defined else '' }}
|
|
args:
|
|
creates: "{{ __lego_base_dir }}/.lego/certificates/{{ item.domains[0] }}.crt"
|
|
environment:
|
|
LEGO_SERVER: "{{ lego_acme_server }}/directory"
|
|
LEGO_PATH: "{{ __lego_base_dir }}/.lego"
|
|
CLOUDFLARE_DNS_API_TOKEN: "{{ lego_cloudflare_api_token }}"
|
|
when: not item.skip_create | default(False) | bool
|
|
loop: "{{ lego_certificates }}"
|
|
loop_control:
|
|
label: "{{ item.name }}"
|
|
|
|
- name: Write environment file
|
|
ansible.builtin.template:
|
|
src: etc/sysconfig/lego.j2
|
|
dest: "{{ __lego_systemd_env }}"
|
|
mode: "0600"
|
|
notify: __lego_restart
|
|
|
|
- name: Write timer file
|
|
ansible.builtin.template:
|
|
src: etc/systemd/system/lego-renew.timer.j2
|
|
dest: /etc/systemd/system/lego-renew.timer
|
|
mode: "0644"
|
|
notify: __lego_restart
|
|
|
|
- name: Write service file
|
|
ansible.builtin.template:
|
|
src: etc/systemd/system/lego-renew.service.j2
|
|
dest: /etc/systemd/system/lego-renew.service
|
|
mode: "0644"
|
|
notify: __lego_restart
|
|
|
|
- name: Ensure renew timer is up and running
|
|
ansible.builtin.service:
|
|
name: lego-renew.timer
|
|
daemon_reload: True
|
|
enabled: True
|
|
state: started
|