ansibleguy.infra_certs/tasks/debian/letsencrypt/main.yml

---

- name: Certificates | LetsEncrypt Certbot | Checking config
  ansible.builtin.assert:
    that:
      - CERT_CONFIG.letsencrypt.certs | length > 0
      - CERT_CONFIG.letsencrypt.service | default(false, true)
      - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
      - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
  tags: always

- name: Certificates | LetsEncrypt Certbot | Configure for Apache2
  ansible.builtin.import_tasks: apache.yml
  when: CERT_CONFIG.letsencrypt.service == 'apache'

- name: Certificates | LetsEncrypt Certbot | Configure for Nginx
  ansible.builtin.import_tasks: nginx.yml
  when: CERT_CONFIG.letsencrypt.service == 'nginx'

- name: Certificates | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
  ansible.builtin.command: "certbot certificates --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}"
  register: existing_certs_raw
  when: le_existing_certs is undefined
  changed_when: false
  check_mode: false
  timeout: 300

- name: Certificates | LetsEncrypt Certbot | Setting existing certs
  ansible.builtin.set_fact:
    le_existing_certs: "{{ existing_certs_raw.stdout }}"
  when: le_existing_certs is undefined

- name: Certificates | LetsEncrypt Certbot | Existing certificates
  ansible.builtin.debug:
    var: le_existing_certs
  when: debug | bool

- name: Certificates | LetsEncrypt Certbot | Adding certificates
  ansible.builtin.include_tasks: cert.yml
  when:
    - le_cert.domains | length > 0
    - le_cert.state == 'present'
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
    le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
    le_changed: "{{ le_existing_certs | le_domains_changed(le_name, le_cert.domains) }}"
  loop_control:
    loop_var: cert_item
  no_log: true
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

# todo: task gets stuck
- name: Certificates | LetsEncrypt Certbot | Revoking certificates
  ansible.builtin.command: "certbot revoke --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
  changed_when: false
  when:
    - le_cert.state != 'present'
    - le_existing_certs.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | LetsEncrypt Certbot | Deleting certificates
  ansible.builtin.command: "certbot delete --cert-name {{ le_name }}{% if debug or testing %} --staging{% endif %}"
  changed_when: false
  when:
    - le_cert.state != 'present'
    - le_existing_certs.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | LetsEncrypt Certbot | Cleanup for Apache2
  ansible.builtin.import_tasks: apache_cleanup.yml
  when: CERT_CONFIG.letsencrypt.service == 'apache'

- name: Certificates | LetsEncrypt Certbot | Cleanup for Nginx
  ansible.builtin.import_tasks: nginx_cleanup.yml
  when: CERT_CONFIG.letsencrypt.service == 'nginx'

- name: Certificates | LetsEncrypt Certbot | Adding service for certbot renewal
  ansible.builtin.template:
    src: "templates/etc/systemd/system/{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: 'root'
    group: 'root'
    mode: 0644
  loop:
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'

- name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer
  ansible.builtin.systemd:
    daemon_reload: yes
    name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
    enabled: yes
    state: started

# Renew all previously obtained certificates that are near expiry
- name: Certificates | LetsEncrypt Certbot | Running renewal
  ansible.builtin.command: "certbot renew --force-renewal{% if debug or testing %} --staging{% endif %}"
  when: CERT_CONFIG.letsencrypt.renew
  changed_when: false
  ignore_errors: true