89 lines
3.6 KiB
YAML
89 lines
3.6 KiB
YAML
---
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Checking config
|
|
ansible.builtin.fail:
|
|
msg: "The required configuration was not provided!
|
|
Needed: 'certs.letsencrypt.certs', 'certs.letsencrypt.service',
|
|
'certs.letsencrypt.email or certs.letsencrypt.email.certs.email'"
|
|
when: >
|
|
CERT_CONFIG.letsencrypt.certs | length == 0 or
|
|
CERT_CONFIG.letsencrypt.service is none | default(none, true) or
|
|
(CERT_CONFIG.letsencrypt.email | default(none, true) is none and not CERT_CONFIG.letsencrypt.certs|check_email)
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Checking service
|
|
ansible.builtin.fail:
|
|
msg: "You need to supply a supported LetsEncrypt Certbot service to use! (apache/nginx)"
|
|
when: "CERT_CONFIG.letsencrypt.service | default(none, true) is none or CERT_CONFIG.letsencrypt.service not in ['apache', 'nginx']"
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Apache2
|
|
ansible.builtin.import_tasks: apache.yml
|
|
when: CERT_CONFIG.letsencrypt.service == 'apache'
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Configure for Nginx
|
|
ansible.builtin.import_tasks: nginx.yml
|
|
when: CERT_CONFIG.letsencrypt.service == 'nginx'
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Pulling existing certs
|
|
ansible.builtin.command: 'certbot certificates'
|
|
register: existing_certs_raw
|
|
changed_when: false
|
|
check_mode: false
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Adding certificates
|
|
ansible.builtin.include_tasks: cert.yml
|
|
when:
|
|
- le_cert.domains | length > 0
|
|
- le_cert.state == 'present'
|
|
vars:
|
|
le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
|
|
le_name: "{{ cert_item.key | safe_key }}"
|
|
le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
|
|
le_changed: "{{ existing_certs_raw.stdout | le_domains_changed(le_name, le_cert.domains) }}"
|
|
loop_control:
|
|
loop_var: cert_item
|
|
no_log: true
|
|
with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Removing certificates
|
|
ansible.builtin.command: "certbot revoke --cert-name {{ le_name }} && certbot delete --cert-name {{ le_name }}"
|
|
when:
|
|
- le_cert.state != 'present'
|
|
- existing_certs_raw.stdout.find(le_name) != -1
|
|
vars:
|
|
le_cert: "{{ default_le_certbot_cert_config | combine(cert_item.value, recursive=true) }}"
|
|
le_name: "{{ cert_item.key | safe_key }}"
|
|
loop_control:
|
|
loop_var: cert_item
|
|
with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Apache2
|
|
ansible.builtin.import_tasks: apache_cleanup.yml
|
|
when: CERT_CONFIG.letsencrypt.service == 'apache'
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Cleanup for Nginx
|
|
ansible.builtin.import_tasks: nginx_cleanup.yml
|
|
when: CERT_CONFIG.letsencrypt.service == 'nginx'
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Adding service for certbot renewal
|
|
ansible.builtin.template:
|
|
src: "templates/etc/systemd/system/{{ item }}.j2"
|
|
dest: "/etc/systemd/system/{{ item }}"
|
|
owner: 'root'
|
|
group: 'root'
|
|
mode: 0644
|
|
loop:
|
|
- 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
|
|
- 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Enabling cert-renewal timer
|
|
ansible.builtin.systemd:
|
|
daemon_reload: yes
|
|
name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
|
|
enabled: yes
|
|
state: started
|
|
|
|
- name: Certificates | Debian | LetsEncrypt Certbot | Running renewal
|
|
ansible.builtin.command: 'certbot renew --force-renewal'
|
|
when: CERT_CONFIG.letsencrypt.renew
|
|
ignore_errors: true
|