ansibleguy.infra_mariadb/tasks/debian/letsencrypt/main.yml


---
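# Validate the letsencrypt section of the config before any certificate
# handling starts; 'tags: always' makes this run even on tag-filtered plays.
- name: Certificates | LetsEncrypt Certbot | Checking config
  ansible.builtin.assert:
    that:
      # at least one certificate must be defined
      - CERT_CONFIG.letsencrypt.certs | length > 0
      # a webserver to configure (apache.yml / nginx.yml below) is mandatory
      - CERT_CONFIG.letsencrypt.service | default(false, true)
      # a contact email is needed globally or - presumably, via the custom
      # 'check_email' filter - on every certificate entry
      - CERT_CONFIG.letsencrypt.email | default(false, true) or CERT_CONFIG.letsencrypt.certs | check_email
      # only the services listed in the hard-coded options are supported
      - CERT_CONFIG.letsencrypt.service in CERT_HC.letsencrypt.options.service
    # tell the operator what is wrong instead of a bare assertion failure
    fail_msg: >-
      Invalid letsencrypt config: define at least one certificate, a supported
      'service' (see CERT_HC.letsencrypt.options.service) and a contact 'email'
      (globally or per certificate)
  tags: always

# Webserver-specific setup; exactly one of the two runs, chosen by the
# 'service' value validated above.
- name: Certificates | LetsEncrypt Certbot | Configure for Apache2
  ansible.builtin.import_tasks: apache.yml
  when: CERT_CONFIG.letsencrypt.service == 'apache'

- name: Certificates | LetsEncrypt Certbot | Configure for Nginx
  ansible.builtin.import_tasks: nginx.yml
  when: CERT_CONFIG.letsencrypt.service == 'nginx'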
# Inventory of the certificates certbot already manages in the configured
# directory; the raw output is reused by the add/revoke/delete tasks below.
- name: Certificates | LetsEncrypt Certbot | Pulling existing certs (this can take some time)
  ansible.builtin.command: >-
    certbot certificates
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}
  register: existing_certs_raw
  # read-only query: never reported as a change, and executed in check mode
  # as well so the conditions of the following tasks always have data
  changed_when: false
  check_mode: false
  timeout: 120

# Dump the raw certbot output when the role runs with 'debug' enabled
- name: Certificates | LetsEncrypt Certbot | Existing certificates
  ansible.builtin.debug:
    var: existing_certs_raw.stdout
  when: debug | bool
# Handle one certificate per entry of CERT_CONFIG.letsencrypt.certs.
# Each entry is merged over 'default_le_certbot_cert'; the derived variables
# below are available inside cert.yml.
- name: Certificates | LetsEncrypt Certbot | Adding certificates
  ansible.builtin.include_tasks: cert.yml
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"
  loop_control:
    loop_var: cert_item
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    # the dict key, passed through the custom 'safe_key' filter, is used as
    # certbot's cert-name and as the directory name below 'live/'
    le_name: "{{ cert_item.key | safe_key }}"
    le_path: "{{ CERT_CONFIG.letsencrypt.path }}/live/{{ le_name }}"
    # custom filter comparing the configured domains with what certbot reported
    le_changed: "{{ existing_certs_raw.stdout | le_domains_changed(le_name, le_cert.domains) }}"
  when:
    - le_cert.domains | length > 0
    - le_cert.state == 'present'
  # keeps the full per-certificate config out of the play output
  no_log: true
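# Remove certificates whose state is not 'present' but that certbot still
# lists. Both commands use the same --config-dir as the listing task above;
# without it certbot looks for the cert-name in its default directory and
# the configured path is never touched.
# 'certbot revoke' asks whether the revoked certificate should be deleted as
# well; running non-interactively with --no-delete-after-revoke answers that
# without a prompt (the likely cause of the task hanging) and leaves the
# removal to the explicit delete task below.
# NOTE(review): the 'find' condition is a plain substring match, so a
# cert-name that is a prefix of another one matches both - TODO confirm
# against the certbot output format if names like that are used.
# No 'changed_when: false' here: the 'when' guard only lets the command run
# when the certificate actually exists, so a successful run is a real change.
- name: Certificates | LetsEncrypt Certbot | Revoking certificates
  ansible.builtin.command: >-
    certbot revoke --non-interactive --no-delete-after-revoke
    --cert-name {{ le_name }}
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}
  when:
    - le_cert.state != 'present'
    - existing_certs_raw.stdout.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"

- name: Certificates | LetsEncrypt Certbot | Deleting certificates
  ansible.builtin.command: >-
    certbot delete --non-interactive
    --cert-name {{ le_name }}
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}
  when:
    - le_cert.state != 'present'
    - existing_certs_raw.stdout.find(le_name) != -1
  vars:
    le_cert: "{{ default_le_certbot_cert | combine(cert_item.value, recursive=true) }}"
    le_name: "{{ cert_item.key | safe_key }}"
  loop_control:
    loop_var: cert_item
  with_dict: "{{ CERT_CONFIG.letsencrypt.certs }}"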
# Webserver-specific teardown, mirroring the configure tasks at the top of
# this file; only the task file matching 'service' is imported.
- name: Certificates | LetsEncrypt Certbot | Cleanup for Apache2
  when: CERT_CONFIG.letsencrypt.service == 'apache'
  ansible.builtin.import_tasks: apache_cleanup.yml

- name: Certificates | LetsEncrypt Certbot | Cleanup for Nginx
  when: CERT_CONFIG.letsencrypt.service == 'nginx'
  ansible.builtin.import_tasks: nginx_cleanup.yml
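# systemd service + timer for certbot renewal outside of Ansible runs
# (the unit contents live in the templates and are not visible here).
- name: Certificates | LetsEncrypt Certbot | Adding service for certbot renewal
  ansible.builtin.template:
    src: "templates/etc/systemd/system/{{ item }}.j2"
    dest: "/etc/systemd/system/{{ item }}"
    owner: 'root'
    group: 'root'
    # quoted so the YAML parser does not turn the octal literal into an int
    mode: '0644'
  loop:
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.service'
    - 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
  register: le_renewal_units

- name: Certificates | LetsEncrypt Certbot | Enabling cert-renewal timer
  ansible.builtin.systemd:
    # pick up freshly written unit files before touching the timer
    daemon_reload: true
    name: 'ansibleguy.infra_certs.LetsEncryptCertbot.timer'
    enabled: true
    # 'started' is a no-op for an already running timer, so a changed unit
    # file would keep the old schedule; restart it when the templates changed
    state: "{{ 'restarted' if le_renewal_units.changed | default(false) else 'started' }}"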
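# Force-renew every certificate certbot manages in the configured directory.
# NOTE(review): '--force-renewal' ignores the remaining lifetime, so a full
# re-issuance happens on every play where CERT_CONFIG.letsencrypt.renew is
# true; frequent runs may hit the CA's duplicate-certificate rate limit.
# The --config-dir matches the listing/revoke/delete tasks above; without it
# certbot would renew the certificates of its default directory instead.
# Failures are ignored on purpose (best effort) - inspect certbot's log on
# the host when a renewal does not show up.
- name: Certificates | LetsEncrypt Certbot | Running renewal
  ansible.builtin.command: >-
    certbot renew --force-renewal
    --config-dir {{ CERT_CONFIG.letsencrypt.path }}{% if debug or testing %} --staging{% endif %}
  when: CERT_CONFIG.letsencrypt.renew
  changed_when: false
  ignore_errors: true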