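---
# Role defaults for acme.sh / Let's Encrypt. Every key below is read by name
# from the role's tasks and templates, so key names are the public interface:
# override values in inventory/group_vars, do not rename keys here.

# Master switch; the acme.sh-specific switch follows it unless overridden.
letsencrypt_acme_install: false
letsencrypt_acme_sh_install: '{{ letsencrypt_acme_install }}'

# acme.sh is installed from upstream git. No tag or commit is pinned in this
# file; if the install tasks check out the default branch, installs are not
# reproducible and each run trusts whatever upstream HEAD is -- confirm in tasks.
letsencrypt_acme_sh_git_install: true
letsencrypt_update_acme_distribution: false
letsencrypt_acme_sh_git_url: https://github.com/acmesh-official/acme.sh.git
letsencrypt_acme_sh_default_ca: 'letsencrypt'

# Dedicated service account acme.sh runs as, and its home directory.
letsencrypt_acme_user: acme
letsencrypt_acme_sh_user: '{{ letsencrypt_acme_user }}'
letsencrypt_acme_user_home: /var/lib/acme
letsencrypt_acme_git_dest_dir: '{{ letsencrypt_acme_user_home }}/acme_sh_dist'
letsencrypt_acme_sh_user_home: '{{ letsencrypt_acme_user_home }}'
letsencrypt_acme_sh_base_data_dir: '{{ letsencrypt_acme_sh_user_home }}/acme_data'

# acme.sh's own copy of certificates/keys lives under the data dir, keyed by
# the install dir name (host FQDN by default). The prefix references
# letsencrypt_acme_sh_certificates_install_dir before it is defined below;
# Ansible templates lazily, so this resolves.
letsencrypt_acme_sh_certs_data_prefix: '{{ letsencrypt_acme_sh_certificates_install_dir }}'
letsencrypt_acme_sh_certs_data_path: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_certs_data_prefix }}'

# Where the role installs the issued certificate for services to consume.
letsencrypt_acme_sh_certificates_install_dir: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certificates_install_base_path: '{{ letsencrypt_acme_sh_user_home }}/live'
letsencrypt_acme_sh_certificates_install_path: '{{ letsencrypt_acme_sh_certificates_install_base_path }}/{{ letsencrypt_acme_sh_certificates_install_dir }}'

letsencrypt_acme_sh_log_dir: /var/log/acme
letsencrypt_acme_sh_install_cron: false
letsencrypt_acme_sh_log_enabled: true
# Keep acme.sh from updating itself at renewal time; updates are driven by the
# git install above instead, where they can be reviewed.
letsencrypt_acme_sh_auto_upgrade: false
letsencrypt_acme_sh_install_options: '--install'
# NOTE(review): presumably selects the CA's staging/test endpoint when true --
# confirm against the tasks before relying on it for dry runs.
letsencrypt_acme_sh_test_request: false
letsencrypt_acme_sh_use_syslog: true
letsencrypt_acme_sh_syslog_level: 6

# We only support the PowerDNS API. Adding other ones should be straightforward
letsencrypt_acme_sh_use_dns_provider: false
letsencrypt_acme_sh_dns_provider_type: dns_pdns
# Plain http is only acceptable because the default points at localhost. When
# the API is on another host, use https or the token below travels in clear.
letsencrypt_acme_sh_dns_api_url: 'http://localhost:8081'
letsencrypt_acme_sh_dns_api_provider_id: localhost
# Use a vault variable for this one. The value here is a placeholder, not a
# working credential; never commit a real token in this file.
letsencrypt_acme_sh_dns_api_token: XXXXXXX

letsencrypt_acme_sh_command: acme.sh

# The data directory is created by the acme.sh install
letsencrypt_acme_sh_dirs:
  - '{{ letsencrypt_acme_sh_user_home }}/bin'
  - '{{ letsencrypt_acme_sh_base_data_dir }}/certs'
  - '{{ letsencrypt_acme_sh_base_data_dir }}/logs'
  # - '{{ letsencrypt_acme_sh_base_data_dir }}/data'

letsencrypt_acme_sh_dest_dir: '{{ ansible_fqdn }}'
letsencrypt_acme_sh_certs_dir: '{{ letsencrypt_acme_sh_base_data_dir }}/certs/{{ letsencrypt_acme_sh_dest_dir }}'
letsencrypt_acme_certs_dir: '{{ letsencrypt_acme_sh_certificates_install_path }}'

# The various services maintainers need to put the reconfigure/restart scripts there
letsencrypt_acme_services_scripts_dir: /usr/lib/acme/hooks
letsencrypt_acme_sh_services_scripts_dir: '{{ letsencrypt_acme_services_scripts_dir }}'

letsencrypt_acme_sh_explicitly_install_certs: true
letsencrypt_force_cert_request: false

# ECC is better, but most old distributions fail on them
letsencrypt_acme_sh_use_ecc: false
# Both *_key_lenght keys are misspelled, but the tasks consume them under these
# names; renaming them here is a breaking change for existing inventories.
letsencrypt_acme_sh_ecc_key_lenght: ec-384
letsencrypt_acme_sh_rsa_key_lenght: 4096
letsencrypt_acme_sh_ocsp_must_staple: false

# Default: ISRG Root X1
# This is a raw command-line fragment, presumably appended verbatim to the
# acme.sh invocation; only set it from trusted, reviewed sources.
letsencrypt_acme_sh_specific_root_ca: '--preferred-chain "ISRG Root X1"'

letsencrypt_acme_email: sysadmin@example.com
letsencrypt_acme_sh_email: '{{ letsencrypt_acme_email }}'

letsencrypt_acme_standalone_port: 4402
letsencrypt_acme_sh_standalone_port: '{{ letsencrypt_acme_standalone_port }}'

# Spread renewals across hosts. Jinja range() is end-exclusive, so hours are
# 1..3 and minutes 0..58. Seeding with the inventory hostname makes the pick
# stable per host; an unseeded random re-rolls on every play, so the cron task
# would rewrite the entry (and report changed) each run.
letsencrypt_acme_cron_day_of_month: '*'
letsencrypt_acme_cron_hour: '{{ range(1, 4) | random(seed=inventory_hostname) }}'
letsencrypt_acme_cron_minute: '{{ range(0, 59) | random(seed=inventory_hostname) }}'

letsencrypt_acme_services_hook_script: /usr/local/bin/acme-services-hook

# Use this when you want a single certificate. Even when multiple provider methods are needed
# The dns_provider and standalone options are mutually exclusive
letsencrypt_acme_sh_domains:
  - domain: '{{ ansible_fqdn }}'
    standalone: true

# Canonical lowercase boolean (was `True`, which YAML 1.2 parsers and yamllint
# do not treat as a boolean).
letsencrypt_firewalld_http_enabled_on_default_zone: true
# Opens the firewalld http service, not letsencrypt_acme_standalone_port above;
# confirm in the tasks how port 80 reaches the standalone listener.
# firewalld_default_zone is not defined in this role and must come from the caller.
letsencrypt_firewalld_services:
  - { service: 'http', state: 'enabled', zone: '{{ firewalld_default_zone }}' }

# Certificate/key files the role installs under the install path.
letsencrypt_acme_sh_domains_install:
  - domain: '{{ letsencrypt_acme_sh_certificates_install_dir }}'
    ecc: '{{ letsencrypt_acme_sh_use_ecc }}'
    cert_file: '{{ letsencrypt_acme_sh_certificates_install_path }}/cert'
    key_file: '{{ letsencrypt_acme_sh_certificates_install_path }}/privkey'
    fullchain_file: '{{ letsencrypt_acme_sh_certificates_install_path }}/fullchain'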