ISTI-ansible-roles
/
ansible-role-letsencrypt-acme-sh-client
5
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
ansible-role-letsencrypt-ac.../tasks/main.yml

221 lines
8.6 KiB
YAML
Raw Blame History

---
- name: Import the deb tasks
ansible.builtin.import_tasks: acmetool_deb.yml
when: ansible_distribution_file_variety == "Debian"
- name: Import the RH and derivatives
ansible.builtin.import_tasks: acmetool_rh.yml
when: ansible_distribution_file_variety == "RedHat"
- name: Prepare the acme.sh environment
when: letsencrypt_acme_install
tags: ['letsencrypt', 'letsencrypt_acme_sh']
block:
- name: Create the letsencrypt acme user
ansible.builtin.user:
name: "{{ letsencrypt_acme_sh_user }}"
home: "{{ letsencrypt_acme_sh_user_home }}"
createhome: false
shell: /usr/sbin/nologin
system: true
tags: ['letsencrypt', 'letsencrypt_user']
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
ansible.builtin.file:
dest: "{{ letsencrypt_acme_sh_user_home }}"
owner: "{{ letsencrypt_acme_sh_user }}"
group: "{{ letsencrypt_acme_sh_user }}"
state: directory
mode: 0755
recurse: true
- name: Create a directory where to put the cron job and hooks logs
ansible.builtin.file:
dest: "{{ letsencrypt_acme_sh_log_dir }}"
state: directory
owner: "{{ letsencrypt_acme_sh_user }}"
group: "{{ letsencrypt_acme_sh_user }}"
mode: 0750
- name: Install the acme.sh environment variables file
ansible.builtin.template:
src: acme_sh_request_env.j2
dest: /etc/default/acme_sh_request_env
owner: root
group: root
mode: 0444
register: acme_sh_issue
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_env', 'letsencrypt_req_cert']
- name: Install the script that initializes the acme.sh environment
ansible.builtin.copy:
src: acme-sh-install
dest: /usr/local/bin/acme-sh-install
owner: root
group: "{{ letsencrypt_acme_user }}"
mode: 0750
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Install a script that issues the certificates
ansible.builtin.template:
src: acme-sh-request-cert.sh.j2
dest: /usr/local/bin/acme-sh-request-cert
owner: root
group: "{{ letsencrypt_acme_user }}"
mode: 0750
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Install a script that installs the issued certificates
ansible.builtin.copy:
src: acme-sh-install-certs
dest: /usr/local/bin/acme-sh-install-certs
owner: root
group: "{{ letsencrypt_acme_user }}"
mode: 0750
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Install the script that will run the services hooks when a certificate is installed
ansible.builtin.template:
src: acme-services-hook.j2
dest: /usr/local/bin/acme-services-hook
owner: root
group: "{{ letsencrypt_acme_user }}"
mode: 0750
- name: Install the scripts that will be run as a cron job
ansible.builtin.template:
src: '{{ item }}.sh.j2'
dest: '/usr/local/bin/{{ item }}'
owner: root
group: acme
mode: 0750
loop:
- acme-sh-cron-script
- acme-sh-cron-command
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Remove the cron job under spool if it exists
ansible.builtin.cron:
name: "Letsencrypt certificate renewal"
day: '{{ letsencrypt_acme_cron_day_of_month }}'
hour: '{{ letsencrypt_acme_cron_hour }}'
minute: '{{ letsencrypt_acme_cron_minute }}'
job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
state: absent
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Install a daily cron job to renew the certificates when needed. It runs as root
ansible.builtin.cron:
name: "Letsencrypt certificate renewal"
cron_file: letsencrypt_renew_certificates
user: root
day: '{{ letsencrypt_acme_cron_day_of_month }}'
hour: '{{ letsencrypt_acme_cron_hour }}'
minute: '{{ letsencrypt_acme_cron_minute }}'
job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
- name: Acme.sh distribution
when: letsencrypt_acme_install
tags: ['letsencrypt', 'letsencrypt_acme_sh']
block:
- name: Download the acme.sh distribution
become: true
become_user: "{{ letsencrypt_acme_user }}"
ansible.builtin.git:
repo: "{{ letsencrypt_acme_sh_git_url }}"
dest: "{{ letsencrypt_acme_git_dest_dir }}"
recursive: true
update: false
force: true
- name: Force the upgrade of the acme.sh distribution
become: true
become_user: "{{ letsencrypt_acme_user }}"
ansible.builtin.git:
repo: "{{ letsencrypt_acme_sh_git_url }}"
dest: "{{ letsencrypt_acme_git_dest_dir }}"
recursive: true
update: true
force: true
when: letsencrypt_update_acme_distribution
- name: Create the letsencrypt acme.sh directory tree
ansible.builtin.file:
dest: "{{ item }}"
state: directory
owner: "{{ letsencrypt_acme_user }}"
group: "{{ letsencrypt_acme_user }}"
mode: 0755
with_items: '{{ letsencrypt_acme_sh_dirs }}'
- name: Run the installation command for acme.sh
ansible.builtin.command: /usr/local/bin/acme-sh-install
args:
creates: '{{ letsencrypt_acme_sh_user_home }}/bin/acme.sh'
- name: Create the letsencrypt acme.sh account configuration
ansible.builtin.template:
src: account.conf.j2
dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf"
owner: "{{ letsencrypt_acme_user }}"
group: "{{ letsencrypt_acme_user }}"
mode: 0440
tags: ['letsencrypt', 'letsencrypt_account_conf', 'letsencrypt_acme_sh']
- name: Certificates management
when: letsencrypt_acme_install
tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_req_cert']
block:
- name: Remove the ok_certificate_issued file when the env file has been changed so that we can force a new request
ansible.builtin.file:
dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued"
state: absent
when: (acme_sh_issue is changed) or letsencrypt_force_cert_request
- name: Request the certificates.
ansible.builtin.command: /usr/local/bin/acme-sh-request-cert
args:
creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued'
register: acme_sh_certificate_issued
- name: Print the install path
ansible.builtin.debug:
msg: "Certificates install path: {{ letsencrypt_acme_sh_certificates_install_path }}"
- name: Check if the certificates install path is a link
ansible.builtin.stat:
path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
register: cert_install_path
- name: Remove the certificates install path if it is a link
ansible.builtin.file:
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
state: absent
when: cert_install_path.stat.islink is defined and cert_install_path.stat.islink
- name: Create the certificates installation directory
ansible.builtin.file:
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
state: directory
owner: root
group: root
mode: 0755
- name: Install the certificates
ansible.builtin.command: /usr/local/bin/acme-sh-install-certs
when:
- letsencrypt_acme_sh_explicitly_install_certs | bool
- acme_sh_certificate_issued is defined
- acme_sh_certificate_issued is changed
- name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
ansible.builtin.lineinfile:
path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
create: false
state: present
regexp: "^Le_HTTPPort="
line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
when: not letsencrypt_acme_sh_use_dns_provider | bool
tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port', 'letsencrypt_req_cert']
View Git Blame Copy Permalink