204 lines
8.0 KiB
YAML
204 lines
8.0 KiB
YAML
---
|
|
- name: Import the deb tasks
|
|
ansible.builtin.import_tasks: acmetool_deb.yml
|
|
when: ansible_distribution_file_variety == "Debian"
|
|
|
|
- name: Import the RH and derivatives
|
|
ansible.builtin.import_tasks: acmetool_rh.yml
|
|
when: ansible_distribution_file_variety == "RedHat"
|
|
|
|
- name: Prepare the acme.sh environment
|
|
when: letsencrypt_acme_sh_install | bool
|
|
tags: ['letsencrypt', 'letsencrypt_acme_sh']
|
|
block:
|
|
- name: Create the letsencrypt acme user
|
|
ansible.builtin.user:
|
|
name: "{{ letsencrypt_acme_sh_user }}"
|
|
home: "{{ letsencrypt_acme_sh_user_home }}"
|
|
createhome: false
|
|
shell: /usr/sbin/nologin
|
|
system: true
|
|
tags: ['letsencrypt', 'letsencrypt_user']
|
|
|
|
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
|
|
ansible.builtin.file:
|
|
dest: "{{ letsencrypt_acme_sh_user_home }}"
|
|
owner: "{{ letsencrypt_acme_sh_user }}"
|
|
group: "{{ letsencrypt_acme_sh_user }}"
|
|
state: directory
|
|
mode: 0755
|
|
recurse: true
|
|
|
|
- name: Create a directory where to put the cron job and hooks logs
|
|
ansible.builtin.file:
|
|
dest: "{{ letsencrypt_acme_sh_log_dir }}"
|
|
state: directory
|
|
owner: "{{ letsencrypt_acme_sh_user }}"
|
|
group: "{{ letsencrypt_acme_sh_user }}"
|
|
mode: 0750
|
|
|
|
- name: Install the acme.sh environment variables file
|
|
ansible.builtin.template:
|
|
src: acme_sh_request_env.j2
|
|
dest: /etc/default/acme_sh_request_env
|
|
owner: root
|
|
group: root
|
|
mode: 0444
|
|
register: acme_sh_issue
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_env', 'letsencrypt_req_cert']
|
|
|
|
- name: Install the script that initializes the acme.sh environment
|
|
ansible.builtin.copy:
|
|
src: acme-sh-install
|
|
dest: /usr/local/bin/acme-sh-install
|
|
owner: root
|
|
group: "{{ letsencrypt_acme_user }}"
|
|
mode: 0750
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Install a script that issues the certificates
|
|
ansible.builtin.template:
|
|
src: acme-sh-request-cert.sh.j2
|
|
dest: /usr/local/bin/acme-sh-request-cert
|
|
owner: root
|
|
group: "{{ letsencrypt_acme_user }}"
|
|
mode: 0750
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Install a script that installs the issued certificates
|
|
ansible.builtin.copy:
|
|
src: acme-sh-install-certs
|
|
dest: /usr/local/bin/acme-sh-install-certs
|
|
owner: root
|
|
group: "{{ letsencrypt_acme_user }}"
|
|
mode: 0750
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Install the script that will run the services hooks when a certificate is installed
|
|
ansible.builtin.template:
|
|
src: acme-services-hook.j2
|
|
dest: /usr/local/bin/acme-services-hook
|
|
owner: root
|
|
group: "{{ letsencrypt_acme_user }}"
|
|
mode: 0750
|
|
|
|
- name: Install the scripts that will be run as a cron job
|
|
ansible.builtin.template:
|
|
src: '{{ item }}.sh.j2'
|
|
dest: '/usr/local/bin/{{ item }}'
|
|
owner: root
|
|
group: acme
|
|
mode: 0750
|
|
loop:
|
|
- acme-sh-cron-script
|
|
- acme-sh-cron-command
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Remove the cron job under spool if it exists
|
|
ansible.builtin.cron:
|
|
name: "Letsencrypt certificate renewal"
|
|
day: '{{ letsencrypt_acme_cron_day_of_month }}'
|
|
hour: '{{ letsencrypt_acme_cron_hour }}'
|
|
minute: '{{ letsencrypt_acme_cron_minute }}'
|
|
job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
|
|
state: absent
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Install a daily cron job to renew the certificates when needed. It runs as root
|
|
ansible.builtin.cron:
|
|
name: "Letsencrypt certificate renewal"
|
|
cron_file: letsencrypt_renew_certificates
|
|
user: root
|
|
day: '{{ letsencrypt_acme_cron_day_of_month }}'
|
|
hour: '{{ letsencrypt_acme_cron_hour }}'
|
|
minute: '{{ letsencrypt_acme_cron_minute }}'
|
|
job: "/usr/local/bin/acme-sh-cron-script > {{ letsencrypt_acme_sh_log_dir }}/acme-cron.log 2>&1"
|
|
tags: ['letsencrypt', 'letsencrypt_cron', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_scripts']
|
|
|
|
- name: Acme.sh distribution
|
|
become: true
|
|
become_user: '{{ letsencrypt_acme_sh_user }}'
|
|
when: letsencrypt_acme_sh_install | bool
|
|
tags: ['letsencrypt', 'letsencrypt_acme_sh']
|
|
block:
|
|
- name: Download the acme.sh distribution
|
|
ansible.builtin.git:
|
|
repo: "{{ letsencrypt_acme_sh_git_url }}"
|
|
dest: "{{ letsencrypt_acme_git_dest_dir }}"
|
|
recursive: true
|
|
update: true
|
|
when: letsencrypt_update_acme_distribution
|
|
|
|
- name: Create the letsencrypt acme.sh directory tree
|
|
ansible.builtin.file:
|
|
dest: "{{ item }}"
|
|
state: directory
|
|
mode: 0755
|
|
with_items: '{{ letsencrypt_acme_sh_dirs }}'
|
|
|
|
- name: Run the installation command for acme.sh
|
|
ansible.builtin.command: /usr/local/bin/acme-sh-install
|
|
args:
|
|
creates: '{{ letsencrypt_acme_sh_user_home }}/bin/acme.sh'
|
|
|
|
- name: Create the letsencrypt acme.sh account configuration
|
|
ansible.builtin.template:
|
|
src: account.conf.j2
|
|
dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/account.conf"
|
|
owner: root
|
|
group: "{{ letsencrypt_acme_user }}"
|
|
mode: 0640
|
|
tags: ['letsencrypt', 'letsencrypt_account_conf', 'letsencrypt_acme_sh']
|
|
|
|
- name: Certificates management
|
|
when: letsencrypt_acme_sh_install | bool
|
|
tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_req_cert']
|
|
block:
|
|
- name: Remove the ok_certificate_issued file when the env file has been changed so that we can force a new request
|
|
ansible.builtin.file:
|
|
dest: "{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued"
|
|
state: absent
|
|
when: (acme_sh_issue is changed) or letsencrypt_force_cert_request
|
|
|
|
- name: Request the certificates.
|
|
ansible.builtin.command: /usr/local/bin/acme-sh-request-cert
|
|
args:
|
|
creates: '{{ letsencrypt_acme_sh_base_data_dir }}/data/ok_certificate_issued'
|
|
register: acme_sh_certificate_issued
|
|
|
|
- name: Check if the certificates install path is a link
|
|
ansible.builtin.stat:
|
|
path: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
|
register: cert_install_path
|
|
|
|
- name: Remove the certificates install path if it is a link
|
|
ansible.builtin.file:
|
|
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
|
state: absent
|
|
when: cert_install_path.stat.islink is defined and cert_install_path.stat.islink
|
|
|
|
- name: Create the certificates installation directory
|
|
ansible.builtin.file:
|
|
dest: "{{ letsencrypt_acme_sh_certificates_install_path }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
|
|
- name: Install the certificates
|
|
ansible.builtin.command: /usr/local/bin/acme-sh-install-certs
|
|
when:
|
|
- letsencrypt_acme_sh_explicitly_install_certs | bool
|
|
- acme_sh_certificate_issued is defined
|
|
- acme_sh_certificate_issued is changed
|
|
|
|
- name: Fix the http port in the configuration. Needed when we renew using the http protocol and we are behind a web server
|
|
ansible.builtin.lineinfile:
|
|
path: '{{ letsencrypt_acme_sh_certs_data_path }}/{{ letsencrypt_acme_sh_certs_data_prefix }}.conf'
|
|
create: false
|
|
state: present
|
|
regexp: "^Le_HTTPPort="
|
|
line: "Le_HTTPPort='{{ letsencrypt_acme_standalone_port }}'"
|
|
when: not letsencrypt_acme_sh_use_dns_provider | bool
|
|
tags: ['letsencrypt', 'letsencrypt_acme_sh', 'letsencrypt_acme_sh_http_port', 'letsencrypt_req_cert']
|