2016-04-14 19:08:33 +02:00
|
|
|
---
|
|
|
|
- name: Install the letsencrypt acmetool repo on ubuntu
|
|
|
|
apt_repository: repo={{ letsencrypt_acme_ppa_repo }} state=present update_cache=yes
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
|
|
|
- is_ubuntu
|
2016-05-28 15:04:01 +02:00
|
|
|
- letsencrypt_pkg_install
|
2016-04-16 18:48:54 +02:00
|
|
|
notify: Initialize letsencrypt acmetool
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Install the letsencrypt acmetool repo key on debian
|
|
|
|
apt_key: keyserver=keyserver.ubuntu.com id={{ letsencrypt_acme_debian_repo_key }}
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
|
|
|
- is_debian
|
2016-05-28 15:04:01 +02:00
|
|
|
- letsencrypt_pkg_install
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Install the letsencrypt acmetool repo on debian
|
|
|
|
apt_repository: repo={{ letsencrypt_acme_debian_repo }} state=present update_cache=yes
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
|
|
|
- is_debian
|
2016-05-28 15:04:01 +02:00
|
|
|
- letsencrypt_pkg_install
|
2016-04-16 18:48:54 +02:00
|
|
|
notify: Initialize letsencrypt acmetool
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
2016-09-05 16:40:57 +02:00
|
|
|
- name: Create the letsencrypt acme user
|
2017-10-20 15:55:17 +02:00
|
|
|
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes
|
2016-04-20 15:21:19 +02:00
|
|
|
when: letsencrypt_acme_install
|
2017-11-17 13:11:48 +01:00
|
|
|
tags: [ 'letsencrypt', 'letsencrypt_user' ]
|
2016-04-20 15:21:19 +02:00
|
|
|
|
2016-09-05 16:40:57 +02:00
|
|
|
- name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there.
|
2016-04-20 15:21:19 +02:00
|
|
|
file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes
|
2016-04-14 19:08:33 +02:00
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
2016-10-03 22:56:27 +02:00
|
|
|
- name: Install the letsencrypt acmetool package and some deps
|
2016-11-02 16:24:47 +01:00
|
|
|
apt: pkg={{ item }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600
|
2016-10-03 22:56:27 +02:00
|
|
|
with_items: '{{ letsencrypt_acme_pkgs }}'
|
2016-05-28 15:04:01 +02:00
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
|
|
|
- letsencrypt_pkg_install
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Create the letsencrypt acme config directory
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
|
|
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Create the letsencrypt acme desired domains directory
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
|
|
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Create the letsencrypt acme hooks directory
|
|
|
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Install a default file that shell scripts can include
|
|
|
|
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Install the letsencrypt acme responses file
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
|
|
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
|
|
|
|
when: letsencrypt_acme_install
|
2016-09-09 13:39:03 +02:00
|
|
|
tags: [ 'letsencrypt', 'letsencrypt_responses' ]
|
2016-04-14 19:08:33 +02:00
|
|
|
|
|
|
|
- name: Install the letsencrypt acme certs config file
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
|
|
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
|
|
|
|
when: letsencrypt_acme_install
|
2017-10-24 16:44:03 +02:00
|
|
|
register: letsencrypt_new_desired_file
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
|
|
|
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
2017-10-20 15:55:17 +02:00
|
|
|
- letsencrypt_acme_authenticator == 'listener'
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
|
|
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
2017-11-20 19:28:25 +01:00
|
|
|
- letsencrypt_acme_authenticator != 'listener'
|
2016-05-28 16:31:52 +02:00
|
|
|
ignore_errors: True
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|
2016-04-16 18:48:54 +02:00
|
|
|
- name: Install the sudoers config needed to run the acmetool hooks
|
|
|
|
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
2016-04-18 17:01:05 +02:00
|
|
|
- name: Create a directory where to put the cron job and hooks logs
|
|
|
|
file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750
|
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
2016-05-06 13:22:34 +02:00
|
|
|
|
|
|
|
- name: Install a script that requests the certificates and manage the self signed certificate
|
|
|
|
template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755
|
2016-04-16 18:48:54 +02:00
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
2017-10-20 15:55:17 +02:00
|
|
|
|
|
|
|
- name: Set certificates as to be revoked
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
|
|
file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke
|
|
|
|
with_items: '{{ letsencrypt_certs_revoke_list }}'
|
|
|
|
when:
|
|
|
|
- letsencrypt_acme_install
|
|
|
|
- letsencrypt_certs_revoke_list is defined
|
|
|
|
tags: letsencrypt
|
2016-05-06 13:22:34 +02:00
|
|
|
|
|
|
|
- name: Install a daily cron job to renew the certificates when needed
|
2016-10-18 19:31:19 +02:00
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
2017-11-21 16:43:01 +01:00
|
|
|
cron: name="Letsencrypt certificate renewal" special_time=daily job="SLEEP_SECONDS=$(echo $[($RANDOM %1200)]) ; sleep ${SLEEP_SECONDS} ; /usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1"
|
2016-04-14 19:08:33 +02:00
|
|
|
when: letsencrypt_acme_install
|
|
|
|
tags: letsencrypt
|
|
|
|
|
|
|
|
- name: letsencrypt acmetool request the first certificate
|
|
|
|
become: True
|
|
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
2017-11-07 15:34:27 +01:00
|
|
|
command: '/usr/local/bin/acme-cert-request'
|
2017-10-24 16:44:03 +02:00
|
|
|
when: ( letsencrypt_new_desired_file | changed )
|
2016-04-16 18:48:54 +02:00
|
|
|
ignore_errors: True
|
2016-04-14 19:08:33 +02:00
|
|
|
tags: letsencrypt
|
|
|
|
|