--- - name: Install the letsencrypt acmetool repo on ubuntu apt_repository: repo={{ letsencrypt_acme_ppa_repo }} state=present update_cache=yes when: - letsencrypt_acme_install - is_ubuntu - letsencrypt_pkg_install notify: Initialize letsencrypt acmetool tags: letsencrypt - name: Install the letsencrypt acmetool repo key on debian apt_key: keyserver=keyserver.ubuntu.com id={{ letsencrypt_acme_debian_repo_key }} when: - letsencrypt_acme_install - is_debian - letsencrypt_pkg_install tags: letsencrypt - name: Install the letsencrypt acmetool repo on debian apt_repository: repo={{ letsencrypt_acme_debian_repo }} state=present update_cache=yes when: - letsencrypt_acme_install - is_debian - letsencrypt_pkg_install notify: Initialize letsencrypt acmetool tags: letsencrypt - name: Create the letsencrypt acme user user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=no shell=/usr/sbin/nologin system=yes when: letsencrypt_acme_install tags: [ 'letsencrypt', 'letsencrypt_user' ] - name: Create the letsencrypt acme home, if it does not exist already. In a separate step because it could be already there. file: dest={{ letsencrypt_acme_user_home }} owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} state=directory recurse=yes when: letsencrypt_acme_install tags: letsencrypt - name: Install the letsencrypt acmetool package and some deps apt: pkg={{ item }} state={{ letsencrypt_acme_pkg_state }} update_cache=yes cache_valid_time=3600 with_items: '{{ letsencrypt_acme_pkgs }}' when: - letsencrypt_acme_install - letsencrypt_pkg_install tags: letsencrypt - name: Create the letsencrypt acme config directory become: True become_user: '{{ letsencrypt_acme_user }}' file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755 when: letsencrypt_acme_install tags: letsencrypt - name: Create the letsencrypt acme desired domains directory become: True become_user: '{{ letsencrypt_acme_user }}' file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755 when: letsencrypt_acme_install tags: letsencrypt - name: Create the letsencrypt acme hooks directory file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755 when: letsencrypt_acme_install tags: letsencrypt - name: Install a default file that shell scripts can include template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644 when: letsencrypt_acme_install tags: letsencrypt - name: Install the letsencrypt acme responses file become: True become_user: '{{ letsencrypt_acme_user }}' template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644 when: letsencrypt_acme_install tags: [ 'letsencrypt', 'letsencrypt_responses' ] - name: Install the letsencrypt acme certs config file become: True become_user: '{{ letsencrypt_acme_user }}' template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644 when: letsencrypt_acme_install register: letsencrypt_new_desired_file tags: letsencrypt - name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present when: - letsencrypt_acme_install - letsencrypt_acme_authenticator == 'listener' tags: letsencrypt - name: Remove the cap_net_bind_service capability to the acmetool binary if not needed capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent when: - letsencrypt_acme_install - letsencrypt_acme_authenticator != 'listener' ignore_errors: True tags: letsencrypt - name: Install the sudoers config needed to run the acmetool hooks template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440 when: letsencrypt_acme_install tags: letsencrypt - name: Create a directory where to put the cron job and hooks logs file: dest={{ letsencrypt_acme_log_dir }} state=directory owner={{ letsencrypt_acme_user }} group={{ letsencrypt_acme_user }} mode=0750 when: letsencrypt_acme_install tags: letsencrypt - name: Install a script that requests the certificates and manage the self signed certificate template: src=acme-cert-request.sh.j2 dest=/usr/local/bin/acme-cert-request owner=root group=root mode=0755 when: letsencrypt_acme_install tags: [ 'letsencrypt', 'letsencrypt_cron' ] - name: Set certificates as to be revoked become: True become_user: '{{ letsencrypt_acme_user }}' file: dest={{ letsencrypt_acme_user_home }}certs/{{ item.cert_name }}/revoke with_items: '{{ letsencrypt_certs_revoke_list }}' when: - letsencrypt_acme_install - letsencrypt_certs_revoke_list is defined tags: letsencrypt - name: Remove the old cron script file: dest=/usr/local/bin/cron-acme-cert-request state=absent when: letsencrypt_acme_install tags: [ 'letsencrypt', 'letsencrypt_cron' ] - name: Install a daily cron job to renew the certificates when needed become: True become_user: '{{ letsencrypt_acme_user }}' cron: name="Letsencrypt certificate renewal" day={{ letsencrypt_acme_cron_day_of_month }} hour={{ letsencrypt_acme_cron_hour }} minute={{ letsencrypt_acme_cron_minute }} job="/usr/local/bin/acme-cert-request > {{ letsencrypt_acme_log_dir }}/acme-cron.log 2>&1" when: letsencrypt_acme_install tags: [ 'letsencrypt', 'letsencrypt_cron' ] - name: letsencrypt acmetool request the first certificate become: True become_user: '{{ letsencrypt_acme_user }}' command: '/usr/local/bin/acme-cert-request' when: letsencrypt_new_desired_file is changed ignore_errors: True tags: letsencrypt