forked from ISTI-ansible-roles/ansible-roles
113 lines
4.1 KiB
YAML
113 lines
4.1 KiB
YAML
---
|
|
- name: Install the letsencrypt acmetool repo on ubuntu
|
|
apt_repository: repo={{ letsencrypt_acme_ppa_repo }} state=present update_cache=yes
|
|
when:
|
|
- letsencrypt_acme_install
|
|
- is_ubuntu
|
|
tags: letsencrypt
|
|
|
|
- name: Install the letsencrypt acmetool repo key on debian
|
|
apt_key: keyserver=keyserver.ubuntu.com id={{ letsencrypt_acme_debian_repo_key }}
|
|
when:
|
|
- letsencrypt_acme_install
|
|
- is_debian
|
|
tags: letsencrypt
|
|
|
|
- name: Install the letsencrypt acmetool repo on debian
|
|
apt_repository: repo={{ letsencrypt_acme_debian_repo }} state=present update_cache=yes
|
|
when:
|
|
- letsencrypt_acme_install
|
|
- is_debian
|
|
tags: letsencrypt
|
|
|
|
- name: Create the letsencrytp acme user
|
|
user: name={{ letsencrypt_acme_user }} home={{ letsencrypt_acme_user_home }} createhome=yes shell=/bin/bash
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install the letsencrypt acmetool package
|
|
apt: pkg=acmetool state=installed
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Create the letsencrypt acme config directory
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
file: dest={{ letsencrypt_acme_config_dir }} state=directory mode=0755
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Create the letsencrypt acme desired domains directory
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
file: dest={{ letsencrypt_acme_certsconf_dir }} state=directory mode=0755
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Create the letsencrypt acme hooks directory
|
|
file: dest={{ letsencrypt_acme_services_scripts_dir }} state=directory owner=root group=root mode=0755
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install a default file that shell scripts can include
|
|
template: src=letsencrypt-default.j2 dest=/etc/default/letsencrypt owner=root group=root mode=0644
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install the letsencrypt acme responses file
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
template: src=responses.j2 dest={{ letsencrypt_acme_config_dir }}/responses mode=0644
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install the letsencrypt acme certs config file
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
template: src=cert-requirements.j2 dest={{ letsencrypt_acme_certsconf_dir }}/{{ ansible_fqdn }} mode=0644
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Set the cap_net_bind_service capability to the acmetool binary when we use it in listener mode
|
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=present
|
|
when:
|
|
- letsencrypt_acme_install
|
|
- "'{{ letsencrypt_acme_authenticator }}' == 'listener'"
|
|
tags: letsencrypt
|
|
|
|
- name: Remove the cap_net_bind_service capability to the acmetool binary if not needed
|
|
capabilities: path=/usr/bin/acmetool capability=cap_net_bind_service+ep state=absent
|
|
when:
|
|
- letsencrypt_acme_install
|
|
- "'{{ letsencrypt_acme_authenticator }}' != 'listener'"
|
|
tags: letsencrypt
|
|
|
|
- name: letsencrypt acmetool initializaztion
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
command: '{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} quickstart'
|
|
args:
|
|
creates: '{{ letsencrypt_acme_user_home }}/accounts'
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: letsencrypt acmetool request the first certificate
|
|
become: True
|
|
become_user: '{{ letsencrypt_acme_user }}'
|
|
command: '{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile'
|
|
args:
|
|
creates: '{{ letsencrypt_acme_certs_dir }}/cert'
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install the sudoers config needed to run the acmetool hooks
|
|
template: src=acme-sudoers.j2 dest=/etc/sudoers.d/letsencrypt-acme owner=root group=root mode=0440
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|
|
- name: Install a daily cron job to renew the certificates when needed
|
|
cron: name="Letsencrypt certificate renewal" special_time=daily job="{{ letsencrypt_acme_command }} {{ letsencrypt_acme_command_opts }} reconcile" user={{ letsencrypt_acme_user }}
|
|
when: letsencrypt_acme_install
|
|
tags: letsencrypt
|
|
|