infra/playbooks/roles/certbot/tasks/main.yml

---

- name: Install certbot deps
  ansible.builtin.apt:
    name:
      - python3-certbot
      - python3-certbot-dns-cloudflare
    state: present

- name: Install
  ansible.builtin.template:
    src: cloudflare-credentials.ini.j2
    dest: "{{ cloudflare_credentials_destination }}"
    mode: 0700

- name: Ensure existance of {{ certbot_post_hook_dir }}
  ansible.builtin.file:
    path: "{{ certbot_post_hook_dir }}"
    state: directory
    mode: o=rw,g=r,a+x

- name: Add renewal_post_upgrade hook
  ansible.builtin.copy:
    src: renewal_post_upgrade.sh
    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
    mode: a+x
    owner: root
    group: root

- name: Check for existence of certificates
  ansible.builtin.stat:
    path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
  loop: "{{ host_domains[inventory_hostname] }}"
  register: cert_check
- name: Construct domains needing ACME requests list
  ansible.builtin.set_fact:
    domain_request_list: >
      {% for domain in host_domains[inventory_hostname] %}
      {% set domain_index = loop.index0 %}
      {% if not cert_check.results[domain_index].stat.exists %}
      {{ domain }}
      {% endif %}
      {% endfor %}

- name: Request acmedns challenges if there are such domains that need certs
  ansible.builtin.shell: >
    certbot certonly --dns-cloudflare \
      --dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \
      --non-interactive \
      --manual-public-ip-logging-ok \
      --agree-tos -m {{ certbot_email }} \
      --preferred-challenges dns --debug-challenges \
      --dns-cloudflare-propagation-seconds 20 \
      -d {{ item }}
  loop: "{{ domain_request_list.split() }}"
  changed_when: domain_request_list | trim != ''

- name: Certbot daily renewal cron job
  ansible.builtin.cron:
    name: "letsencrypt_daily_renewal"
    special_time: "daily"
    job: "certbot renew --non-interactive"
    cron_file: "certbot_renewal"
    user: root
add certbot 2024-03-17 19:24:23 -04:00			`---`

			`- name: Install certbot deps`
			`ansible.builtin.apt:`
			`name:`
			`- python3-certbot`
			`- python3-certbot-dns-cloudflare`
			`state: present`

			`- name: Install`
			`ansible.builtin.template:`
			`src: cloudflare-credentials.ini.j2`
			`dest: "{{ cloudflare_credentials_destination }}"`
add certbot 2024-03-18 17:36:03 -04:00			`mode: 0700`
add certbot 2024-03-17 19:24:23 -04:00
			`- name: Ensure existance of {{ certbot_post_hook_dir }}`
			`ansible.builtin.file:`
			`path: "{{ certbot_post_hook_dir }}"`
			`state: directory`
			`mode: o=rw,g=r,a+x`

			`- name: Add renewal_post_upgrade hook`
			`ansible.builtin.copy:`
			`src: renewal_post_upgrade.sh`
			`dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"`
			`mode: a+x`
			`owner: root`
			`group: root`

			`- name: Check for existence of certificates`
			`ansible.builtin.stat:`
			`path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"`
			`loop: "{{ host_domains[inventory_hostname] }}"`
			`register: cert_check`
			`- name: Construct domains needing ACME requests list`
			`ansible.builtin.set_fact:`
			`domain_request_list: >`
			`{% for domain in host_domains[inventory_hostname] %}`
			`{% set domain_index = loop.index0 %}`
			`{% if not cert_check.results[domain_index].stat.exists %}`
			`{{ domain }}`
			`{% endif %}`
			`{% endfor %}`

			`- name: Request acmedns challenges if there are such domains that need certs`
			`ansible.builtin.shell: >`
			`certbot certonly --dns-cloudflare \`
			`--dns-cloudflare-credentials {{ cloudflare_credentials_destination }} \`
			`--non-interactive \`
			`--manual-public-ip-logging-ok \`
			`--agree-tos -m {{ certbot_email }} \`
			`--preferred-challenges dns --debug-challenges \`
			`--dns-cloudflare-propagation-seconds 20 \`
			`-d {{ item }}`
			`loop: "{{ domain_request_list.split() }}"`
			`changed_when: domain_request_list \| trim != ''`

			`- name: Certbot daily renewal cron job`
			`ansible.builtin.cron:`
			`name: "letsencrypt_daily_renewal"`
			`special_time: "daily"`
			`job: "certbot renew --non-interactive"`
			`cron_file: "certbot_renewal"`
			`user: root`