infra/playbooks/roles/certbot/tasks/main.yml


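---
# Obtains a Let's Encrypt certificate for every domain assigned to this host
# (host_domains[inventory_hostname]) using certbot's Cloudflare DNS-01 plugin,
# installs a post-renewal hook, and schedules a daily `certbot renew`.
- name: Install certbot deps
  ansible.builtin.apt:
    name:
      - python3-certbot
      - python3-certbot-dns-cloudflare
    state: present

# The rendered file carries the Cloudflare API credentials certbot uses for
# the DNS-01 challenge, so it must be readable by root only. The previous
# symbolic mode `o=rw` granted read/write to *others* (chmod `o` is "others",
# not "owner"), exposing the API token to every local account; certbot itself
# refuses or warns on a credentials file with unsafe permissions.
- name: Install
  ansible.builtin.template:
    src: cloudflare-credentials.ini.j2
    dest: "{{ cloudflare_credentials_destination }}"
    owner: root
    group: root
    mode: "0600"

# Scripts placed here run as root after a successful renewal. The previous
# mode `o=rw,g=r,a+x` left the directory world-writable, which would let any
# local user drop a script that is later executed as root. Only the owner may
# write; everyone may traverse/read.
- name: Ensure existance of {{ certbot_post_hook_dir }}
  ansible.builtin.file:
    path: "{{ certbot_post_hook_dir }}"
    state: directory
    owner: root
    group: root
    mode: "0755"

- name: Add renewal_post_upgrade hook
  ansible.builtin.copy:
    src: renewal_post_upgrade.sh
    dest: "{{ certbot_post_hook_dir }}/renewal_post_upgrade.sh"
    owner: root
    group: root
    # absolute mode instead of `a+x`: a relative symbolic mode leaves the
    # remaining bits to the umask of the managing session, so the result
    # differs between runs/hosts
    mode: "0755"

- name: Check for existence of certificates
  ansible.builtin.stat:
    path: "{{ certbot_live_dir }}/{{ item }}/fullchain.pem"
  loop: "{{ host_domains[inventory_hostname] }}"
  register: cert_check

# Build a whitespace-separated string of the domains with no fullchain.pem yet.
# cert_check.results is in loop order, so results[i] belongs to
# host_domains[inventory_hostname][i]; the consumer below calls .split() on it.
- name: Construct domains needing ACME requests list
  ansible.builtin.set_fact:
    domain_request_list: >
      {% for domain in host_domains[inventory_hostname] %}
      {% set domain_index = loop.index0 %}
      {% if not cert_check.results[domain_index].stat.exists %}
      {{ domain }}
      {% endif %}
      {% endfor %}

# `command` with an argv list instead of `shell`: no shell is involved, so the
# credentials path and the domain are passed as single arguments whatever
# they contain. This also retires the folded-scalar (`>`) + trailing-backslash
# form, in which each line break became a space and every `\` then turned into
# an escaped-space argument (" ") rather than a line continuation.
- name: Request acmedns challenges if there are such domains that need certs
  ansible.builtin.command:
    argv:
      - certbot
      - certonly
      - --dns-cloudflare
      - --dns-cloudflare-credentials
      - "{{ cloudflare_credentials_destination }}"
      - --non-interactive
      # NOTE(review): this flag is deprecated in recent certbot releases (kept
      # as a no-op or removed depending on version) — confirm against the
      # certbot version the apt task installs before relying on it
      - --manual-public-ip-logging-ok
      - --agree-tos
      - -m
      - "{{ certbot_email }}"
      - --preferred-challenges
      - dns
      - --debug-challenges
      - --dns-cloudflare-propagation-seconds
      - "20"
      - -d
      - "{{ item }}"
  loop: "{{ domain_request_list.split() }}"
  changed_when: domain_request_list | trim != ''

# Renewal itself is non-interactive; hooks under certbot_post_hook_dir are
# presumably picked up by `certbot renew` — verify that the variable points at
# certbot's renewal-hooks/post location on the target.
- name: Certbot daily renewal cron job
  ansible.builtin.cron:
    name: "letsencrypt_daily_renewal"
    special_time: "daily"
    job: "certbot renew --non-interactive"
    cron_file: "certbot_renewal"
    user: root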