commit aa9e1b2346d68347eb2b3192a1c31b6cd183e1f8
Author: Philip (a-0) <@ph:a-0.me>
Date: Fri Jul 22 00:41:16 2022 +0200

Initial commit

diff --git a/defaults/main.yml b/defaults/main.yml
new file mode 100644
index 0000000..59bc784
--- /dev/null
+++ b/defaults/main.yml
@@ -0,0 +1,3 @@
+---
+certbot_os_supported: False
+
diff --git a/example_playbook.yml b/example_playbook.yml
new file mode 100644
index 0000000..5bcf0b5
--- /dev/null
+++ b/example_playbook.yml
@@ -0,0 +1,10 @@
+- hosts: certbot.machine.tld
+ roles:
+ - certbot
+ vars:
+ certbot_mail_address: mail@example.com
+ certbot_domains:
+ - primary.my.tld
+ - another.my.tld
+ certbot_post_renewal_script: |
+ scp /etc/letsencrypt/live/primary.my.tld/fullchain.pem remote:/etc/certdest
\ No newline at end of file
diff --git a/handlers/main.yml b/handlers/main.yml
new file mode 100644
index 0000000..ed97d53
--- /dev/null
+++ b/handlers/main.yml
@@ -0,0 +1 @@
+---
diff --git a/meta/main.yml b/meta/main.yml
new file mode 100644
index 0000000..2002130
--- /dev/null
+++ b/meta/main.yml
@@ -0,0 +1,2 @@
+---
+galaxy_info:
\ No newline at end of file
diff --git a/tasks/main.yml b/tasks/main.yml
new file mode 100644
index 0000000..0f10097
--- /dev/null
+++ b/tasks/main.yml
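Review bot: `certbot_os_supported: False` spells the boolean with a capital, which yamllint's truthy rule and ansible-lint flag; `false` is the portable form, and vars/debian.yml has the same issue with `True`. The role also reads `certbot_mail_address`, `certbot_domains` and `certbot_post_renewal_script` from the caller but declares none of them here, so nothing documents what a playbook must set or that `certbot_domains[0]` names the certificate directory. A commented entry per required variable, e.g. `# certbot_domains: []  # required; the first entry names the live cert directory`, would make that contract visible in the one file users read.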
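Review bot: `galaxy_info:` with nothing under it parses as null, so meta/main.yml carries no metadata and no `dependencies:` list; `ansible-galaxy` and ansible-lint expect at least `author`, `description`, `license`, `min_ansible_version` and `platforms` there, and `dependencies: []` at top level. If filling this in is deferred, a `# TODO: populate before publishing to Galaxy` comment would stop the empty key from looking intentional.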
@@ -0,0 +1,62 @@
+---
+- name: Set OS dependent variables
+ ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+ vars:
+ params:
+ files:
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+ - "{{ ansible_distribution | lower }}.yml"
+ - "{{ ansible_os_family | lower }}.yml"
+ - "{{ ansible_system | lower }}.yml"
+ paths:
+ - '{{ role_path }}/vars'
+ ignore_errors: True
+
+- name: OS is supported
+ ansible.builtin.assert:
+ that: __os_supported
+ quiet: True
+ vars:
+ __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+- name: Install certbot
+ apt:
+ state: latest
+ pkg:
+ - certbot
+ update_cache: yes
+
+- name: Set renewal script if desired
+ copy:
+ content: "{{ certbot_post_renewal_script }}"
+ dest: "{{ certbot_renewal_scripts_path }}{{ certbot_domains[0] }}.sh"
+ mode: 0700
+ when: certbot_post_renewal_script is defined
+
+- name: Set certbot systemd service
+ template:
+ src: certbot.service.j2
+ dest: "{{ certbot_service_path }}"
+ mode: 0600
+
+- name: Ensure certbot systemd service is enabled
+ systemd:
+ name: certbot.service
+ state: started
+ enabled: yes
+
+- name: Ensure certbot systemd timer is enabled
+ systemd:
+ name: certbot.timer
+ state: started
+ enabled: yes
+
+- name: Check whether the cert already exists
+ stat:
+ path: "{{ certbot_live_certs_path }}{{ certbot_domains[0] }}/fullchain.pem"
+ register: live_cert
+
+- name: Obtain certificate
+ shell: certbot certonly --standalone --rsa-key-size 4096 {% for domain in certbot_domains %}-d {{ domain }} {% endfor %}-m {{ certbot_mail_address }} --agree-tos
+ when: live_cert.stat.exists == False
\ No newline at end of file
diff --git a/templates/certbot.service.j2 b/templates/certbot.service.j2
new file mode 100644
index 0000000..8e6a696
--- /dev/null
+++ b/templates/certbot.service.j2
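Review bot: `certbot_service_path`, used as the `dest` of 'Set certbot systemd service', is not defined in defaults/main.yml or vars/debian.yml anywhere in this commit, so that task fails with an undefined variable unless every playbook sets it, and `certbot_renewal_scripts_path` is never created, so the `copy` in 'Set renewal script if desired' fails on a fresh host where the directory does not exist. Define the path alongside the others in vars/debian.yml (pointing at a unit under /etc/systemd/system rather than overwriting the one the certbot package ships, which a package upgrade would revert — confirm against the package) and add a `file` task that creates the directory root-owned with mode `"0700"` before the copy, since everything placed in it is later executed as root. 'Obtain certificate' interpolates `certbot_domains` and `certbot_mail_address` into a `shell` line unquoted, so a value containing shell metacharacters is interpreted rather than passed through; `{{ domain | quote }}` and `{{ certbot_mail_address | quote }}` fix that, and the module's `creates:` argument can replace the separate stat task and the `== False` comparison. `ignore_errors: True` on the include_vars also hides real errors in the vars files — `first_found` accepts `skip: true` inside `params` for the no-match case — and the remaining `True`/`yes`/`0700` literals would be written `true`/`"0700"` by ansible-lint.
```yaml
# … unchanged: OS detection, assert and Install certbot tasks …

- name: Ensure renewal scripts directory exists
  file:
    path: "{{ certbot_renewal_scripts_path }}"
    state: directory
    owner: root
    group: root
    mode: "0700"

# … unchanged: Set renewal script if desired, Set certbot systemd service, systemd service/timer tasks …

- name: Obtain certificate
  shell: >-
    certbot certonly --standalone --rsa-key-size 4096
    {% for domain in certbot_domains %}-d {{ domain | quote }} {% endfor %}
    -m {{ certbot_mail_address | quote }} --agree-tos
  args:
    creates: "{{ certbot_live_certs_path }}{{ certbot_domains[0] }}/fullchain.pem"
```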
@@ -0,0 +1,8 @@
+[Unit]
+Description=Certbot
+Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
+Documentation=https://letsencrypt.readthedocs.io/en/latest/
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot -q renew; find {{ certbot_renewal_scripts_path }} -name "*.sh" -exec {} \;
+PrivateTmp=true
\ No newline at end of file
diff --git a/vars/debian.yml b/vars/debian.yml
new file mode 100644
index 0000000..95b46f7
--- /dev/null
+++ b/vars/debian.yml
@@ -0,0 +1,5 @@
+---
+certbot_os_supported: True
+
+certbot_renewal_scripts_path: /etc/certbot/renewal_scripts/
+certbot_live_certs_path: /etc/letsencrypt/live/
\ No newline at end of file
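Review bot: In `ExecStart=/usr/bin/certbot -q renew; find …` the semicolon is glued to `renew`, and systemd only treats `;` as a command separator when it is a separate word, so `renew;` appears to be passed to certbot as its subcommand with the whole find invocation as further arguments. Split it into two `ExecStart=` lines (permitted with `Type=oneshot`), `ExecStart=/usr/bin/certbot -q renew` and `ExecStart=/usr/bin/find {{ certbot_renewal_scripts_path }} -name "*.sh" -exec {} \;`, giving find an absolute path as well since older systemd versions require one. The find step also executes every `*.sh` in that directory as root on every timer run, not only after a renewal; certbot's `--deploy-hook` option, or placing the scripts in its renewal-hooks deploy directory, runs them only when a certificate actually changed. A comment in the template stating which of these behaviours is intended would help the next reader.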
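Review bot: Both path values end in a trailing slash that tasks/main.yml depends on by bare concatenation (`{{ certbot_renewal_scripts_path }}{{ certbot_domains[0] }}.sh` and the stat path), so an override without the slash silently produces a file next to the directory instead of inside it. A comment such as `# must end with '/': tasks/main.yml concatenates these with file names` would make that contract explicit, or the tasks could join with an explicit `/` so the slash no longer matters.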