Initial commit

2022-07-22 00:41:16 +02:00 · 2022-07-22 00:41:16 +02:00 · aa9e1b2346
commit aa9e1b2346
7 changed files with 91 additions and 0 deletions
--- a/defaults/main.yml
+++ b/defaults/main.yml
@ -0,0 +1,3 @@
+---
+certbot_os_supported: False
+
--- a/example_playbook.yml
+++ b/example_playbook.yml
@ -0,0 +1,10 @@
+- hosts: certbot.machine.tld
+  roles:
+    - certbot
+  vars:
+    certbot_mail_address: mail@example.com
+    certbot_domains:
+      - primary.my.tld
+      - another.my.tld
+    certbot_post_renewal_script: |
+      scp /etc/letsencrypt/live/primary.my.tld/fullchain.pem remote:/etc/certdest
--- a/handlers/main.yml
+++ b/handlers/main.yml
@ -0,0 +1 @@
+---
--- a/meta/main.yml
+++ b/meta/main.yml
@ -0,0 +1,2 @@
+---
+galaxy_info:
--- a/tasks/main.yml
+++ b/tasks/main.yml
@ -0,0 +1,62 @@
+---
+- name: Set OS dependent variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
+        - "{{ ansible_distribution | lower }}.yml"
+        - "{{ ansible_os_family | lower }}.yml"
+        - "{{ ansible_system | lower }}.yml"
+      paths:
+        - '{{ role_path }}/vars'
+  ignore_errors: True
+
+- name: OS is supported
+  ansible.builtin.assert:
+    that: __os_supported
+    quiet: True
+  vars:
+    __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"
+
+- name: Install certbot
+  apt:
+    state: latest
+    pkg:
+      - certbot
+    update_cache: yes
+
+- name: Set renewal script if desired
+  copy:
+    content: "{{ certbot_post_renewal_script }}"
+    dest: "{{ certbot_renewal_scripts_path }}{{ certbot_domains[0] }}.sh"
+    mode: 0700
+  when: certbot_post_renewal_script is defined
+
+- name: Set certbot systemd service
+  template:
+    src: certbot.service.j2
+    dest: "{{ certbot_service_path }}"
+    mode: 0600
+
+- name: Ensure certbot systemd service is enabled
+  systemd:
+    name: certbot.service
+    state: started
+    enabled: yes
+
+- name: Ensure certbot systemd timer is enabled
+  systemd:
+    name: certbot.timer
+    state: started
+    enabled: yes
+
+- name: Check whether the cert already exists
+  stat:
+    path: "{{ certbot_live_certs_path }}{{ certbot_domains[0] }}/fullchain.pem"
+  register: live_cert
+
+- name: Obtain certificate
+  shell: certbot certonly --standalone --rsa-key-size 4096 {% for domain in certbot_domains %}-d {{ domain }} {% endfor %}-m {{ certbot_mail_address }} --agree-tos
+  when: live_cert.stat.exists == False
--- a/templates/certbot.service.j2
+++ b/templates/certbot.service.j2
@ -0,0 +1,8 @@
+[Unit]
+Description=Certbot
+Documentation=file:///usr/share/doc/python-certbot-doc/html/index.html
+Documentation=https://letsencrypt.readthedocs.io/en/latest/
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/certbot -q renew; find {{ certbot_renewal_scripts_path }} -name "*.sh" -exec {} \;
+PrivateTmp=true
--- a/vars/debian.yml
+++ b/vars/debian.yml
@ -0,0 +1,5 @@
+---
+certbot_os_supported: True
+
+certbot_renewal_scripts_path: /etc/certbot/renewal_scripts/
+certbot_live_certs_path: /etc/letsencrypt/live/