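---
# Tasks for the certbot role: load OS-specific variables, install certbot,
# optionally drop a post-renewal hook script, enable the systemd service and
# timer, and obtain the initial certificate when none exists yet.
#
# Security notes for maintainers:
#   - Every task here runs with the privileges of the play (normally root),
#     so all certbot_* variables must come from a trusted source (role
#     defaults, inventory, vault) and never from untrusted user input.
#   - certbot and the hook script are invoked through `command` with an argv
#     list instead of `shell`, so the templated domain names, mail address and
#     path are passed as discrete arguments and cannot smuggle in extra shell
#     commands or metacharacters.

- name: Set OS dependent variables
  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
  vars:
    params:
      # Most specific file first (e.g. debian_11.yml), least specific last.
      files:
        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_version | lower }}.yml"
        - "{{ ansible_distribution | lower }}_{{ ansible_distribution_major_version | lower }}.yml"
        - "{{ ansible_distribution | lower }}.yml"
        - "{{ ansible_os_family | lower }}.yml"
        - "{{ ansible_system | lower }}.yml"
      paths:
        - "{{ role_path }}/vars"
  # A missing vars file is not fatal here: the assert below turns it into a
  # clear "unsupported OS" failure instead of a lookup stack trace.
  ignore_errors: true

- name: OS is supported
  ansible.builtin.assert:
    that: __os_supported
    quiet: true
  vars:
    # The loaded vars file is expected to define <role_name>_os_supported.
    __os_supported: "{{ lookup('vars', '{}_os_supported'.format(role_name)) | bool }}"

- name: Install certbot
  ansible.builtin.apt:
    # NOTE(review): `latest` upgrades certbot on every run; pin a version if
    # reproducible deployments matter more than automatic updates.
    state: latest
    pkg:
      - certbot
    update_cache: true

- name: Ensure certbot dir exists
  ansible.builtin.file:
    path: "{{ certbot_renewal_scripts_path }}"
    state: directory

# The script body is written verbatim from certbot_post_renewal_script and is
# executed by this role (see the last task), so that variable must be trusted.
# Mode 0700 keeps it readable and executable by the owner only.
# NOTE: dest is built by plain concatenation, so certbot_renewal_scripts_path
# is expected to end with a '/'.
- name: Set renewal script if desired
  ansible.builtin.copy:
    content: "{{ certbot_post_renewal_script }}"
    dest: "{{ certbot_renewal_scripts_path }}{{ certbot_domains[0] }}.sh"
    mode: "0700"
  when: certbot_post_renewal_script is defined

- name: Set certbot systemd service
  ansible.builtin.template:
    src: certbot.service.j2
    dest: "{{ certbot_service_path }}"
    mode: "0600"

- name: Ensure certbot systemd service is enabled
  ansible.builtin.systemd:
    name: certbot.service
    enabled: true
    daemon_reload: true

- name: Ensure certbot systemd timer is enabled
  ansible.builtin.systemd:
    name: certbot.timer
    enabled: true
    daemon_reload: true

# certbot stores the lineage under the first domain's name; its fullchain.pem
# is used as the marker that a certificate was already obtained.
# NOTE: same trailing-'/' expectation for certbot_live_certs_path as above.
- name: Check whether the cert already exists
  ansible.builtin.stat:
    path: "{{ certbot_live_certs_path }}{{ certbot_domains[0] }}/fullchain.pem"
  register: live_cert

- name: Obtain certificate
  ansible.builtin.command:
    # argv form: each list element is exactly one argument, so no shell ever
    # parses the templated values. Equivalent command line:
    #   certbot [certonly] --nginx --rsa-key-size 4096 -d D1 -d D2 ... \
    #     -m MAIL --agree-tos --non-interactive
    # `certonly` is added unless certbot_install_cert is true (then certbot
    # also installs the certificate into nginx). --non-interactive makes
    # certbot fail loudly on anything it would otherwise prompt for, instead
    # of stalling the play.
    argv: >-
      {{ ['certbot']
         + ([] if certbot_install_cert | bool else ['certonly'])
         + ['--nginx', '--rsa-key-size', '4096']
         + ((['-d'] * (certbot_domains | length)) | zip(certbot_domains) | flatten)
         + ['-m', certbot_mail_address, '--agree-tos', '--non-interactive'] }}
  when: not live_cert.stat.exists

# Runs the hook written above as the play's user (normally root); fails if the
# script was never created because certbot_post_renewal_script is undefined.
- name: Execute post-renewal script if desired
  ansible.builtin.command:
    argv:
      - "{{ certbot_renewal_scripts_path }}{{ certbot_domains[0] }}.sh"
  when: certbot_immediately_execute_script | bool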