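# Install the certbot client from the distribution's package repository.
# 'package' delegates to the platform package manager, so this task does not
# pin a distribution as long as the package is called "certbot" there.
- name: ensure certbot is installed
  package:
    name: certbot
    state: present
  tags:
    - install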
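# Dedicated primary group for the unprivileged certbot account.
# Tagged with both 'group' and 'user' so that a '--tags user' run still
# creates the group that the user task below assigns.
- name: ensure certbot group exists
  group:
    name: certbot
    system: true
  tags:
    - group
    - user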
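# Unprivileged service account that owns the ACME state and runs certbot
# (the register/certonly tasks later in this file use become_user: certbot).
# Its home is also certbot's --config-dir; the directory is created by a
# separate 'file' task with explicit mode and ownership, so home creation
# is disabled here.
# NOTE(review): no login shell is set, so the account gets the system
# default. If your become_method is sudo (which does not use the target
# user's shell) consider shell: /sbin/nologin; with become_method su that
# would break the become below — confirm before changing.
- name: ensure certbot user exists
  user:
    name: certbot
    group: certbot
    system: true
    home: /var/lib/letsencrypt
    # newer Ansible spells this create_home; createhome is kept as an alias
    createhome: false
    state: present
  tags:
    - user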
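# certbot's --config-dir (see the register/certonly commands below) and the
# certbot user's home. Kept world-traversable (0755); the sensitive subtrees
# certbot creates underneath it (archive/, live/ — where private keys end up)
# are expected to get tighter modes from certbot itself — TODO confirm on the
# host. How the web server is later given read access to the issued
# certificate is not handled anywhere in this file.
- name: ensure certbot data directory exists
  file:
    path: /var/lib/letsencrypt
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory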
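# Holds the ACME account credentials: whatever the unarchive task below
# restores plus anything 'certbot register' creates. 0700 keeps it readable
# by the certbot user alone, which is the right default for key material.
- name: ensure certbot accounts directory exists
  file:
    path: /var/lib/letsencrypt/accounts
    mode: "0700"
    owner: certbot
    group: certbot
    state: directory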
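# Log directory, owned by the certbot user because the certbot commands in
# this file run unprivileged and must be able to create their log files
# (presumably this matches certbot's default --logs-dir, since no --logs-dir
# is passed below).
- name: ensure certbot log directory exists
  file:
    path: /var/log/letsencrypt
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory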
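# Webroot used for the HTTP-01 challenge (--webroot-path in the certonly task
# below). Owned by certbot so it can drop challenge files there; 0755 so the
# web server, running under a different uid, can read them.
- name: ensure certbot webroot directory exists
  file:
    path: /var/www/certbot
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory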
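# Apache drop-in that exposes the webroot above for HTTP-01 challenges.
# The fragment itself is not part of this file; it is installed
# world-readable (0644), so it must not carry secrets.
- name: ensure apache is configured for certbot
  copy:
    src: certbot.httpd.conf
    dest: /etc/httpd/conf.d/certbot.conf
    mode: "0644"
  notify: reload httpd

# Run the pending 'reload httpd' handler now instead of at the end of the
# play: the challenge location has to be live before 'certbot certonly'
# below asks Let's Encrypt to fetch it.
- meta: flush_handlers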
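# Restore a previously exported ACME account for this host, if the controller
# has one as files/accounts/<inventory_hostname>.tar.xz (with_fileglob yields
# nothing and the task is skipped otherwise). Extraction runs as the certbot
# user so the restored files are owned by it and land in the 0700 accounts
# directory created above.
# NOTE(review): the archive presumably contains the account's private key;
# keep it ansible-vault encrypted in the repository. unarchive decrypts
# vaulted sources on the way out (its 'decrypt' option, on by default in
# Ansible 2.4+) — confirm for the Ansible version in use.
- name: ensure letsencrypt account data are installed
  become: true
  become_user: certbot
  unarchive:
    src: "{{ item }}"
    dest: /var/lib/letsencrypt/accounts/
  with_fileglob: "accounts/{{ inventory_hostname }}.tar.xz"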
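# Register an ACME account for this host unless one is already present
# (restored by the unarchive task above, or created by an earlier run).
# --agree-tos, --email and --non-interactive make the run prompt-free
# (--non-interactive states that explicitly instead of relying on certbot's
# tty detection). The free-form command is shlex-split and executed without
# a shell, so certbot_account_email must not contain whitespace or quotes.
- name: ensure letsencrypt account is registered
  become: true
  become_user: certbot
  command: >-
    certbot register --non-interactive
    --config-dir /var/lib/letsencrypt
    --agree-tos --email {{ certbot_account_email }}
  args:
    # certbot names the account directory after the ACME server host. The
    # original guard pinned acme-v01.api.letsencrypt.org, an endpoint Let's
    # Encrypt has retired and that current certbot releases do not register
    # against, so the guard would never match: the command would re-run on
    # every play and fail once an account exists. 'creates' accepts a glob,
    # and this one matches either generation of the directory name.
    creates: "/var/lib/letsencrypt/accounts/acme-v*.api.letsencrypt.org"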
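# Obtain the initial certificate for certbot_domains with the HTTP-01 webroot
# challenge served from /var/www/certbot. Renewal is left to the timer below.
# certbot names the lineage after the first domain, which is what 'creates'
# checks; an empty certbot_domains fails loudly on the [0] lookup.
# --non-interactive makes any missing input a hard error rather than a
# prompt, which is what a playbook wants.
- name: ensure certbot certificate exists
  become: true
  become_user: certbot
  command: >-
    certbot certonly --non-interactive
    --config-dir /var/lib/letsencrypt
    --webroot --webroot-path /var/www/certbot
    {% for domain in certbot_domains %}-d {{ domain }} {% endfor %}
  args:
    creates: "/var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem"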
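# Environment file presumably read by the packaged certbot-renew.service
# that the timer below drives.
# NOTE(review): the template is not shown here. The renewal unit must use
# the same --config-dir as the certonly task above and run as a user that
# can write the tree owned by the certbot account, otherwise renewals will
# not find or update the certificate issued here — confirm in
# certbot.sysconfig.j2. Installed world-readable (0644), so it must not
# carry secrets.
- name: ensure certbot service is configured
  template:
    src: certbot.sysconfig.j2
    dest: /etc/sysconfig/certbot
    mode: "0644"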
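# Enable at boot and start now the packaged renewal timer. The original did
# this in two 'service' tasks (enable, then start); one task expresses both
# with the same end state.
- name: ensure certbot timer is enabled and started
  service:
    name: certbot-renew.timer
    enabled: true
    state: started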