ansible-personal/roles/nginx/tasks/letsencrypt.yml

---
# Use acme.sh instead of certbot because they only support installation via
# snap now.
- block:
    - name: Remove certbot
      ansible.builtin.apt:
        name: certbot
        state: absent

    - name: Remove old certbot post and pre hooks for nginx
      ansible.builtin.file:
        dest: "{{ item }}"
        state: absent
      with_items:
        - /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
        - /etc/letsencrypt/renewal-hooks/post/start-nginx.sh

    - name: Check if acme.sh is installed
      ansible.builtin.stat:
        path: "{{ letsencrypt_acme_home }}"
      register: acme_home

    - name: Download acme.sh
      ansible.builtin.get_url:
        url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
        dest: "{{ letsencrypt_acme_script_temp }}"
        mode: "0700"
      register: acme_download
      when: not acme_home.stat.exists

    # Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
    # have to chdir to the /root directory where the script exists or else it
    # fails. Ansible runs it, but the script can't find itself...).
    - name: Install acme.sh
      ansible.builtin.command:
        cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
        creates: "{{ letsencrypt_acme_home }}/acme.sh"
        chdir: /root
      register: acme_install
      when: acme_download is changed

    - name: Remove temporary acme.sh script
      ansible.builtin.file:
        dest: "{{ letsencrypt_acme_script_temp }}"
        state: absent
      when:
        - acme_install.rc is defined
        - acme_install.rc == 0

    - name: Set default certificate authority for acme.sh
      ansible.builtin.command:
        cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"

    - name: Prepare Let's Encrypt well-known directory
      ansible.builtin.file:
        state: directory
        path: /var/lib/letsencrypt/.well-known
        owner: root
        group: nginx
        mode: g+s

    - name: Copy systemd service to renew Let's Encrypt certs
      ansible.builtin.template:
        src: renew-letsencrypt.service.j2
        dest: /etc/systemd/system/renew-letsencrypt.service
        mode: "0644"
        owner: root
        group: root

    - name: Copy systemd timer to renew Let's Encrypt certs
      ansible.builtin.copy:
        src: renew-letsencrypt.timer
        dest: /etc/systemd/system/renew-letsencrypt.timer
        mode: "0644"
        owner: root
        group: root

    # always issues daemon-reload just in case the service/timer changed
    - name: Start and enable systemd timer to renew Let's Encrypt certs
      ansible.builtin.systemd:
        name: renew-letsencrypt.timer
        state: started
        enabled: true
        daemon_reload: true

  when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version
    is version('11', '>='))
  tags: letsencrypt

# vim: set ts=2 sw=2:
roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 22:52:39 +02:00			`---`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00			`# Use acme.sh instead of certbot because they only support installation via`
			`# snap now.`
roles/nginx: Use dynamic includes for Let's Encrypt As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed to introduce the notion of static imports and dynamic includes. If the tasks doing the import is using variable interpolation or conditionals then the task should be dynamic. This results in quicker playbook runs due to less importing of unneccessary tasks. One side effect of this is that child tasks of dynamic includes do not inherit their parents' tags so you must tag them explicitly or a block. Also, I had to move the letsencrypt tasks to the main task file so the tags were available (due to dynamic tasks not inheriting tags). 2018-04-26 10:00:47 +02:00			`- block:`
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Remove certbot`
			`ansible.builtin.apt:`
			`name: certbot`
			`state: absent`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Remove old certbot post and pre hooks for nginx`
			`ansible.builtin.file:`
			`dest: "{{ item }}"`
			`state: absent`
			`with_items:`
			`- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh`
			`- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Check if acme.sh is installed`
			`ansible.builtin.stat:`
			`path: "{{ letsencrypt_acme_home }}"`
			`register: acme_home`
roles/nginx: minor rework of acme.sh tasks After the inital acme.sh script is downloaded and bootstrapped we can remove it. If a host already has been bootstrapped then there is no need to download it and do it over again. 2021-09-27 12:40:17 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Download acme.sh`
			`ansible.builtin.get_url:`
			`url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh`
			`dest: "{{ letsencrypt_acme_script_temp }}"`
			`mode: "0700"`
			`register: acme_download`
			`when: not acme_home.stat.exists`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I`
			`# have to chdir to the /root directory where the script exists or else it`
			`# fails. Ansible runs it, but the script can't find itself...).`
			`- name: Install acme.sh`
			`ansible.builtin.command:`
			`cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"`
			`creates: "{{ letsencrypt_acme_home }}/acme.sh"`
			`chdir: /root`
			`register: acme_install`
			`when: acme_download is changed`
roles/nginx: minor rework of acme.sh tasks After the inital acme.sh script is downloaded and bootstrapped we can remove it. If a host already has been bootstrapped then there is no need to download it and do it over again. 2021-09-27 12:40:17 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Remove temporary acme.sh script`
			`ansible.builtin.file:`
			`dest: "{{ letsencrypt_acme_script_temp }}"`
			`state: absent`
			`when:`
			`- acme_install.rc is defined`
			`- acme_install.rc == 0`
roles/nginx: install acme.sh after downloading This is basically just bootstrapping it. I used to do this by hand before requesting the certs. 2021-09-27 10:28:02 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Set default certificate authority for acme.sh`
			`ansible.builtin.command:`
			`cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"`
roles/nginx: install acme.sh after downloading This is basically just bootstrapping it. I used to do this by hand before requesting the certs. 2021-09-27 10:28:02 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Prepare Let's Encrypt well-known directory`
			`ansible.builtin.file:`
			`state: directory`
			`path: /var/lib/letsencrypt/.well-known`
			`owner: root`
			`group: nginx`
			`mode: g+s`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Copy systemd service to renew Let's Encrypt certs`
			`ansible.builtin.template:`
			`src: renew-letsencrypt.service.j2`
			`dest: /etc/systemd/system/renew-letsencrypt.service`
			`mode: "0644"`
			`owner: root`
			`group: root`
roles/nginx: Use dynamic includes for Let's Encrypt As of Ansible 2.4 and 2.5 the behavior for importing tasks has changed to introduce the notion of static imports and dynamic includes. If the tasks doing the import is using variable interpolation or conditionals then the task should be dynamic. This results in quicker playbook runs due to less importing of unneccessary tasks. One side effect of this is that child tasks of dynamic includes do not inherit their parents' tags so you must tag them explicitly or a block. Also, I had to move the letsencrypt tasks to the main task file so the tags were available (due to dynamic tasks not inheriting tags). 2018-04-26 10:00:47 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`- name: Copy systemd timer to renew Let's Encrypt certs`
			`ansible.builtin.copy:`
			`src: renew-letsencrypt.timer`
			`dest: /etc/systemd/system/renew-letsencrypt.timer`
			`mode: "0644"`
			`owner: root`
			`group: root`
roles/nginx: Switch to acme.sh for Let's Encrypt The certbot-auto client that I've been using for a long time is now only supported if you install it using snap. I don't use snap on my systems so I decided to switch to the acme.sh client, which is imp- lemented in POSIX shell with no dependencies. One bonus of this is that I can start using ECC certificates. This also configures the .well-known directory so we can use webroot when installing and renewing certificates. I have yet to understand how the renewal works with regards to webroot, though. I may have to update the systemd timers to point to /var/lib/letsencrypt/.well-known. 2021-03-19 22:39:30 +01:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`# always issues daemon-reload just in case the service/timer changed`
			`- name: Start and enable systemd timer to renew Let's Encrypt certs`
			`ansible.builtin.systemd:`
			`name: renew-letsencrypt.timer`
			`state: started`
			`enabled: true`
			`daemon_reload: true`
roles/nginx: Add pre and post hooks for Let's Encrypt on Ubuntu 20.04 Certbot will run any executables in the pre and post directories during certificate renewal. 2020-06-06 19:38:08 +02:00
roles: run ansible-lint --write 2023-08-23 21:22:51 +02:00			`when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '==')) or (ansible_distribution == 'Debian' and ansible_distribution_version`
			`is version('11', '>='))`
roles/nginx: Use dynamic include_tasks for Let's Encrypt Use dynamic includes instead of static imports when you are running tasks conditionally or using variable interpolation. The down side is that you need to then tag the parent task as well as all child tasks, as tags only apply to children of statically imported tasks. 2018-04-25 19:03:32 +02:00			`tags: letsencrypt`
roles/nginx: Rework Let's Encrypt stuff Take an opinionated stance on HTTPS and assume that hosts are using HTTPS for all vhosts. This can either be via custom TLS cert/key pairs defined in the host's variables (could even be self-signed certificates on dev boxes) or via Let's Encrypt. 2016-06-27 22:52:39 +02:00
			`# vim: set ts=2 sw=2:`