90 lines
2.7 KiB
YAML
90 lines
2.7 KiB
YAML
---
|
|
|
|
# Use acme.sh instead of certbot because they only support installation via
|
|
# snap now.
|
|
- block:
|
|
- name: Remove certbot
|
|
apt:
|
|
name: certbot
|
|
state: absent
|
|
|
|
- name: Remove old certbot post and pre hooks for nginx
|
|
file:
|
|
dest: "{{ item }}"
|
|
state: absent
|
|
with_items:
|
|
- /etc/letsencrypt/renewal-hooks/pre/stop-nginx.sh
|
|
- /etc/letsencrypt/renewal-hooks/post/start-nginx.sh
|
|
|
|
- name: Check if acme.sh is installed
|
|
stat:
|
|
path: "{{ letsencrypt_acme_home }}"
|
|
register: acme_home
|
|
|
|
- name: Download acme.sh
|
|
get_url:
|
|
url: https://raw.githubusercontent.com/acmesh-official/acme.sh/master/acme.sh
|
|
dest: "{{ letsencrypt_acme_script_temp }}"
|
|
mode: 0700
|
|
register: acme_download
|
|
when: not acme_home.stat.exists
|
|
|
|
# Run the "install" for acme.sh so it creates the .acme.sh dir (currently I
|
|
# have to chdir to the /root directory where the script exists or else it
|
|
# fails. Ansible runs it, but the script can't find itself...).
|
|
- name: Install acme.sh
|
|
ansible.builtin.command:
|
|
cmd: "{{ letsencrypt_acme_script_temp }} --install --no-profile --no-cron"
|
|
creates: "{{ letsencrypt_acme_home }}/acme.sh"
|
|
chdir: /root
|
|
register: acme_install
|
|
when: acme_download is changed
|
|
|
|
- name: Remove temporary acme.sh script
|
|
file:
|
|
dest: "{{ letsencrypt_acme_script_temp }}"
|
|
state: absent
|
|
when: acme_install.rc is defined and acme_install.rc == 0
|
|
|
|
- name: Set default certificate authority for acme.sh
|
|
ansible.builtin.command:
|
|
cmd: "{{ letsencrypt_acme_home }}/acme.sh --set-default-ca --server letsencrypt"
|
|
|
|
- name: Prepare Let's Encrypt well-known directory
|
|
file:
|
|
state: directory
|
|
path: /var/lib/letsencrypt/.well-known
|
|
owner: root
|
|
group: nginx
|
|
mode: g+s
|
|
|
|
- name: Copy systemd service to renew Let's Encrypt certs
|
|
template:
|
|
src: renew-letsencrypt.service.j2
|
|
dest: /etc/systemd/system/renew-letsencrypt.service
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
|
|
- name: Copy systemd timer to renew Let's Encrypt certs
|
|
copy:
|
|
src: renew-letsencrypt.timer
|
|
dest: /etc/systemd/system/renew-letsencrypt.timer
|
|
mode: 0644
|
|
owner: root
|
|
group: root
|
|
|
|
# always issues daemon-reload just in case the service/timer changed
|
|
- name: Start and enable systemd timer to renew Let's Encrypt certs
|
|
systemd:
|
|
name: renew-letsencrypt.timer
|
|
state: started
|
|
enabled: yes
|
|
daemon_reload: yes
|
|
|
|
when: (ansible_distribution == 'Ubuntu' and ansible_distribution_version is version('20.04', '=='))
|
|
or (ansible_distribution == 'Debian' and ansible_distribution_version is version('11', '=='))
|
|
tags: letsencrypt
|
|
|
|
# vim: set ts=2 sw=2:
|