1 #####################################
2 ### someone's ansible provisioner ###
3 #####################################
4 # Part of: https://git.somenet.org/root/pub/somesible.git
5 # 2017-2024 by someone <someone@somenet.org>
6 #
7 ---
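- name: install letsencrypt-bot
  # dehydrated is the ACME client; ssl-cert supplies the ssl-cert group that
  # the cert directory below is owned by.
  apt:
    pkg:
      - ssl-cert
      - dehydrated
    state: present
    # policy-rc.d exit code 101 ("action forbidden"): do not start services
    # during package installation.
    policy_rc_d: 101
  tags: "online"
  # Package installation needs network access; failures are tolerated only
  # when the caller sets ignore_online_errors.
  ignore_errors: "{{ ignore_online_errors | bool }}"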
17
18
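- name: create letsencrypt user
  # Unprivileged system account that dehydrated runs as (see the register
  # task below). The home directory is created by a separate task so that
  # its mode and ownership are set explicitly.
  user:
    name: "letsencrypt"
    home: "/var/lib/letsencrypt"
    shell: "/bin/bash"
    createhome: false
    system: true
    state: present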
27
28
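- name: create letsencrypt user's homedir
  # Holds the ACME account data (dehydrated --register writes to
  # accounts/ here). Not world-readable: owner and group only.
  file:
    path: "/var/lib/letsencrypt"
    state: directory
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0750"
    owner: "letsencrypt"
    group: "letsencrypt"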
36
37
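- name: create letsencrypt challenge dir
  # Written by the letsencrypt user, readable by www-data — presumably the
  # web server serves the ACME http-01 challenge responses from here
  # (TODO confirm against the web server role that maps this path).
  file:
    path: "/var/www/html/dehydrated"
    state: directory
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0750"
    owner: "letsencrypt"
    group: "www-data"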
45
46
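- name: create letsencrypt cert dir
  # Issued certificates and keys land here; group ssl-cert grants read access
  # to services that are members of that group, nobody else.
  file:
    path: "/etc/ssl/letsencrypt"
    state: directory
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0750"
    owner: "letsencrypt"
    group: "ssl-cert"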
54
55
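- name: fix dehydrated dir permissions
  # The package ships /etc/dehydrated owned by root; hand it to the
  # letsencrypt user so the config and hook files below can live there.
  file:
    path: "/etc/dehydrated"
    state: directory
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0750"
    owner: "letsencrypt"
    group: "letsencrypt"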
63
64
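- name: copy config.sh
  # Most specific override wins: per-host, then per-group, then all-hosts,
  # then the role's bundled default. Paths are resolved from $PWD, i.e. the
  # directory ansible was started from.
  # NOTE(review): assumes /etc/dehydrated/conf.d/ exists — the copy fails if
  # the package does not ship it; confirm or add a file/state=directory task.
  copy:
    src: "{{ item }}"
    dest: "/etc/dehydrated/conf.d/config.sh"
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0640"
    owner: "letsencrypt"
    group: "letsencrypt"
  with_first_found:
    - "{{ lookup('env', 'PWD') }}/host_files/{{ inventory_hostname }}/{{ role_name }}/config.sh"
    - "{{ lookup('env', 'PWD') }}/group_files/{{ group_files_group }}/{{ role_name }}/config.sh"
    - "{{ lookup('env', 'PWD') }}/group_files/all/{{ role_name }}/config.sh"
    - "default/config.sh"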
77
78
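- name: copy hook.sh
  # Hook executed by dehydrated (as the letsencrypt user) on deploy events.
  # Same host > group > all > default override order as config.sh.
  copy:
    src: "{{ item }}"
    dest: "/etc/dehydrated/hook.sh"
    # executable for owner/group only; quoted so the octal mode is not
    # parsed as a YAML integer
    mode: "0750"
    owner: "letsencrypt"
    group: "letsencrypt"
  with_first_found:
    - "{{ lookup('env', 'PWD') }}/host_files/{{ inventory_hostname }}/{{ role_name }}/hook.sh"
    - "{{ lookup('env', 'PWD') }}/group_files/{{ group_files_group }}/{{ role_name }}/hook.sh"
    - "{{ lookup('env', 'PWD') }}/group_files/all/{{ role_name }}/hook.sh"
    - "default/hook.sh"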
91
92
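- name: copy domains.txt header
  # Root-owned so the letsencrypt user can read but not edit the list of
  # domains it may request certificates for.
  # NOTE(review): changed_when is forced to false, presumably because other
  # roles append domain lines to this file. copy still overwrites the file
  # whenever its content differs from the source, which would discard those
  # appended lines on every run — confirm how domains are added, or switch
  # to a task that only ensures the header lines are present.
  copy:
    src: "{{ item }}"
    dest: "/etc/dehydrated/domains.txt"
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0640"
    owner: "root"
    group: "letsencrypt"
  with_first_found:
    - "{{ lookup('env', 'PWD') }}/host_files/{{ inventory_hostname }}/{{ role_name }}/domains.txt"
    - "{{ lookup('env', 'PWD') }}/group_files/{{ group_files_group }}/{{ role_name }}/domains.txt"
    - "{{ lookup('env', 'PWD') }}/group_files/all/{{ role_name }}/domains.txt"
    - "default/domains.txt"
  changed_when: false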
106
107
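- name: register with letsencrypt
  # One-time ACME account registration, run as the unprivileged letsencrypt
  # user. `creates` keeps it idempotent: skipped once accounts/ exists under
  # the user's home.
  command: "/usr/bin/dehydrated --register --accept-terms"
  args:
    creates: "/var/lib/letsencrypt/accounts/"
  become: true
  become_user: "letsencrypt"
  # Talks to the ACME endpoint, so it only runs with the online tag.
  tags: "online"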
115
116
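- name: copy crontab entry
  # Periodic renewal via /etc/cron.d; must be root-owned and not group/world
  # writable or cron ignores the file.
  copy:
    src: "{{ item }}"
    dest: "/etc/cron.d/letsencrypt-dehydrated"
    # quoted so the octal mode is not parsed as a YAML integer
    mode: "0644"
    owner: "root"
    group: "root"
  with_first_found:
    - "{{ lookup('env', 'PWD') }}/host_files/{{ inventory_hostname }}/{{ role_name }}/letsencrypt-dehydrated.cron"
    - "{{ lookup('env', 'PWD') }}/group_files/{{ group_files_group }}/{{ role_name }}/letsencrypt-dehydrated.cron"
    - "{{ lookup('env', 'PWD') }}/group_files/all/{{ role_name }}/letsencrypt-dehydrated.cron"
    - "default/letsencrypt-dehydrated.cron"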