roles/server/letsencrypt-bot/files

[root/pub/somesible.git] / roles / server / letsencrypt-bot / tasks / main.yml

#####################################
### someone's ansible provisioner ###
#####################################
# Part of: https://git.somenet.org/root/pub/somesible.git
# 2017-2024 by someone <someone@somenet.org>
#
---
- name: install letsencrypt-bot
  apt:
    pkg:
    - ssl-cert
    - dehydrated
    state: present
    policy_rc_d: 101
  tags: "online"
  ignore_errors: "{{ignore_online_errors | bool}}"


- name: create letsencrypt user
  user:
    name: "letsencrypt"
    home: "/var/lib/letsencrypt"
    shell: "/bin/bash"
    createhome: no
    system: yes
    state: present


- name: create letsencrypt user's homedir
  file:
    path: "/var/lib/letsencrypt"
    state: directory
    mode: 0750
    owner: "letsencrypt"
    group: "letsencrypt"


- name: create letsencrypt challenge dir
  file:
    path: "/var/www/html/dehydrated"
    state: directory
    mode: 0750
    owner: "letsencrypt"
    group: "www-data"


- name: create letsencrypt cert dir
  file:
    path: "/etc/ssl/letsencrypt"
    state: directory
    mode: 0750
    owner: "letsencrypt"
    group: "ssl-cert"


- name: create letsencrypt cert-rsa dir
  file:
    path: "/etc/ssl/letsencrypt-rsa"
    state: directory
    mode: 0750
    owner: "letsencrypt"
    group: "ssl-cert"


- name: fix dehydrated dir permissions
  file:
    path: "/etc/dehydrated"
    state: directory
    mode: 0750
    owner: "letsencrypt"
    group: "letsencrypt"


- name: copy config
  copy:
    src: "{{item}}"
    dest: "/etc/dehydrated/config"
    mode: 0640
    owner: "letsencrypt"
    group: "letsencrypt"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/config"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/config"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/config"
    - "default/config"


- name: copy config-rsa
  copy:
    src: "{{item}}"
    dest: "/etc/dehydrated/config-rsa"
    mode: 0640
    owner: "letsencrypt"
    group: "letsencrypt"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/config-rsa"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/config-rsa"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/config-rsa"
    - "default/config-rsa"


- name: copy hook.sh
  copy:
    src: "{{item}}"
    dest: "/etc/dehydrated/hook.sh"
    mode: 0750
    owner: "letsencrypt"
    group: "letsencrypt"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/hook.sh"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/hook.sh"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/hook.sh"
    - "default/hook.sh"


- name: copy domains.txt header
  copy:
    src: "{{item}}"
    dest: "/etc/dehydrated/domains.txt"
    mode: 0640
    owner: "root"
    group: "letsencrypt"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/domains.txt"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/domains.txt"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/domains.txt"
    - "default/domains.txt"
  changed_when: False


- name: register with letsencrypt
  command: "/usr/bin/dehydrated --register --accept-terms"
  args:
    creates: "/var/lib/letsencrypt/accounts/"
  become: true
  become_user: "letsencrypt"
  tags: "online"


- name: copy crontab entry
  copy:
    src: "{{item}}"
    dest: "/etc/cron.d/letsencrypt-dehydrated"
    mode: 0644
    owner: "root"
    group: "root"
  with_first_found:
    - "{{lookup('env','PWD')}}/host_files/{{inventory_hostname}}/{{role_name}}/letsencrypt-dehydrated.cron"
    - "{{lookup('env','PWD')}}/group_files/{{group_files_group}}/{{role_name}}/letsencrypt-dehydrated.cron"
    - "{{lookup('env','PWD')}}/group_files/all/{{role_name}}/letsencrypt-dehydrated.cron"
    - "default/letsencrypt-dehydrated.cron"