infra/ansible/roles/lego/tasks/main.yml

---
- name: ensure lego group
  group:
    name: lego
    state: present
    system: True

- name: ensure lego user
  user:
    name: lego
    state: present
    group: lego
    system: True
    home: /etc/lego
    shell: /bin/bash

- name: check lego version
  shell:
    cmd: "/usr/local/bin/lego --version | cut -d ' ' -f3"
  args:
    executable: /bin/bash
  changed_when: False
  register: installed_lego_version
  check_mode: False

- name: get lego
  unarchive:
    src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
    dest: /usr/local/bin/
    mode: 0755
    owner: root
    group: root
    remote_src: True
  when: installed_lego_version.stdout != lego_version
  register: installed_lego

- name: remove LICENSE/CHANGELOG
  file:
    path: "{{ item }}"
    state: absent
  loop:
    - /usr/local/bin/CHANGELOG.md
    - /usr/local/bin/LICENSE
  changed_when: False
  when: installed_lego.changed

- name: ensure lego account directory exists
  file:
    path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/
    state: directory
    owner: lego
    group: lego
    mode: 0700

- name: ensure account.json exists
  template:
    src: templates/account.json.j2
    dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json
    owner: lego
    group: lego
    mode: 0600

- name: ensure account private key exists
  template:
    src: templates/{{ lego_email_address }}.key.j2
    dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key
    owner: lego
    group: lego
    mode: 0600

- name: ensure namecheap api info exists
  template:
    src: templates/defaults
    dest: /etc/default/lego
    owner: lego
    group: lego
    mode: 0400

- name: check if certs exist
  stat:
    path: /etc/lego/certificates/{{ item.name }}.pem
  loop: "{{ lego_certs }}"
  register: statted

- name: create new certs
  shell:
    cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'
  args:
    executable: /bin/bash
  when: item.stat.exists == False
  loop: "{{ statted.results }}"
  check_mode: False

- name: create reload hook for domain
  template:
    src: templates/lego_reload.sh.j2
    dest: /usr/local/bin/lego_reload_{{ item.name }}.sh
    owner: lego
    group: lego
    mode: 0700
  loop: "{{ lego_certs }}"

- name: create renewal crontabs
  cron:
    name: "{{ item.name }} renewal"
    hour: "4"
    user: lego
    job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
  loop: "{{ lego_certs }}"

- name: create haproxy reload crontab
  cron:
    name: "{{ item.name }} haproxy reload"
    hour: "5"
    user: root
    job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'
  loop: "{{ lego_certs }}"
Fix up lnd, add haproxy + lego for certs 2021-01-13 01:12:49 +00:00			`---`
			`- name: ensure lego group`
			`group:`
			`name: lego`
			`state: present`
			`system: True`

			`- name: ensure lego user`
			`user:`
			`name: lego`
			`state: present`
			`group: lego`
			`system: True`
			`home: /etc/lego`
			`shell: /bin/bash`

			`- name: check lego version`
			`shell:`
			`cmd: "/usr/local/bin/lego --version \| cut -d ' ' -f3"`
			`args:`
			`executable: /bin/bash`
			`changed_when: False`
			`register: installed_lego_version`
			`check_mode: False`

			`- name: get lego`
			`unarchive:`
			`src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"`
			`dest: /usr/local/bin/`
			`mode: 0755`
			`owner: root`
			`group: root`
			`remote_src: True`
			`when: installed_lego_version.stdout != lego_version`
			`register: installed_lego`

			`- name: remove LICENSE/CHANGELOG`
			`file:`
			`path: "{{ item }}"`
			`state: absent`
			`loop:`
			`- /usr/local/bin/CHANGELOG.md`
			`- /usr/local/bin/LICENSE`
			`changed_when: False`
			`when: installed_lego.changed`

			`- name: ensure lego account directory exists`
			`file:`
			`path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/`
			`state: directory`
			`owner: lego`
			`group: lego`
			`mode: 0700`

			`- name: ensure account.json exists`
			`template:`
			`src: templates/account.json.j2`
			`dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json`
			`owner: lego`
			`group: lego`
			`mode: 0600`

			`- name: ensure account private key exists`
			`template:`
			`src: templates/{{ lego_email_address }}.key.j2`
			`dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key`
			`owner: lego`
			`group: lego`
			`mode: 0600`

			`- name: ensure namecheap api info exists`
			`template:`
			`src: templates/defaults`
			`dest: /etc/default/lego`
			`owner: lego`
			`group: lego`
			`mode: 0400`

			`- name: check if certs exist`
			`stat:`
			`path: /etc/lego/certificates/{{ item.name }}.pem`
			`loop: "{{ lego_certs }}"`
			`register: statted`

			`- name: create new certs`
			`shell:`
			`cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'`
			`args:`
			`executable: /bin/bash`
			`when: item.stat.exists == False`
			`loop: "{{ statted.results }}"`
			`check_mode: False`

			`- name: create reload hook for domain`
			`template:`
			`src: templates/lego_reload.sh.j2`
			`dest: /usr/local/bin/lego_reload_{{ item.name }}.sh`
			`owner: lego`
			`group: lego`
			`mode: 0700`
			`loop: "{{ lego_certs }}"`

			`- name: create renewal crontabs`
			`cron:`
			`name: "{{ item.name }} renewal"`
			`hour: "4"`
			`user: lego`
			`job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'`
			`loop: "{{ lego_certs }}"`

			`- name: create haproxy reload crontab`
			`cron:`
			`name: "{{ item.name }} haproxy reload"`
			`hour: "5"`
			`user: root`
			`job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'`
			`loop: "{{ lego_certs }}"`