118 lines
3 KiB
YAML
118 lines
3 KiB
YAML
---
|
|
- name: ensure lego group
|
|
group:
|
|
name: lego
|
|
state: present
|
|
system: True
|
|
|
|
- name: ensure lego user
|
|
user:
|
|
name: lego
|
|
state: present
|
|
group: lego
|
|
system: True
|
|
home: /etc/lego
|
|
shell: /bin/bash
|
|
|
|
- name: check lego version
|
|
shell:
|
|
cmd: "/usr/local/bin/lego --version | cut -d ' ' -f3"
|
|
args:
|
|
executable: /bin/bash
|
|
changed_when: False
|
|
register: installed_lego_version
|
|
check_mode: False
|
|
|
|
- name: get lego
|
|
unarchive:
|
|
src: "https://github.com/go-acme/lego/releases/download/v{{ lego_version }}/lego_v{{ lego_version }}_linux_amd64.tar.gz"
|
|
dest: /usr/local/bin/
|
|
mode: 0755
|
|
owner: root
|
|
group: root
|
|
remote_src: True
|
|
when: installed_lego_version.stdout != lego_version
|
|
register: installed_lego
|
|
|
|
- name: remove LICENSE/CHANGELOG
|
|
file:
|
|
path: "{{ item }}"
|
|
state: absent
|
|
loop:
|
|
- /usr/local/bin/CHANGELOG.md
|
|
- /usr/local/bin/LICENSE
|
|
changed_when: False
|
|
when: installed_lego.changed
|
|
|
|
- name: ensure lego account directory exists
|
|
file:
|
|
path: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/
|
|
state: directory
|
|
owner: lego
|
|
group: lego
|
|
mode: 0700
|
|
|
|
- name: ensure account.json exists
|
|
template:
|
|
src: templates/account.json.j2
|
|
dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/account.json
|
|
owner: lego
|
|
group: lego
|
|
mode: 0600
|
|
|
|
- name: ensure account private key exists
|
|
template:
|
|
src: templates/{{ lego_email_address }}.key.j2
|
|
dest: /etc/lego/accounts/acme-v02.api.letsencrypt.org/{{ lego_email_address }}/keys/{{ lego_email_address }}.key
|
|
owner: lego
|
|
group: lego
|
|
mode: 0600
|
|
|
|
- name: ensure namecheap api info exists
|
|
template:
|
|
src: templates/defaults
|
|
dest: /etc/default/lego
|
|
owner: lego
|
|
group: lego
|
|
mode: 0400
|
|
|
|
- name: check if certs exist
|
|
stat:
|
|
path: /etc/lego/certificates/{{ item.name }}.pem
|
|
loop: "{{ lego_certs }}"
|
|
register: statted
|
|
|
|
- name: create new certs
|
|
shell:
|
|
cmd: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.item.dns }} --domains "{{ item.item.domain }}" run'
|
|
args:
|
|
executable: /bin/bash
|
|
when: item.stat.exists == False
|
|
loop: "{{ statted.results }}"
|
|
check_mode: False
|
|
|
|
- name: create reload hook for domain
|
|
template:
|
|
src: templates/lego_reload.sh.j2
|
|
dest: /usr/local/bin/lego_reload_{{ item.name }}.sh
|
|
owner: lego
|
|
group: lego
|
|
mode: 0700
|
|
loop: "{{ lego_certs }}"
|
|
|
|
- name: create renewal crontabs
|
|
cron:
|
|
name: "{{ item.name }} renewal"
|
|
hour: "4"
|
|
user: lego
|
|
job: 'source /etc/default/lego && /usr/local/bin/lego --pem --path {{ lego_path }} --email {{ lego_email_address }} --dns {{ item.dns }} --domains "{{ item.domain }}" renew --days 30'
|
|
loop: "{{ lego_certs }}"
|
|
|
|
- name: create haproxy reload crontab
|
|
cron:
|
|
name: "{{ item.name }} haproxy reload"
|
|
hour: "5"
|
|
user: root
|
|
job: '/usr/local/bin/lego_reload_{{ item.name }}.sh'
|
|
loop: "{{ lego_certs }}"
|