roles/certbot: Set up Let's Encrypt certificates
The *certbot* role installs and configures the `certbot` ACME client. It adjusts the default configuration to allow the tool to run as an unprivileged user, and then configures Apache to work with the *webroot* plugin. It registers for an account and requests a certificate for the domains specified by the `certbot_domains` Ansible variable. Finally, it enables the *certbot-renew.timer* systemd unit to schedule automatic renewal of all Let's Encrypt certificates.
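--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,80 @@
+- name: ensure certbot is installed
+package:
+name=certbot
+state=present
+
+- name: ensure certbot group exists
+group:
+name=certbot
+system=yes
+- name: ensure certbot user exists
+user:
+name=certbot
+group=certbot
+system=yes
+home=/var/lib/letsencrypt
+createhome=no
+state=present
+
+- name: ensure certbot data directory exists
+file:
+path=/var/lib/letsencrypt
+mode=0755
+owner=certbot
+group=certbot
+state=directory
+- name: ensure certbot log directory exists
+file:
+path=/var/log/letsencrypt
+mode=0755
+owner=certbot
+group=certbot
+state=directory
+
+- name: ensure certbot webroot directory exits
+file:
+path=/var/www/certbot
+mode=0755
+owner=certbot
+group=certbot
+state=directory
+- name: ensure apache is configured for certbot
+copy:
+src=certbot.httpd.conf
+dest=/etc/httpd/conf.d/certbot.conf
+mode=0644
+notify: reload httpd
+
+- name: ensure certbot account is registered
+become: true
+become_user: certbot
+command:
+certbot register --config-dir /var/lib/letsencrypt
+--agree-tos --email {{ certbot_account_email }}
+creates=/var/lib/letsencrypt/accounts/acme-v01.api.letsencrypt.org
+
+- name: ensure certbot certificate exists
+become: true
+become_user: certbot
+command:
+certbot certonly --config-dir /var/lib/letsencrypt
+--webroot --webroot-path /var/www/certbot
+{% for domain in certbot_domains %}
+-d {{ domain }}
+{% endfor %}
+creates=/var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem
+
+- name: ensure certbot service is configured
+template:
+src=certbot.sysconfig.j2
+dest=/etc/sysconfig/certbot
+mode=0644
+
+- name: ensure certbot timer is enabled
+service:
+name=certbot-renew.timer
+enabled=yes
+- name: ensure certbot timer is started
+service:
+name=certbot-renew.timer
+state=started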
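Review bot: The idempotence guard on the register task, `creates=/var/lib/letsencrypt/accounts/acme-v01.api.letsencrypt.org`, hard-codes the directory certbot names after whatever ACME server it defaults to; once that default is a different endpoint (newer certbot releases default to the acme-v02 API) the marker never appears, `certbot register` reruns on every play and certbot refuses to register a duplicate account. Pin the server so the command and the marker agree: add `--server https://acme-v02.api.letsencrypt.org/directory` to the command and use `creates=/var/lib/letsencrypt/accounts/acme-v02.api.letsencrypt.org`. The certonly task has the same shape of problem: `creates=/var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem` means a domain appended to `certbot_domains` later is never requested (certbot would need `--expand` for that), so that guard is better replaced by a `changed_when` on certbot's output. On the permissions side, `/var/lib/letsencrypt` is the `--config-dir`, i.e. where the account key and the certificates' private keys will live; `mode=0755` makes the tree world-traversable and relies entirely on certbot's own owner-only modes for its subdirectories, so `0750` is the safer parent unless something other than the certbot user needs to list it. Minor: the webroot task name reads `exits` for `exists`.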