roles/certbot: Set up Let's Encrypt certificates

The *certbot* role installs and configures the `certbot` ACME client. It
adjusts the default configuration to allow the tool to run as an
unprivileged user, and then configures Apache to work with the *webroot*
plugin. It registers for an account and requests a certificate for the
domains specified by the `certbot_domains` Ansible variable. Finally, it
enables the *certbot-renew.timer* systemd unit to schedule automatic
renewal of all Let's Encrypt certificates.

roles/certbot/files/certbot.httpd.conf

@@ -0,0 +1,9 @@
+Alias /.well-known/acme-challenge /var/www/certbot/.well-known/acme-challenge
+
+<IfModule mod_proxy.c>
+	ProxyPass /.well-known/acme-challenge !
+</IfModule>
+
+<Directory /var/www/certbot>
+	Require all granted
+</Directory>

roles/certbot/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reload httpd
+  service:
+    name=httpd
+    state=reloaded

roles/certbot/tasks/main.yml

@@ -0,0 +1,80 @@
+- name: ensure certbot is installed
+  package:
+    name=certbot
+    state=present
+
+- name: ensure certbot group exists
+  group:
+    name=certbot
+    system=yes
+- name: ensure certbot user exists
+  user:
+    name=certbot
+    group=certbot
+    system=yes
+    home=/var/lib/letsencrypt
+    createhome=no
+    state=present
+
+- name: ensure certbot data directory exists
+  file:
+    path=/var/lib/letsencrypt
+    mode=0755
+    owner=certbot
+    group=certbot
+    state=directory
+- name: ensure certbot log directory exists
+  file:
+    path=/var/log/letsencrypt
+    mode=0755
+    owner=certbot
+    group=certbot
+    state=directory
+
+- name: ensure certbot webroot directory exits
+  file:
+    path=/var/www/certbot
+    mode=0755
+    owner=certbot
+    group=certbot
+    state=directory
+- name: ensure apache is configured for certbot
+  copy:
+    src=certbot.httpd.conf
+    dest=/etc/httpd/conf.d/certbot.conf
+    mode=0644
+  notify: reload httpd
+
+- name: ensure certbot account is registered
+  become: true
+  become_user: certbot
+  command:
+    certbot register --config-dir /var/lib/letsencrypt
+    --agree-tos --email {{ certbot_account_email }}
+    creates=/var/lib/letsencrypt/accounts/acme-v01.api.letsencrypt.org
+
+- name: ensure certbot certificate exists
+  become: true
+  become_user: certbot
+  command:
+    certbot certonly --config-dir /var/lib/letsencrypt
+    --webroot --webroot-path /var/www/certbot
+    {% for domain in certbot_domains %}
+    -d {{ domain }}
+    {% endfor %}
+    creates=/var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem
+
+- name: ensure certbot service is configured
+  template:
+    src=certbot.sysconfig.j2
+    dest=/etc/sysconfig/certbot
+    mode=0644
+
+- name: ensure certbot timer is enabled
+  service:
+    name=certbot-renew.timer
+    enabled=yes
+- name: ensure certbot timer is started
+  service:
+    name=certbot-renew.timer
+    state=started

roles/certbot/templates/certbot.sysconfig.j2

@@ -0,0 +1,49 @@
+
+## NOTE ##
+# If a hook is set here then it will be used for all
+# certificates and will override any per certificate
+# hook configuration in place.
+
+# Command to be run in a shell before obtaining any
+# certificates. Intended primarily for renewal, where it
+# can be used to temporarily shut down a webserver that
+# might conflict with the standalone plugin. This will
+# only be called if a certificate is actually to be
+# obtained/renewed. When renewing several certificates
+# that have identical pre-hooks, only the first will be
+# executed.
+#
+# An example to stop the MTA before updating certs would be
+# PRE_HOOK="--pre-hook 'systemctl stop postfix'"
+PRE_HOOK=""
+
+# Command to be run in a shell after attempting to
+# obtain/renew certificates. Can be used to deploy
+# renewed certificates, or to restart any servers that
+# were stopped by --pre-hook. This is only run if an
+# attempt was made to obtain/renew a certificate. If
+# multiple renewed certificates have identical post-
+# hooks, only one will be run.
+#
+# An example to restart httpd would be:
+# POST_HOOK="--post-hook 'systemctl restart httpd'"
+POST_HOOK=""
+
+# Command to be run in a shell once for each
+# successfully renewed certificate. For this command,
+# the shell variable $RENEWED_LINEAGE will point to the
+# config live subdirectory containing the new certs and
+# keys; the shell variable $RENEWED_DOMAINS will contain
+# a space-delimited list of renewed cert domains
+#
+# An example to run a script to alert each cert would be:
+# RENEW_HOOK="--renew-hook /usr/local/bin/cert-notifier.sh"
+RENEW_HOOK=""
+
+# Any other misc arguments for the renewal
+# See certbot -h renew for full list
+#
+# An example to force renewal for certificates not due yet
+# CERTBOT_ARGS="--force-renewal"
+CERTBOT_ARGS="--config-dir /var/lib/letsencrypt"
+