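---
# Tasks: obtain and auto-renew the minio server TLS certificate with certbot.
#
# Flow: install certbot + bind-utils (nsupdate) -> drop the DNS-01 hook scripts
# -> issue the cert once via `certbot certonly --manual` with DNS hooks
# -> install a deploy hook -> tune the renewal window -> schedule the
# certbot-renew.timer through a systemd drop-in and make sure it runs.
#
# NOTE(review): package name `bind-utils` and the `certbot-renew.timer` unit
# are the RHEL/Fedora spellings — confirm before reusing on other families.
#
# Variables read: minio_cert_domains, minio_cert_main_domain,
#                 minio_cert_acme_server, minio_cert_acme_email.

- name: ensure packages are installed
  package:
    name:
      - bind-utils
      - certbot
  tags:
    - install

# Hook scripts are executed by certbot (as root) during the DNS-01 challenge.
# NOTE(review): mode go=rx leaves them world-readable; if they embed a TSIG
# key or other secret rather than referencing a separate key file, tighten to
# u=rwx and keep the secret in a root-only file.
- name: ensure certbot nsupdate scripts are installed
  copy:
    src: '{{ item }}'
    dest: /etc/letsencrypt/{{ item }}
    owner: root
    group: root
    mode: u=rwx,go=rx
  loop:
    - nsupdate-auth.sh
    - nsupdate-cleanup.sh
  tags:
    - scripts

# One-shot issuance. `creates` makes this idempotent, which also means a later
# change to minio_cert_domains will NOT re-issue the cert while the fullchain
# for minio_cert_main_domain exists; remove the lineage (or the file) to force
# a new request. The command module does not go through a shell, but the
# rendered string is still split on whitespace, so the interpolated variables
# must not contain spaces.
- name: ensure minio server certificate exists
  command: >-
    certbot certonly -n --manual
    --manual-auth-hook /etc/letsencrypt/nsupdate-auth.sh
    --manual-cleanup-hook /etc/letsencrypt/nsupdate-cleanup.sh
    --preferred-challenges dns
    {% for domain in minio_cert_domains %} -d {{ domain }} {% endfor %}
    --server {{ minio_cert_acme_server }}
    --agree-tos --email {{ minio_cert_acme_email }}
  args:
    creates: /etc/letsencrypt/live/{{ minio_cert_main_domain }}/fullchain.pem
  tags:
    - cert

# Runs after every successful renewal (certbot's deploy hook directory).
# NOTE(review): the source is deploy-hook.sh but it is installed as nginx.sh —
# presumably it reloads nginx; confirm and keep the names aligned if so.
- name: ensure certbot deploy renewal hook script is installed
  copy:
    src: deploy-hook.sh
    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx.sh
    owner: root
    group: root
    mode: u=rwx,go=rx
  tags:
    - deploy-hook

# The regexp accepts an optional leading '#' so certbot's commented default
# (`# renew_before_expiry = ...`) is replaced in place instead of a second,
# uncommented line being appended at EOF. The 8 hour window only makes sense
# with a frequently-firing timer (see the schedule drop-in below).
# NOTE(review): if no matching line exists lineinfile appends at EOF — verify
# that does not land inside the [renewalparams] section of the renewal conf.
- name: ensure certbot renewal period is configured for minio server cert
  lineinfile:
    line: renew_before_expiry = 8 hours
    regexp: '^#?\s*renew_before_expiry\s*='
    path: /etc/letsencrypt/renewal/{{ minio_cert_main_domain }}.conf
    state: present
  tags:
    - config

- name: ensure certbot-renew timer unit drop-in directory exists
  file:
    path: /etc/systemd/system/certbot-renew.timer.d
    owner: root
    group: root
    mode: u=rwx,go=rx
    state: directory
  tags:
    - systemd

# Overrides the packaged OnCalendar schedule; the handlers reload systemd and
# restart the timer so an updated schedule takes effect on a running timer.
- name: ensure certbot-renew timer schedule is configured
  template:
    src: certbot-renew.timer.j2
    dest: /etc/systemd/system/certbot-renew.timer.d/schedule.conf
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart certbot-renew timer
  tags:
    - systemd

# daemon_reload here ensures the drop-in written above is already loaded when
# the timer is enabled/started in the same run, instead of first starting on
# the packaged schedule and only picking up the override when the handlers
# fire at the end of the play.
- name: ensure certbot-renew timer unit is enabled
  systemd:
    name: certbot-renew.timer
    enabled: true
    daemon_reload: true
  tags:
    - service

- name: ensure certbot-renew timer is running
  systemd:
    name: certbot-renew.timer
    state: started
  tags:
    - service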