The *certbot* role now supports copying the data for an existing Let's Encrypt account to the managed node using an archive. If an archive named for the inventory hostname (typically the FQDN) of the managed node is found in the `accounts` directory under the `files` directory of the *certbot* role, it will be copied to the managed node and extracted at `/var/lib/letsencrypt/accounts`. This takes the place of running `certbot register` to sign up for a new account.
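---
# Tasks for the certbot role: install certbot, create its service account
# and directories, restore or register the ACME account, obtain the
# certificate, and enable the packaged renewal timer.

- name: ensure certbot is installed
  package:
    name: certbot
    state: present
  tags:
    - install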
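- name: ensure certbot group exists
  group:
    name: certbot
    # A system group (low GID) for the unprivileged account certbot runs as.
    system: true
  tags:
    - group
    - user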
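- name: ensure certbot user exists
  user:
    name: certbot
    group: certbot
    system: true
    home: /var/lib/letsencrypt
    # The home directory is created by the "data directory" task in this
    # file so that its mode and ownership are set explicitly rather than
    # taken from useradd defaults.
    createhome: false
    state: present
  tags:
    - user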
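- name: ensure certbot data directory exists
  file:
    path: /var/lib/letsencrypt
    # Quoted so the octal literal is passed as a string, not the integer 493.
    # 0755 lets other local users traverse this tree; protection of the key
    # material under live/ and archive/ relies on the modes certbot applies
    # to those subdirectories itself (not managed here) — worth confirming
    # on a provisioned host.
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory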
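- name: ensure certbot accounts directory exists
  file:
    path: /var/lib/letsencrypt/accounts
    # The ACME account private key lives below this directory. 0700 keeps it
    # readable by the certbot user only, regardless of the file modes carried
    # inside a restored account archive.
    mode: "0700"
    owner: certbot
    group: certbot
    state: directory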
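- name: ensure certbot log directory exists
  file:
    path: /var/log/letsencrypt
    # certbot runs as its own user (see the command tasks below), so it needs
    # to own its log directory rather than write to root-owned /var/log.
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory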
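- name: ensure certbot webroot directory exists
  file:
    path: /var/www/certbot
    # Challenge files are written here by the certbot user and served by
    # httpd (presumably via the copied certbot.httpd.conf — confirm), so the
    # directory must be world-readable and traversable.
    mode: "0755"
    owner: certbot
    group: certbot
    state: directory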
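- name: ensure apache is configured for certbot
  copy:
    src: certbot.httpd.conf
    dest: /etc/httpd/conf.d/certbot.conf
    mode: "0644"
  # The "reload httpd" handler is expected to be defined in the role's
  # handlers, not in this file.
  notify: reload httpd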
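- name: ensure letsencrypt account data are installed
  # Extract as the certbot user so the restored files are owned by it and
  # stay inside the 0700 accounts directory created above.
  become: true
  become_user: certbot
  unarchive:
    src: "{{ item }}"
    dest: /var/lib/letsencrypt/accounts/
  # Matches files/accounts/<inventory_hostname>.tar.xz inside the role. With
  # no matching archive the loop is empty and this task is skipped, leaving
  # the register task below to create a fresh account. The archive contains
  # the ACME account private key: restrict who can read the role's
  # files/accounts directory and keep it out of plain-text version control.
  with_fileglob: "accounts/{{ inventory_hostname }}.tar.xz"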
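- name: ensure letsencrypt account is registered
  become: true
  become_user: certbot
  # Folded scalar: the lines join with spaces into a single command line.
  command: >-
    certbot register --config-dir /var/lib/letsencrypt
    --agree-tos --email {{ certbot_account_email }}
  args:
    # Skipped once an account directory exists, whether restored from an
    # archive by the task above or created by an earlier run. certbot names
    # this directory after the ACME server it registered with, so a restored
    # archive whose top-level directory has a different name would not be
    # detected here and a second account would be registered — confirm the
    # archive layout matches this path.
    creates: /var/lib/letsencrypt/accounts/acme-v01.api.letsencrypt.org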
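- name: ensure certbot certificate exists
  become: true
  become_user: certbot
  # Folded scalar is templated before shlex splitting, so the Jinja loop
  # expands to one "-d <domain>" pair per entry of certbot_domains.
  command: >-
    certbot certonly --config-dir /var/lib/letsencrypt
    --webroot --webroot-path /var/www/certbot
    {% for domain in certbot_domains %}
    -d {{ domain }}
    {% endfor %}
  args:
    # certbot names the lineage after the first -d domain. An empty
    # certbot_domains list makes this lookup fail at template time rather
    # than producing a certbot call with no domains.
    creates: /var/lib/letsencrypt/live/{{ certbot_domains[0] }}/fullchain.pem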
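- name: ensure certbot service is configured
  template:
    src: certbot.sysconfig.j2
    dest: /etc/sysconfig/certbot
    # Rendered world-readable (presumably consumed by the certbot-renew unit
    # enabled below — confirm), so the template must not carry secrets.
    mode: "0644"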
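- name: ensure certbot timer is enabled
  service:
    name: certbot-renew.timer
    # Boolean written canonically; the k=v form "enabled=yes" relied on
    # Ansible's truthy coercion.
    enabled: true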
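- name: ensure certbot timer is started
  service:
    name: certbot-renew.timer
    # Kept separate from the enable task above so enable and start are each
    # reported as their own change.
    state: started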