Infrastructure/ansible
1
0
Fork 0
Code Issues Pull requests 6 Projects Releases Packages Wiki Activity Actions
ansible/roles/copr/certbot/tasks/letsencrypt.yml
Ryan Lerch 3c41882bb0 ansiblelint fixes - fqcn[action-core] - shell to ansible.builtin.shell 
Replaces references to shell: with ansible.builtin.shell

Signed-off-by: Ryan Lerch <rlerch@redhat.com>
2025-01-15 11:29:10 +10:00

150 lines
4.2 KiB
YAML
Raw Blame History

---
- set_fact:
le_source_path: /etc/letsencrypt
# https://pagure.io/fedora-infrastructure/issue/10524
le_backup_path: /srv/certbot-certs
tags:
- certbot
- name: Install certbot package
ansible.builtin.package: name=certbot state=present
tags:
- certbot
- name: Install certbot config
template: src=certbot.j2 dest=/etc/sysconfig/certbot
mode=0644
tags:
- certbot
- name: Install certbot deploy script
template: src={{ letsencrypt.predefined_deploy_script }}
dest=/usr/libexec/auto-certbot-deploy
mode=0755
when: letsencrypt.predefined_deploy_script is defined
tags:
- certbot
- name: Check whether we need to initialize letsencrypt first
stat: path="/etc/letsencrypt/live/{{ item.key }}"
register: le_stat_checks
with_dict: "{{ letsencrypt.certificates }}"
tags:
- certbot
- name: Check if we already have the backup
delegate_to: localhost
stat:
path: "{{ le_backup_path }}/{{ (letsencrypt.certificates|dictsort)[0][0] }}"
register: le_stat_backup_dir
tags:
- certbot
- name: Restore the certificates from backup (backed up on batcave)
synchronize:
src: "{{ le_backup_path }}/{{ (letsencrypt.certificates|dictsort)[0][0] }}/"
dest: "{{ le_source_path }}"
mode: push
tags:
- certbot
when:
- not le_stat_checks.results[0].stat.exists
- le_stat_backup_dir.stat.exists
register: some_cert_restored
- name: Initialize certbot configuration
ansible.builtin.shell: |
certbot certonly --standalone \
-w {{ item.item.value.challenge_dir }} \
-d {{ item.item.value.domains | join(' -d ') }} \
--cert-name {{ item.item.key }} \
-m {{ item.item.value.mail }} \
--agree-tos \
-n >> /tmp/call
when:
- not item.stat.exists
- not some_cert_restored.changed
with_items: "{{ le_stat_checks.results }}"
tags:
- certbot
- name: Configure certbot to use webroot next time
ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
section=renewalparams
option=authenticator
value=webroot
with_items: "{{ le_stat_checks.results }}"
tags:
- certbot
- name: Configure certbot to use webroot next time
ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
section=renewalparams
option=webroot_path
value="{{ item.item.value.challenge_dir }}"
with_items: "{{ le_stat_checks.results }}"
tags:
- certbot
- name: Post init script
ansible.builtin.shell: |
/usr/libexec/auto-certbot-deploy \
--init {{ item.item.key }}
when:
- letsencrypt.predefined_deploy_script is defined
- not item.stat.exists
with_items: "{{ le_stat_checks.results }}"
tags:
- certbot
- name: Automatize cert renewal
service:
name: certbot-renew.timer
state: started
enabled: yes
tags:
- certbot
# When we do 'systemctl restart', lighttpd is initially started as "root"
# process (when the config is loaded) and later it does setuid(lighttpd).
# So "restart" is just fine. Though we also do 'killall -HUP lighttpd' in
# several occasions and then 'lighttpd' user needs to have the access. See the
# following issues:
# https://pagure.io/copr/copr/issue/2001 Resolves:
# https://pagure.io/fedora-infrastructure/issue/10391
- name: Allow lighttpd to step into certbots directories
acl:
path: "{{ item }}"
entity: lighttpd
etype: user
permissions: --x
state: present
with_items:
- /etc/letsencrypt/archive
- /etc/letsencrypt/live
when:
- letsencrypt.predefined_deploy_script is defined
- letsencrypt.predefined_deploy_script == 'lighttpd'
tags:
- certbot
- name: Prepare the certbot backup directory on batcave
delegate_to: localhost
ansible.builtin.file:
path: "{{ le_backup_path }}"
# nobody, except for root, can step into this directory (on batcave)
mode: "0700"
owner: root
group: root
state: directory
tags:
certbot
- name: Backup the letsencrypt certs to batcave directory
synchronize:
src: "{{ le_source_path }}/"
dest: "{{ le_backup_path }}/{{ item.key }}"
mode: pull
with_dict: "{{ letsencrypt.certificates }}"
tags:
- certbot
Reference in a new issue View git blame Copy permalink