status-im/infra-role-certbot
2
0
Fork 0
mirror of https://github.com/status-im/infra-role-certbot.git synced 2025-02-18 13:57:07 +00:00
Code Issues Projects Releases Wiki Activity

refactor to drop non-ubuntu OSes, use systemd timer

Browse Source 
Signed-off-by: Jakub Sokołowski <jakub@status.im>
This commit is contained in:
Jakub Sokołowski 2021-05-13 13:14:58 +02:00
parent fdba1c4352
commit 3d76806282
No known key found for this signature in database
GPG Key ID: 4EF064D0E6D63020
28 changed files with 79 additions and 768 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

3
.ansible-lint
View File

@ -1,3 +0,0 @@
skip_list:
- 'yaml'
- 'role-name'

4
.github/FUNDING.yml vendored
View File

@ -1,4 +0,0 @@
# These are supported funding model platforms
---
github: geerlingguy
patreon: geerlingguy

56
.github/stale.yml vendored
View File

@ -1,56 +0,0 @@
# Configuration for probot-stale - https://github.com/probot/stale
# Number of days of inactivity before an Issue or Pull Request becomes stale
daysUntilStale: 90
# Number of days of inactivity before an Issue or Pull Request with the stale label is closed.
# Set to false to disable. If disabled, issues still need to be closed manually, but will remain marked as stale.
daysUntilClose: 30
# Only issues or pull requests with all of these labels are check if stale. Defaults to `[]` (disabled)
onlyLabels: []
# Issues or Pull Requests with these labels will never be considered stale. Set to `[]` to disable
exemptLabels:
- pinned
- security
- planned
# Set to true to ignore issues in a project (defaults to false)
exemptProjects: false
# Set to true to ignore issues in a milestone (defaults to false)
exemptMilestones: false
# Set to true to ignore issues with an assignee (defaults to false)
exemptAssignees: false
# Label to use when marking as stale
staleLabel: stale
# Limit the number of actions per hour, from 1-30. Default is 30
limitPerRun: 30
pulls:
markComment: |-
This pull request has been marked 'stale' due to lack of recent activity. If there is no further activity, the PR will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark pull requests as stale.
unmarkComment: >-
This pull request is no longer marked for closure.
closeComment: >-
This pull request has been closed due to inactivity. If you feel this is in error, please reopen the pull request or file a new PR with the relevant details.
issues:
markComment: |-
This issue has been marked 'stale' due to lack of recent activity. If there is no further activity, the issue will be closed in another 30 days. Thank you for your contribution!
Please read [this blog post](https://www.jeffgeerling.com/blog/2020/enabling-stale-issue-bot-on-my-github-repositories) to see the reasons why I mark issues as stale.
unmarkComment: >-
This issue is no longer marked for closure.
closeComment: >-
This issue has been closed due to inactivity. If you feel this is in error, please reopen the issue or file a new issue with the relevant details.

85
.github/workflows/ci.yml vendored
View File

@ -1,85 +0,0 @@
---
name: CI
'on':
pull_request:
push:
branches:
- master
schedule:
- cron: "30 2 * * 0"
defaults:
run:
working-directory: 'geerlingguy.certbot'
jobs:
lint:
name: Lint
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install yamllint
- name: Lint code.
run: |
yamllint .
molecule:
name: Molecule
runs-on: ubuntu-latest
strategy:
matrix:
include:
- distro: centos8
playbook: converge.yml
experimental: false
- distro: centos7
playbook: converge.yml
experimental: false
- distro: ubuntu1804
playbook: converge.yml
experimental: false
- distro: debian10
playbook: converge.yml
experimental: false
- distro: centos7
playbook: playbook-source-install.yml
experimental: false
- distro: centos7
playbook: playbook-snap-install.yml
experimental: true
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install test dependencies.
run: pip3 install ansible molecule[docker] docker
- name: Run Molecule tests.
run: molecule test
continue-on-error: ${{ matrix.experimental }}
env:
PY_COLORS: '1'
ANSIBLE_FORCE_COLOR: '1'
MOLECULE_DISTRO: ${{ matrix.distro }}
MOLECULE_PLAYBOOK: ${{ matrix.playbook }}

38
.github/workflows/release.yml vendored
View File

@ -1,38 +0,0 @@
---
# This workflow requires a GALAXY_API_KEY secret present in the GitHub
# repository or organization.
#
# See: https://github.com/marketplace/actions/publish-ansible-role-to-galaxy
# See: https://github.com/ansible/galaxy/issues/46
name: Release
'on':
push:
tags:
- '*'
defaults:
run:
working-directory: 'geerlingguy.certbot'
jobs:
release:
name: Release
runs-on: ubuntu-latest
steps:
- name: Check out the codebase.
uses: actions/checkout@v2
with:
path: 'geerlingguy.certbot'
- name: Set up Python 3.
uses: actions/setup-python@v2
with:
python-version: '3.x'
- name: Install Ansible.
run: pip3 install ansible-base
- name: Trigger a new import on Galaxy.
run: ansible-galaxy role import --api-key ${{ secrets.GALAXY_API_KEY }} $(echo ${{ github.repository }} | cut -d/ -f1) $(echo ${{ github.repository }} | cut -d/ -f2)

10
.yamllint
View File

@ -1,10 +0,0 @@
---
extends: default
rules:
line-length:
max: 120
level: warning
ignore: |
.github/stale.yml

144
README.md
View File

@ -1,143 +1,45 @@
# Ansible Role: Certbot (for Let's Encrypt)
[![CI](https://github.com/geerlingguy/ansible-role-certbot/workflows/CI/badge.svg?event=push)](https://github.com/geerlingguy/ansible-role-certbot/actions?query=workflow%3ACI)
# Description
Installs and configures Certbot (for Let's Encrypt).
## Requirements
# Requirements
If installing from source, Git is required. You can install Git using the `geerlingguy.git` role.
Generally, installing from source (see section `Source Installation from Git`) leads to a better experience using Certbot and Let's Encrypt, especially if you're using an older OS release.
## Role Variables
certbot_install_method: package
# Configuration
Controls how Certbot is installed. Available options are 'package', 'snap', and 'source'.
certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade"
By default, this role configures a cron job to run under the provided user account at the given hour and minute, every day. The defaults run `certbot renew` (or `certbot-auto renew`) via cron every day at 03:30:00 by the user you use in your Ansible playbook. It's preferred that you set a custom user/hour/minute so the renewal is during a low-traffic period and done by a non-root user account.
### Automatic Certificate Generation
Currently there is one built-in method for generating new certificates using this role: `standalone`. Other methods (e.g. using nginx or apache and a webroot) may be added in the future.
**For a complete example**: see the fully functional test playbook in [molecule/default/playbook-standalone-nginx-aws.yml](molecule/default/playbook-standalone-nginx-aws.yml).
certbot_create_if_missing: false
certbot_create_method: standalone
Set `certbot_create_if_missing` to `yes` or `True` to let this role generate certs. Set the method used for generating certs with the `certbot_create_method` variable—current allowed values include: `standalone`.
certbot_admin_email: email@example.com
```yaml
certbot_admin_email: 'admin@example.org'
certbot_auto_renew: true
certbot_auto_renew_user: 'www-data'
certbot_auto_renew_frequency: 'daily'
certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_certs:
- domains: 'something.example.org'
```
The email address used to agree to Let's Encrypt's TOS and subscribe to cert-related notifications. This should be customized and set to an email address that you or your organization regularly monitors.
certbot_certs: []
# - email: janedoe@example.com
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
By default, this role configures a systemd timer to run under the provided user every day. The defaults run `certbot renew` (or `certbot-auto renew`). The account used should be a non-root account.
A list of domains (and other data) for which certs should be generated. You can add an `email` key to any list item to override the `certbot_admin_email`.
certbot_create_command: "{{ certbot_script }} certonly --standalone --noninteractive --agree-tos --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }}"
The `certbot_create_command` defines the command used to generate the cert.
#### Standalone Certificate Generation
certbot_create_standalone_stop_services:
- nginx
Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. If you're running Apache, set this to `apache2` (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something else on port 80 (e.g. Varnish, a Java app, or something else), add it to the list so it is stopped when the certificate is generated.
# Standalone Certificate Generation
Services that should be stopped while `certbot` runs it's own standalone server on ports 80 and 443. Other valid values might be `apache2`, or any other serivce that might use these ports.
```yaml
certbot_create_standalone_stop_services:
- nginx
```
These services will only be stopped the first time a new cert is generated.
### Snap Installation
Beginning in December 2020, the Certbot maintainers decided to recommend installing Certbot from Snap rather than maintain scripts like `certbot-auto`.
Setting `certbot_install_method: snap` configures this role to install Certbot via Snap.
This install method is currently experimental and may or may not work across all Linux distributions.
### Source Installation from Git
You can install Certbot from it's Git source repository if desired with `certbot_install_method: source`. This might be useful in several cases, but especially when older distributions don't have Certbot packages available (e.g. CentOS < 7, Ubuntu < 16.10 and Debian < 8).
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: true
Certbot Git repository options. If installing from source, the configured `certbot_repo` is cloned, respecting the `certbot_version` setting. If `certbot_keep_updated` is set to `yes`, the repository is updated every time this role runs.
certbot_dir: /opt/certbot
The directory inside which Certbot will be cloned.
### Wildcard Certificates
Let's Encrypt supports [generating wildcard certificates](https://community.letsencrypt.org/t/acme-v2-and-wildcard-certificate-support-is-live/55579), but the process for generating and using them is slightly more involved. See comments in [this pull request](https://github.com/geerlingguy/ansible-role-certbot/pull/60#issuecomment-423919284) for an example of how to use this role to maintain wildcard certs.
Michael Porter also has a walkthrough of [Creating A Lets Encrypt Wildcard Cert With Ansible](https://www.michaelpporter.com/2018/09/creating-a-wildcard-cert-with-ansible/), specifically with Cloudflare.
## Dependencies
None.
## Example Playbook
- hosts: servers
vars:
certbot_auto_renew_user: your_username_here
certbot_auto_renew_minute: "20"
certbot_auto_renew_hour: "5"
roles:
- geerlingguy.certbot
See other examples in the `tests/` directory.
### Manually creating certificates with certbot
_Note: You can have this role automatically generate certificates; see the "Automatic Certificate Generation" documentation above._
You can manually create certificates using the `certbot` (or `certbot-auto`) script (use `letsencrypt` on Ubuntu 16.04, or use `/opt/certbot/certbot-auto` if installing from source/Git. Here are some example commands to configure certificates with Certbot:
# Automatically add certs for all Apache virtualhosts (use with caution!).
certbot --apache
# Generate certs, but don't modify Apache configuration (safer).
certbot --apache certonly
If you want to fully automate the process of adding a new certificate, but don't want to use this role's built in functionality, you can do so using the command line options to register, accept the terms of service, and then generate a cert using the standalone server:
1. Make sure any services listening on ports 80 and 443 (Apache, Nginx, Varnish, etc.) are stopped.
2. Register with something like `certbot register --agree-tos --email [your-email@example.com]`
- Note: You won't need to do this step in the future, when generating additional certs on the same server.
3. Generate a cert for a domain whose DNS points to this server: `certbot certonly --noninteractive --standalone -d example.com -d www.example.com`
4. Re-start whatever was listening on ports 80 and 443 before.
5. Update your webserver's virtualhost TLS configuration to point at the new certificate (`fullchain.pem`) and private key (`privkey.pem`) Certbot just generated for the domain you passed in the `certbot` command.
6. Reload or restart your webserver so it uses the new HTTPS virtualhost configuration.
### Certbot certificate auto-renewal
By default, this role adds a cron job that will renew all installed certificates once per day at the hour and minute of your choosing.
# Certbot certificate auto-renewal
You can test the auto-renewal (without actually renewing the cert) with the command:
/opt/certbot/certbot-auto renew --dry-run
```sh
/opt/certbot/certbot renew --dry-run
```
See full documentation and options on the [Certbot website](https://certbot.eff.org/).
## License

29
defaults/main.yml
View File

@ -1,39 +1,28 @@
---
# Certbot auto-renew cron job configuration (for certificate renewals).
certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade"
certbot_auto_renew_user: 'www-data'
certbot_auto_renew_frequency: 'daily'
certbot_auto_renew_timeout_sec: 120
certbot_auto_renew_options: '--quiet --no-self-upgrade'
# Parameters used when creating new Certbot certs.
certbot_create_if_missing: false
certbot_create_method: standalone
certbot_admin_email: email@example.com
certbot_admin_email: 'email@example.com'
certbot_certs: []
# - email: janedoe@example.com
# domains:
# - domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
certbot_create_command: >-
{{ certbot_script }} certonly --standalone --noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }}
certbot certonly --standalone --noninteractive --agree-tos
--email {{ certbot_admin_email }}
-d {{ cert_item.domains | join(',') }}
certbot_create_standalone_stop_services:
- nginx
# - apache
# - varnish
# Available options: 'package', 'snap', 'source'.
certbot_install_method: 'package'
# Source install configuration.
certbot_repo: https://github.com/certbot/certbot.git
certbot_version: master
certbot_keep_updated: true
# Where to put Certbot when installing from source.
certbot_dir: /opt/certbot

11
meta/main.yml
View File

@ -9,19 +9,16 @@ galaxy_info:
license: "license (BSD, MIT)"
min_ansible_version: 2.4
platforms:
- name: EL
versions:
- 7
- 8
- name: Fedora
versions:
- all
- name: Ubuntu
versions:
- all
- name: Debian
versions:
- all
dependencies:
- name: systemd-timer
src: git+git@github.com:status-im/infra-role-systemd-timer.git
scm: git
galaxy_tags:
- networking
- system

28
molecule/default/converge.yml
View File

@ -1,28 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum:
name:
- cronie
- epel-release
state: present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.certbot

17
molecule/default/molecule.yml
View File

@ -1,17 +0,0 @@
---
dependency:
name: galaxy
driver:
name: docker
platforms:
- name: instance
image: "geerlingguy/docker-${MOLECULE_DISTRO:-centos7}-ansible:latest"
command: ${MOLECULE_DOCKER_COMMAND:-""}
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup:ro
privileged: true
pre_build_image: true
provisioner:
name: ansible
playbooks:
converge: ${MOLECULE_PLAYBOOK:-converge.yml}

26
molecule/default/playbook-snap-install.yml
View File

@ -1,26 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_install_method: 'snap'
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install cron (RedHat).
yum: name=cronie state=present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.git
- geerlingguy.certbot

26
molecule/default/playbook-source-install.yml
View File

@ -1,26 +0,0 @@
---
- name: Converge
hosts: all
become: true
vars:
certbot_install_method: 'source'
certbot_auto_renew_user: root
pre_tasks:
- name: Update apt cache.
apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install cron (RedHat).
yum: name=cronie state=present
when: ansible_os_family == 'RedHat'
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.git
- geerlingguy.certbot

180
molecule/default/playbook-standalone-nginx-aws.yml
View File

@ -1,180 +0,0 @@
---
# To run:
# 1. Ensure Ansible and Boto are installed (pip install ansible boto).
# 2. Ensure you have AWS credentials stored where Boto can find them, and they
# are under the profile 'mm'.
# 3. Ensure you have a pubkey available at ~/.ssh/id_rsa.pub.
# 3. Run the playbook: ansible-playbook test-standalone-nginx-aws.yml
# Play 1: Provision EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: false
tasks:
- name: Configure EC2 Security Group.
ec2_group:
profile: mm
name: certbot_test_http
description: HTTP security group for Certbot testing.
region: "us-east-1"
state: present
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 443
to_port: 443
cidr_ip: 0.0.0.0/0
- proto: tcp
from_port: 22
to_port: 22
cidr_ip: 0.0.0.0/0
rules_egress: []
- name: Add EC2 Key Pair.
ec2_key:
profile: mm
region: "us-east-1"
name: certbot_test
key_material: "{{ item }}"
with_file:
- ~/.ssh/id_rsa.pub
- name: Provision EC2 instance.
ec2:
profile: mm
key_name: certbot_test
instance_tags:
Name: "certbot-standalone-nginx-test"
group: ['default', 'certbot_test_http']
instance_type: t2.micro
# CentOS Linux 7 x86_64 HVM EBS
image: ami-02e98f78
region: "us-east-1"
wait: true
wait_timeout: 500
exact_count: 1
count_tag:
Name: "certbot-standalone-nginx-test"
register: created_instance
- name: Add A record for the new EC2 instance IP in Route53.
route53:
profile: mm
command: create
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
value: "{{ created_instance.tagged_instances.0.public_ip }}"
wait: true
overwrite: true
- name: Add EC2 instance to inventory groups.
add_host:
name: "certbot-test.servercheck.in"
groups: "aws,aws_nginx"
ansible_ssh_user: centos
host_key_checking: false
when: created_instance.tagged_instances.0.id is defined
# Play 2: Configure EC2 instance with Certbot and Nginx.
- hosts: aws_nginx
gather_facts: true
become: true
vars:
certbot_admin_email: https@servercheck.in
certbot_create_if_missing: true
certbot_create_standalone_stop_services: []
certbot_certs:
- domains:
- certbot-test.servercheck.in
nginx_vhosts:
- listen: "443 ssl http2"
server_name: "certbot-test.servercheck.in"
root: "/usr/share/nginx/html"
index: "index.html index.htm"
state: "present"
template: "{{ nginx_vhost_template }}"
filename: "certbot_test.conf"
extra_parameters: |
ssl_certificate /etc/letsencrypt/live/certbot-test.servercheck.in/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/certbot-test.servercheck.in/privkey.pem;
ssl_protocols TLSv1.1 TLSv1.2;
ssl_ciphers HIGH:!aNULL:!MD5;
pre_tasks:
- name: Update apt cache.
apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian'
changed_when: false
- name: Install dependencies (RedHat).
yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat'
with_items:
- cronie
- epel-release
- name: Install cron (Debian).
apt: name=cron state=present
when: ansible_os_family == 'Debian'
roles:
- geerlingguy.certbot
- geerlingguy.nginx
tasks:
- name: Flush handlers in case any configs have changed.
meta: flush_handlers
- name: Test secure connection to SSL domain.
uri:
url: https://certbot-test.servercheck.in/
status_code: 200
delegate_to: localhost
become: false
# Play 3: Tear down EC2 instance and A record.
- hosts: localhost
connection: local
gather_facts: false
tasks:
- name: Destroy EC2 instance.
ec2:
profile: mm
instance_ids: ["{{ created_instance.tagged_instances.0.id }}"]
region: "us-east-1"
state: absent
wait: true
wait_timeout: 500
- name: Delete Security Group.
ec2_group:
profile: mm
name: certbot_test_http
region: "us-east-1"
state: absent
- name: Delete Key Pair.
ec2_key:
profile: mm
name: certbot_test
region: "us-east-1"
state: absent
- name: Delete Route53 record.
route53:
profile: mm
state: delete
zone: servercheck.in
record: certbot-test.servercheck.in
type: A
ttl: 300
# See: https://github.com/ansible/ansible/pull/32297
value: []

3
molecule/default/requirements.yml
View File

@ -1,3 +0,0 @@
---
- src: geerlingguy.git
- src: geerlingguy.nginx

23
tasks/create-cert-standalone.yml
View File

@ -1,23 +0,0 @@
---
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem
register: letsencrypt_cert
- name: Stop services to allow certbot to generate a cert.
service:
name: "{{ item }}"
state: stopped
when: not letsencrypt_cert.stat.exists
with_items: "{{ certbot_create_standalone_stop_services }}"
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists
- name: Start services after cert has been generated.
service:
name: "{{ item }}"
state: started
when: not letsencrypt_cert.stat.exists
with_items: "{{ certbot_create_standalone_stop_services }}"

22
tasks/create.yml Normal file
View File

@ -0,0 +1,22 @@
---
- name: Check if certificate already exists.
stat:
path: '/etc/letsencrypt/live/{{ cert_item.domains | first | replace("*.", "") }}/cert.pem'
register: letsencrypt_cert
- when: not letsencrypt_cert.stat.exists
block:
- name: Stop services to allow certbot to generate a cert.
service:
name: '{{ item }}'
state: stopped
with_items: "{{ certbot_create_standalone_stop_services }}"
- name: Generate new certificate if one doesn't exist.
command: '{{ certbot_create_command }}'
- name: Start services after cert has been generated.
service:
name: '{{ item }}'
state: started
with_items: '{{ certbot_create_standalone_stop_services }}'

8
tasks/include-vars.yml
View File

@ -1,8 +0,0 @@
---
- name: Load a variable file based on the OS type, or a default if not found.
include_vars: "{{ item }}"
with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml"
- "{{ ansible_distribution }}.yml"
- "{{ ansible_os_family }}.yml"
- "default.yml"

17
tasks/install-from-source.yml
View File

@ -1,17 +0,0 @@
---
- name: Clone Certbot into configured directory.
git:
repo: "{{ certbot_repo }}"
dest: "{{ certbot_dir }}"
version: "{{ certbot_version }}"
update: "{{ certbot_keep_updated }}"
force: true
- name: Set Certbot script variable.
set_fact:
certbot_script: "{{ certbot_dir }}/certbot-auto"
- name: Ensure certbot-auto is executable.
file:
path: "{{ certbot_script }}"
mode: 0755

7
tasks/install-with-package.yml
View File

@ -1,7 +0,0 @@
---
- name: Install Certbot.
package: "name={{ certbot_package }} state=present"
- name: Set Certbot script variable.
set_fact:
certbot_script: "{{ certbot_package }}"

38
tasks/install-with-snap.yml
View File

@ -1,38 +0,0 @@
---
- name: Ensure snapd is installed.
package:
name: snapd
state: present
register: snapd_install
- name: Ensure snapd is enabled.
systemd:
name: snapd.socket
enabled: true
- name: Enable classic snap support.
file:
src: /var/lib/snapd/snap
dest: /snap
state: link
- name: Update snap after install.
shell: snap install core; snap refresh core
changed_when: true
failed_when: false
when: snapd_install is changed
- name: Install certbot via snap.
snap:
name: certbot
classic: true
- name: Symlink certbot into place.
file:
src: /snap/bin/certbot
dest: /usr/bin/certbot
state: link
- name: Set Certbot script variable.
set_fact:
certbot_script: /usr/bin/certbot

4
tasks/install.yml Normal file
View File

@ -0,0 +1,4 @@
---
- name: Install Certbot.
package:
name: certbot

23
tasks/main.yml
View File

@ -1,25 +1,10 @@
---
- import_tasks: include-vars.yml
- import_tasks: install.yml
- import_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat'
- import_tasks: install-with-package.yml
when: certbot_install_method == 'package'
- import_tasks: install-with-snap.yml
when: certbot_install_method == 'snap'
- import_tasks: install-from-source.yml
when: certbot_install_method == 'source'
- include_tasks: create-cert-standalone.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'standalone'
- include_tasks: create.yml
with_items: '{{ certbot_certs }}'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml
- import_tasks: renew.yml
when: certbot_auto_renew

8
tasks/renew-cron.yml
View File

@ -1,8 +0,0 @@
---
- name: Add cron job for certbot renewal (if configured).
cron:
name: Certbot automatic renewal.
job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}"
minute: "{{ certbot_auto_renew_minute }}"
hour: "{{ certbot_auto_renew_hour }}"
user: "{{ certbot_auto_renew_user }}"

13
tasks/renew.yml Normal file
View File

@ -0,0 +1,13 @@
---
- name: Create certbot renewal timer
include_role: name=systemd-timer
vars:
systemd_timer_name: 'certbot-renew'
systemd_timer_description: 'LetsEncrypt certificate renewal via certbot.'
systemd_timer_user: '{{ certbot_auto_renew_user }}'
systemd_timer_work_dir: '{{ certbot_dir }}'
systemd_timer_frequency: '{{ certbot_auto_renew_frequency }}'
systemd_timer_timeout_sec: '{{ certbot_auto_renew_timeout_sec }}'
systemd_timer_start_on_creation: false
systemd_timer_script_path: '/usr/bin/certbot'
systemd_timer_script_args: 'renew {{ certbot_auto_renew_options }}'

20
tasks/setup-RedHat.yml
View File

@ -1,20 +0,0 @@
---
# See: https://github.com/geerlingguy/ansible-role-certbot/issues/107
- block:
- name: Ensure dnf-plugins are installed on CentOS 8+.
yum:
name: dnf-plugins-core
state: present
- name: Enable DNF module for CentOS 8+.
shell: |
dnf config-manager --set-enabled powertools
args:
warn: false
register: dnf_module_enable
changed_when: false
when:
- ansible_distribution == 'CentOS'
- ansible_distribution_major_version | int >= 8

2
vars/Ubuntu-16.04.yml
View File

@ -1,2 +0,0 @@
---
certbot_package: letsencrypt

2
vars/default.yml
View File

@ -1,2 +0,0 @@
---
certbot_package: certbot