113 lines
3.1 KiB
YAML
113 lines
3.1 KiB
YAML
---
|
|
- name: Install dependencies
|
|
become: yes
|
|
apt:
|
|
pkg:
|
|
- oathtool
|
|
|
|
- name: Determine if acme.sh is installed
|
|
become: yes
|
|
stat:
|
|
path: "~/.acme.sh/acme.sh"
|
|
register: is_acme_sh_installed
|
|
|
|
- name: Get acme.sh Installer
|
|
become: yes
|
|
get_url:
|
|
url: https://get.acme.sh
|
|
dest: /tmp/acme.sh
|
|
mode: "0700"
|
|
when: not is_acme_sh_installed.stat.exists
|
|
|
|
- name: Install acme.sh
|
|
become: yes
|
|
command: "sh /tmp/acme.sh email={{ acme_email }}"
|
|
when: not is_acme_sh_installed.stat.exists
|
|
|
|
- name: Upgrade acme.sh
|
|
become: yes
|
|
command:
|
|
cmd: ./acme.sh --upgrade
|
|
chdir: ~/.acme.sh
|
|
when: is_acme_sh_installed.stat.exists
|
|
register: upgrade_result
|
|
changed_when: upgrade_result.rc == 0 and "Upgrade success" in upgrade_result.stdout and not "Already uptodate" in upgrade_result.stdout
|
|
|
|
- name: Hash config file
|
|
become: yes
|
|
command:
|
|
chdir: ~/.acme.sh
|
|
cmd: sha1sum account.conf
|
|
register: _account_conf_hash_before
|
|
changed_when: false
|
|
|
|
- name: Enable acme.sh logs
|
|
become: yes
|
|
shell:
|
|
cmd: ./acme.sh --update-account --log /root/.acme.sh/acme.sh.log && sha1sum account.conf
|
|
chdir: ~/.acme.sh
|
|
register: _account_conf_update
|
|
changed_when: '_account_conf_hash_before.stdout not in _account_conf_update.stdout'
|
|
|
|
- name: Issue certificates
|
|
become: yes
|
|
command:
|
|
cmd: ./acme.sh --issue -d {{ item.name }} -d '*.{{ item.name }}' --dns dns_{{ item.dns_provider }}
|
|
chdir: ~/.acme.sh
|
|
environment:
|
|
INWX_User: "{{ inwx_user }}"
|
|
INWX_Password: "{{ inwx_pass }}"
|
|
GANDI_LIVEDNS_KEY: "{{ gandi_livedns_key }}"
|
|
loop: "{{ domains }}"
|
|
register: cert_result
|
|
changed_when: cert_result.rc == 0 and "Cert success." in cert_result.stdout
|
|
failed_when:
|
|
- "'Domains not changed' not in cert_result.stdout"
|
|
- "'Cert success.' not in cert_result.stdout"
|
|
|
|
- name: Make sure certs dir exists
|
|
become: yes
|
|
file:
|
|
path: "{{ certs_dir }}/{{ item.name }}"
|
|
state: directory
|
|
mode: "0755"
|
|
loop: "{{ domains }}"
|
|
|
|
- name: Place nginx reload command to cert reload script
|
|
become: yes
|
|
lineinfile:
|
|
path: "/usr/local/bin/cert_reload_{{ item.name }}.sh"
|
|
line: "systemctl reload nginx"
|
|
create: yes
|
|
owner: root
|
|
group: root
|
|
mode: 0700
|
|
loop: "{{ domains }}"
|
|
|
|
- name: Install certificates
|
|
become: yes
|
|
command:
|
|
cmd: ./acme.sh --install-cert -d "{{ item.name }}" --key-file "{{ certs_dir }}/{{ item.name }}/key.pem" --fullchain-file "{{ certs_dir }}/{{ item.name }}/cert.pem" --reloadcmd "/usr/local/bin/cert_reload_{{ item.name }}.sh"
|
|
chdir: ~/.acme.sh
|
|
loop: "{{ domains }}"
|
|
loop_control:
|
|
index_var: domains_index
|
|
register: install_cert_result
|
|
changed_when: cert_result.results[domains_index].changed
|
|
failed_when: install_cert_result.rc != 0 and "Reload error for" not in install_cert_result.stderr
|
|
|
|
- name: Place monitoring script
|
|
become: yes
|
|
copy:
|
|
src: files/certificate-validity.sh
|
|
dest: /root/.acme.sh/certificate-validity.sh
|
|
mode: 0700
|
|
|
|
- name: Ensure monitoring data is updated
|
|
become: yes
|
|
cron:
|
|
name: "Update monitoring data each minute"
|
|
minute: "*/10"
|
|
hour: "*"
|
|
job: "/root/.acme.sh/certificate-validity.sh"
|