cerbot role

README.md

@@ -0,0 +1,53 @@
+# Certbot ansible role
+
+Install certbot for debian and request certificats.
+
+This role is part of my ansible roles. It is made to interact with other roles that are listed here, and require some variables.
+
+In particular, the `nginx` role allows to proxy the request from a machine cut from the internet to the LE server.
+
+## Role required:
+
+- `nginx`: https://gitea.auro.re/Pains-Perdus/nginx.git
+
+## Variable required:
+
+```
+ip_LE_proxy: str, optionnal, the IP of the proxy to LE
+certbot_certs:
+  `domaine_name`:
+    links: str[], list of links pointing to the certificate/key (the keychain link will be suffixed by `.crt`, the key by `.key`)
+    hooks: str[], optional, list of commands to run after renewing the certificat
+```
+
+`certbot_certs` is a dictionnary, where the keys are the domaine names for the certificates.
+
+## Optionnal variables
+
+```
+http_sites: dictionnary of sites, used by the nginx role
+```
+
+## Add role to you ansible playbook:
+
+To add this role to your project, you can use git submodules: 
+
+```
+git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/certbot.git roles/certbot
+git submodule init
+```
+
+## Http Sites
+
+The variable `http_sites` is a dictionnary of the http site managed by nginx. The additionnal (and optionnal) field `use_certbot` can be added to the variable of a site so that certbot generat its certificate.
+
+```
+http_sites:
+  `server_name`:
+    ...
+    use_certbot: bool, optionnal (default false), if set to true, add an entry to `certbot_certs` automagically.
+```
+
+## Copyright
+
+Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>

meta/main.yml

@@ -0,0 +1,2 @@
+dependencies:
+  - role: nginx

tasks/main.yml

@@ -0,0 +1,49 @@
+---
+- name: Install certbot
+  apt:
+    update_cache: true
+    name: certbot
+    state: latest
+
+- name: Add LE proxy to /etc/host
+  lineinfile:
+    path: /etc/hosts
+    line: "{{ ip_LE_proxy }}    {{ item }}"
+    insertafter: "# Ansible managed:"
+    search_string: "{{ item }}"
+  when: ip_LE_proxy is defined
+  loop:
+    - "acme-v02.api.letsencrypt.org"
+    - "r3.o.lencr.org"
+
+- name: Collect certificate
+  set_fact:
+    all_certbot_certs: "{{ certbot_certs | default({}) }}"
+
+- name: Collect certificate for nginx website
+  set_fact:
+    all_certbot_certs: "{{ all_certbot_certs | combine({item: {'links': ['/etc/nginx/certs/'+item],'hooks': ['systemctl reload nginx']}}) }}"
+  loop: "{{ http_sites | default({}) | dict2items | selectattr('value.use_cerbot', 'defined') | selectattr('value.use_cerbot', '==', True) | map(attribute='key')}}"
+
+- name: Create certificate links
+  file:
+    src: "/etc/letsencrypt/live/{{ item.0.key }}/fullchain.pem"
+    dest: "{{ item.1 }}.crt"
+    state: link
+    force: yes
+  loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
+
+- name: Create key links
+  file:
+    src: "/etc/letsencrypt/live/{{ item.0.key }}/privkey.pem"
+    dest: "{{ item.1 }}.key"
+    state: link
+    force: yes
+  loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
+
+- name: Generate Certificate for Domains
+  shell: "certbot certonly --agree-tos --register-unsafely-without-email --domain {{ item.key }} --non-interactive --webroot --webroot-path /var/www/well-known/acme-challenge {% if item.value.hooks is defined %}--post-hook '{{ item.value.hooks | join('; ') }}'{% endif %}"
+  args:
+    creates: "/etc/letsencrypt/live/{{ item.key }}/cert.pem"
+  loop: "{{ all_certbot_certs | dict2items }}"
+