certbot role

This commit is contained in:
histausse 2022-08-07 18:39:24 +02:00
commit d43588eecf
Signed by: histausse
GPG key ID: 67486F107F62E9E9
3 changed files with 104 additions and 0 deletions

53
README.md Normal file

@ -0,0 +1,53 @@
# Certbot ansible role
Install certbot for debian and request certificats.
This role is part of my ansible roles. It is made to interact with other roles that are listed here, and require some variables.
In particular, the `nginx` role allows to proxy the request from a machine cut from the internet to the LE server.
## Role required:
- `nginx`: https://gitea.auro.re/Pains-Perdus/nginx.git
## Variable required:
```
ip_LE_proxy: str, optionnal, the IP of the proxy to LE
certbot_certs:
`domaine_name`:
links: str[], list of links pointing to the certificate/key (the keychain link will be suffixed by `.crt`, the key by `.key`)
hooks: str[], optional, list of commands to run after renewing the certificat
```
`certbot_certs` is a dictionnary, where the keys are the domaine names for the certificates.
## Optionnal variables
```
http_sites: dictionnary of sites, used by the nginx role
```
## Add role to you ansible playbook:
To add this role to your project, you can use git submodules:
```
git submodule add ssh://git@gitea.auro.re:2222/Pains-Perdus/certbot.git roles/certbot
git submodule init
```
## Http Sites
The variable `http_sites` is a dictionnary of the http site managed by nginx. The additionnal (and optionnal) field `use_certbot` can be added to the variable of a site so that certbot generat its certificate.
```
http_sites:
`server_name`:
...
use_certbot: bool, optionnal (default false), if set to true, add an entry to `certbot_certs` automagically.
```
## Copyright
Copyright 2021 Jean-Marie Mineau <histausse@protonmail.com>
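Review bot: the README documents the per-site flag as `use_certbot`, but `tasks/main.yml` in this same commit filters on `value.use_cerbot`; pick one spelling and use it in both places, otherwise the documented flag has no effect. The rendered variable block also loses its nesting: `domaine_name` should be indented under `certbot_certs`, with `links` and `hooks` under it, the way the `http_sites` block is laid out. The `ip_LE_proxy` entry should state what the role does with it (it adds `/etc/hosts` lines pointing `acme-v02.api.letsencrypt.org` and `r3.o.lencr.org` at that IP), since that is a host-level change a user should expect. Spelling needs a pass throughout (`certificats`, `optionnal`, `dictionnary`, `domaine`, `additionnal`, `generat`, `you ansible playbook`), and `git submodule init` right after `git submodule add` is redundant; what someone cloning the playbook needs is `git submodule update --init`.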

2
meta/main.yml Normal file

@ -0,0 +1,2 @@
dependencies:
- role: nginx

49
tasks/main.yml Normal file

@ -0,0 +1,49 @@
---
- name: Install certbot
apt:
update_cache: true
name: certbot
state: latest
- name: Add LE proxy to /etc/host
lineinfile:
path: /etc/hosts
line: "{{ ip_LE_proxy }} {{ item }}"
insertafter: "# Ansible managed:"
search_string: "{{ item }}"
when: ip_LE_proxy is defined
loop:
- "acme-v02.api.letsencrypt.org"
- "r3.o.lencr.org"
- name: Collect certificate
set_fact:
all_certbot_certs: "{{ certbot_certs | default({}) }}"
- name: Collect certificate for nginx website
set_fact:
all_certbot_certs: "{{ all_certbot_certs | combine({item: {'links': ['/etc/nginx/certs/'+item],'hooks': ['systemctl reload nginx']}}) }}"
loop: "{{ http_sites | default({}) | dict2items | selectattr('value.use_cerbot', 'defined') | selectattr('value.use_cerbot', '==', True) | map(attribute='key')}}"
- name: Create certificate links
file:
src: "/etc/letsencrypt/live/{{ item.0.key }}/fullchain.pem"
dest: "{{ item.1 }}.crt"
state: link
force: yes
loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
- name: Create key links
file:
src: "/etc/letsencrypt/live/{{ item.0.key }}/privkey.pem"
dest: "{{ item.1 }}.key"
state: link
force: yes
loop: "{{ all_certbot_certs | dict2items | subelements('value.links', skip_missing=True) }}"
- name: Generate Certificate for Domains
shell: "certbot certonly --agree-tos --register-unsafely-without-email --domain {{ item.key }} --non-interactive --webroot --webroot-path /var/www/well-known/acme-challenge {% if item.value.hooks is defined %}--post-hook '{{ item.value.hooks | join('; ') }}'{% endif %}"
args:
creates: "/etc/letsencrypt/live/{{ item.key }}/cert.pem"
loop: "{{ all_certbot_certs | dict2items }}"
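Review bot: the `Collect certificate for nginx website` loop filters on `value.use_cerbot` while the README documents the flag as `use_certbot`, so no nginx site will ever have its certificate collected; fix the attribute name in both `selectattr` calls. In `Generate Certificate for Domains`, inventory-controlled values go straight into `shell` (`--domain {{ item.key }}` and `--post-hook '{{ item.value.hooks | join('; ') }}'`), so a domain or hook containing whitespace or a single quote breaks the command or escapes the quoting; prefer the `command` module with an `argv:` list (the `--post-hook` value then needs no shell quoting at all), or at least pass each value through the `quote` filter. `Create certificate links` and `Create key links` run before anything has been issued and use `force: yes`, so on a first run they replace whatever already sits at `{{ item.1 }}.crt` / `.key` with links that dangle until the generation task succeeds; if the nginx config already references those paths, nginx will refuse to reload in the meantime. Minor: `state: latest` on the apt task upgrades certbot on every run; `state: present` is the usual choice when the intent is just to have it installed.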