Externalize role

defaults/main.yml

@@ -0,0 +1,5 @@
+---
+certbot_authtype: http
+certbot_authservice: httpd
+certbot_certname: '{{ ansible_fqdn }}'
+

files/etc/letsencrypt/lexicon-gandi.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+. /etc/letsencrypt/gandi-api-keys
+
+if [ "$1" != "list" ]; then
+    NAME_VALUE="_acme-challenge.${CERTBOT_DOMAIN}"
+    CONTENT_VALUE="${CERTBOT_VALIDATION}"
+else
+    NAME_VALUE=""
+    CONTENT_VALUE=""
+fi
+
+/usr/bin/lexicon gandi \
+                       --auth-token="${AUTH_TOKEN}" \
+                       --name "${NAME_VALUE}" \
+                       --content "${CONTENT_VALUE}" \
+                       "$1" "${CERTBOT_DOMAIN}" TXT \
+    || exit 255
+
+if [ "$1" == "create" ]; then
+  sleep 1500
+fi

files/etc/letsencrypt/lexicon-ovh.sh

@@ -0,0 +1,25 @@
+#!/bin/bash
+
+. /etc/letsencrypt/ovh-api-keys
+
+if [ "$1" != "list" ]; then
+    NAME_VALUE="_acme-challenge.${CERTBOT_DOMAIN}"
+    CONTENT_VALUE="${CERTBOT_VALIDATION}"
+else
+    NAME_VALUE=""
+    CONTENT_VALUE=""
+fi
+
+/usr/bin/lexicon ovh \
+                       --auth-entrypoint "${AUTH_ENTRYPOINT}" \
+                       --auth-application-key "${AUTH_APPLICATION_KEY}" \
+                       --auth-application-secret "${AUTH_APPLICATION_SECRET}" \
+                       --auth-consumer-key "${AUTH_CONSUMER_KEY}" \
+                       --name "${NAME_VALUE}" \
+                       --content "${CONTENT_VALUE}" \
+                       "$1" "${CERTBOT_DOMAIN}" TXT \
+        || exit 255
+
+if [ "$1" == "create" ]; then
+  sleep 120
+fi

files/httpd_letsencrypt.conf

@@ -0,0 +1,8 @@
+Alias /.well-known /var/www/.well-known
+
+<Directory /var/www/.well-known/>
+	Options +FollowSymLinks
+	AllowOverride All
+	order allow,deny
+	allow from all
+</Directory>

files/nginx_letsencrypt.conf

@@ -0,0 +1,15 @@
+server {
+
+   listen 80 default;
+   server_name _;
+   location /.well-known {
+       alias /var/www/.well-known/;
+   }
+   #return 301 https://$host$request_uri;
+   location / {
+       if ($scheme = "http") {
+           rewrite ^ https://$http_host$request_uri? permanent;
+       }
+   }
+}
+

files/test.html

@@ -0,0 +1 @@
+<html>Ok</html>

handlers/main.yml

@@ -0,0 +1,7 @@
+---
+- name: Restart nginx
+  service: name=nginx state=restarted
+
+- name: Restart httpd
+  service: name=httpd state=restarted
+

tasks/main.yml

@@ -0,0 +1,126 @@
+---
+- name: Include vars for {{ ansible_os_family }}
+  include_vars: "{{ ansible_os_family }}.yml"
+
+- name: install packages
+  package: name="{{ certbot_packages }}" state=latest update_cache=yes
+
+- name: Install httpd
+  include_role:
+    name: httpd
+  vars:
+    httpd_cerbot: false
+#    httpd_hostname: 
+  notify: Restart httpd
+  when:
+    - certbot_authtype == "http"
+    - certbot_authservice == "httpd"
+  
+#- name: install web service packages
+#  package: name="{{ certbot_webpackages }}" state=latest update_cache=yes
+#  notify: Restart httpd
+#  when:
+#    - certbot_authtype == "http"
+#    - certbot_authservice == "httpd"
+
+- name: Make the necessary directory
+  file: path="{{ item }}" state=directory owner={{ certbot_webuser }} group={{ certbot_webuser }} mode=0755
+  with_items:
+    - /var/www/.well-known
+    - /var/www/.well-known/acme-challenge
+  when:
+    - certbot_authtype == "http"
+
+- name: Installation du fichier de verroux
+  copy: src={{ item }} dest=/var/www/.well-known/acme-challenge/{{ item }} owner=root group=root mode=0644
+  with_items:
+    - test.html
+  when:
+    - certbot_authtype == "http"
+
+- name: Installation de la configuration de la conf httpd
+  copy: src=httpd_letsencrypt.conf dest=/etc/httpd/conf.d/letsencrypt.conf owner=root group=root mode=0644
+  register: need_reload_httpd
+  when:
+    - certbot_authtype == "http"
+    - certbot_authservice == "httpd"
+
+- name: Check if httpd is reloaded
+  service: name=httpd state=reloaded
+  when:
+    - certbot_authtype == "http"
+    - certbot_authservice == "httpd"
+    - need_reload_httpd is changed
+
+- name: Installation de la configuration de la conf nginx
+  copy: src=nginx_letsencrypt.conf dest=/etc/nginx/site-enabled/ssl_force.conf owner=root group=root mode=0644
+  register: need_reload_nginx
+  when:
+    - certbot_authtype == "http"
+    - certbot_authservice == "nginx"
+
+- name: Check if nginx is reloaded
+  service: name=nginx state=reloaded
+  when:
+    - certbot_authtype == "http"
+    - certbot_authservice == "nginx"
+    - need_reload_nginx|changed
+
+#- name: Open Firewalld
+#  firewalld:
+#    service: http
+#    permanent: true
+#    state: enabled
+#    immediate: true
+#  when:
+#    - certbot_authtype == "http"
+#    - ansible_os_family == "RedHat"
+
+- name: Installation des script pour le challenge DNS
+  copy: src=etc/letsencrypt/{{ item }} dest=/etc/letsencrypt/{{ item }} owner=root group=root mode=0755
+  with_item:
+    - lexicon-ovh.sh
+    - lexicon-gandi.sh
+  when:
+    - certbot_authtype == "dns"
+
+- name: Installation de la configuration pour le chalenge DNS via OVH
+  template: src=etc/letsencrypt/ovh-api-keys.j2 dest=/etc/letsencrypt/ovh-api-keys owner=root group=root mode=0755
+  when:
+    - certbot_authtype == "dns"
+    - certbot_authdns_provider == "ovh"
+
+- name: Installation de la configuration pour le chalenge DNS via Gandi
+  template: src=etc/letsencrypt/gandi-api-keys.j2 dest=/etc/letsencrypt/gandi-api-keys owner=root group=root mode=0755
+  when:
+    - certbot_authtype == "dns"
+    - certbot_authdns_provider == "gandi"
+
+- name: Check if certificat already exist
+  stat: path=/etc/letsencrypt/live/{{ certbot_certname }}/fullchain.pem
+  register: cert
+
+- name: Install certbot and generate cert
+  command: "certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok --renew-by-default --text  --webroot --webroot-path /var/www/ --email {{ certbot_adminemail }} -d {{ certbot_certname }}"
+  when:
+    - not cert.stat.exists
+    - certbot_authtype == "http"
+
+- name: Install certbot and generate cert
+  command: "certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok --renew-by-default --text --manual --manual-auth-hook "/etc/letsencrypt/lexicon-ovh.sh create" --manual-cleanup-hook "/etc/letsencrypt/lexicon-ovh.sh delete" --preferred-challenges dns --email {{ certbot_adminemail }} -d {{ certbot_certname }}"
+  when:
+    - not cert.stat.exists
+    - certbot_authtype == "dns"
+
+#- name: Ensure a cron job to auto-renew the cert exists
+#  cron: name="daily auto renew cert"
+#        special_time=daily
+#        job="certbot renew --webroot --webroot-path /var/www/ --no-self-upgrade --post-hook \"systemctl reload httpd\" --quiet"
+#        state=present
+##  when: certbot_auto_renew
+- name: Ensure a cron job to auto-renew the cert exists
+  cron: name="daily auto renew cert"
+        special_time=daily
+        job="certbot renew --quiet"
+        state=present
+#  when: certbot_auto_renew

templates/etc/letsencrypt/gandi-api-keys.j2

@@ -0,0 +1 @@
+AUTH_TOKEN="{{ certbot_dns_gandi_authtoken }}"

templates/etc/letsencrypt/ovh-api-keys.j2

@@ -0,0 +1,4 @@
+AUTH_ENTRYPOINT="ovh-eu"
+AUTH_APPLICATION_KEY="{{ certbot_dns_ovh_appkey }}"
+AUTH_APPLICATION_SECRET="{{ certbot_dns_ovh_appsecret }}"
+AUTH_CONSUMER_KEY="{{ certbot_dns_ovh_userkey }}"

vars/RedHat.yml

@@ -0,0 +1,8 @@
+certbot_packages:
+  - certbot
+  - python2-dns-lexicon
+certbot_webpackages:
+#  - {% if certbot_authservice == 'httpd' %}httpd{% elif certbot_authservice == 'nginx' %}nginx{% endif %}
+  - httpd
+certbot_webuser: apache
+