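---
# Tasks for installing certbot and issuing a certificate, either through the
# HTTP-01 challenge (webroot served by httpd or nginx) or through the DNS-01
# challenge (OVH or Gandi, via the lexicon hook scripts shipped in files/).
#
# Variables read here (defined elsewhere in the role):
#   certbot_packages, certbot_webuser, certbot_certname, certbot_adminemail,
#   certbot_authtype ("http" | "dns"), certbot_authservice ("httpd" | "nginx"),
#   certbot_authdns_provider ("ovh" | "gandi").
#
# Fixes compared with the previous revision:
#   - `with_item` (typo) on the DNS hook-script task never iterated; it is now
#     `with_items`.
#   - The DNS certbot command nested double quotes inside a double-quoted
#     scalar, which is a YAML syntax error; it is now a block scalar.
#   - The DNS challenge always used lexicon-ovh.sh, even when
#     certbot_authdns_provider == "gandi"; the hook script is now chosen from
#     the provider variable.
#   - `need_reload_nginx|changed` (removed filter syntax) is now
#     `need_reload_nginx is changed`, matching the httpd task.
#   - The OVH/Gandi API key files are credentials and are installed 0600
#     instead of 0755.
#   - Octal modes are quoted so the YAML parser does not read them as decimal
#     integers.

- name: Include vars for {{ ansible_os_family }}
  include_vars: "{{ ansible_os_family }}.yml"

- name: install packages
  # state=latest upgrades the packages on every run, not only when missing.
  # update_cache is presumably forwarded by `package` to apt/yum — verify on
  # the target OS families this role supports.
  package:
    name: "{{ certbot_packages }}"
    state: latest
    update_cache: true

- name: Install httpd
  include_role:
    name: httpd
  vars:
    # NOTE(review): key is spelled "cerbot" — confirm the httpd role reads this
    # exact name, otherwise the override is silently ignored.
    httpd_cerbot: false
    # httpd_hostname:
  notify: Restart httpd
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"

#- name: install web service packages
#  package:
#    name: "{{ certbot_webpackages }}"
#    state: latest
#    update_cache: true
#  notify: Restart httpd
#  when:
#    - certbot_authtype == "http"
#    - certbot_authservice == "httpd"

- name: Make the necessary directory
  # Webroot used by the HTTP-01 challenge (see --webroot-path below).
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ certbot_webuser }}"
    group: "{{ certbot_webuser }}"
    mode: "0755"
  with_items:
    - /var/www/.well-known
    - /var/www/.well-known/acme-challenge
  when:
    - certbot_authtype == "http"

- name: Installation du fichier de verroux
  # Static probe file so the challenge path can be checked from outside.
  copy:
    src: "{{ item }}"
    dest: "/var/www/.well-known/acme-challenge/{{ item }}"
    owner: root
    group: root
    mode: "0644"
  with_items:
    - test.html
  when:
    - certbot_authtype == "http"

- name: Installation de la configuration de la conf httpd
  copy:
    src: httpd_letsencrypt.conf
    dest: /etc/httpd/conf.d/letsencrypt.conf
    owner: root
    group: root
    mode: "0644"
  register: need_reload_httpd
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"

- name: Check if httpd is reloaded
  # Reload immediately (rather than via a handler) so the vhost serving the
  # challenge directory is live before certbot runs further down.
  service:
    name: httpd
    state: reloaded
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "httpd"
    - need_reload_httpd is changed

- name: Installation de la configuration de la conf nginx
  # NOTE(review): the destination directory is "site-enabled" (singular) —
  # confirm this matches the nginx include path on the target hosts.
  copy:
    src: nginx_letsencrypt.conf
    dest: /etc/nginx/site-enabled/ssl_force.conf
    owner: root
    group: root
    mode: "0644"
  register: need_reload_nginx
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "nginx"

- name: Check if nginx is reloaded
  service:
    name: nginx
    state: reloaded
  when:
    - certbot_authtype == "http"
    - certbot_authservice == "nginx"
    - need_reload_nginx is changed

#- name: Open Firewalld
#  firewalld:
#    service: http
#    permanent: true
#    state: enabled
#    immediate: true
#  when:
#    - certbot_authtype == "http"
#    - ansible_os_family == "RedHat"

- name: Installation des script pour le challenge DNS
  # Hook scripts run by certbot as root; executable, no secrets inside.
  copy:
    src: "etc/letsencrypt/{{ item }}"
    dest: "/etc/letsencrypt/{{ item }}"
    owner: root
    group: root
    mode: "0755"
  with_items:
    - lexicon-ovh.sh
    - lexicon-gandi.sh
  when:
    - certbot_authtype == "dns"

- name: Installation de la configuration pour le chalenge DNS via OVH
  # API credentials: readable by root only (the hooks run as root).
  template:
    src: etc/letsencrypt/ovh-api-keys.j2
    dest: /etc/letsencrypt/ovh-api-keys
    owner: root
    group: root
    mode: "0600"
  when:
    - certbot_authtype == "dns"
    - certbot_authdns_provider == "ovh"

- name: Installation de la configuration pour le chalenge DNS via Gandi
  # API credentials: readable by root only (the hooks run as root).
  template:
    src: etc/letsencrypt/gandi-api-keys.j2
    dest: /etc/letsencrypt/gandi-api-keys
    owner: root
    group: root
    mode: "0600"
  when:
    - certbot_authtype == "dns"
    - certbot_authdns_provider == "gandi"

- name: Check if certificat already exist
  # Issuance below is skipped once a live fullchain.pem exists; renewal is
  # handled by the cron job at the end of this file.
  stat:
    path: "/etc/letsencrypt/live/{{ certbot_certname }}/fullchain.pem"
  register: cert

- name: Install certbot and generate cert
  command: >-
    certbot certonly --noninteractive --agree-tos
    --manual-public-ip-logging-ok --renew-by-default --text
    --webroot --webroot-path /var/www/
    --email {{ certbot_adminemail }} -d {{ certbot_certname }}
  when:
    - not cert.stat.exists
    - certbot_authtype == "http"

- name: Install certbot and generate cert
  # The hook script is selected from certbot_authdns_provider so the Gandi
  # configuration above is actually used. The quoted hook arguments survive
  # the command module's shlex splitting as single arguments.
  command: >-
    certbot certonly --noninteractive --agree-tos
    --manual-public-ip-logging-ok --renew-by-default --text
    --manual
    --manual-auth-hook "/etc/letsencrypt/lexicon-{{ certbot_authdns_provider }}.sh create"
    --manual-cleanup-hook "/etc/letsencrypt/lexicon-{{ certbot_authdns_provider }}.sh delete"
    --preferred-challenges dns
    --email {{ certbot_adminemail }} -d {{ certbot_certname }}
  when:
    - not cert.stat.exists
    - certbot_authtype == "dns"

#- name: Ensure a cron job to auto-renew the cert exists
#  cron:
#    name: "daily auto renew cert"
#    special_time: daily
#    job: "certbot renew --webroot --webroot-path /var/www/ --no-self-upgrade --post-hook \"systemctl reload httpd\" --quiet"
#    state: present
##  when: certbot_auto_renew

- name: Ensure a cron job to auto-renew the cert exists
  # Renewal reuses the parameters certbot stored at issuance time, so no
  # challenge-specific flags are needed here.
  cron:
    name: "daily auto renew cert"
    special_time: daily
    job: "certbot renew --quiet"
    state: present
#  when: certbot_auto_renew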