Adrien Reslinger
1d6435a4e5
All checks were successful
continuous-integration/drone/push Build is passing
180 lines
4.9 KiB
YAML
180 lines
4.9 KiB
YAML
---
|
|
- name: Include vars for {{ ansible_os_family }}
|
|
ansible.builtin.include_vars: "{{ ansible_os_family }}.yml"
|
|
|
|
- name: install packages
|
|
ansible.builtin.package:
|
|
name: "{{ certbot_packages }}"
|
|
state: present
|
|
update_cache: true
|
|
|
|
- name: Install httpd
|
|
ansible.builtin.include_role:
|
|
name: httpd
|
|
vars:
|
|
httpd_cerbot: false
|
|
# httpd_hostname:
|
|
notify: Restart httpd
|
|
when:
|
|
- certbot_authtype == "http"
|
|
- certbot_authservice == "httpd"
|
|
|
|
# - name: install web service packages
|
|
# ansible.builtin.package:
|
|
# name: "{{ certbot_webpackages }}"
|
|
# state: present
|
|
# update_cache: true
|
|
# notify: Restart httpd
|
|
# when:
|
|
# - certbot_authtype == "http"
|
|
# - certbot_authservice == "httpd"
|
|
|
|
- name: Make the necessary directory
|
|
ansible.builtin.file:
|
|
path: "{{ item }}"
|
|
state: directory
|
|
owner: '{{ certbot_webuser }}'
|
|
group: '{{ certbot_webuser }}'
|
|
mode: 0755
|
|
with_items:
|
|
- /var/www/.well-known
|
|
- /var/www/.well-known/acme-challenge
|
|
when:
|
|
- certbot_authtype == "http"
|
|
|
|
- name: Installation du fichier de verroux
|
|
ansible.builtin.copy:
|
|
src: "{{ item }}"
|
|
dest: /var/www/.well-known/acme-challenge/{{ item }}
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
with_items:
|
|
- test.html
|
|
when:
|
|
- certbot_authtype == "http"
|
|
|
|
- name: Installation de la configuration de la conf httpd
|
|
ansible.builtin.copy:
|
|
src: httpd_letsencrypt.conf
|
|
dest: /etc/httpd/conf.d/letsencrypt.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
register: need_reload_httpd
|
|
when:
|
|
- certbot_authtype == "http"
|
|
- certbot_authservice == "httpd"
|
|
|
|
- name: Check if httpd is reloaded
|
|
ansible.builtin.service:
|
|
name: httpd
|
|
state: reloaded
|
|
when:
|
|
- certbot_authtype == "http"
|
|
- certbot_authservice == "httpd"
|
|
- need_reload_httpd is changed
|
|
|
|
- name: Installation de la configuration de la conf nginx
|
|
ansible.builtin.copy:
|
|
src: nginx_letsencrypt.conf
|
|
dest: /etc/nginx/site-enabled/ssl_force.conf
|
|
owner: root
|
|
group: root
|
|
mode: 0644
|
|
register: need_reload_nginx
|
|
when:
|
|
- certbot_authtype == "http"
|
|
- certbot_authservice == "nginx"
|
|
|
|
- name: Check if nginx is reloaded
|
|
ansible.builtin.service:
|
|
name: nginx
|
|
state: reloaded
|
|
when:
|
|
- certbot_authtype == "http"
|
|
- certbot_authservice == "nginx"
|
|
- need_reload_nginx|changed
|
|
|
|
# - name: Open Firewalld
|
|
# ansible.posix.firewalld:
|
|
# service: http
|
|
# permanent: true
|
|
# state: enabled
|
|
# immediate: true
|
|
# when:
|
|
# - certbot_authtype == "http"
|
|
# - ansible_os_family == "RedHat"
|
|
|
|
- name: Installation des script pour le challenge DNS
|
|
ansible.builtin.copy:
|
|
src: etc/letsencrypt/{{ item }}
|
|
dest: /etc/letsencrypt/{{ item }}
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
with_item:
|
|
- lexicon-ovh.sh
|
|
- lexicon-gandi.sh
|
|
when:
|
|
- certbot_authtype == "dns"
|
|
|
|
- name: Installation de la configuration pour le chalenge DNS via OVH
|
|
ansible.builtin.template:
|
|
src: etc/letsencrypt/ovh-api-keys.j2
|
|
dest: /etc/letsencrypt/ovh-api-keys
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
when:
|
|
- certbot_authtype == "dns"
|
|
- certbot_authdns_provider == "ovh"
|
|
|
|
- name: Installation de la configuration pour le chalenge DNS via Gandi
|
|
ansible.builtin.template:
|
|
src: etc/letsencrypt/gandi-api-keys.j2
|
|
dest: /etc/letsencrypt/gandi-api-keys
|
|
owner: root
|
|
group: root
|
|
mode: 0755
|
|
when:
|
|
- certbot_authtype == "dns"
|
|
- certbot_authdns_provider == "gandi"
|
|
|
|
- name: Check if certificat already exist
|
|
ansible.builtin.stat:
|
|
path: /etc/letsencrypt/live/{{ certbot_certname }}/fullchain.pem
|
|
register: cert
|
|
|
|
- name: Install certbot and generate cert
|
|
ansible.builtin.command: >
|
|
certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok
|
|
--renew-by-default --text --webroot --webroot-path /var/www/
|
|
--email {{ certbot_adminemail }} -d {{ certbot_certname }}
|
|
when:
|
|
- not cert.stat.exists
|
|
- certbot_authtype == "http"
|
|
|
|
- name: Install certbot and generate cert
|
|
ansible.builtin.command: >
|
|
certbot certonly --noninteractive --agree-tos --manual-public-ip-logging-ok
|
|
--renew-by-default --text --manual --manual-auth-hook "/etc/letsencrypt/lexicon-ovh.sh create"
|
|
--manual-cleanup-hook "/etc/letsencrypt/lexicon-ovh.sh delete" --preferred-challenges dns
|
|
--email {{ certbot_adminemail }} -d {{ certbot_certname }}
|
|
when:
|
|
- not cert.stat.exists
|
|
- certbot_authtype == "dns"
|
|
|
|
# - name: Ensure a cron job to auto-renew the cert exists
|
|
# ansible.builtin.cron: name="daily auto renew cert"
|
|
# special_time=daily
|
|
# job="certbot renew --webroot --webroot-path /var/www/ --no-self-upgrade --post-hook \"systemctl reload httpd\" --quiet"
|
|
# state=present
|
|
## when: certbot_auto_renew
|
|
- name: Ensure a cron job to auto-renew the cert exists
|
|
ansible.builtin.cron:
|
|
name: "daily auto renew cert"
|
|
special_time: daily
|
|
job: "certbot renew --quiet"
|
|
state: present
|
|
# when: certbot_auto_renew
|