author | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 12:24:07 +0200 |
---|---|---|
committer | Egor Tensin <Egor.Tensin@gmail.com> | 2023-08-04 12:24:07 +0200 |
commit | 579ab58b48e6356954b1974f66f28abfaba5757c (patch) | |
tree | 0f4be34dbce7ea85a98023a1d06a9ae7889794ac | |
parent | import workspace role (diff) | |
import letsencrypt role
-rw-r--r-- | roles/letsencrypt/defaults/main.yml | 2 | ||||
-rw-r--r-- | roles/letsencrypt/tasks/domain.yml | 21 | ||||
-rw-r--r-- | roles/letsencrypt/tasks/main.yml | 61 | ||||
-rw-r--r-- | roles/letsencrypt/templates/certbot.ini | 1 |
4 files changed, 85 insertions, 0 deletions
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
new file mode 100644
index 0000000..e555534
--- /dev/null
+++ b/roles/letsencrypt/defaults/main.yml
@@ -0,0 +1,2 @@
+certbot_email: Egor.Tensin@gmail.com
+certbot_ini: /root/.certbot.ini
diff --git a/roles/letsencrypt/tasks/domain.yml b/roles/letsencrypt/tasks/domain.yml
new file mode 100644
index 0000000..0b713cc
--- /dev/null
+++ b/roles/letsencrypt/tasks/domain.yml
@@ -0,0 +1,21 @@
+- name: Set certificate name
+ ansible.builtin.set_fact:
+ certificate_name: '{{ item.name | default(item) }}'
+
+- name: Set certificate domains
+ ansible.builtin.set_fact:
+ certificate_domains: "{{ item.domains | default([certificate_name]) | join(',') }}"
+
+- name: 'Create certificate: {{ certificate_name }}'
+ become: true
+ ansible.builtin.command: |
+ certbot certonly --noninteractive --agree-tos \
+ --cert-name '{{ certificate_name }}' \
+ --email '{{ certbot_email }}' \
+ --domains '{{ certificate_domains }}' \
+ --preferred-challenges dns \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials '{{ certbot_ini }}' \
+ --dns-digitalocean-propagation-seconds 30
+ args:
+ creates: '/etc/letsencrypt/live/{{ certificate_name }}'
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..814c549
--- /dev/null
+++ b/roles/letsencrypt/tasks/main.yml
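Review bot: `letsencrypt_domains`, which tasks/main.yml loops over in its final task, has no entry in this defaults file, so applying the role without defining it fails on an undefined variable instead of cleanly issuing nothing; add `letsencrypt_domains: []` here. The two existing keys would also read better with a one-line comment each stating their purpose, e.g. `# Contact address passed to certbot --email` and `# Path of the rendered DigitalOcean credentials file (written root:root 0600)`.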
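Review bot: The `creates: '/etc/letsencrypt/live/{{ certificate_name }}'` guard on 'Create certificate' makes the task a no-op once the directory exists, so a later change to `item.domains` for an existing certificate name never reaches certbot and the issued certificate silently drifts from what the role declares; if that is intended, the task name and the caller's 'Update certificates' label should say so, otherwise drop `creates`, add `--keep-until-expiring --expand` to the certonly invocation and derive `changed_when` from certbot's output. Separately, I believe `ansible.builtin.command` splits a string argument with shlex, which does not treat backslash-newline as a continuation, so each trailing `\` here may reach certbot as a stray newline argument — worth confirming with a verbose run; a folded `>-` block without the backslashes avoids the question entirely. The three tasks shown are the whole of domain.yml, so the hunk is complete.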
@@ -0,0 +1,61 @@
+- name: Install snapd
+ become: true
+ ansible.builtin.apt:
+ install_recommends: false
+ name: snapd
+
+- name: Install Certbot
+ become: true
+ community.general.snap:
+ classic: true
+ name: certbot
+
+- name: Confirm plugin containment level
+ become: true
+ ansible.builtin.command: snap set certbot trust-plugin-with-root=ok
+
+- name: Install Certbot DigitalOcean plugin
+ become: true
+ community.general.snap:
+ name: certbot-dns-digitalocean
+
+- name: Create Certbot symlink in /usr/bin
+ become: true
+ ansible.builtin.file:
+ src: /snap/bin/certbot
+ dest: /usr/bin/certbot
+ state: link
+
+- name: Configure Certbot DigitalOcean plugin
+ become: true
+ block:
+ - name: Prompt for token
+ ansible.builtin.pause:
+ prompt: |
+ Enter your API token:
+ echo: false
+ register: digitalocean_token
+ when:
+ - lookup('env', 'DIGITALOCEAN_TOKEN') | length <= 0
+
+ - name: Set the token as a fact
+ ansible.builtin.set_fact:
+ digitalocean_token: "{{ digitalocean_.user_input | default(lookup('env', 'DIGITALOCEAN_TOKEN')) }}"
+
+ - name: Configure certbot.ini
+ ansible.builtin.template:
+ src: certbot.ini
+ dest: '{{ certbot_ini }}'
+ owner: root
+ group: root
+ mode: '600'
+
+- name: Create /etc/letsencrypt
+ become: true
+ ansible.builtin.command: certbot certificates
+ args:
+ creates: /etc/letsencrypt
+
+- name: Update certificates
+ ansible.builtin.include_tasks: domain.yml
+ loop: '{{ letsencrypt_domains }}'
diff --git a/roles/letsencrypt/templates/certbot.ini b/roles/letsencrypt/templates/certbot.ini
new file mode 100644
index 0000000..84dc0f8
--- /dev/null
+++ b/roles/letsencrypt/templates/certbot.ini
@@ -0,0 +1 @@
+dns_digitalocean_token = {{ digitalocean_token }}
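Review bot: In 'Set the token as a fact', `digitalocean_.user_input` names a variable that nothing registers — the pause task registers `digitalocean_token` — so on the interactive path the undefined lookup is swallowed by `default()` and the token the operator just typed is replaced by the empty environment value; the line should read `digitalocean_token: "{{ digitalocean_token.user_input | default(lookup('env', 'DIGITALOCEAN_TOKEN')) }}"`. The token is a secret that this set_fact and the 'Configure certbot.ini' template task (whose one-line template is the last hunk) can expose in verbose or `--diff` output, so both tasks should carry `no_log: true`. `mode: '600'` works because Ansible parses a digit-only string as octal, but the conventional `'0600'` makes that explicit. 'Confirm plugin containment level' runs `snap set` unconditionally and reports changed on every run; `changed_when: false` keeps the play idempotent.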