authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-04 12:24:07 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-04 12:24:07 +0200
commit579ab58b48e6356954b1974f66f28abfaba5757c (patch)
tree0f4be34dbce7ea85a98023a1d06a9ae7889794ac
parentimport workspace role (diff)
import letsencrypt role
-rw-r--r--roles/letsencrypt/defaults/main.yml2
-rw-r--r--roles/letsencrypt/tasks/domain.yml21
-rw-r--r--roles/letsencrypt/tasks/main.yml61
-rw-r--r--roles/letsencrypt/templates/certbot.ini1
4 files changed, 85 insertions, 0 deletions
diff --git a/roles/letsencrypt/defaults/main.yml b/roles/letsencrypt/defaults/main.yml
new file mode 100644
index 0000000..e555534
--- /dev/null
+++ b/roles/letsencrypt/defaults/main.yml
@@ -0,0 +1,2 @@
+certbot_email: Egor.Tensin@gmail.com
+certbot_ini: /root/.certbot.ini
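Review bot: `certbot_email` on L25 defaults to a personal address, so anyone reusing this role registers that address as the ACME account contact (and the recipient of expiry notices) unless they remember to override it. A role default is the wrong place for an identity: leave it undefined, document it as a required variable, and fail early in the tasks with `ansible.builtin.assert: { that: certbot_email is defined }` before the first `certbot` call.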
diff --git a/roles/letsencrypt/tasks/domain.yml b/roles/letsencrypt/tasks/domain.yml
new file mode 100644
index 0000000..0b713cc
--- /dev/null
+++ b/roles/letsencrypt/tasks/domain.yml
@@ -0,0 +1,21 @@
+- name: Set certificate name
+ ansible.builtin.set_fact:
+ certificate_name: '{{ item.name | default(item) }}'
+
+- name: Set certificate domains
+ ansible.builtin.set_fact:
+ certificate_domains: "{{ item.domains | default([certificate_name]) | join(',') }}"
+
+- name: 'Create certificate: {{ certificate_name }}'
+ become: true
+ ansible.builtin.command: |
+ certbot certonly --noninteractive --agree-tos \
+ --cert-name '{{ certificate_name }}' \
+ --email '{{ certbot_email }}' \
+ --domains '{{ certificate_domains }}' \
+ --preferred-challenges dns \
+ --dns-digitalocean \
+ --dns-digitalocean-credentials '{{ certbot_ini }}' \
+ --dns-digitalocean-propagation-seconds 30
+ args:
+ creates: '/etc/letsencrypt/live/{{ certificate_name }}'
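Review bot: The `creates: /etc/letsencrypt/live/{{ certificate_name }}` guard on L53 means this task issues a certificate exactly once; afterwards it is skipped even when the `domains` list for that `cert-name` changes, so a newly added SAN is silently never requested, although the caller in main.yml is named "Update certificates". If expansion is intended, drop `creates` and add `--expand --keep-until-expiring` so certbot itself decides whether re-issuance is needed, deriving `changed_when` from its output. Separately, `ansible.builtin.command` is not a shell: the `\` line continuations inside the `|` block scalar are presumably passed through shlex rather than interpreted, so a folded `>-` scalar without backslashes is the safer form and avoids stray arguments. The single-quoted `'{{ certificate_name }}'` and `'{{ certificate_domains }}'` values are only as safe as `letsencrypt_domains`, which comes from outside this role; a value containing a quote would break the argument split.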
diff --git a/roles/letsencrypt/tasks/main.yml b/roles/letsencrypt/tasks/main.yml
new file mode 100644
index 0000000..814c549
--- /dev/null
+++ b/roles/letsencrypt/tasks/main.yml
@@ -0,0 +1,61 @@
+- name: Install snapd
+ become: true
+ ansible.builtin.apt:
+ install_recommends: false
+ name: snapd
+
+- name: Install Certbot
+ become: true
+ community.general.snap:
+ classic: true
+ name: certbot
+
+- name: Confirm plugin containment level
+ become: true
+ ansible.builtin.command: snap set certbot trust-plugin-with-root=ok
+
+- name: Install Certbot DigitalOcean plugin
+ become: true
+ community.general.snap:
+ name: certbot-dns-digitalocean
+
+- name: Create Certbot symlink in /usr/bin
+ become: true
+ ansible.builtin.file:
+ src: /snap/bin/certbot
+ dest: /usr/bin/certbot
+ state: link
+
+- name: Configure Certbot DigitalOcean plugin
+ become: true
+ block:
+ - name: Prompt for token
+ ansible.builtin.pause:
+ prompt: |
+ Enter your API token:
+ echo: false
+ register: digitalocean_token
+ when:
+ - lookup('env', 'DIGITALOCEAN_TOKEN') | length <= 0
+
+ - name: Set the token as a fact
+ ansible.builtin.set_fact:
+ digitalocean_token: "{{ digitalocean_.user_input | default(lookup('env', 'DIGITALOCEAN_TOKEN')) }}"
+
+ - name: Configure certbot.ini
+ ansible.builtin.template:
+ src: certbot.ini
+ dest: '{{ certbot_ini }}'
+ owner: root
+ group: root
+ mode: '600'
+
+- name: Create /etc/letsencrypt
+ become: true
+ ansible.builtin.command: certbot certificates
+ args:
+ creates: /etc/letsencrypt
+
+- name: Update certificates
+ ansible.builtin.include_tasks: domain.yml
+ loop: '{{ letsencrypt_domains }}'
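Review bot: L102 reads `digitalocean_.user_input`, but the prompt result on L96 is registered as `digitalocean_token`; because `default()` swallows the undefined reference, an interactively entered token is most likely never used and certbot.ini ends up holding the (empty) value of `DIGITALOCEAN_TOKEN` without any failure. The line should be `digitalocean_token: "{{ digitalocean_token.user_input | default(lookup('env', 'DIGITALOCEAN_TOKEN')) }}"`, and an `ansible.builtin.assert` that the resulting value is non-empty would turn the silent empty-credential case into an error. Both the `set_fact` task and the `template` task handle the secret, so each should carry `no_log: true`; otherwise the token is printed in verbose and `--diff` output and lands in the fact cache if one is enabled. The `snap set certbot trust-plugin-with-root=ok` command on L74 reports changed on every run; `changed_when: false` keeps the play idempotent.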
diff --git a/roles/letsencrypt/templates/certbot.ini b/roles/letsencrypt/templates/certbot.ini
new file mode 100644
index 0000000..84dc0f8
--- /dev/null
+++ b/roles/letsencrypt/templates/certbot.ini
@@ -0,0 +1 @@
+dns_digitalocean_token = {{ digitalocean_token }}