authorEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 01:35:26 +0200
committerEgor Tensin <Egor.Tensin@gmail.com>2023-08-09 01:51:24 +0200
commite47d57ef4e5664940f553a9de7c6ee2b47e56255 (patch)
treedd3defcc6e22218db0c05f9f9918bac9876ab6d5
parentwireguard: fix indentation (diff)
downloadinfra-ansible-e47d57ef4e5664940f553a9de7c6ee2b47e56255.tar.gz
infra-ansible-e47d57ef4e5664940f553a9de7c6ee2b47e56255.zip
letsencrypt: update certificates on subdomain changes
-rw-r--r--roles/letsencrypt/tasks/domain.yml17
-rw-r--r--roles/letsencrypt/templates/domain_list.txt3
2 files changed, 16 insertions, 4 deletions
diff --git a/roles/letsencrypt/tasks/domain.yml b/roles/letsencrypt/tasks/domain.yml
index 0b713cc..13717ef 100644
--- a/roles/letsencrypt/tasks/domain.yml
+++ b/roles/letsencrypt/tasks/domain.yml
@@ -4,7 +4,17 @@
- name: Set certificate domains
ansible.builtin.set_fact:
- certificate_domains: "{{ item.domains | default([certificate_name]) | join(',') }}"
+ certificate_domains: "{{ item.domains | default([certificate_name]) | sort | unique }}"
+
+- name: Cache domain list
+ become: true
+ ansible.builtin.template:
+ src: domain_list.txt
+ dest: '/etc/letsencrypt/.domains_{{ certificate_name }}.txt'
+ owner: root
+ group: root
+ mode: '640'
+ register: domain_list
- name: 'Create certificate: {{ certificate_name }}'
become: true
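Review bot: The "Cache domain list" task writes `/etc/letsencrypt/.domains_{{ certificate_name }}.txt` before certbot runs, and the second hunk of this file gates certbot on `when: domain_list.changed` while removing `creates:`. If certbot fails once (for example on a DNS API error or a rate limit), the marker is already up to date, so later runs skip issuance and the host keeps a missing or outdated certificate with no further signal. Either write the marker only after certbot has succeeded, or register an `ansible.builtin.stat` on `/etc/letsencrypt/live/{{ certificate_name }}` and use `when: domain_list.changed or not cert_dir.stat.exists`; the stat variant only covers the missing-certificate case. A one-line comment above the task, such as `# Change marker only: a changed file triggers certificate re-issuance below`, would also make the coupling visible.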
@@ -12,10 +22,9 @@
certbot certonly --noninteractive --agree-tos \
--cert-name '{{ certificate_name }}' \
--email '{{ certbot_email }}' \
- --domains '{{ certificate_domains }}' \
+ --domains '{{ certificate_domains | join(',') }}' \
--preferred-challenges dns \
--dns-digitalocean \
--dns-digitalocean-credentials '{{ certbot_ini }}' \
--dns-digitalocean-propagation-seconds 30
- args:
- creates: '/etc/letsencrypt/live/{{ certificate_name }}'
+ when: domain_list.changed
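Review bot: The `--domains '{{ certificate_domains | join(',') }}'` line places inventory values between hand-written single quotes, so a value containing `'` would end the quoting. That matters if the task's module, which is outside this hunk, passes the string to a shell. The `quote` filter is more robust than literal quotes: `--domains {{ certificate_domains | join(',') | quote }}`. The neighbouring `--cert-name` and `--email` arguments follow the same pattern and could be handled the same way.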
diff --git a/roles/letsencrypt/templates/domain_list.txt b/roles/letsencrypt/templates/domain_list.txt
new file mode 100644
index 0000000..8cd60f8
--- /dev/null
+++ b/roles/letsencrypt/templates/domain_list.txt
@@ -0,0 +1,3 @@
+{% for domain in certificate_domains %}
+{{ domain }}
+{% endfor %}