Add role for deploying certbot and setting up certificate using it

2023-08-02 20:47:22 +02:00 · 2023-08-02 20:47:22 +02:00 · 5341f9dfba
commit 5341f9dfba
parent 1b45e94960
7 changed files with 104 additions and 0 deletions
--- a/playbooks/roles/certbot/tasks/main/cert.yaml
+++ b/playbooks/roles/certbot/tasks/main/cert.yaml
@ -0,0 +1,22 @@
+- name: get expiry date before
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  ignore_errors: true
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_before
+
+- name: obtain the certificate using certbot
+  ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --webroot --webroot-path /webroot-for-acme-challenge -d "{{ item }}"
+  become: true
+  changed_when: false
+
+- name: get expiry date after
+  ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
+  become: true
+  changed_when: false
+  register: certbot__cert_expiry_after
+
+- name: potentially report changed
+  ansible.builtin.debug:
+    msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
+  changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
--- a/playbooks/roles/certbot/tasks/main/certs.yaml
+++ b/playbooks/roles/certbot/tasks/main/certs.yaml
@ -0,0 +1,13 @@
+- name: ensure directory for the webroot exists
+  ansible.builtin.file:
+    path: /webroot-for-acme-challenge/
+    state: directory
+    mode: "0755"
+    owner: root
+    group: root
+  become: true
+
+- name: obtain certificates
+  loop: "{{ certbot__certificate_domains }}"
+  ansible.builtin.include_tasks:
+    file: main/cert.yaml
--- a/playbooks/roles/certbot/tasks/main/install.yaml
+++ b/playbooks/roles/certbot/tasks/main/install.yaml
@ -0,0 +1,19 @@
+- name: make sure the `openssl` package is installed
+  ansible.builtin.apt:
+    name: openssl
+    state: present
+  become: true
+
+- name: make sure the `certbot` package is installed
+  ansible.builtin.apt:
+    name: certbot={{ certbot__version_spec }}*
+    state: present
+    allow_change_held_packages: true
+    update_cache: true
+  become: true
+
+- name: apt-mark hold `certbot`
+  ansible.builtin.dpkg_selections:
+    name: certbot
+    selection: hold
+  become: true