From e08d18f48bdeec463a44f5cc7d283efe60711df3 Mon Sep 17 00:00:00 2001
From: lilly
Date: Thu, 30 Apr 2026 22:56:28 +0200
Subject: [PATCH] add role tag to certbot role
---
 roles/certbot/tasks/main.yaml | 9 ++++++---
 roles/certbot/tasks/main/cert.yaml | 18 ++++++++++++------
 roles/certbot/tasks/main/certs.yaml | 9 ++++++---
 roles/certbot/tasks/main/http_01_cert.yaml | 9 ++++++---
 roles/certbot/tasks/main/install.yaml | 12 ++++++++----
 .../certbot/tasks/main/new_cert_commands.yaml | 6 ++++--
 roles/certbot/tasks/main/validate_cert.yaml | 9 ++++++---
 7 files changed, 48 insertions(+), 24 deletions(-)
diff --git a/roles/certbot/tasks/main.yaml b/roles/certbot/tasks/main.yaml
index e4749b4..95bc69e 100644
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
@@ -1,11 +1,14 @@
-- name: ensure certbot installation
+- tags: ["certbot"]
+ name: ensure certbot installation
 ansible.builtin.import_tasks:
 file: main/install.yaml
-- name: ensure new cert commands
+- tags: ["certbot"]
+ name: ensure new cert commands
 ansible.builtin.import_tasks:
 file: main/new_cert_commands.yaml
-- name: ensure certificates
+- tags: ["certbot"]
+ name: ensure certificates
 ansible.builtin.import_tasks:
 file: main/certs.yaml
diff --git a/roles/certbot/tasks/main/cert.yaml b/roles/certbot/tasks/main/cert.yaml
index 61f6d45..0c21300 100644
--- a/roles/certbot/tasks/main/cert.yaml
+++ b/roles/certbot/tasks/main/cert.yaml
@@ -1,11 +1,13 @@
-- name: get expiry date before
+- tags: ["certbot", "certbot-cert"]
+ name: get expiry date before
 ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
 ignore_errors: true
 become: true
 changed_when: false
 register: certbot__cert_expiry_before
-- name: ensure directory for cert configs exists
+- tags: ["certbot", "certbot-cert"]
+ name: ensure directory for cert configs exists
 ansible.builtin.file:
 path: "/etc/ansible_certbot/cert_configs/"
 state: directory
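Review bot: The new `- tags: ["certbot"]` entries are placed before `name:` in all three tasks of the main.yaml hunk, which trips ansible-lint's key-order[task] rule and reads against the rest of the role where `name` leads; keep the tag as a second key, `- name: ensure certbot installation` / `  tags: ["certbot"]`. Because `ansible.builtin.import_tasks` is static, a tag on the import is inherited by every task in the imported file, so these three tags alone already let `--tags certbot` cover the whole role; the per-task copies in the imported files only matter for the finer `certbot-*` selectors.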
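Review bot: `ignore_errors: true` on `get expiry date before` lets the openssl call fail loudly (red task, counted as ignored in the recap) on a first run, when `/etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem` does not exist yet, which is the expected state rather than an error; ansible-lint's ignore-errors rule asks for `failed_when: false` instead, and the registered empty `stdout` that the later before/after comparison relies on is unchanged by that. The same `tags`-before-`name` ordering issue as in main.yaml applies to both tasks of this hunk.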
@@ -14,7 +16,8 @@
 mode: "0750"
 become: true
-- name: ensure cert config is stored
+- tags: ["certbot", "certbot-cert"]
+ name: ensure cert config is stored
 ansible.builtin.copy:
 content: "{{ cert_config_defaults[item.challengeType] | combine(item, recursive=True) | ansible.builtin.to_nice_json }}"
 dest: "/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json"
@@ -29,18 +32,21 @@
 serverUrl: "https://acmedns.hamburg.ccc.de"
 # # https://eff-certbot.readthedocs.io/en/stable/using.html#manual
-- name: obtain the certificate using certbot and the manual auth hook
+- tags: ["certbot", "certbot-cert"]
+ name: obtain the certificate using certbot and the manual auth hook
 ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --manual --preferred-challenge dns --manual-auth-hook "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item.challengeType }}.sh" -d "{{ item.commonName }}"
 become: true
 changed_when: false
-- name: get expiry date after
+- tags: ["certbot", "certbot-cert"]
+ name: get expiry date after
 ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item.commonName }}/fullchain.pem
 become: true
 changed_when: false
 register: certbot__cert_expiry_after
-- name: potentially report changed
+- tags: ["certbot", "certbot-cert"]
+ name: potentially report changed
 ansible.builtin.debug:
 msg: "If this reports changed, then the certificate expiry date and therefore the certificate changed."
 changed_when: certbot__cert_expiry_before.stdout != certbot__cert_expiry_after.stdout
diff --git a/roles/certbot/tasks/main/certs.yaml b/roles/certbot/tasks/main/certs.yaml
index 16271b7..ebb0d67 100644
--- a/roles/certbot/tasks/main/certs.yaml
+++ b/roles/certbot/tasks/main/certs.yaml
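Review bot: `ensure cert config is stored` writes the whole merged cert entry, including whatever `item` carries for its challenge type (for dns-01-acme-dns presumably the acme-dns account data that `required_data` validates, to be confirmed), to `/etc/ansible_certbot/cert_configs/{{ item.commonName }}.json`; with `content:` on `ansible.builtin.copy` that payload is printed by `-v`/`--diff` runs, so add `no_log: true` to this task if the config holds credentials. The copy task's `owner`/`mode` lines fall outside the hunk; the parent directory is created `0750` just above, and the file should be at least as tight, e.g. `mode: "0640"`.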
@@ -1,14 +1,17 @@
-- name: obtain http-01 challenge certificates
+- tags: ["certbot", "certbot-cert"]
+ name: obtain http-01 challenge certificates
 loop: "{{ certbot__certificate_domains }}"
 ansible.builtin.include_tasks:
 file: main/http_01_cert.yaml
-- name: validate certs config
+- tags: ["certbot", "certbot-cert"]
+ name: validate certs config
 loop: "{{ certbot__certs }}"
 ansible.builtin.include_tasks:
 file: main/validate_cert.yaml
-- name: obtain certs
+- tags: ["certbot", "certbot-cert"]
+ name: obtain certs
 loop: "{{ certbot__certs }}"
 ansible.builtin.include_tasks:
 file: main/cert.yaml
diff --git a/roles/certbot/tasks/main/http_01_cert.yaml b/roles/certbot/tasks/main/http_01_cert.yaml
index d829fb1..bf60062 100644
--- a/roles/certbot/tasks/main/http_01_cert.yaml
+++ b/roles/certbot/tasks/main/http_01_cert.yaml
@@ -1,16 +1,19 @@
-- name: get expiry date before
+- tags: ["certbot", "certbot-http-01-cert"]
+ name: get expiry date before
 ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
 ignore_errors: true
 become: true
 changed_when: false
 register: certbot__cert_expiry_before
-- name: obtain the certificate using certbot
+- tags: ["certbot", "certbot-http-01-cert"]
+ name: obtain the certificate using certbot
 ansible.builtin.command: /usr/bin/certbot certonly --keep-until-expiring --agree-tos --non-interactive --email "{{ certbot__acme_account_email_address }}" --no-eff-email --standalone --http-01-port "{{ certbot__http_01_port }}" -d "{{ item }}"
 become: true
 changed_when: false
-- name: get expiry date after
+- tags: ["certbot", "certbot-http-01-cert"]
+ name: get expiry date after
 ansible.builtin.command: /usr/bin/openssl x509 -enddate -noout -in /etc/letsencrypt/live/{{ item }}/fullchain.pem
 become: true
 changed_when: false
diff --git a/roles/certbot/tasks/main/install.yaml
index d0fa58d..0dd9fa9 100644
--- a/roles/certbot/tasks/main/install.yaml
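Review bot: Tagging the three `ansible.builtin.include_tasks` calls in certs.yaml with `certbot-cert` does not reach the tasks inside the included files, because include_tasks is dynamic and a tag on the include applies to the include task only; the tasks in `main/validate_cert.yaml` carry `certbot-validate_cert` and those in `main/http_01_cert.yaml` carry `certbot-http-01-cert`, so `ansible-playbook --tags certbot-cert` runs the includes, then skips validation and http-01 issuance, while `main/cert.yaml` (tagged `certbot-cert`) still obtains certificates. The config validation step can therefore be bypassed by tag selection alone. Push the tag through with `apply`, e.g. `ansible.builtin.include_tasks:` / `  file: main/validate_cert.yaml` / `  apply: { tags: ["certbot", "certbot-cert"] }`, and likewise for the other two includes, or give the included tasks the same tag as their include.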
+++ b/roles/certbot/tasks/main/install.yaml
@@ -1,4 +1,5 @@
-- name: ensure relevant packages are installed
+- tags: ["certbot", "certbot-install"]
+ name: ensure relevant packages are installed
 ansible.builtin.apt:
 name:
 - openssl
@@ -7,9 +8,11 @@
 state: present
 become: true
-- name: ensure manual auth scripts are deployed
+- tags: ["certbot", "certbot-install"]
+ name: ensure manual auth scripts are deployed
 block:
- - name: ensure manual auth scripts directory exists
+ - tags: ["certbot", "certbot-install"]
+ name: ensure manual auth scripts directory exists
 ansible.builtin.file:
 path: "/usr/local/lib/ansible_certbot/manual_auth_scripts"
 state: directory
@@ -18,7 +21,8 @@
 mode: "0755"
 become: true
- - name: ensure manual auth scripts are deployed
+ - tags: ["certbot", "certbot-install"]
+ name: ensure manual auth scripts are deployed
 ansible.builtin.copy:
 src: "manual_auth_scripts/{{ item }}.sh"
 dest: "/usr/local/lib/ansible_certbot/manual_auth_scripts/{{ item }}.sh"
diff --git a/roles/certbot/tasks/main/new_cert_commands.yaml b/roles/certbot/tasks/main/new_cert_commands.yaml
index 42bc255..cb710c5 100644
--- a/roles/certbot/tasks/main/new_cert_commands.yaml
+++ b/roles/certbot/tasks/main/new_cert_commands.yaml
@@ -1,4 +1,5 @@
-- name: ensure existence of renewal deploy hooks directory
+- tags: ["certbot", "certbot-new_cert_commands"]
+ name: ensure existence of renewal deploy hooks directory
 ansible.builtin.file:
 path: /etc/letsencrypt/renewal-hooks/deploy
 state: directory
@@ -7,7 +8,8 @@
 mode: "0755"
 become: true
-- name: ensure renewal deploy hook commands
+- tags: ["certbot", "certbot-new_cert_commands"]
+ name: ensure renewal deploy hook commands
 ansible.builtin.template:
 src: renewal_deploy_hook_commands.sh.j2
 dest: /etc/letsencrypt/renewal-hooks/deploy/ansible_commands.sh
diff --git a/roles/certbot/tasks/main/validate_cert.yaml
index a13b3b9..36b6c4e 100644
--- a/roles/certbot/tasks/main/validate_cert.yaml
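Review bot: Inside the `ensure manual auth scripts are deployed` block in install.yaml, the inner tasks repeat `tags: ["certbot", "certbot-install"]` although tags set on a block are inherited by every task in it, so the copies on `ensure manual auth scripts directory exists` and, in the following hunk, on the copy task are redundant and will drift if the block's tags ever change; keep the tag on the block only. The `tags`-before-`name` ordering here also trips ansible-lint key-order[task]. The copy task's `owner`/`mode` for the hook scripts sit outside the hunk; since certbot executes them with `become: true` in cert.yaml, they should be root-owned and not group- or world-writable.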
+++ b/roles/certbot/tasks/main/validate_cert.yaml
@@ -1,11 +1,14 @@
-- name: validate dns-01-acme-dns challenge type config
+- tags: ["certbot", "certbot-validate_cert"]
+ name: validate dns-01-acme-dns challenge type config
 when: item.challengeType == "dns-01-acme-dns"
 block:
- - name: assert dns_01_acme_dns config exists
+ - tags: ["certbot", "certbot-validate_cert"]
+ name: assert dns_01_acme_dns config exists
 ansible.builtin.assert:
 that: item.dns_01_acme_dns is defined
- - name: assert dns_01_acme_dns config is valid
+ - tags: ["certbot", "certbot-validate_cert"]
+ name: assert dns_01_acme_dns config is valid
 ansible.builtin.validate_argument_spec:
 argument_spec: "{{ required_data }}"
 provided_arguments:
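Review bot: The `when: item.challengeType == "dns-01-acme-dns"` guard on the block means any other `challengeType` value passes `validate certs config` without a single check, and a typo only surfaces later as a lookup error in `cert_config_defaults[item.challengeType]` in cert.yaml, after the loop has already started issuing; add an unconditional task ahead of the block, e.g. `- name: assert challenge type is known` / `  ansible.builtin.assert:` / `    that: item.challengeType in cert_config_defaults`. As in install.yaml, tags on the block are inherited, so the inner `tags:` lines are redundant, and `tags` before `name` trips ansible-lint key-order[task]. The `validate_argument_spec` task's `provided_arguments:` value continues past the end of the hunk.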