Add letsrenew role

basics.yml

@@ -1,7 +1,11 @@
 ---
 - hosts: all
   roles:
-    - role: basics
+    - basics
-      tags: basics
+    - ffhh-basics
-    - role: ffhh-basics
+  tags: basics
-      tags: basics
+
+- hosts: letsrenew
+  roles:
+    - letsrenew
+  tags: letsrenew

host_vars/srv04

@@ -1 +1,3 @@
+letsrenew_email: alexander@hamburg.freifunk.net
+letsrenew_webroot: /var/www/mail
 nginx_resolver: 80.252.105.162 80.252.105.194

production

@@ -1,8 +1,13 @@
-[services]
+[ffhh]
+srv01 ansible_host=srv01.hamburg.freifunk.net
 srv03 ansible_host=srv03.hamburg.freifunk.net
 srv04 ansible_host=srv04.hamburg.freifunk.net
 
-[ffhh]
+[letsrenew]
+srv01
+srv04
+
+[services]
 srv03
 srv04
 

roles/letsrenew/defaults/main.yml

@@ -0,0 +1,3 @@
+---
+letsrenew_email: ""
+letsrenew_webroot: /var/www/letsencrypt

roles/letsrenew/tasks/main.yml

@@ -0,0 +1,40 @@
+---
+- name: create /opt/certbot
+  file:
+    path: /opt/certbot
+    mode: 0750
+    state: directory
+
+- name: download certbot
+  get_url:
+    url: https://raw.githubusercontent.com/certbot/certbot/master/certbot-auto
+    dest: /opt/certbot/certbot-auto
+    mode: 0550
+
+- name: create webroot path
+  file:
+    path: "{{ letsrenew_webroot }}"
+    state: directory
+
+- name: create /etc/letsencrypt
+  file:
+    path: /etc/letsencrypt
+    state: directory
+
+- name: template cli.ini
+  template:
+    src: cli.ini.j2
+    dest: /etc/letsencrypt/cli.ini
+
+- name: clone letsrenew
+  git:
+    repo: https://github.com/7adietri/letsrenew.git
+    dest: /opt/letsrenew
+
+- name: create cronjob
+  cron:
+    name: "Let's Encrypt certificate renewal"
+    job: "/opt/letsrenew/letsrenew {{ letsrenew_email }} /opt/certbot/certbot-auto"
+    minute: 0
+    hour: 6
+    weekday: 1

roles/letsrenew/templates/cli.ini.j2

@@ -0,0 +1,27 @@
+agree-tos = True
+non-interactive = True
+renew-by-default = True
+text = True
+
+# All flags used by the client can be configured here. Run Certbot with
+# "--help" to learn more about the available options.
+#
+# Note that these options apply automatically to all use of Certbot for
+# obtaining or renewing certificates, so options specific to a single
+# certificate on a system with several certificates should not be placed
+# here.
+
+# Use a 4096 bit RSA key instead of 2048
+rsa-key-size = 4096
+
+# Uncomment and update to register with the specified e-mail address
+email = backend@hamburg.freifunk.net
+
+# Uncomment to use the standalone authenticator on port 443
+# authenticator = standalone
+# standalone-supported-challenges = tls-sni-01
+
+# Uncomment to use the webroot authenticator. Replace webroot-path with the
+# path to the public_html / webroot folder being served by your web server.
+authenticator = webroot
+webroot-path = {{ letsrenew_webroot }}