diff --git a/defaults/main.yml b/defaults/main.yml index fe1c98f..084f9a9 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -21,7 +21,8 @@ certbot_certs: [] # - example3.com certbot_create_command: >- {{ certbot_script }} certonly --standalone --noninteractive --agree-tos - {% if certbot_cert_name %} --cert-name {{certbot_cert_name}} {%endif%} --email {{ cert_item.email | default(certbot_admin_email) }} + {% if certbot_cert_name %} --cert-name {{certbot_cert_name}} {%endif%} + --email {{ cert_item.email | default(certbot_admin_email) }} -d {{ cert_item.domains | join(',') }} certbot_create_standalone_stop_services: diff --git a/meta/.galaxy_install_info b/meta/.galaxy_install_info new file mode 100644 index 0000000..40ac404 --- /dev/null +++ b/meta/.galaxy_install_info @@ -0,0 +1,2 @@ +install_date: Mon Apr 19 11:35:02 2021 +version: '' diff --git a/meta/main.yml b/meta/main.yml index e9b4a60..d88330f 100644 --- a/meta/main.yml +++ b/meta/main.yml @@ -2,32 +2,9 @@ dependencies: [] galaxy_info: - author: geerlingguy + role_name: certbot + author: vincentdcmps description: "Installs and configures Certbot (for Let's Encrypt)." company: "Midwestern Mac, LLC" license: "license (BSD, MIT)" min_ansible_version: 2.4 - platforms: - - name: EL - versions: - - 6 - - 7 - - name: Fedora - versions: - - all - - name: Ubuntu - versions: - - all - - name: Debian - versions: - - all - galaxy_tags: - - networking - - system - - web - - certbot - - letsencrypt - - encryption - - certificates - - ssl - - https diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml index 6bf8188..791dff5 100644 --- a/tasks/create-cert-standalone.yml +++ b/tasks/create-cert-standalone.yml 
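Review bot: In the meta/main.yml hunk `author` is switched to vincentdcmps while `company: "Midwestern Mac, LLC"` and the description stay as they were, so the fork's author is now attributed to the original maintainer's company; either keep `author: geerlingguy` next to the new `role_name` or update/remove `company` in the same change. Deleting the whole `platforms` and `galaxy_tags` lists also discards the role's stated OS support even though the new hook templates in this commit still branch on systemd, upstart and openrc; if the intent is to narrow support, a reduced `platforms` list (for example only the `- name: Debian` entry) documents that, and galaxy import tooling may warn when the key is absent entirely (unverified).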
@@ -1,17 +1,44 @@ --- - name: Check if certificate already exists. stat: - path: /etc/letsencrypt/live/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}/cert.pem + path: >- + /etc/letsencrypt/live/{% if certbot_cert_name %}{{ certbot_cert_name }} + {% else %}{{ cert_item.domains | first | replace('*.', '') }} + {% endif %}/cert.pem register: letsencrypt_cert +- name: Ensure pre and post hook folders exist. + file: + path: /etc/letsencrypt/renewal-hooks/{{ item }} + state: directory + mode: 0755 + owner: root + group: root + with_items: + - pre + - post -- name: Stop services to allow certbot to generate a cert. - service: - name: "{{ item }}" - state: stopped - when: not letsencrypt_cert.stat.exists or (certbot_force) - ignore_errors: yes - with_items: "{{ certbot_create_standalone_stop_services }}" +- name: Create pre hook to stop services. + template: + src: stop_services.j2 + dest: /etc/letsencrypt/renewal-hooks/pre/stop_services + owner: root + group: root + mode: 0750 + when: + - certbot_create_standalone_stop_services is defined + - certbot_create_standalone_stop_services + +- name: Create post hook to start services. + template: + src: start_services.j2 + dest: /etc/letsencrypt/renewal-hooks/post/start_services + owner: root + group: root + mode: 0750 + when: + - certbot_create_standalone_stop_services is defined + - certbot_create_standalone_stop_services - name: Generate new certificate if one doesn't exist. command: "{{ certbot_create_command }}" 
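Review bot: The new folded `path: >-` scalar on the stat task joins its three lines with single spaces before Jinja renders it, so the path becomes `/etc/letsencrypt/live/<name> /cert.pem` with a stray space in both the if and the else branch, and `letsencrypt_cert.stat.exists` can never be true. Strip the folding whitespace inside the tags, i.e. `{%- else %}{{ cert_item.domains | first | replace('*.', '') }}` and `{%- endif %}/cert.pem` (or keep the expression on one line); the `dest: >-` scalar in the next hunk of this file has the same problem. Separately, the removed "Stop services" task was what freed port 80/443 before the standalone `certbot certonly` call that follows this hunk, and the new renewal-hooks/pre script is only certain to run under `certbot renew`, so the initial issuance may now fail while a service is still listening unless the installed certbot also runs directory hooks for certonly — worth verifying. Nothing removes the hook files once `certbot_create_standalone_stop_services` is later emptied, so a stale pre hook would keep stopping services on every renewal; a `state: absent` branch on the same condition would close that. The `mode: 0755` and `mode: 0750` values should be quoted (`mode: "0750"`) so YAML does not parse them as integers.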
@@ -24,18 +51,17 @@ - name: ensure conf.d exist file: + mode: 0750 path: "{{ certbot_nginx_conf_path }}" state: directory - + - name: create nginx config ssl file template: - dest: "{{ certbot_nginx_conf_path }}/{% if certbot_cert_name %}{{certbot_cert_name}}{% else %}{{ cert_item.domains | first | replace('*.', '') }}{% endif %}.ssl" # required. Location to render the template to on the remote machine. - src: nginx_ssl_config.j2 # required. Path of a Jinja2 formatted template on the Ansible controller. This can be a relative or absolute path. - -- name: Start services after cert has been generated. - service: - name: "{{ item }}" - state: started - when: not letsencrypt_cert.stat.exists or (certbot_force) - ignore_errors: yes - with_items: "{{ certbot_create_standalone_stop_services }}" + mode: 0750 + dest: >- + {{ certbot_nginx_conf_path }}/ + {% if certbot_cert_name %}{{ certbot_cert_name }} + {% else %} + {{ cert_item.domains | first | replace('*.', '') }} + {% endif %}.ssl" + src: nginx_ssl_config.j2 diff --git a/tasks/main.yml b/tasks/main.yml index 0b9a5ac..680aeda 100644 --- a/tasks/main.yml +++ b/tasks/main.yml @@ -17,4 +17,3 @@ - import_tasks: renew-cron.yml when: certbot_auto_renew - diff --git a/templates/start_services.j2 b/templates/start_services.j2 new file mode 100644 index 0000000..ff1a21d --- /dev/null +++ b/templates/start_services.j2 @@ -0,0 +1,15 @@ +#!/bin/bash +# {{ ansible_managed }} + +{% for item in certbot_create_standalone_stop_services %} +echo "starting service {{ item }}" +{% if ansible_service_mgr == 'systemd' %} +systemctl start {{ item }} +{% elif ansible_service_mgr == 'upstart' %} +initctl start {{ item }} +{% elif ansible_service_mgr == 'openrc' %} +rc-service {{ item }} start +{% else %} +service {{ item }} start +{% endif %} +{% endfor %} diff --git a/templates/stop_services.j2 b/templates/stop_services.j2 new file mode 100644 index 0000000..f087768 --- /dev/null +++ b/templates/stop_services.j2 
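Review bot: The new folded `dest: >-` value ends in `{% endif %}.ssl"` — the closing double quote left over from the old single-line form is now literal text inside the block scalar, so the rendered file is named `<name>.ssl"`. Change the last line to `{%- endif %}.ssl`, and because folding joins the lines with spaces the other tag lines need the same trimming (`{%- if certbot_cert_name %}`, `{%- else %}`) so the filename contains no spaces, matching the fix the stat task in the previous hunk needs. The added `mode: 0750` lines should be quoted as `"0750"` for the same reason as elsewhere in this file.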
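Review bot: The service names are interpolated unquoted into a root-run shell script in templates/start_services.j2 (`systemctl start {{ item }}` and the other three branches), so an item containing whitespace or shell metacharacters would be split or interpreted rather than passed as one argument; quote each occurrence as `"{{ item }}"`. templates/stop_services.j2 has the identical pattern and needs the same change. The values come from role configuration rather than external input, so this is hardening rather than an exploitable path, but the script runs as root from certbot's hook directory, which is reason enough to quote.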
@@ -0,0 +1,15 @@
+#!/bin/bash
+# {{ ansible_managed }}
+
+{% for item in certbot_create_standalone_stop_services %}
+echo "stopping service {{ item }}"
+{% if ansible_service_mgr == 'systemd' %}
+systemctl stop {{ item }}
+{% elif ansible_service_mgr == 'upstart' %}
+initctl stop {{ item }}
+{% elif ansible_service_mgr == 'openrc' %}
+rc-service {{ item }} stop
+{% else %}
+service {{ item }} stop
+{% endif %}
+{% endfor %}
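Review bot: stop_services.j2 duplicates start_services.j2 line for line except for the verb, so the two service-manager dispatch tables will drift independently the first time one of them is edited. A single template rendered twice from the two template tasks, with the verb passed via `vars:` (for example `hook_action: stop`) and used as `systemctl {{ hook_action }} {{ item }}` / `rc-service {{ item }} {{ hook_action }}`, would keep the pre and post hooks in step. The per-branch ordering of verb and service name (`rc-service` takes the verb last) is the only thing that differs between branches, so the substitution is mechanical.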