@@ -0,0 +1,150 @@
|
| |
+ ---
|
| |
+ - set_fact:
|
| |
+ bp_source_path: /etc/letsencrypt
|
| |
+ # https://pagure.io/copr/copr/issue/2250
|
| |
+ bp_backup_path: /srv/certbot-certs
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: install certbot package
|
| |
+ package: name=certbot state=present
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: install certbot config
|
| |
+ template: src=certbot.j2 dest=/etc/sysconfig/certbot
|
| |
+ mode=0644
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: install certbot deploy script
|
| |
+ template: src={{ buypass.predefined_deploy_script }}
|
| |
+ dest=/usr/libexec/auto-certbot-deploy
|
| |
+ mode=0755
|
| |
+ when: buypass.predefined_deploy_script is defined
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: check whether we need to initialize buypass first
|
| |
+ stat: path="/etc/letsencrypt/live/{{ item.key }}"
|
| |
+ register: bp_stat_checks
|
| |
+ with_dict: "{{ buypass.certificates }}"
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: check if we already have the backup
|
| |
+ delegate_to: localhost
|
| |
+ stat:
|
| |
+ path: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}"
|
| |
+ register: bp_stat_backup_dir
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: restore the certificates from backup (backed up on batcave)
|
| |
+ synchronize:
|
| |
+ src: "{{ bp_backup_path }}/{{ (buypass.certificates|dictsort)[0][0] }}/"
|
| |
+ dest: "{{ bp_source_path }}"
|
| |
+ mode: push
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+ when:
|
| |
+ - not bp_stat_checks.results[0].stat.exists
|
| |
+ - bp_stat_backup_dir.stat.exists
|
| |
+ register: some_cert_restored
|
| |
+
|
| |
+ - name: initialize certbot configuration
|
| |
+ shell: |
|
| |
+ certbot certonly --standalone \
|
| |
+ -w {{ item.item.value.challenge_dir }} \
|
| |
+ -d {{ item.item.value.domains | join(' -d ') }} \
|
| |
+ --cert-name {{ item.item.key }} \
|
| |
+ -m {{ item.item.value.mail }} \
|
| |
+ --agree-tos \
|
| |
+ -n >> /tmp/call
|
| |
+ when:
|
| |
+ - not item.stat.exists
|
| |
+ - not some_cert_restored.changed
|
| |
+ with_items: "{{ bp_stat_checks.results }}"
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: configure certbot to use webroot next time
|
| |
+ ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
|
| |
+ section=renewalparams
|
| |
+ option=authenticator
|
| |
+ value=webroot
|
| |
+ with_items: "{{ bp_stat_checks.results }}"
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: configure certbot to use webroot next time
|
| |
+ ini_file: dest="/etc/letsencrypt/renewal/{{ item.item.key }}.conf"
|
| |
+ section=renewalparams
|
| |
+ option=webroot_path
|
| |
+ value="{{ item.item.value.challenge_dir }}"
|
| |
+ with_items: "{{ bp_stat_checks.results }}"
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: post init script
|
| |
+ shell: |
|
| |
+ /usr/libexec/auto-certbot-deploy \
|
| |
+ --init {{ item.item.key }}
|
| |
+ when:
|
| |
+ - buypass.predefined_deploy_script is defined
|
| |
+ - not item.stat.exists
|
| |
+ with_items: "{{ bp_stat_checks.results }}"
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: Automatize cert renewal
|
| |
+ service:
|
| |
+ name: certbot-renew.timer
|
| |
+ state: started
|
| |
+ enabled: yes
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ # When we do 'systemctl restart', lighttpd is initially started as "root"
|
| |
+ # process (when the config is loaded) and later it does setuid(lighttpd).
|
| |
+ # So "restart" is just fine. Though we also do 'killall -HUP lighttpd' in
|
| |
+ # several occasions and then 'lighttpd' user needs to have the access. See the
|
| |
+ # following issues:
|
| |
+ # https://pagure.io/copr/copr/issue/2001 Resolves:
|
| |
+ # https://pagure.io/fedora-infrastructure/issue/10391
|
| |
+ - name: allow lighttpd to step into certbots directories
|
| |
+ acl:
|
| |
+ path: "{{ item }}"
|
| |
+ entity: lighttpd
|
| |
+ etype: user
|
| |
+ permissions: --x
|
| |
+ state: present
|
| |
+ with_items:
|
| |
+ - /etc/letsencrypt/archive
|
| |
+ - /etc/letsencrypt/live
|
| |
+ when:
|
| |
+ - buypass.predefined_deploy_script is defined
|
| |
+ - buypass.predefined_deploy_script == 'lighttpd'
|
| |
+ tags:
|
| |
+ - certbot
|
| |
+
|
| |
+ - name: prepare the certbot backup directory on batcave
|
| |
+ delegate_to: localhost
|
| |
+ file:
|
| |
+ path: "{{ bp_backup_path }}"
|
| |
+ # nobody, except for root, can step into this directory (on batcave)
|
| |
+ mode: 0700
|
| |
+ owner: root
|
| |
+ group: root
|
| |
+ state: directory
|
| |
+ tags:
|
| |
+ certbot
|
| |
+
|
| |
+ - name: backup the buypass certs to batcave directory
|
| |
+ synchronize:
|
| |
+ src: "{{ bp_source_path }}/"
|
| |
+ dest: "{{ bp_backup_path }}/{{ item.key }}"
|
| |
+ mode: pull
|
| |
+ with_dict: "{{ buypass.certificates }}"
|
| |
+ tags:
|
| |
+ - certbot
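Review bot: The `initialize certbot configuration` task runs as root and appends certbot's output to `/tmp/call`, a predictable, unowned path in a world-writable directory; a local user can pre-create or symlink that file so root writes through it, and whatever it holds is created with root's default umask and never cleaned up. Drop the redirect and let Ansible capture stdout (end the command with plain `-n` and add `register:` if the output is wanted), or write to a root-owned location such as `/var/log/certbot-init.log`. Fedora's default `fs.protected_symlinks` blunts the symlink case, but a playbook should not rely on that sysctl being set on every target. While there, the inventory values spliced into that shell line (`challenge_dir`, `domains`, `mail`) are unquoted, so `{{ item.item.value.mail | quote }}` and the like would keep a stray space or shell metacharacter from becoming extra arguments, and `-w` is a webroot option that `--standalone` does not use.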