Eugene Mazhora
ee81c77df4
Merge 730ede0618d2ef3f54e678ea21eec97474b18606 into 101111391444ac4d1d407c392ab78ffe0f932910 2025-12-01 15:41:50 +07:00
Jeff Geerling
1011113914 Attempt to fix ansible_facts deprecation warnings. 2025-11-27 22:11:54 -06:00
Jeff Geerling
95afe409cc Attempt to fix ansible_facts deprecation warnings. 2025-11-27 21:55:16 -06:00
Eugene Mazhora
730ede0618
Merge branch 'master' into certbot-rfc2136-acme-challenge 2025-05-06 00:53:17 +07:00
Eugene Mazhora
17ec555d59 add dns acme challenge 2025-05-04 21:35:24 +07:00
15 changed files with 108 additions and 26 deletions


@ -50,6 +50,16 @@ jobs:
- distro: debian12 - distro: debian12
playbook: converge.yml playbook: converge.yml
experimental: false experimental: false
<<<<<<< Updated upstream
=======
- distro: debian10
playbook: converge.yml
experimental: false
# Source install started failing recently.
# - distro: centos7
# playbook: playbook-source-install.yml
# experimental: false
>>>>>>> Stashed changes
- distro: rockylinux9 - distro: rockylinux9
playbook: playbook-snap-install.yml playbook: playbook-snap-install.yml
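Review bot: The new side of this hunk commits unresolved conflict markers — `<<<<<<< Updated upstream`, `=======` and `>>>>>>> Stashed changes` — into the job matrix, which leaves the workflow YAML unparseable. Resolve the conflict before merging by dropping the three marker lines and deciding explicitly whether the `debian10` entry and the commented `centos7` block belong in the matrix. The markers suggest this came from a `git stash pop`; if `debian10` had been removed upstream on purpose (it is an end-of-life release), the stash should not quietly restore it. The `jobs:` block this matrix belongs to starts outside the hunk.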


@ -29,6 +29,21 @@ certbot_certs: []
# - example2.com # - example2.com
# - domains: # - domains:
# - example3.com # - example3.com
# - name: example4.com
# dns_rfc2136_credentials: "local-keyname"
# domains:
# - "example4.com"
# - "example5.com"
# certbot_dns_rfc2136_credentials:
# - name: "local-keyname"
# server: "192.0.2.1" # ip address only
# port: 53
# key_name: "keyname-in-dns-config"
# secret: "example_rfc2136_secret"
# algorithm: "HMAC-SHA256"
certbot_dns_rfc2136_propagation_seconds: 60
certbot_create_command: >- certbot_create_command: >-
{{ certbot_script }} certonly --{{ certbot_create_method }} {{ certbot_script }} certonly --{{ certbot_create_method }}
@ -39,6 +54,10 @@ certbot_create_command: >-
{{ '--expand' if certbot_expand else '' }} {{ '--expand' if certbot_expand else '' }}
{{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }} {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
{{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }} {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
{{ '--dns-rfc2136-propagation-seconds ' if certbot_create_method == 'dns-rfc2136' else '' }}
{{ certbot_dns_rfc2136_propagation_seconds if certbot_create_method == 'dns-rfc2136' else '' }}
{{ '--dns-rfc2136-credentials ' if certbot_create_method == 'dns-rfc2136' else '' }}
{{ '/etc/letsencrypt/' + cert_item.dns_rfc2136_credentials + '.ini' if certbot_create_method == 'dns-rfc2136' else '' }}
{{ certbot_create_extra_args }} {{ certbot_create_extra_args }}
--cert-name {{ cert_item_name }} --cert-name {{ cert_item_name }}
-d {{ cert_item.domains | join(',') }} -d {{ cert_item.domains | join(',') }}
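Review bot: In the second hunk, `'/etc/letsencrypt/' + cert_item.dns_rfc2136_credentials + '.ini'` reads `cert_item.dns_rfc2136_credentials` with no default, so a cert item that omits the key fails the whole `certbot_create_command` render with an undefined-attribute error rather than a message naming the missing key; `cert_item.dns_rfc2136_credentials | mandatory('dns_rfc2136_credentials is required for dns-rfc2136')` would surface it. The commented example in the first hunk shows the TSIG key as a plain string under `secret:`; since this file is the template users copy into their inventory, I would change the example line to `# secret: "{{ vault_rfc2136_secret }}"  # keep the TSIG key in Ansible Vault, not in plain-text vars` so the documented pattern does not put a DNS-update secret into version control. The `server: "192.0.2.1" # ip address only` remark is helpful; it may be worth stating in the same comment that the `.ini` file is written to `/etc/letsencrypt/<name>.ini` on the host, so readers know where the secret ends up.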


@ -9,7 +9,7 @@
pre_tasks: pre_tasks:
- name: Update apt cache. - name: Update apt cache.
apt: update_cache=yes cache_valid_time=600 apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
changed_when: false changed_when: false
- name: Install dependencies (RedHat). - name: Install dependencies (RedHat).
@ -18,11 +18,11 @@
- cronie - cronie
- epel-release - epel-release
state: present state: present
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
roles: roles:
- geerlingguy.certbot - geerlingguy.certbot


@ -10,16 +10,16 @@
pre_tasks: pre_tasks:
- name: Update apt cache. - name: Update apt cache.
apt: update_cache=yes cache_valid_time=600 apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
changed_when: false changed_when: false
- name: Install cron (RedHat). - name: Install cron (RedHat).
yum: name=cronie state=present yum: name=cronie state=present
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
roles: roles:
- geerlingguy.git - geerlingguy.git


@ -10,16 +10,16 @@
pre_tasks: pre_tasks:
- name: Update apt cache. - name: Update apt cache.
apt: update_cache=yes cache_valid_time=600 apt: update_cache=yes cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
changed_when: false changed_when: false
- name: Install cron (RedHat). - name: Install cron (RedHat).
yum: name=cronie state=present yum: name=cronie state=present
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
roles: roles:
- geerlingguy.git - geerlingguy.git


@ -111,19 +111,19 @@
pre_tasks: pre_tasks:
- name: Update apt cache. - name: Update apt cache.
apt: update_cache=true cache_valid_time=600 apt: update_cache=true cache_valid_time=600
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
changed_when: false changed_when: false
- name: Install dependencies (RedHat). - name: Install dependencies (RedHat).
yum: name={{ item }} state=present yum: name={{ item }} state=present
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
with_items: with_items:
- cronie - cronie
- epel-release - epel-release
- name: Install cron (Debian). - name: Install cron (Debian).
apt: name=cron state=present apt: name=cron state=present
when: ansible_os_family == 'Debian' when: ansible_facts.os_family == 'Debian'
roles: roles:
- geerlingguy.certbot - geerlingguy.certbot


@ -0,0 +1,37 @@
---
- name: Determine certificate name
set_fact:
cert_item_name: "{{ cert_item.name | default(cert_item.domains | first | replace('*.', '')) }}"
- name: Check if certificate already exists.
stat:
path: /etc/letsencrypt/live/{{ cert_item_name }}/cert.pem
register: letsencrypt_cert
- name: Create dns_rfc2136_credentials files
template:
src: rfc2136_credentials.j2
dest: "/etc/letsencrypt/{{ item.name }}.ini"
mode: 0600
with_items: "{{ certbot_dns_rfc2136_credentials }}"
- name: Check if domains have changed
block:
- name: Register certificate domains
shell: "{{ certbot_script }} certificates --cert-name {{ cert_item_name }} | grep Domains | cut -d':' -f2"
changed_when: false
register: letsencrypt_cert_domains_dirty
- name: Cleanup domain list
set_fact:
letsencrypt_cert_domains: "{{ letsencrypt_cert_domains_dirty.stdout | trim | split(' ') | map('trim') | select('!=', '') | list | sort }}"
- name: Determine if domains have changed
set_fact:
letsencrypt_cert_domains_changed: "{{ letsencrypt_cert_domains != (cert_item.domains | map('trim') | select('!=', '') | list | sort) }}"
when: letsencrypt_cert.stat.exists
- name: Generate new certificate if one doesn't exist.
command: "{{ certbot_create_command }}"
when: not letsencrypt_cert.stat.exists
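Review bot: The `Create dns_rfc2136_credentials files` task loops over `certbot_dns_rfc2136_credentials` with `with_items`, and Ansible prints each loop `item` — including `secret` — in the task result and in `--diff` output, so the TSIG key ends up in console logs and callback plugins; add `no_log: true` to that task. On the same task `mode: 0600` is an unquoted octal; write it as `mode: "0600"` so the parser cannot reinterpret it (ansible-lint flags this as risky-octal). `letsencrypt_cert_domains_changed` is computed in the block but nothing in this file consumes it — the final task only checks `not letsencrypt_cert.stat.exists` — so either the regenerate condition should include it or the block is dead code copied from a sibling task file; I cannot tell which from here. The defaults hunk in this commit only shows `certbot_dns_rfc2136_credentials` as a commented example, so unless an uncommented default exists elsewhere, `with_items: "{{ certbot_dns_rfc2136_credentials }}"` fails with an undefined variable for any user who has not set it.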


@ -2,7 +2,7 @@
- name: Load a variable file based on the OS type, or a default if not found. - name: Load a variable file based on the OS type, or a default if not found.
include_vars: "{{ item }}" include_vars: "{{ item }}"
with_first_found: with_first_found:
- "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" - "{{ ansible_facts.distribution }}-{{ ansible_facts.distribution_version }}.yml"
- "{{ ansible_distribution }}.yml" - "{{ ansible_facts.distribution }}.yml"
- "{{ ansible_os_family }}.yml" - "{{ ansible_facts.os_family }}.yml"
- "default.yml" - "default.yml"


@ -1,9 +1,10 @@
--- ---
- name: Install Certbot. - name: Install Certbot.
package: package:
name: "{{ certbot_package }}" name: "{{ item }}"
state: present state: present
with_items: "{{ certbot_package }}"
- name: Set Certbot script variable. - name: Set Certbot script variable.
set_fact: set_fact:
certbot_script: "{{ certbot_package }}" certbot_script: "{{ certbot_package[0] }}"
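Review bot: `certbot_script: "{{ certbot_package[0] }}"` breaks for anyone who overrides `certbot_package` with a plain string, which is exactly what the previous default (`certbot_package: certbot`) taught users to do — indexing a string yields its first character, so `certbot_script` becomes `c`. The `package` module's `name` already accepts a list, so the new `with_items` loop is unnecessary and the install task can stay as `name: "{{ certbot_package }}"`, which works for both the old scalar and the new list. For the script name use `certbot_script: "{{ [certbot_package] | flatten | first }}"`, which returns the first element whether the variable is a string or a list.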


@ -16,7 +16,7 @@
src: /var/lib/snapd/snap src: /var/lib/snapd/snap
dest: /snap dest: /snap
state: link state: link
when: ansible_os_family != "Debian" when: ansible_facts.os_family != "Debian"
- name: Update snap after install. - name: Update snap after install.
shell: snap install core; snap refresh core shell: snap install core; snap refresh core


@ -2,7 +2,7 @@
- import_tasks: include-vars.yml - import_tasks: include-vars.yml
- import_tasks: setup-RedHat.yml - import_tasks: setup-RedHat.yml
when: ansible_os_family == 'RedHat' when: ansible_facts.os_family == 'RedHat'
- import_tasks: install-with-package.yml - import_tasks: install-with-package.yml
when: certbot_install_method == 'package' when: certbot_install_method == 'package'
@ -29,5 +29,13 @@
loop_control: loop_control:
loop_var: cert_item loop_var: cert_item
- include_tasks: create-cert-dns-rfc2136.yml
with_items: "{{ certbot_certs }}"
when:
- certbot_create_if_missing
- certbot_create_method == 'dns-rfc2136'
loop_control:
loop_var: cert_item
- import_tasks: renew-cron.yml - import_tasks: renew-cron.yml
when: certbot_auto_renew when: certbot_auto_renew


@ -0,0 +1,5 @@
dns_rfc2136_server = "{{ item.server }}"
dns_rfc2136_port = "{{ item.port }}"
dns_rfc2136_name = "{{ item.key_name }}"
dns_rfc2136_secret = "{{ item.secret }}"
dns_rfc2136_algorithm = "{{ item.algorithm }}"
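Review bot: This new template has no header, so an operator who finds `/etc/letsencrypt/<name>.ini` on a host has no indication that it is generated and that hand edits will be overwritten; a first line of `# {{ ansible_managed }}` would say so, and as far as I know certbot's credentials parser accepts `#` comments. Every value is wrapped in double quotes, which I believe certbot's INI parser strips, but this is worth confirming once against a real `certbot certonly --dns-rfc2136` run, since a literal `"53"` for the port would fail at runtime rather than at template time. The file carries the TSIG secret, so the `mode` and `no_log` handling of the task that renders it (in `create-cert-dns-rfc2136.yml`) is what protects it; a short comment pointing there would help the next maintainer.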


@ -3,11 +3,11 @@
{% for item in certbot_create_standalone_stop_services %} {% for item in certbot_create_standalone_stop_services %}
echo "starting service {{ item }}" echo "starting service {{ item }}"
{% if ansible_service_mgr == 'systemd' %} {% if ansible_facts.service_mgr == 'systemd' %}
systemctl start {{ item }} systemctl start {{ item }}
{% elif ansible_service_mgr == 'upstart' %} {% elif ansible_facts.service_mgr == 'upstart' %}
initctl start {{ item }} initctl start {{ item }}
{% elif ansible_service_mgr == 'openrc' %} {% elif ansible_facts.service_mgr == 'openrc' %}
rc-service {{ item }} start rc-service {{ item }} start
{% else %} {% else %}
service {{ item }} start service {{ item }} start


@ -3,11 +3,11 @@
{% for item in certbot_create_standalone_stop_services %} {% for item in certbot_create_standalone_stop_services %}
echo "stopping service {{ item }}" echo "stopping service {{ item }}"
{% if ansible_service_mgr == 'systemd' %} {% if ansible_facts.service_mgr == 'systemd' %}
systemctl stop {{ item }} systemctl stop {{ item }}
{% elif ansible_service_mgr == 'upstart' %} {% elif ansible_facts.service_mgr == 'upstart' %}
initctl stop {{ item }} initctl stop {{ item }}
{% elif ansible_service_mgr == 'openrc' %} {% elif ansible_facts.service_mgr == 'openrc' %}
rc-service {{ item }} stop rc-service {{ item }} stop
{% else %} {% else %}
service {{ item }} stop service {{ item }} stop


@ -1,2 +1,4 @@
--- ---
certbot_package: certbot certbot_package:
- certbot
- python3-certbot-dns-rfc2136
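Review bot: Adding `python3-certbot-dns-rfc2136` to `certbot_package` installs the DNS plugin on every host that uses the package install method, including the majority who never set `certbot_create_method: dns-rfc2136`, which widens the installed surface for no benefit. `vars/default.yml` is also the fallback for every distribution without a more specific vars file (the `with_first_found` list in `include-vars.yml`), so this Debian-style package name is applied to non-Debian hosts as well; I have not checked whether it resolves on every family the role supports. A cleaner shape is a separate `certbot_dns_rfc2136_package` variable appended to the install list only `when: certbot_create_method == 'dns-rfc2136'`, leaving the base `certbot_package` unchanged.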