certbot-auto was removed from the certbot repo by EFF in 2021 (see issue #204), which leaves certbot_install_method: source broken — the existing install-from-source.yml still references {{ certbot_dir }}/certbot-auto, a path that no longer exists after the git clone. This adds a new install method `pip` that follows EFF's recommended install path (https://certbot.eff.org/instructions?os=pip): create a Python venv at {{ certbot_dir }}, pip install certbot, symlink the binary onto PATH at /usr/local/bin/certbot. Plugins (e.g. certbot-dns-rfc2136, certbot-dns-cloudflare) can be opted into per-host via a new certbot_pip_extra_packages list, which installs additional pip packages into the same venv after certbot. The legacy `source` method is left in place for backwards compatibility but is now documented as deprecated in the README and defaults file. Tested on Debian 12 and Debian 13.
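---
# Default variables for the certbot role; override per host or group.

# Certbot auto-renew cron job configuration (for certificate renewals).
certbot_auto_renew: true
# Account the renewal cron entry runs as; falls back to the controller's $USER
# when ansible_user is not set.
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
# Quoted so the values stay strings rather than YAML integers.
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
# Extra options for the renew command run by the cron job.
certbot_auto_renew_options: "--quiet"

# Adds --test-cert to certbot_create_command (certbot's staging environment;
# the resulting certificates are not publicly trusted).
certbot_testmode: false
# Adds --hsts to certbot_create_command.
certbot_hsts: false

# Parameters used when creating new Certbot certs.
# NOTE(review): presumably gates issuing certs from certbot_certs that do not
# yet exist on the host — confirm in the role's tasks.
certbot_create_if_missing: false
# Passed as --{{ certbot_create_method }}. 'webroot' also adds --webroot-path;
# 'standalone' enables the stop/start service hooks configured below.
certbot_create_method: standalone
# Inserted verbatim into certbot_create_command.
certbot_create_extra_args: ""
# Used for --email whenever a cert item has no email of its own.
certbot_admin_email: email@example.com
# Adds --expand so an existing cert can be extended with new domains.
certbot_expand: false

# Default webroot, overwritten by individual per-cert webroot directories
certbot_webroot: /var/www/letsencrypt

# Certs to manage. Keys read by certbot_create_command: domains (required),
# email, webroot and deploy_hook (all optional).
certbot_certs: []
# - name: example.com
#   email: janedoe@example.com
#   webroot: "/var/www/html/"
#   domains:
#     - example1.com
#     - example2.com
# - domains:
#     - example3.com

# Command used to issue each cert item. Optional flags are templated to an
# empty string when they do not apply, so the folded scalar stays one line.
# deploy_hook is wrapped in single quotes: a hook value containing a literal
# single quote would end the quoting early, so keep hooks free of '.
# (--expand used to appear twice in this command; it is emitted once now.)
certbot_create_command: >-
  {{ certbot_script }} certonly --{{ certbot_create_method }}
  {{ '--hsts' if certbot_hsts else '' }}
  {{ '--test-cert' if certbot_testmode else '' }}
  --noninteractive --agree-tos
  --email {{ cert_item.email | default(certbot_admin_email) }}
  {{ '--webroot-path ' if certbot_create_method == 'webroot' else '' }}
  {{ cert_item.webroot | default(certbot_webroot) if certbot_create_method == 'webroot' else '' }}
  {{ certbot_create_extra_args }}
  --cert-name {{ cert_item_name }}
  -d {{ cert_item.domains | join(',') }}
  {{ '--expand' if certbot_expand else '' }}
  {{ '--pre-hook /etc/letsencrypt/renewal-hooks/pre/stop_services'
  if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
  else '' }}
  {{ '--post-hook /etc/letsencrypt/renewal-hooks/post/start_services'
  if certbot_create_standalone_stop_services and certbot_create_method == 'standalone'
  else '' }}
  {{ "--deploy-hook '" ~ cert_item.deploy_hook ~ "'"
  if 'deploy_hook' in cert_item
  else '' }}

# Services stopped by the pre-hook and started again by the post-hook when
# certbot_create_method is 'standalone'. An empty list disables both hooks.
certbot_create_standalone_stop_services:
  - nginx
  # - apache
  # - varnish

# Available options: 'package', 'snap', 'source', 'pip'.
# Note: 'source' is deprecated — it relies on certbot-auto, which EFF removed
# from the certbot repo in 2021. Use 'pip' for the equivalent always-latest
# install (creates a venv at {{ certbot_dir }} and pip-installs certbot).
certbot_install_method: 'package'

# Source / pip install configuration.
certbot_repo: https://github.com/certbot/certbot.git
# NOTE(review): 'master' tracks an unpinned moving branch; a release tag gives
# reproducible source installs. Whether the pip method honours this variable
# is not visible here — confirm in the install tasks.
certbot_version: master
# NOTE(review): presumably re-pulls certbot_repo on every run when true —
# confirm in the source install task.
certbot_keep_updated: true

# Where to put Certbot when installing from source or pip (venv root for pip).
certbot_dir: /opt/certbot

# Extra pip packages installed alongside certbot in the same venv (pip method only).
# Use this for plugins, e.g.:
# certbot_pip_extra_packages:
#   - certbot-dns-rfc2136
#   - certbot-dns-cloudflare
# Entries are pip package specs, so a version specifier such as
# "certbot-dns-rfc2136==<version>" pins a plugin instead of pulling the latest
# release on each run.
certbot_pip_extra_packages: []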