---
# Dedicated group for the certificate material. Both service accounts
# created below are added to it, so group permissions on the instance
# folders are what lets them share what lego writes.
- name: Ensure lego cert group is created
  ansible.builtin.group:
    name: "{{ lego_cert_group }}"
    system: true
    state: present

# Account that owns the per-instance directories (see the file tasks
# further down). It is a home-less system account; it is only appended
# to the cert group so any pre-existing group membership is preserved.
# NOTE(review): no shell is set, so the distribution default applies —
# confirm that is a non-login shell if interactive use is not intended.
- name: Ensure lego cert user is created
  ansible.builtin.user:
    name: "{{ lego_cert_user }}"
    system: true
    create_home: false
    groups:
      - "{{ lego_cert_group }}"
    append: true
    state: present

# Second home-less system account; this file only puts it into the cert
# group. Presumably the account the systemd service runs as — confirm
# against the unit template, which is not part of this file.
- name: Ensure lego user is created
  ansible.builtin.user:
    name: "{{ lego_user }}"
    system: true
    create_home: false
    groups:
      - "{{ lego_cert_group }}"
    append: true
    state: present

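# Installs the lego binary from a release archive when nothing named
# `lego` is on the PATH, then removes the download and extraction scratch
# space. Every step after the probe is gated on the probe's exit code.
- name: Ensure lego is installed
  block:
    # `which` exits non-zero when lego is absent. The result is only used
    # as a condition, so the task reports neither "changed" nor "failed".
    - name: Check if lego is present
      ansible.builtin.command:
        cmd: which lego
      changed_when: false
      failed_when: false
      register: lego_binary_info

    # Supply-chain check: the archive is verified against a known digest
    # before anything from it is extracted or copied into /usr/local/bin.
    # `lego_release_archive_checksum` is a new, optional role variable
    # (omitted when unset, so existing callers keep working); give it the
    # module's "<algorithm>:<hex digest>" form, e.g. a sha256 value taken
    # from the upstream release.
    - name: Download lego from source
      ansible.builtin.get_url:
        url: "{{ lego_release_archive_url }}"
        url_username: "{{ lego_release_archive_url_username | default(omit) }}"
        url_password: "{{ lego_release_archive_url_password | default(omit) }}"
        checksum: "{{ lego_release_archive_checksum | default(omit) }}"
        dest: "{{ lego_release_archive_file_path }}"
        mode: "0644"
      when: lego_binary_info.rc != 0

    # Scratch directory for the extracted archive; removed again at the end
    # of this block. Mode is pinned so it does not depend on the umask.
    - name: Create folder to uncompress into
      ansible.builtin.file:
        path: "{{ lego_release_archive_path }}"
        state: directory
        mode: "0755"
      when: lego_binary_info.rc != 0

    # remote_src: the archive was downloaded onto the target, not the
    # controller.
    - name: Uncompress lego source archive
      ansible.builtin.unarchive:
        src: "{{ lego_release_archive_file_path }}"
        dest: "{{ lego_release_archive_path }}"
        remote_src: true
      when: lego_binary_info.rc != 0

    # An absolute mode is used instead of the earlier add-only symbolic
    # form (u+rwx,g+rx,o+rx): the symbolic form never clears bits, so a
    # pre-existing setuid/setgid or world-writable bit on the destination
    # would have survived.
    - name: Ensure lego binary is present in PATH
      ansible.builtin.copy:
        src: "{{ lego_release_archive_path }}/lego"
        dest: "/usr/local/bin/lego"
        mode: "0755"
        remote_src: true
      when: lego_binary_info.rc != 0

    # cap_net_bind_service lets the binary bind ports below 1024 without
    # running as root. The state follows the flag rather than gating the
    # task with `when`, so switching the flag off also removes a capability
    # granted by an earlier run instead of silently leaving it in place.
    # `| bool` keeps string values such as "false" from being read as true.
    - name: Ensure lego is allowed to bind to ports < 1024
      community.general.capabilities:
        path: "/usr/local/bin/lego"
        capability: "cap_net_bind_service+ep"
        state: "{{ 'present' if lego_binary_allow_net_bind_service | bool else 'absent' }}"

    # Drop the archive and the extraction directory; only the copy in
    # /usr/local/bin is kept.
    # NOTE(review): this is a plain sub-task, not an `always:` section, so
    # a failure earlier in the block leaves the scratch files behind.
    - name: Ensure intermediate data is gone
      ansible.builtin.file:
        path: "{{ item }}"
        state: absent
      loop:
        - "{{ lego_release_archive_path }}"
        - "{{ lego_release_archive_file_path }}"
      when: lego_binary_info.rc != 0
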
# Shared (not per-instance) directory; the run script and the per-instance
# env files are placed in it by the tasks below. Ownership is left to the
# user Ansible runs as.
- name: Ensure lego base path exists
  ansible.builtin.file:
    path: "{{ lego_base_path }}"
    mode: "0755"
    state: directory

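# Renders the templated systemd unit into the unit directory. The mode is
# pinned (unit files are conventionally world-readable, never writable by
# others) instead of inheriting the remote umask, and the reload handler is
# notified so systemd picks up the change; the handler is flushed
# explicitly before the timer is enabled further down.
- name: Ensure template unit file is present
  ansible.builtin.template:
    src: "{{ lego_systemd_template_unit_file }}"
    dest: "{{ lego_systemd_unit_path }}/{{ lego_systemd_template_unit_name }}"
    mode: "0644"
  notify: systemd_reload
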
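# Writes KEY=VALUE lines for the instance's environment file. Environment
# passed to lego commonly includes provider credentials (confirm against
# the unit template), so the file is no longer created with the default
# umask-derived, typically world-readable mode: it is readable by the
# owner and by members of the cert group only. Both service accounts are
# added to that group above, so neither the unit nor the run script loses
# access. `|+` keeps the trailing newline of the rendered block.
# NOTE(review): values are written unquoted; a value containing a newline
# would break the file format — validate lego_systemd_environment upstream.
- name: Ensure env file is templated
  ansible.builtin.copy:
    content: |+
      {% for entry in lego_systemd_environment | dict2items %}
      {{ entry.key }}={{ entry.value }}
      {% endfor %}
    dest: "{{ lego_base_path }}/{{ lego_instance }}.conf"
    group: "{{ lego_cert_group }}"
    mode: "0640"
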
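# Renders the systemd timer unit. Mode is pinned to the conventional unit
# file permissions rather than inherited from the umask; the reload
# handler is notified and flushed before the timer is enabled below.
- name: Ensure timer unit is templated
  ansible.builtin.template:
    src: "{{ lego_systemd_timer_template }}"
    dest: "{{ lego_systemd_unit_path }}/{{ lego_systemd_timer_name }}"
    mode: "0644"
  notify: systemd_reload
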
# Despite the task name this is a static copy of the role's lego_run.sh,
# not a template render. The script is installed executable and ends up
# next to the per-instance env files in the base path.
- name: Ensure handling script is templated
  ansible.builtin.copy:
    src: "lego_run.sh"
    mode: "0755"
    dest: "{{ lego_base_path }}/run.sh"

# Root of the instance's state, owned by the cert account and group; the
# restricted sub-folders are created by the next task, this level stays
# traversable by everyone.
- name: Ensure per-instance base path is created
  ansible.builtin.file:
    path: "{{ lego_instance_path }}"
    owner: "{{ lego_cert_user }}"
    group: "{{ lego_cert_group }}"
    mode: "0755"
    state: directory

# Per-instance sub-folders with graded access: `secrets` is readable by the
# group but writable by the owner only, `accounts` is group-writable, and
# `certificates` is additionally world-readable. Owner and group fall back
# to the cert account unless an item overrides them. The loop label keeps
# the play output to the path instead of the whole item mapping.
- name: Ensure per-instance sub folders are created with correct permissions
  ansible.builtin.file:
    path: "{{ item.path }}"
    owner: "{{ item.owner | default(lego_cert_user) }}"
    group: "{{ item.group | default(lego_cert_group) }}"
    mode: "{{ item.mode }}"
    state: directory
  loop:
    - mode: "0750"
      path: "{{ lego_instance_path }}/secrets"
    - mode: "0770"
      path: "{{ lego_instance_path }}/accounts"
    - mode: "0775"
      path: "{{ lego_instance_path }}/certificates"
  loop_control:
    label: "{{ item.path }}"

# Run any pending handlers now (the unit templates notify systemd_reload)
# so the timer tasks below operate on the freshly installed units rather
# than waiting for the end of the play.
- name: Ensure systemd daemon is reloaded
  meta: flush_handlers

# Enable the timer so it survives a reboot; starting it is a separate task.
- name: Ensure systemd timer is enabled
  ansible.builtin.systemd_service:
    enabled: true
    name: "{{ lego_systemd_timer_name }}"

# Start the timer for the current boot.
- name: Ensure systemd timer is started
  ansible.builtin.systemd_service:
    state: started
    name: "{{ lego_systemd_timer_name }}"

# Kick the service immediately so the first certificate is obtained during
# the play instead of at the timer's first elapse. A failing service run
# fails the play here; presumably a oneshot unit — confirm in the template.
- name: Ensure systemd service is started once to obtain the certificate
  ansible.builtin.systemd_service:
    state: started
    name: "{{ lego_systemd_service_name }}"