thomas
/
sovereign
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
No Description
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
1086 Commits
1 Branch
Tree: e6bd74153d
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'e6bd74153d'
${ noResults }
sovereign/roles/sslletsencrypt/tasks/letsencrypt.yml

letsencrypt.yml 2.7KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586878889909192939495969798 
  1. - name: Add group name ssl-cert for SSL certificates

  2.   group:

  3.     name: ssl-cert

  4.     state: present

  5. 

  6. - name: add stretch-backport for Certbot

  7.   apt_repository: repo='deb http://deb.debian.org/debian stretch-backports main' state=present update_cache=yes

  8.   tags:

  9.     - dependencies

  10.   when: ansible_distribution_version == '9'

  11. 

  12. - name: Install Certbot

  13.   apt:

  14.     name: "certbot"

  15.     state: present

  16.     default_release: stretch-backports

  17.   tags:

  18.     - dependencies

  19.   when: ansible_distribution_version == '9'

  20. 

  21. - name: Install Certbot

  22.   apt:

  23.     name: "certbot"

  24.     state: present

  25.   tags:

  26.     - dependencies

  27.   when: ansible_distribution_version == '10'

  28. 

  29. - name: Install Certbot

  30.   apt:

  31.     name: "certbot"

  32.     state: present

  33.   tags:

  34.     - dependencies

  35.   when: ansible_distribution_version == '11'

  36. 

  37. - name: Create directory for LetsEncrypt configuration and certificates

  38.   file: state=directory path=/etc/letsencrypt group=root owner=root

  39. 

  40. - name: Configure LetsEncrypt

  41.   template:

  42.     src=etc_letsencrypt_cli.conf.j2

  43.     dest=/etc/letsencrypt/cli.conf

  44.     owner=root

  45.     group=root

  46. 

  47. - name: Create directory for pre-renewal scripts

  48.   file: state=directory path=/etc/letsencrypt/prerenew group=root owner=root

  49. 

  50. - name: Create directory for post-renewal scripts

  51.   file: state=directory path=/etc/letsencrypt/postrenew group=root owner=root

  52. 

  53. - name: Create pre-renew hook to stop apache

  54.   copy:

  55.     content: "#!/bin/bash\n\nservice apache2 stop\n"

  56.     dest: /etc/letsencrypt/prerenew/apache

  57.     owner: root

  58.     group: root

  59.     mode: 0755

  60. 

  61. - name: Create post-renew hook to start apache

  62.   copy:

  63.     content: "#!/bin/bash\n\nservice apache2 start\n"

  64.     dest: /etc/letsencrypt/postrenew/apache

  65.     owner: root

  66.     group: root

  67.     mode: 0755

  68. 

  69. - name: Install crontab entry for LetsEncrypt

  70.   copy:

  71.     src: etc_cron-daily_letsencrypt-renew

  72.     dest: /etc/cron.daily/letsencrypt-renew

  73.     owner: root

  74.     group: root

  75.     mode: 0755

  76. 

  77. - name: Create live directory for LetsEncrypt cron job

  78.   file: state=directory path=/etc/letsencrypt/live group=ssl-cert owner=root

  79. 

  80. - name: Copy script to generate initial certificate

  81.   template:

  82.     src=root_letsencrypt_gencert.j2

  83.     dest=/root/letsencrypt-gencert

  84.     owner=root

  85.     group=root

  86.     mode=0755

  87. 

  88. - name: Get an SSL certificate for all specified domains and subdomains from Let's Encrypt

  89.   command: /root/letsencrypt-gencert creates=/etc/letsencrypt/live/{{ domain }}/privkey.pem

  90. 

  91. - name: Remove certificate script

  92.   file: path=/root/letsencrypt-gencert state=absent

  93. 

  94. - name: Modify permissions to allow ssl-cert group access to archive

  95.   file: path=/etc/letsencrypt/archive owner=root group=ssl-cert mode=0750 recurse=yes

  96. 

  97. - name: Modify permissions to allow ssl-cert group access to live

  98.   file: path=/etc/letsencrypt/live owner=root group=ssl-cert mode=0750 recurse=yes