---
# acme tasks/main.yml
#
# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0
# Distribution-specific variables and tasks live in files named after the
# ansible_os_family fact; both are pulled in before anything is created.
- name: include OS-specific vars
  include_vars: "{{ ansible_os_family }}.yml"

- name: include OS-specific tasks
  include_tasks: "{{ ansible_os_family }}.yml"
# Dedicated primary group for the unprivileged acme.sh service account.
- name: Create group for acme.sh
  group:
    name: "{{ acmesh_groupname }}"
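# Unprivileged service account that owns the acme.sh checkout, config and
# certificates. The home directory is created by a later task with explicit
# owner/group/mode, so create_home stays off here. password_lock locks the
# password; the account is only ever entered via become_user below.
- name: Create user for acme.sh
  user:
    name: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    comment: "{{ acmesh_comment }}"
    shell: "{{ acmesh_shell }}"
    home: "{{ acmesh_base_dir }}/home"
    create_home: false
    password_lock: true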
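# Sudoers drop-in granting the acme.sh user a webserver restart. The template
# (acme_sudoers.j2, not shown here) is the privilege boundary for that
# account: review it so it allows only the restart command. `validate`
# runs visudo against the rendered file and aborts before installing it
# if the syntax is bad, which avoids breaking sudo host-wide.
# Mode is quoted so the YAML parser cannot reinterpret the octal value.
- name: Allow acme.sh user to restart the webserver
  template:
    src: "acme_sudoers.j2"
    dest: "/etc/sudoers.d/acme_sudoers"
    owner: "root"
    group: "root"
    mode: "0440"
    validate: "visudo -c -s -f %s"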
# Certificate store: owned by the acme.sh user, group set to the webserver
# so it can read/traverse (0750) but not write.
- name: Create certificate dir
  file:
    path: "{{ certificate_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0750"
# One sub-directory per certificate, named after the first entry of the
# cert's cert_names list; same owner/group/mode as the parent directory.
- name: Create per-domain sub-dirs
  file:
    path: "{{ certificate_dir }}/{{ item.cert_names | first }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0750"
  with_items: "{{ acme_certs }}"
# Parent of the dist/ checkout and home/ config directory, world-readable.
- name: Create base dir for acme.sh
  file:
    path: "{{ acmesh_base_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    mode: "0755"
# dist/ holds the git checkout, home/ holds acme.sh's config-home including
# account keys, so both are private to the acme.sh user (0700).
# NOTE(review): with 0700 the group has no access, so setting
# webserver_groupname here has no effect; the base dir above uses
# acmesh_groupname — confirm which group was intended.
- name: Create subdirs for home/dist of acme.sh
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0700"
  with_items:
    - "{{ acmesh_base_dir }}/dist"
    - "{{ acmesh_base_dir }}/home"
# Location of acmesh.log (passed to `acme.sh install --log` below).
- name: Create log dir for acme.sh
  file:
    path: "{{ acmesh_log_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    mode: "0755"
# Webroot where acme.sh drops HTTP-01 challenge files; the webserver group
# needs read/traverse so it can serve them.
- name: Create acme-challenge webroot directory
  file:
    path: "{{ acme_challenge_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0755"
# Fetch acme.sh from upstream as the unprivileged user. acmesh_version is
# what makes this reproducible: pin it to a release tag or commit SHA rather
# than a branch name so a later run cannot silently pull different code.
# The registered result is not consumed in this file.
- name: Checkout acme.sh into dist directory
  become: true
  become_user: "{{ acmesh_username }}"
  git:
    repo: "https://github.com/acmesh-official/acme.sh.git"
    dest: "{{ acmesh_base_dir }}/dist"
    version: "{{ acmesh_version }}"
  register: acmesh_git
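# Run acme.sh's own installer once, as the service user, pointing its log
# and config-home at the directories created above. `>-` folds the command
# onto one line without a trailing newline. Skipped when the config-home
# already exists.
- name: Install acme.sh
  become: true
  become_user: "{{ acmesh_username }}"
  command:
    chdir: "{{ acmesh_base_dir }}/dist"
    cmd: >-
      ./acme.sh install
      --log "{{ acmesh_log_dir }}/acmesh.log"
      --config-home "{{ acmesh_base_dir }}/home"
      --account_email "{{ acmesh_email }}"
    creates: "{{ acmesh_base_dir }}/home/.acme.sh"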
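# HTTP-01 issuance for every acme_certs entry whose method is "http".
# Each name in item.cert_names becomes its own -d argument. The `command`
# module does not invoke a shell, so inventory values are only subject to
# argument splitting, not shell interpretation; a cert_names entry
# containing whitespace would still be split into several arguments.
# `creates` was previously a `|` block scalar, which keeps a trailing
# newline in the path; `>-` yields the bare path so the skip check is
# unambiguous.
- name: Issue certificates (HTTP challenge)
  become: true
  become_user: "{{ acmesh_username }}"
  command:
    chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
    cmd: >-
      ./acme.sh
      --issue
      -d {{ item.cert_names | join (" -d ") }}
      --webroot {{ acme_challenge_dir }}
    creates: >-
      {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
  with_items: "{{ acme_certs }}"
  when: item.method is defined and item.method == "http"
  notify:
    - install-certs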
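# DNS-01 issuance for every acme_certs entry whose method is "dns".
# acmesh_dns_env_vars is exported into the process environment for the
# provider hook and presumably carries DNS API credentials: source it from
# a vault-encrypted file, and be aware that verbose (-vvv) runs may echo
# environment values in the connection's EXEC lines. As with the HTTP task,
# `command` does not use a shell, so cert_names values are only
# argument-split. `>-` on `creates` drops the trailing newline a `|` block
# would leave in the path.
- name: Issue certificates (DNS challenge)
  become: true
  become_user: "{{ acmesh_username }}"
  environment: "{{ acmesh_dns_env_vars }}"
  command:
    chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
    cmd: >-
      ./acme.sh
      --issue
      -d {{ item.cert_names | join (" -d ") }}
      --dns {{ acmesh_dns_provider }}
    creates: >-
      {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
  with_items: "{{ acme_certs }}"
  when: item.method is defined and item.method == "dns"
  notify:
    - install-certs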
# Run the install-certs handler now rather than at the end of the play, so
# certificates are in place before roles that depend on them (e.g. nginx).
- name: Flush handlers to reconfigure before dependent roles run (nginx, etc.)
  meta: flush_handlers