tasks/main.yml

---
# acme tasks/main.yml
#
# SPDX-FileCopyrightText: © 2020 Open Networking Foundation <support@opennetworking.org>
# SPDX-License-Identifier: Apache-2.0

- name: include OS-specific vars
  include_vars: "{{ ansible_os_family }}.yml"

- name: include OS-specific tasks
  include_tasks: "{{ ansible_os_family }}.yml"

- name: Create group for acme.sh
  group:
    name: "{{ acmesh_groupname }}"

- name: Create user for acme.sh
  user:
    name: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    comment: "{{ acmesh_comment }}"
    shell: "{{ acmesh_shell }}"
    home: "{{ acmesh_base_dir }}/home"
    create_home: no  # yamllint disable-line rule:truthy
    password_lock: true

- name: Allow acme.sh user to restart the webserver
  template:
    src: "acme_sudoers.j2"
    dest: "/etc/sudoers.d/acme_sudoers"
    owner: "root"
    group: "root"
    mode: 0440
    validate: "visudo -c -s -f %s"

- name: Create certificate dir
  file:
    path: "{{ certificate_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0750"

- name: Create per-domain sub-dirs
  file:
    path: "{{ certificate_dir }}/{{ item.cert_names | first }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0750"
  with_items: "{{ acme_certs }}"

- name: Create base dir for acme.sh
  file:
    path: "{{ acmesh_base_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    mode: "0755"

- name: Create subdirs for home/dist of acme.sh
  file:
    path: "{{ item }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0700"
  with_items:
    - "{{ acmesh_base_dir }}/dist"
    - "{{ acmesh_base_dir }}/home"

- name: Create log dir for acme.sh
  file:
    path: "{{ acmesh_log_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ acmesh_groupname }}"
    mode: "0755"

- name: Create acme-challenge webroot directory
  file:
    path: "{{ acme_challenge_dir }}"
    state: directory
    owner: "{{ acmesh_username }}"
    group: "{{ webserver_groupname }}"
    mode: "0755"

- name: Checkout acme.sh into dist directory
  become: true
  become_user: "{{ acmesh_username }}"
  git:
    repo: "https://github.com/acmesh-official/acme.sh.git"
    dest: "{{ acmesh_base_dir }}/dist"
    version: "{{ acmesh_version }}"
  register: acmesh_git

- name: Install acme.sh
  become: true
  become_user: "{{ acmesh_username }}"
  command:
    chdir: "{{ acmesh_base_dir }}/dist"
    cmd: >
      ./acme.sh install
      --log "{{ acmesh_log_dir }}/acmesh.log"
      --config-home "{{ acmesh_base_dir }}/home"
      --account_email "{{ acmesh_email }}"
    creates: "{{ acmesh_base_dir }}/home/.acme.sh"

- name: Issue certificates (HTTP challenge)
  become: true
  become_user: "{{ acmesh_username }}"
  command:
    chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
    cmd: >
      ./acme.sh
      --issue
      -d {{ item.cert_names | join (" -d ") }}
      --webroot {{ acme_challenge_dir }}
    creates: |
      {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
  with_items: "{{ acme_certs }}"
  when: item.method is defined and item.method == "http"
  notify:
    install-certs

- name: Issue certificates (DNS challenge)
  become: true
  become_user: "{{ acmesh_username }}"
  environment: "{{ acmesh_dns_env_vars }}"
  command:
    chdir: "{{ acmesh_base_dir }}/home/.acme.sh"
    cmd: >
      ./acme.sh
      --issue
      -d {{ item.cert_names | join (" -d ") }}
      --dns {{ acmesh_dns_provider }}
    creates: |
      {{ acmesh_base_dir }}/home/.acme.sh/{{ item.cert_names | first }}
  with_items: "{{ acme_certs }}"
  when: item.method is defined and item.method == "dns"
  notify:
    install-certs

- name: Flush handlers to reconfigure before dependent roles run (nginx, etc.)
  meta: flush_handlers