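---
# tasks file for acme.sh
#
# Flow: create an unprivileged acme user/group and its directories, install
# acme.sh from a pinned git checkout as that user, grant the user a sudo rule
# limited to each domain's reload command, issue and install certificates via
# the Netcup DNS API, and schedule renewals with a systemd timer.
#
# Privilege model: every task that writes outside the acme user's own
# directories (sudoers.d, systemd units, account.conf) carries an explicit
# `become: true`; the acme.sh invocations drop to `acme_user` via `su`.

- name: Create system acme group
  become: true
  ansible.builtin.group:
    name: "{{ acme_group }}"
    state: present
    system: true

- name: Create system acme user
  become: true
  ansible.builtin.user:
    name: "{{ acme_user }}"
    group: "{{ acme_group }}"
    home: "{{ acme_home }}"
    shell: "{{ acme_shell }}"
    state: present
    system: true
    create_home: true
    # NOTE(review): `skeleton` expects a directory path; a boolean here is
    # coerced to a string by the module's argument spec. Confirm this is the
    # intended way to suppress /etc/skel copying, otherwise drop the key.
    skeleton: false

- name: Ensure acme.sh directories exist
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
    owner: "{{ acme_user }}"
    group: "{{ acme_group }}"
  loop:
    - "{{ acme_home }}"
    - "{{ acmesh_config_path }}"
    - "{{ acmesh_install_path }}"
    - "{{ acmesh_cert_path }}"

# account.conf is written by `acme.sh --install`; its presence is the
# role's marker that the installation step already ran.
- name: Check acme.sh installation
  ansible.builtin.stat:
    path: "{{ acmesh_config_path }}/account.conf"
  register: stat_account_conf

- name: Download and install acme.sh
  when: not stat_account_conf.stat.exists
  become: true
  become_method: su
  become_user: "{{ acme_user }}"
  become_flags: '-s /bin/sh'
  become_exe: "sudo su"
  block:
    # The clone and temp dir are owned by acme_user because the whole block
    # runs under `su`; they never show up as a change in the play recap.
    - name: Create temporary directory for git repository
      ansible.builtin.tempfile:
        state: directory
        prefix: acmesh_git_
      register: acme_tmp_repo
      changed_when: false

    # Supply-chain note: pin `acmesh_version` to a tag or commit, not a
    # branch name, so the installed code does not change silently between
    # runs.
    - name: Temporary clone acme.sh git repository
      ansible.builtin.git:
        dest: "{{ acme_tmp_repo.path }}"
        clone: true
        depth: 1
        repo: "{{ acmesh_repository }}"
        version: "{{ acmesh_version }}"
      changed_when: false

    - name: Make install script executable
      ansible.builtin.file:
        path: "{{ acme_tmp_repo.path }}/acme.sh"
        mode: "0744"
        owner: "{{ acme_user }}"
        group: "{{ acme_group }}"

    # --nocron: renewals are driven by the systemd timer installed below,
    # not by the cron entry acme.sh would otherwise register.
    - name: Install acme.sh
      ansible.builtin.command:
        cmd: >
          "{{ acme_tmp_repo.path }}/acme.sh" --install
          --home "{{ acmesh_install_path }}"
          --config-home "{{ acmesh_config_path }}"
          --cert-home "{{ acmesh_cert_path }}"
          --accountemail "{{ acmesh_email | mandatory }}"
          --nocron
        chdir: "{{ acme_tmp_repo.path }}"
        creates: "{{ acmesh_config_path }}/account.conf"
  always:
    - name: Delete temporary git clone
      ansible.builtin.file:
        path: "{{ acme_tmp_repo.path }}"
        state: absent
      changed_when: false
      # Guard against the tempfile task itself having failed, in which
      # case there is no path to clean up.
      when: acme_tmp_repo.path is defined

- name: "Set default CA [letsencrypt]"
  become: true
  ansible.builtin.lineinfile:
    path: "{{ acmesh_config_path }}/account.conf"
    regexp: '^DEFAULT_ACME_SERVER='
    line: "DEFAULT_ACME_SERVER='https://acme-v02.api.letsencrypt.org/directory'"

# One NOPASSWD rule per domain, restricted to the exact reload command.
# `reloadcmd` is expected as `sudo <command> [args]` with <command> living
# under /usr/bin; the leading `sudo ` is stripped and the arguments become
# part of the rule, so sudo permits only that exact invocation. visudo
# rejects the file before it is written if the rendered line is malformed.
- name: Configure sudo permissions
  become: true
  ansible.builtin.lineinfile:
    path: "/etc/sudoers.d/60_user_{{ acme_user }}"
    create: true
    owner: root
    group: root
    mode: "0440"
    line: "{{ acme_user }} ALL=(ALL:ALL) NOPASSWD: /usr/bin/{{ item.reloadcmd | regex_replace('^sudo (.*)$', '\\1') }}"
    state: present
    validate: /usr/sbin/visudo -csf %s
  loop: "{{ acme_domains }}"
  # Domains without a reloadcmd get no sudo rule instead of failing on an
  # undefined attribute.
  when: acme_domains is defined and item.reloadcmd is defined

# NOTE(review): private keys are installed into this directory. acme.sh
# decides the key file's own mode; if consumers allow it, a tighter
# directory mode than 0755 reduces exposure — confirm against the services
# that read from tls_cert_path.
- name: Ensure TLS certificate directory exists
  become: true
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    mode: "0755"
    owner: "{{ acme_user }}"
    group: "{{ acme_group }}"
  loop:
    - "{{ tls_cert_path }}"

- name: Issue and install certificate
  when: acme_domains is defined
  become: true
  become_method: su
  become_user: "{{ acme_user }}"
  become_flags: '-s /bin/sh'
  become_exe: "sudo su"
  block:
    # Per-domain keys:
    #   domain    (required)  primary name
    #   san       (optional)  list of additional names
    #   keylength (optional)  acme.sh key type, e.g. ec-256 or 2048
    #   staging   (optional)  bool, use the Let's Encrypt staging CA
    #   dnssleep  (optional)  seconds to wait for DNS propagation
    #   reloadcmd (optional)  command run after a renewed cert is installed
    #
    # The Netcup API credentials are passed through the environment; they
    # appear in verbose (-vvv) task output, so consider `no_log: true` on
    # this task when debugging output is not needed.
    - name: Issue certificate with Netcup
      ansible.builtin.command:
        cmd: >
          "{{ acmesh_install_path }}/acme.sh" --issue --dns dns_netcup
          -d "{{ item.domain }}"
          {% for san in item.san | default([]) %}
          -d "{{ san }}"
          {% endfor %}
          {% if item.keylength is defined %}
          --keylength "{{ item.keylength }}"
          {% endif %}
          {% if item.staging | default(false) | bool %}
          --staging
          {% endif %}
          {% if item.dnssleep is defined %}
          --dnssleep {{ item.dnssleep }}
          {% endif %}
        # acme.sh stores ECC certificates under "<domain>_ecc" and RSA ones
        # under "<domain>"; the marker path must follow the key type or the
        # task re-issues on every run. An unset keylength is treated as ECC,
        # which is acme.sh's default since 3.0 — confirm against the pinned
        # acmesh_version.
        creates: "{{ acmesh_cert_path }}/{{ item.domain }}{{ '_ecc' if (item.keylength is not defined or 'ec' in item.keylength) else '' }}/{{ item.domain }}.cer"
      environment:
        LE_WORKING_DIR: "{{ acmesh_install_path }}"
        LE_CONFIG_HOME: "{{ acmesh_config_path }}"
        NC_CID: "{{ netcup_user | mandatory }}"
        NC_Apikey: "{{ netcup_api_key | mandatory }}"
        NC_Apipw: "{{ netcup_api_password | mandatory }}"
      loop: "{{ acme_domains }}"

    - name: Install certificates
      ansible.builtin.command:
        cmd: >
          "{{ acmesh_install_path }}/acme.sh" --installcert
          -d "{{ item.domain }}"
          {% if item.keylength is not defined or 'ec' in item.keylength %}
          --ecc
          {% endif %}
          --cert-file "{{ tls_cert_path }}/{{ item.domain }}.crt"
          --key-file "{{ tls_cert_path }}/{{ item.domain }}.key"
          --ca-file "{{ tls_cert_path }}/{{ item.domain }}.ca"
          --fullchain-file "{{ tls_cert_path }}/{{ item.domain }}.fullchain"
          {% if item.reloadcmd is defined %}
          --reloadcmd '{{ item.reloadcmd }}'
          {% endif %}
        creates: "{{ tls_cert_path }}/{{ item.domain }}.crt"
      environment:
        LE_WORKING_DIR: "{{ acmesh_install_path }}"
        LE_CONFIG_HOME: "{{ acmesh_config_path }}"
      loop: "{{ acme_domains }}"

- name: Install systemd service
  become: true
  ansible.builtin.template:
    src: acme_sh.service.j2
    dest: /etc/systemd/system/acme_sh.service
    owner: root
    group: root
    mode: "0644"
  notify: Reload systemd daemon

- name: Install systemd timer
  become: true
  ansible.builtin.template:
    src: acme_sh.timer.j2
    dest: /etc/systemd/system/acme_sh.timer
    owner: root
    group: root
    mode: "0644"
  notify:
    - Reload systemd daemon
    - Restart acme_sh systemd timer

# Handlers only run at the end of the play, so reload here as well to make
# sure a freshly written or changed timer unit is the one being started.
- name: Enable systemd timer
  become: true
  ansible.builtin.systemd:
    name: acme_sh.timer
    daemon_reload: true
    enabled: true
    scope: system
    state: started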