ac11734cf9
This has got me a number of times; I think we can tell in review if a task firing in response to a "changed" is best in a handler or not. Remove existing noqa flags Change-Id: I80ad631f978eeeb9903abe230a95f23f5709d20e
91 lines
2.7 KiB
YAML
91 lines
2.7 KiB
YAML
- name: Install acme.sh client
|
|
git:
|
|
repo: https://github.com/Neilpang/acme.sh
|
|
dest: /opt/acme.sh
|
|
version: dev
|
|
|
|
- name: Install letsencrypt group
|
|
group:
|
|
name: letsencrypt
|
|
state: present
|
|
gid: "{{ letsencrypt_gid | default(omit) }}"
|
|
|
|
- name: Install driver script
|
|
copy:
|
|
src: driver.sh
|
|
dest: /opt/acme.sh/driver.sh
|
|
mode: 0755
|
|
|
|
- name: Setup log directory
|
|
file:
|
|
path: /var/log/acme.sh
|
|
state: directory
|
|
mode: 0755
|
|
|
|
- name: Setup log rotation
|
|
include_role:
|
|
name: logrotate
|
|
vars:
|
|
logrotate_file_name: /var/log/acme.sh/acme.sh.log
|
|
|
|
- name: Setup top level cert directory
|
|
file:
|
|
path: /etc/letsencrypt-certs
|
|
state: directory
|
|
owner: root
|
|
group: letsencrypt
|
|
mode: u=rwx,g=rx,o=,g+s
|
|
|
|
- name: Create acme.sh config directory
|
|
file:
|
|
path: /root/.acme.sh
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: u=rwx,g=rx,o=
|
|
|
|
# An implementation note on accounts: We could share an account key
|
|
# across all our hosts and this would be the logical place to deploy
|
|
# it. However, really the only thing you can do with an account key
|
|
# is revoke a certificate if you lose the private key. It makes more
|
|
# sense to have an account per host with key material that never
|
|
# leaves the host rather than keeping a global secret that, if leaked,
|
|
# could revoke all keys simultaneously.
|
|
|
|
- name: Check for account email
|
|
assert:
|
|
that: letsencrypt_account_email is defined
|
|
|
|
- name: Configure account email
|
|
lineinfile:
|
|
path: /root/.acme.sh/account.conf
|
|
regexp: '^ACCOUNT_EMAIL='
|
|
line: 'ACCOUNT_EMAIL={{ letsencrypt_account_email }}'
|
|
create: true
|
|
register: account_email
|
|
|
|
# If we updated the email and we have existing accounts, we should
|
|
# update the address.
|
|
|
|
# NOTE(ianw) 2020-03-04 : acme.sh dumps the 200 response json from the
|
|
# ACME api when creating an account into this file to keep track of
|
|
# the account-id. However, it doesn't actually then update it in
|
|
# response to --updateaccount although the details in the account
|
|
# *are* correctly updated. It doesn't make a difference to ongoing
|
|
# operation since all that cares about is the unchanging id, but can
|
|
# be confusing if you check this and don't see an updated email
|
|
# address. I have filed:
|
|
# https://github.com/acmesh-official/acme.sh/pull/2769
|
|
- name: Check for existing account setup
|
|
stat:
|
|
path: '{{ item }}'
|
|
loop:
|
|
- /root/.acme.sh/ca/acme-v02.api.letsencrypt.org/account.json
|
|
- /root/.acme.sh/ca/acme-staging-v02.api.letsencrypt.org/account.json
|
|
register: existing_accounts
|
|
|
|
- name: Run account update
|
|
shell: |
|
|
/opt/acme.sh/acme.sh --debug --updateaccount
|
|
when: account_email.changed and (existing_accounts.results | selectattr('stat.exists') | map(attribute='item') | list | length > 0)
|