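---
# Installs acme.sh under a dedicated, unprivileged user and issues wildcard
# certificates with the dns_aws DNS-01 challenge. Every input is a role
# variable (acmesh_user, acmesh_url, acmesh_commit, acmesh_checksum,
# acmesh_email, acmesh_env, acmesh_force, acmesh_domains, acmesh_flags,
# acmesh_delegation_domain); none of their defaults are defined here.
- name: Create acme user
  user:
    name: '{{acmesh_user.name}}'
    state: present
    home: '{{acmesh_user.home}}'
    shell: '{{acmesh_user.shell}}'
    system: '{{acmesh_user.system}}'

# 0710: only the owner can list or write the home directory; the group can
# merely traverse it, everyone else is locked out (account key and certs
# live below it).
- name: Set homedir permissions
  file:
    path: '{{acmesh_user.home}}'
    state: directory
    mode: '0710'
    owner: '{{acmesh_user.name}}'

- name: Create install directory
  file:
    state: directory
    owner: '{{acmesh_user.name}}'
    path: '{{acmesh_user.home}}/install'

# The archive is pinned to one commit and verified against acmesh_checksum,
# so a changed upstream tarball fails this task instead of being installed.
# A tarball never needs the execute bit; 0644 is enough for the extract below.
- name: Get acme.sh tarball
  get_url:
    url: '{{acmesh_url}}'
    dest: '{{acmesh_user.home}}/install/acme.sh-{{acmesh_commit}}.tar.gz'
    mode: '0644'
    checksum: '{{acmesh_checksum}}'
    owner: '{{acmesh_user.name}}'
  register: tarball

# The install script is written into the user's own install directory rather
# than a predictable name under world-writable /tmp, and is owned by the acme
# user, so no other local account can replace it before it is executed below.
- name: Write install script
  copy:
    content: |
      #!/bin/sh
      set -e
      set -x
      cd '{{acmesh_user.home}}/install'
      if ! [ -d 'acme.sh-{{acmesh_commit}}' ] ; then
        tar -xzf 'acme.sh-{{acmesh_commit}}.tar.gz'
      fi
      cd 'acme.sh-{{acmesh_commit}}'
      sh ./acme.sh --install \
        --home "$HOME/install" \
        --config-home "$HOME/conf" \
        --cert-home "$HOME/certs" \
        --accountemail "{{acmesh_email}}" \
        --accountkey "$HOME/account.key" \
        --accountconf "$HOME/account.conf"
    dest: '{{acmesh_user.home}}/install/acme_install.sh'
    # Leading-zero modes must be quoted: an unquoted 0755 is read as the
    # integer 493 and applied as a different permission set.
    mode: '0755'
    owner: '{{acmesh_user.name}}'

# su starts a shell for the acme user that reads the script path from stdin
# and executes it; this keeps the install out of root's environment.
- name: Run acme.sh install script
  shell: |
    echo '{{acmesh_user.home}}/install/acme_install.sh' | su -s /bin/sh '{{acmesh_user.name}}'
  when: tarball is changed

# Private keys live under certs/: remove all access for "other" and make the
# tree traversable for owner and group only (X sets execute on directories,
# and on files that are already executable).
- name: Set cert directory permissions
  file:
    path: '{{acmesh_user.home}}/certs'
    state: directory
    mode: 'u=rwX,g=rX,o-rwx'
    owner: '{{acmesh_user.name}}'
    recurse: true

# The issue script is rendered from role variables; acmesh_env and
# acmesh_flags are inserted verbatim as shell text, so they must come from
# trusted inventory, never from a host-reported fact.
# NOTE(review): acmesh_force is compared numerically (-eq 1); a YAML boolean
# renders as "True"/"False", which makes the test fail and, under set -e,
# aborts the script. The role's default for it is not visible here - confirm.
- name: Write issue script
  copy:
    content: |
      #!/bin/sh
      set -e
      set -x
      cd '{{acmesh_user.home}}'
      {{acmesh_env}}

      . "$HOME/install/acme.sh.env"

      force=""
      if [ "{{acmesh_force}}" -eq 1 ] ; then
        force="--force"
      fi

      {% for item in acmesh_domains %}
      # Issue only when no certificate exists for the domain yet, or when
      # forcing. $force is deliberately unquoted so an empty value adds no
      # argument.
      if ! [ -f "certs/{{item}}/{{item}}.cer" ] || [ -n "$force" ] ; then
        acme.sh {{acmesh_flags | replace('\n', ' ')}} \
          $force \
          --issue \
          --dns dns_aws \
          --challenge-alias "{{acmesh_delegation_domain}}" \
          -d "{{item}}" -d "*.{{item}}"
      fi
      {% endfor %}
    dest: '{{acmesh_user.home}}/issue.sh'
    # Quoted for the same reason as the install script mode above.
    mode: '0500'
    owner: '{{acmesh_user.name}}'
  register: issue_script

- name: Run issue script
  shell: |
    echo '{{acmesh_user.home}}/issue.sh' | su -s /bin/sh '{{acmesh_user.name}}'
  when: issue_script is changed

# acme.sh should install a renewal cron job automatically. If it does not,
# a task like the following (using the same --home/--config-home paths the
# install script passes) can be added:
# - name: Install cron job for renewals
#   cron:
#     name: "letsencrypt / acme cron"
#     job: '{{acmesh_user.home}}/install/acme.sh --cron --home {{acmesh_user.home}}/install --config-home {{acmesh_user.home}}/conf >> {{acmesh_user.home}}/renewals.log'
#     hour: '0'
#     minute: '0'
#     user: '{{acmesh_user.name}}'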