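---
# Ansible play: install dehydrated (ACME client) config, register the account,
# deploy DNS hook scripts and domain lists, and schedule the weekly renewal job.
# Expects per-host vars dehydrated_domains_http01 and/or dehydrated_domains_dns01
# (lists of domain names); target/become_var/domain come from the caller.
- name: setup dehydrated
  gather_facts: false
  hosts: "{{target}}"
  become: "{{become_var}}"
  tasks:
    # todo - do not change minute randomly if the hour is alright
    # challenges http01 and dns01 can possibly be used on the very same host
    # deploy http01 and/or dns01 config only when necessary
    # at least one acme type should be enabled, as we need to choose a config file to register with
    - name: at least one acme challenge type must be configured
      ansible.builtin.assert:
        that: dehydrated_domains_http01 is defined or dehydrated_domains_dns01 is defined
        fail_msg: "define dehydrated_domains_http01 and/or dehydrated_domains_dns01 for this host"

    - name: dehydrated http01 config
      ansible.builtin.template:
        src: config-http01
        dest: /etc/dehydrated/config-http01
      diff: true
      # check if domains-{http,dns}01.HOSTNAME exists
      # when: lookup('fileglob', 'templates/domains-http01.' + inventory_hostname_short, errors='ignore')
      when: dehydrated_domains_http01 is defined

    - name: dehydrated dns01 config
      ansible.builtin.template:
        src: config-dns01
        dest: /etc/dehydrated/config-dns01
      diff: true
      # NOTE(review): no mode is set, so the file gets the default umask; if the
      # config-dns01 template carries DNS API credentials, restrict it to root
      # (mode "0600") — confirm against the template before changing.
      # check if domains-{http,dns}01.HOSTNAME exists
      # when: lookup('fileglob', 'templates/domains-dns01.' + inventory_hostname_short, errors='ignore')
      when: dehydrated_domains_dns01 is defined

    - name: register account at lencr
      ansible.builtin.shell:
        executable: /bin/bash
        # "creates" keeps this idempotent: once an account directory exists the
        # task is skipped and acme_register has no stdout/stderr keys.
        # A failed registration now fails the task instead of being hidden by
        # the former "[[ -f ... ]] && ... || true" chain; the missing-config case
        # is still a no-op.
        cmd: |
          set -euo pipefail
          rmdir /etc/dehydrated/conf.d/ 2>/dev/null || true
          if [[ -f /etc/dehydrated/config-http01 ]]; then
            dehydrated --config /etc/dehydrated/config-http01 --register --accept-terms
          fi
          if [[ -f /etc/dehydrated/config-dns01 ]]; then
            dehydrated --config /etc/dehydrated/config-dns01 --register --accept-terms
          fi
        creates: /etc/dehydrated/accounts
      register: acme_register

    # the former condition "acme_register != ''" compared the whole result
    # dict to a string and was always true; test the actual output instead
    - name: show registration output
      ansible.builtin.debug:
        var: acme_register.stdout
      when: acme_register.stdout is defined and acme_register.stdout | length > 0

    - name: show registration errors
      ansible.builtin.debug:
        var: acme_register.stderr
      when: acme_register.stderr is defined and acme_register.stderr | length > 0

    # hook scripts talk to the DNS provider API; keep them root-only (0700)
    - name: deploy yandex hook script templates
      ansible.builtin.template:
        src: "{{item}}"
        dest: "/etc/dehydrated/{{item}}"
        mode: "0700"
      with_items:
        - hook-yandex.sh
      diff: true
      when: dehydrated_domains_dns01 is defined

    - name: deploy yandex hook script files
      ansible.builtin.copy:
        src: "{{item}}"
        dest: "/etc/dehydrated/{{item}}"
        mode: "0700"
      with_items:
        - yandex-dnszone-get.bash
        - yandex-dnszone-updaterecordset.bash
      diff: true
      when: dehydrated_domains_dns01 is defined

    # domain lists — one domain per line, trailing newline so dehydrated reads the last entry
    - name: host-specific dehydrated http01 domains
      ansible.builtin.copy:
        content: "{{ dehydrated_domains_http01 | join('\n') }}\n"
        dest: /etc/dehydrated/domains-http01
      diff: true
      when: dehydrated_domains_http01 is defined

    - name: host-specific dehydrated dns01 domains
      ansible.builtin.copy:
        content: "{{ dehydrated_domains_dns01 | join('\n') }}\n"
        dest: /etc/dehydrated/domains-dns01
      diff: true
      when: dehydrated_domains_dns01 is defined

    # cron job
    # check/renew certs and reload specific daemons
    - name: weekly script
      ansible.builtin.template:
        src: WEEKLY
        dest: /root/WEEKLY
        mode: "0755"
      diff: true

    # randomize minute so that our hosts don't flood acme at the same time
    # (computed on the controller, once per host, never reported as a change)
    - name: define roughly random minute
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: printf "%02d\n" $(( RANDOM % 60 ))
      register: minute
      changed_when: false
      check_mode: false
      delegate_to: localhost
      become: false
      # in this case we precisely want to run that task multiple times!
      run_once: false

    # use system email instead of log file hence the null-mailer
    # goes outbound when smarthost is defined
    # otherwise local delivery hence the mail-reader below
    - name: weekly cron job
      ansible.builtin.cron:
        name: "check/renew ssl certificates weekly"
        minute: "{{minute.stdout}}"
        hour: "05"
        weekday: "0"
        job: "/root/WEEKLY 2>&1"
      diff: true

    # /root/.pinerc may not exist in check mode, hence the guard
    - name: fix alpine personal-name
      ansible.builtin.lineinfile:
        path: /root/.pinerc
        regexp: '^personal-name='
        line: "personal-name=root@{{inventory_hostname_short}}"
      diff: true
      when: not ansible_check_mode

    - name: fix alpine user-domain
      ansible.builtin.lineinfile:
        path: /root/.pinerc
        regexp: '^user-domain='
        line: "user-domain={{domain}}"
      diff: true
      when: not ansible_check_mode

    - name: acme-manager specific tasks
      ansible.builtin.include_tasks: acme-manager.yml
      when: inventory_hostname_short == 'acme-manager'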