-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathcertificate.yaml
57 lines (57 loc) · 1.83 KB
/
certificate.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
- hosts: all
tasks:
- name: ensure certbot installed
ansible.builtin.pip:
name:
- certbot==3.1.0
- certbot-plugin-gandi==1.5.0
- six==1.17.0
executable: /root/.pyenv/versions/3.11.10/bin/pip
- name: ensure ssl group exists
group:
name: ssl
state: present
gid: 900
- name: provision gandi api key
copy:
content: "{{ certbot_dns_ini }}"
dest: "{{ certbot_dns_ini_location }}"
mode: '0600'
- name: certificate renewal with lets encrypt
block:
- name: certbot certonly
command:
cmd: "/root/.pyenv/versions/3.11.10/bin/certbot certonly --key-type ecdsa --authenticator dns-gandi --renew-by-default -m postmaster@{{ domain }} --cert-name {{ inventory_hostname }} --agree-tos -n -d {{ inventory_hostname }} {% for san in sans %} -d {{ san }} {% endfor %} --dns-gandi-credentials {{ certbot_dns_ini_location }}"
always:
- name: cleanup gandi api key
file:
path: "{{ certbot_dns_ini_location }}"
state: absent
- name: chgrp ssl -R
file:
path: /etc/letsencrypt
group: ssl
recurse: yes
- name: chmod -R o-rwx
file:
path: /etc/letsencrypt/
mode: o-rwx
recurse: yes
- name: chmod g+x live
file:
path: /etc/letsencrypt/live
mode: g+x
- name: chmod g+x archive
file:
path: /etc/letsencrypt/archive
mode: g+x
- name: chmod -R g+r archive
file:
path: /etc/letsencrypt/archive
mode: g+r
recurse: yes
- name: restart nginx
systemd:
state: reloaded
name: nginx
ignore_errors: yes