Add existing code

.gitignore

@@ -0,0 +1 @@
+__pycache__/

LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2020-2021 Alex Kotov
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

defaults/main.yml

@@ -0,0 +1,8 @@
+---
+certbot__state: install
+certbot__run: true
+certbot__email: 'user@example.com'
+certbot__cert_name: 'example.com'
+certbot__cert_domains: ['example.com', 'www.example.com']
+certbot__post_hook: null
+certbot__pre_hook: null

meta/main.yml

@@ -0,0 +1,28 @@
+---
+allow_duplicates: false
+dependencies: []
+
+galaxy_info:
+  role_name: certbot
+  author: Alex Kotov
+  description: Certbot and Let's Encrypt
+  license: MIT
+  min_ansible_version: 2.8
+
+  galaxy_tags:
+    - certbot
+    - letsencrypt
+    - certificate
+    - ssl
+    - tls
+
+  platforms:
+    - name: Debian
+      versions:
+        - stretch  # Debian 9 Stretch
+        - buster   # Debian 10 Buster
+    - name: Ubuntu
+      versions:
+        - xenial  # Ubuntu 16.04 LTS Xenial Xerus
+        - bionic  # Ubuntu 18.04 LTS Bionic Beaver
+        - focal   # Ubuntu 20.04 LTS Focal Fossa

tasks/install.yml

@@ -0,0 +1,86 @@
+---
+- name: Create Let's Encrypt system group
+  group:
+    name: '{{ certbot__group }}'
+    system: true
+
+- name: Install Certbot
+  apt:
+    name: certbot
+
+- name: Create directories for Let's Encrypt configuration
+  file:
+    state: directory
+    path: '{{ item }}'
+    mode: 'u=rwx,go=rx'
+    owner: root
+    group: root
+  with_items:
+    - '{{ certbot__conf_dir }}'
+    - '{{ certbot__archive_dir }}'
+    - '{{ certbot__archive_dir }}/{{ certbot__cert_name }}'
+    - '{{ certbot__live_dir }}'
+    - '{{ certbot__live_dir }}/{{ certbot__cert_name }}'
+
+- name: Install Let's Encrypt config
+  template:
+    src: templates/certbot/cli.ini
+    dest: '{{ certbot__conf_cli }}'
+    mode: 'u=rw,go=r'
+    owner: root
+    group: root
+
+- name: Install Nginx SSL options
+  template:
+    src: templates/certbot/options-ssl-nginx.conf
+    dest: '{{ certbot__conf_nginx }}'
+    mode: 'u=rw,go=r'
+    owner: root
+    group: root
+
+- name: Obtain Let's Encrypt certificate
+  command: 'certbot certonly'
+  register: certbot__result
+  when: certbot__run|bool
+  changed_when: >-
+    certbot__result.stdout is
+    not search('Certificate not yet due for renewal; no action taken.')
+
+- name: Find Let's Encrypt certificates and chains
+  register: certs_and_chains
+  find:
+    paths: '{{ certbot__archive_dir }}/{{ certbot__cert_name }}'
+    patterns:
+      - 'cert*.pem'
+      - 'chain*.pem'
+      - 'fullchain*.pem'
+
+- name: Find Let's Encrypt private keys
+  register: privkeys
+  find:
+    paths: '{{ certbot__archive_dir }}/{{ certbot__cert_name }}'
+    patterns: 'privkey*.pem'
+
+- name: Display Let's Encrypt certificates and chains
+  debug:
+    msg: "{{ certs_and_chains.files | map(attribute='path') | list }}"
+
+- name: Display Let's Encrypt private keys
+  debug:
+    msg: "{{ privkeys.files | map(attribute='path') | list }}"
+
+- name: Change group of Let's Encrypt certificates and chains
+  file:
+    path: '{{ item }}'
+    mode: 'u=rw,go=r'
+    owner: root
+    group: root
+  with_items: "{{ certs_and_chains.files | map(attribute='path') | list }}"
+
+- name: Change group of Let's Encrypt private keys
+  file:
+    path: '{{ item }}'
+    mode: 'u=rw,g=r,o='
+    owner: root
+    group: '{{ certbot__group }}'
+  with_items: "{{ privkeys.files | map(attribute='path') | list }}"

tasks/main.yml

@@ -0,0 +1,13 @@
+---
+- fail:
+    msg: 'Invalid `certbot__state`: {{ certbot__state }}'
+  when: (certbot__state != None) and
+        (certbot__state != 'purge') and
+        (certbot__state != 'remove') and
+        (certbot__state != 'install')
+- include_tasks: purge.yml
+  when: certbot__state == 'purge'
+- include_tasks: remove.yml
+  when: certbot__state == 'remove'
+- include_tasks: install.yml
+  when: certbot__state == 'install'

tasks/purge.yml

@@ -0,0 +1,11 @@
+---
+- name: Purge Certbot
+  apt:
+    name: certbot
+    state: absent
+    purge: true
+
+- name: Delete Certbot configuration
+  file:
+    state: absent
+    path: '{{ certbot__conf_dir }}'

tasks/remove.yml

@@ -0,0 +1,6 @@
+---
+- name: Uninstall Certbot
+  apt:
+    name: certbot
+    state: absent
+    purge: false

templates/cli.ini

@@ -0,0 +1,17 @@
+# see https://certbot.eff.org/docs/using.html#certbot-command-line-options
+agree-tos = true
+cert-name = {{ certbot__cert_name }}
+domains = {{ certbot__cert_domains | join(',') }}
+email = {{ certbot__email }}
+max-log-backups = 0
+no-eff-email = true
+non-interactive = true
+{% if certbot__post_hook %}
+post-hook = {{ certbot__post_hook }}
+{% endif %}
+{% if certbot__pre_hook %}
+pre-hook = {{ certbot__pre_hook }}
+{% endif %}
+redirect = true
+rsa-key-size = 4096
+standalone = true

templates/options-ssl-nginx.conf

@@ -0,0 +1,14 @@
+# This file contains important security parameters. If you modify this file
+# manually, Certbot will be unable to automatically provide future security
+# updates. Instead, Certbot will print and log an error message with a path to
+# the up-to-date file that you will need to refer to when manually updating
+# this file.
+
+ssl_session_cache shared:le_nginx_SSL:10m;
+ssl_session_timeout 1440m;
+ssl_session_tickets off;
+
+ssl_protocols TLSv1.2 TLSv1.3;
+ssl_prefer_server_ciphers off;
+
+ssl_ciphers "{{ certbot__nginx_ssl_ciphers | join(':') }}";

vars/main.yml

@@ -0,0 +1,17 @@
+---
+certbot__group: 'letsencrypt'
+certbot__conf_dir: '/etc/letsencrypt'
+certbot__conf_cli: '{{ certbot__conf_dir }}/cli.ini'
+certbot__conf_nginx: '{{ certbot__conf_dir }}/options-ssl-nginx.conf'
+certbot__archive_dir: '{{ certbot__conf_dir }}/archive'
+certbot__live_dir: '{{ certbot__conf_dir }}/live'
+
+certbot__nginx_ssl_ciphers:
+  - 'ECDHE-ECDSA-AES128-GCM-SHA256'
+  - 'ECDHE-RSA-AES128-GCM-SHA256'
+  - 'ECDHE-ECDSA-AES256-GCM-SHA384'
+  - 'ECDHE-RSA-AES256-GCM-SHA384'
+  - 'ECDHE-ECDSA-CHACHA20-POLY1305'
+  - 'ECDHE-RSA-CHACHA20-POLY1305'
+  - 'DHE-RSA-AES128-GCM-SHA256'
+  - 'DHE-RSA-AES256-GCM-SHA384'