diff --git a/tasks/certbot/install.yml b/tasks/certbot/install.yml index a6d3060..f188595 100644 --- a/tasks/certbot/install.yml +++ b/tasks/certbot/install.yml @@ -1,15 +1,26 @@ --- +- name: Create Let's Encrypt system group + group: + name: '{{ common__certbot__group }}' + system: true + - name: Install Certbot apt: name: certbot -- name: Create directory for Let's Encrypt configuration +- name: Create directories for Let's Encrypt configuration file: state: directory - path: '{{ common__certbot__conf_dir }}' + path: '{{ item }}' mode: 'u=rwx,g=rx,o=rx' owner: root group: root + with_items: + - '{{ common__certbot__conf_dir }}' + - '{{ common__certbot__archive_dir }}' + - '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}' + - '{{ common__certbot__live_dir }}' + - '{{ common__certbot__live_dir }}/{{ common__certbot__cert_name }}' - name: Install Let's Encrypt config template: 
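Review bot: The directory task applies `mode: 'u=rwx,g=rx,o=rx'` and root:root to `archive`, `live` and both lineage directories on every run, which is wider than certbot's own layout (as far as I recall certbot creates `archive/` and `live/` with 0700, tolerates an existing empty lineage directory and refuses a non-empty one), and because the task runs before certbot it re-widens them on each play. Since the private keys are meant to be readable only by `common__certbot__group` in a later task, the two lineage directories could instead carry `group: '{{ common__certbot__group }}'` and `mode: 'u=rwx,g=rx,o='` so unprivileged local users cannot list them; if world-readable certificates are required, keep `o=rx` only on the directories that need it. The reason for pre-creating the lineage directories is not obvious and deserves a comment on the task, e.g. `# pre-created so mode/group are in place before certbot first writes into them`. The `template:` task at the end of the hunk continues outside it.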
@@ -34,3 +45,42 @@ changed_when: >- common__certbot__result.stdout is not search('Certificate not yet due for renewal; no action taken.') + +- name: Find Let's Encrypt certificates and chains + register: certs_and_chains + find: + paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}' + patterns: + - 'cert*.pem' + - 'chain*.pem' + - 'fullchain*.pem' + +- name: Find Let's Encrypt private keys + register: privkeys + find: + paths: '{{ common__certbot__archive_dir }}/{{ common__certbot__cert_name }}' + patterns: 'privkey*.pem' + +- name: Display Let's Encrypt certificates and chains + debug: + msg: "{{ certs_and_chains.files | map(attribute='path') | list }}" + +- name: Display Let's Encrypt private keys + debug: + msg: "{{ privkeys.files | map(attribute='path') | list }}" + +- name: Change group of Let's Encrypt certificates and chains + file: + path: '{{ item }}' + mode: 'u=rw,g=r,o=r' + owner: root + group: root + with_items: "{{ certs_and_chains.files | map(attribute='path') | list }}" + +- name: Change group of Let's Encrypt private keys + file: + path: '{{ item }}' + mode: 'u=rw,g=r,o=' + owner: root + group: '{{ common__certbot__group }}' + with_items: "{{ privkeys.files | map(attribute='path') | list }}" diff --git a/vars/main.yml b/vars/main.yml index 958e977..1c697f7 100644 --- a/vars/main.yml +++ b/vars/main.yml @@ -1,7 +1,10 @@ --- +common__certbot__group: 'letsencrypt' common__certbot__conf_dir: '/etc/letsencrypt' common__certbot__conf_cli: '{{ common__certbot__conf_dir }}/cli.ini' common__certbot__conf_nginx: '{{ common__certbot__conf_dir }}/options-ssl-nginx.conf' +common__certbot__archive_dir: '{{ common__certbot__conf_dir }}/archive' +common__certbot__live_dir: '{{ common__certbot__conf_dir }}/live' common__iptables__conf_dir: '/etc/iptables' common__iptables__conf_ipv4: '{{ common__iptables__conf_dir }}/rules.v4'
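Review bot: The two `file` fix-up tasks at the end of the hunk only adjust the `privkey*.pem` files that exist when the play runs, but renewals happen from certbot's own timer between plays, and a freshly written `privkeyN.pem` gets whatever mode and group certbot gives it (I believe newer certbot releases copy the previous key's group and mode on renewal; older ones write 0600 root:root, which would lock `common__certbot__group` members out until the next play). A `deploy-hook` entry in `common__certbot__conf_cli` that re-applies the group and mode, or a check in the play that the deployed certbot preserves permissions, would close that gap. Separately, the task names say "Change group" but the first one keeps `group: root` and mainly sets the mode, so `Set ownership and mode of Let's Encrypt certificates and chains` is more accurate. The registered names `certs_and_chains` and `privkeys` also lack the `common__certbot__` prefix used by `common__certbot__result` in the same file.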
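Review bot: `common__certbot__group` is added to `vars/main.yml`, where role vars take precedence over inventory and playbook variables, so a consumer cannot change the group name without `-e`; if the name is meant to be tunable it belongs in `defaults/main.yml`, otherwise a comment such as `# fixed group name; must match the group created in tasks/certbot/install.yml` makes the intent clear. The new `archive_dir` and `live_dir` values mirror certbot's layout under its config directory, so a comment noting they must stay in sync with the `--config-dir` certbot is run with would help the next maintainer.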