diff --git a/handlers/main.yml b/handlers/main.yml new file mode 100644 index 0000000..c059bbe --- /dev/null +++ b/handlers/main.yml @@ -0,0 +1,5 @@ +--- +- name: Update snap after install + ansible.builtin.shell: snap install core; snap refresh core + changed_when: true + failed_when: false diff --git a/tasks/create-cert-standalone.yml b/tasks/create-cert-standalone.yml index 1d1f979..090ba4e 100644 --- a/tasks/create-cert-standalone.yml +++ b/tasks/create-cert-standalone.yml @@ -1,11 +1,11 @@ --- - name: Check if certificate already exists. - stat: + ansible.builtin.stat: path: /etc/letsencrypt/live/{{ cert_item.domains | first | replace('*.', '') }}/cert.pem register: letsencrypt_cert - name: Ensure pre and post hook folders exist. - file: + ansible.builtin.file: path: /etc/letsencrypt/renewal-hooks/{{ item }} state: directory mode: 0755 @@ -16,7 +16,7 @@ - post - name: Create pre hook to stop services. - template: + ansible.builtin.template: src: stop_services.j2 dest: /etc/letsencrypt/renewal-hooks/pre/stop_services owner: root @@ -27,7 +27,7 @@ - certbot_create_standalone_stop_services - name: Create post hook to start services. - template: + ansible.builtin.template: src: start_services.j2 dest: /etc/letsencrypt/renewal-hooks/post/start_services owner: root @@ -38,5 +38,8 @@ - certbot_create_standalone_stop_services - name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" + ansible.builtin.command: "{{ certbot_create_command }}" + register: certbot_create_command_result when: not letsencrypt_cert.stat.exists + changed_when: + - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0 diff --git a/tasks/create-cert-webroot.yml b/tasks/create-cert-webroot.yml index 8399872..a99fe17 100644 --- a/tasks/create-cert-webroot.yml +++ b/tasks/create-cert-webroot.yml 
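Review bot: `failed_when: false` on the new `Update snap after install` handler hides a failed `snap install core` / `snap refresh core`, and `changed_when: true` reports a change on every run, so a broken core snap only surfaces later as a confusing failure in `Install certbot via snap.`. Since the role already uses `community.general.snap` in tasks/install-with-snap.yml, the same step can be written idempotently as `community.general.snap:` / `name: core`, which reports change and failure itself and lets both overrides be dropped. If the shell form is kept, register the result and narrow the failure mask to the specific exit you intend to tolerate instead of every non-zero exit. This is a new file, so there is no enclosing context outside the hunk.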
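Review bot: `mode: 0755` in `Ensure pre and post hook folders exist.` is left as an unquoted leading-zero integer while the same commit writes `mode: '0755'` in tasks/create-cert-webroot.yml; a YAML 1.1 loader reads the bare form as decimal 493, and yamllint (`octal-values`) and ansible-lint (`risky-octal`) flag it. Quote it for consistency with the rest of the change: `mode: '0755'`. The same unquoted `mode: 0755` is in the `Ensure certbot-auto is executable.` hunk of tasks/install-from-source.yml.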
@@ -1,14 +1,20 @@ --- - name: Check if certificate already exists. - stat: + ansible.builtin.stat: path: /etc/letsencrypt/live/{{ cert_item.domains | first }}/cert.pem register: letsencrypt_cert - name: Create webroot directory if it doesn't exist yet - file: + ansible.builtin.file: path: "{{ cert_item.webroot | default(certbot_webroot) }}" state: directory + owner: root + group: root + mode: '0755' - name: Generate new certificate if one doesn't exist. - command: "{{ certbot_create_command }}" + ansible.builtin.command: "{{ certbot_create_command }}" + register: certbot_create_command_result when: not letsencrypt_cert.stat.exists + changed_when: + - certbot_create_command_result.rc is defined and certbot_create_command_result.rc == 0 diff --git a/tasks/include-vars.yml b/tasks/include-vars.yml index 0a70e50..da86128 100644 --- a/tasks/include-vars.yml +++ b/tasks/include-vars.yml @@ -1,6 +1,6 @@ --- - name: Load a variable file based on the OS type, or a default if not found. - include_vars: "{{ item }}" + ansible.builtin.include_vars: "{{ item }}" with_first_found: - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yml" - "{{ ansible_distribution }}.yml" diff --git a/tasks/install-from-source.yml b/tasks/install-from-source.yml index daee685..195bcb7 100644 --- a/tasks/install-from-source.yml +++ b/tasks/install-from-source.yml @@ -1,6 +1,6 @@ --- - name: Clone Certbot into configured directory. - git: + ansible.builtin.git: repo: "{{ certbot_repo }}" dest: "{{ certbot_dir }}" version: "{{ certbot_version }}" @@ -8,10 +8,10 @@ force: true - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: "{{ certbot_dir }}/certbot-auto" - name: Ensure certbot-auto is executable. - file: + ansible.builtin.file: path: "{{ certbot_script }}" mode: 0755 diff --git a/tasks/install-with-package.yml b/tasks/install-with-package.yml index 10490ff..00d8c0d 100644 --- a/tasks/install-with-package.yml 
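Review bot: the added `owner: root`, `group: root` and `mode: '0755'` on `Create webroot directory if it doesn't exist yet` do not apply only when the directory is created — `ansible.builtin.file` with `state: directory` enforces them on an existing directory too, so a webroot that is also a site's document root owned by the web-server user would be chowned to root on every run. Consider exposing them as role variables with the current values as defaults (proposed names), e.g. `owner: "{{ certbot_webroot_owner | default('root') }}"` and `group: "{{ certbot_webroot_group | default('root') }}"`, or at least rename the task so it no longer claims to act only on a missing directory. The `register`/`changed_when` lines added to `Generate new certificate if one doesn't exist.` here duplicate those in tasks/create-cert-standalone.yml, so keep the two in sync.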
+++ b/tasks/install-with-package.yml @@ -1,7 +1,9 @@ --- - name: Install Certbot. - package: "name={{ certbot_package }} state=present" + ansible.builtin.package: + name: "{{ certbot_package }}" + state: present - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: "{{ certbot_package }}" diff --git a/tasks/install-with-snap.yml b/tasks/install-with-snap.yml index 7a0ca65..5900e9e 100644 --- a/tasks/install-with-snap.yml +++ b/tasks/install-with-snap.yml @@ -1,41 +1,36 @@ --- - name: Ensure snapd is installed. - package: + ansible.builtin.package: name: snapd state: present - register: snapd_install + notify: + - Update snap after install - name: Ensure snapd is enabled. - systemd: + ansible.builtin.systemd: name: snapd.socket enabled: true state: started - name: Enable classic snap support. - file: + ansible.builtin.file: src: /var/lib/snapd/snap dest: /snap state: link when: ansible_os_family != "Debian" -- name: Update snap after install. - shell: snap install core; snap refresh core - changed_when: true - failed_when: false - when: snapd_install is changed - - name: Install certbot via snap. - snap: + community.general.snap: name: certbot classic: true - name: Symlink certbot into place. - file: + ansible.builtin.file: src: /snap/bin/certbot dest: /usr/bin/certbot state: link ignore_errors: "{{ ansible_check_mode }}" - name: Set Certbot script variable. - set_fact: + ansible.builtin.set_fact: certbot_script: /usr/bin/certbot diff --git a/tasks/main.yml b/tasks/main.yml index 894143c..3e796ec 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
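Review bot: moving `Update snap after install` from an inline task into a handler changes when it runs — handlers fire at the end of the play (or at the next `meta: flush_handlers`), whereas the removed task ran before `Install certbot via snap.` on a host where snapd had just been installed. As written, `community.general.snap: name: certbot` now runs before the core snap has been installed/refreshed on a fresh host, which is exactly the case the old `when: snapd_install is changed` guard targeted. Add `- name: Flush handlers so core is refreshed before installing certbot.` / `  ansible.builtin.meta: flush_handlers` immediately before `Install certbot via snap.`.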
@@ -1,19 +1,25 @@ --- -- import_tasks: include-vars.yml +- name: Include vars + ansible.builtin.import_tasks: include-vars.yml -- import_tasks: setup-RedHat.yml +- name: Import Redhat task + ansible.builtin.import_tasks: setup-RedHat.yml when: ansible_os_family == 'RedHat' -- import_tasks: install-with-package.yml +- name: Standalone install method choosed + ansible.builtin.import_tasks: install-with-package.yml when: certbot_install_method == 'package' -- import_tasks: install-with-snap.yml +- name: Snap install method choosed + ansible.builtin.import_tasks: install-with-snap.yml when: certbot_install_method == 'snap' -- import_tasks: install-from-source.yml +- name: Source install method choosed + ansible.builtin.import_tasks: install-from-source.yml when: certbot_install_method == 'source' -- include_tasks: create-cert-standalone.yml +- name: Create certs for standalone install + ansible.builtin.include_tasks: create-cert-standalone.yml with_items: "{{ certbot_certs }}" when: - certbot_create_if_missing @@ -21,7 +27,8 @@ loop_control: loop_var: cert_item -- include_tasks: create-cert-webroot.yml +- name: Create certs for webroot install + ansible.builtin.include_tasks: create-cert-webroot.yml with_items: "{{ certbot_certs }}" when: - certbot_create_if_missing @@ -29,5 +36,6 @@ loop_control: loop_var: cert_item -- import_tasks: renew-cron.yml +- name: Check cron jobs + ansible.builtin.import_tasks: renew-cron.yml when: certbot_auto_renew diff --git a/tasks/renew-cron.yml b/tasks/renew-cron.yml index 394a30e..3ee6b70 100644 --- a/tasks/renew-cron.yml +++ b/tasks/renew-cron.yml @@ -1,6 +1,6 @@ --- - name: Add cron job for certbot renewal (if configured). - cron: + ansible.builtin.cron: name: Certbot automatic renewal. job: "{{ certbot_script }} renew {{ certbot_auto_renew_options }}" minute: "{{ certbot_auto_renew_minute }}" diff --git a/tasks/setup-RedHat.yml b/tasks/setup-RedHat.yml index 8a271fa..44283de 100644 --- a/tasks/setup-RedHat.yml 
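Review bot: the new task names in tasks/main.yml do not match what the imports do: `Standalone install method choosed` labels `install-with-package.yml` (the `package` install method, unrelated to the standalone certificate method), `Check cron jobs` labels the task that adds the renewal cron job, and `choosed` / `Redhat` are misspellings. Suggest `- name: Install Certbot via OS package.`, `- name: Install Certbot via snap.` and `- name: Install Certbot from source.` for the three install imports, and `- name: Configure automatic renewal cron job.` for the `renew-cron.yml` import in the last hunk of this file. Ending the names with a period would also match the task names used in the other task files of this role.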
+++ b/tasks/setup-RedHat.yml @@ -1,5 +1,31 @@ --- # See: https://github.com/geerlingguy/ansible-role-certbot/issues/107 +- name: Check dnf modules for Redhat family + when: + - ansible_distribution == 'CentOS' + - ansible_distribution_major_version | int >= 8 + block: + - name: Ensure dnf-plugins are installed on CentOS 8+. + ansible.builtin.yum: + name: dnf-plugins-core + state: present + + when: ansible_facts['distribution_version'] is version('8.2', '<=') + - name: Check dnf modules for Centos + block: + - name: Enable DNF module for CentOS 8.3+. + ansible.builtin.shell: | + dnf config-manager --set-enabled powertools + register: dnf_module_enable + changed_when: false + when: ansible_facts['distribution_version'] is version('8.3', '>=') + + - name: Enable DNF module for CentOS 8.0–8.2. + ansible.builtin.shell: | + dnf config-manager --set-enabled PowerTools + register: dnf_module_enable + changed_when: false + - name: Ensure dnf-plugins are installed on Rocky/AlmaLinux. yum: name: dnf-plugins-core
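Review bot: as rendered, the `when: ansible_facts['distribution_version'] is version('8.2', '<=')` that follows `Ensure dnf-plugins are installed on CentOS 8+.` appears attached to that task rather than to `Enable DNF module for CentOS 8.0–8.2.`, which carries no version guard of its own; indentation was lost in this listing so please confirm, but if that nesting is real then dnf-plugins-core is skipped on CentOS 8.3+ (where `dnf config-manager --set-enabled powertools` needs it) and `--set-enabled PowerTools` is attempted on every CentOS 8 release inside the block. The guard belongs on the 8.0–8.2 task, as `when: ansible_facts['distribution_version'] is version('8.2', '<=')` beneath its `changed_when: false`. Both shell tasks register `dnf_module_enable` but set `changed_when: false` even though `dnf config-manager --set-enabled` modifies repository configuration, so the registered result is neither used nor reflected in the change status. The trailing context task `Ensure dnf-plugins are installed on Rocky/AlmaLinux.` still uses the short `yum:` form and missed the FQCN migration applied throughout this commit; that task continues outside the hunk.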