Initial commit

defaults/main.yaml

@@ -0,0 +1,8 @@
+---
+certbot_certs: []
+certbot_certs_email: root@{{ ansible_inventory }}
+
+certbot_plugin_arguments:
+  digitalocean: --dns-digitalocean --dns-digitalocean-credentials /root/do_secrets.ini
+  godaddy: --authenticator dns-godaddy --dns-godaddy-credentials /root/gd_secrets.ini
+  default: "--webroot -w /var/www/acme-challenge"

meta/main.yaml

@@ -0,0 +1,15 @@
+---
+allow_duplicates: false
+
+galaxy_info:
+  role_name: certbot
+  author: Andrew Williams
+  description: Basic installation for Certbot
+  license: MIT
+
+  min_ansible_version: "2.4"
+
+  platforms:
+    - name: Ubuntu
+      versions:
+        - jammy

tasks/cert.yaml

@@ -0,0 +1,20 @@
+---
+- name: "Check the cert exists"
+  ansible.builtin.stat:
+    path: "/etc/letsencrypt/live/{{ item.hostname }}/cert.pem"
+  register: cert_stat
+
+- name: "Get the SANs from the certificate file"
+  community.crypto.x509_certificate_info:
+    path: "/etc/letsencrypt/live/{{ item.hostname }}/cert.pem"
+  register: cert_info
+  when: cert_stat.stat.exists
+
+- name: Calculate the SAN list
+  ansible.builtin.set_fact:
+    cert_sans: "{{ ['DNS:'] | product(item.sans | default([item.hostname])) | map('join') | list }}"
+
+- name: "Request a certificate"  # noqa no-changed-when ignore-errors
+  ansible.builtin.command: "certbot certonly -n --expand --agree-tos {{ certbot_plugin_arguments[item.plugin | default('default')] }} -d '{{ item.hostname }}' {% for san in item.sans | default([]) %} -d '{{ san }}' {% endfor %} -m {{ certbot_certs_email }}"  # noqa no-change-when
+  ignore_errors: true
+  when: not cert_stat.stat.exists or cert_sans | difference(cert_info.subject_alt_name) | list | length > 0

tasks/config.yaml

@@ -0,0 +1,21 @@
+---
+- name: Write out DigitalOcean auth key
+  ansible.builtin.template:
+    src: do_secrets.j2
+    dest: /root/do_secrets.ini
+    mode: "0600"
+    owner: root
+    group: root
+  when:
+    - certbot_digitalocean_token is defined
+
+- name: Write out GoDaddy auth key
+  ansible.builtin.template:
+    src: do_secrets.j2
+    dest: /root/gd_secrets.ini
+    mode: "0600"
+    owner: root
+    group: root
+  when:
+    - certbot_godaddy_secret is defined
+    - certbot_godaddy_key is defined

tasks/install.yaml

@@ -0,0 +1,35 @@
+---
+- name: Install certbot
+  ansible.builtin.package:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - certbot
+
+- name: Install DigitalOcean certbot extension
+  ansible.builtin.package:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - python3-certbot-dns-digitalocean
+  when:
+    - certbot_digitalocean_token is defined
+
+- name: Install GoDaddy certbot extension from PyPi
+  ansible.builtin.pip:
+    name: "{{ packages }}"
+    state: present
+  vars:
+    packages:
+      - certbot-dns-godaddy
+  when:
+    - certbot_godaddy_key is defined
+    - certbot_godaddy_secret is defined
+
+- name: Enable certbot renewal timer
+  ansible.builtin.systemd:
+    name: certbot.timer
+    state: started
+    enabled: true

tasks/install_el.yaml

@@ -0,0 +1,37 @@
+---
+- name: When on EL 8
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version != '9'
+  block:
+    - name: Install certbot
+      ansible.builtin.package:
+        name: "{{ certbot_el_packages }}"
+        state: present
+      vars:
+        certbot_el_packages:
+          - certbot
+          - python3-certbot-dns-digitalocean
+
+- name: When on EL 9
+  when:
+    - ansible_os_family == 'RedHat'
+    - ansible_distribution_major_version == '9'
+  block:
+    - name: Install certbot
+      ansible.builtin.package:
+        name: "{{ certbot_el9_packages }}"
+        state: present
+      vars:
+        certbot_el9_packages:
+          - certbot
+    - name: Install certbot-dns-digitalocean from pip
+      ansible.builtin.pip:
+        name: certbot-dns-digitalocean
+        state: present
+
+- name: Enable certbot renewal timer
+  ansible.builtin.systemd:
+    name: certbot-renew.timer
+    state: started
+    enabled: true

tasks/main.yaml

@@ -0,0 +1,11 @@
+---
+- name: Install Certbot
+  ansible.builtin.import_tasks: install.yaml
+
+- name: Configure Certbot
+  ansible.builtin.import_tasks: config.yaml
+
+- name: Request Certificates
+  ansible.builtin.import_tasks: request_certs.yaml
+  tags:
+    - request_certs

tasks/request_certs.yaml

@@ -0,0 +1,9 @@
+---
+- name: Add FQDN if not already listed in certs
+  ansible.builtin.set_fact:
+    certbot_certs: "{{ certbot_certs + [{'hostname': ansible_fqdn}] }}"
+  when: certbot_certs | selectattr('hostname', 'equalto', ansible_fqdn) | list | length == 0
+
+- name: Request Certificate
+  ansible.builtin.include_tasks: cert.yaml
+  loop: "{{ certbot_certs }}"

templates/do_secrets.j2

@@ -0,0 +1,2 @@
+# DigitalOcean API credentials used by Certbot
+dns_digitalocean_token = {{ digitalocean_token }}

templates/gd_secrets.j2

@@ -0,0 +1,3 @@
+# GoDaddy API credentials used by Certbot
+dns_godaddy_secret = {{ certbot_godaddy_secret }}
+dns_godaddy_key = {{ certbot_godaddy_key }}