v0.01

2026-03-12 12:41:28 +01:00
parent 87755ef08e
commit 64c7b6c310
12 changed files with 539 additions and 0 deletions
--- a/tasks/facts.yml
+++ b/tasks/facts.yml
@@ -0,0 +1,54 @@
+---
+# Certbot
+#
+# Linux-Server-Admin.com Ansible Role for cert management with Certbot
+#
+# Fact Tasks
+#
+
+- name: Install python3 and pip (inkl. venv)
+  ansible.builtin.package:
+    name:
+      - python3
+      - python3-pip
+      - python3-psutil
+      - python3-venv
+    state: latest
+    update_cache: true
+  become: true
+
+- name: Create python venv for facts
+  ansible.builtin.command:
+    cmd: python3 -m venv /opt/ansible-facts-venv
+  become: true
+  args:
+    creates: /opt/ansible-facts-venv
+
+- name: Install pyyaml in venv
+  ansible.builtin.command:
+    cmd: /opt/ansible-facts-venv/bin/pip install pyyaml
+  become: true
+
+- name: "Create certbot parse facts script"
+  ansible.builtin.template:
+    src: "certbot-certificates.py.j2"
+    dest: "/usr/local/bin/ansible_certbot_parse_facts.py"
+    mode: +x
+  become: true
+
+- name: "Create directory for ansible system facts"
+  ansible.builtin.file:
+    state: directory
+    recurse: true
+    path: /etc/ansible/facts.d
+  become: true
+
+- name: "Set certbot fact file"
+  ansible.builtin.template:
+    src: "certbot.fact.j2"
+    dest: "/etc/ansible/facts.d/certbot.json"
+  become: true
+
+- name: Run certbot parse script in venv
+  ansible.builtin.shell: certbot certificates | /opt/ansible-facts-venv/bin/python3 /usr/local/bin/ansible_certbot_parse_facts.py
+  become: true
--- a/tasks/install.yml
+++ b/tasks/install.yml
@@ -0,0 +1,32 @@
+---
+# Certbot
+#
+# Linux-Server-Admin.com Ansible Role for cert management with Certbot
+#
+# Install Tasks
+#
+
+- name: Install EPEL Release
+  ansible.builtin.package:
+   name: "epel-release"
+   state: latest
+   update_cache: true
+  when: ansible_facts["os_family"] == "RedHat"
+  become: true
+
+- name: Install Certbot
+  ansible.builtin.package:
+   name: "certbot"
+   state: latest
+   update_cache: true
+  become: true
+
+- name: Install Certbot's Nginx/Apache package
+  ansible.builtin.package:
+   name: "{{ certbot_python }}"
+   state: latest
+  when:
+    - not certbot_freeipa | default(false) | bool
+    - certbot_webserver is defined
+    - certbot_webserver_plugin_install | default(true) | bool
+  become: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -0,0 +1,80 @@
+---
+# Certbot
+#
+# Linux-Server-Admin.com Ansible Role for cert management with Certbot
+#
+# Main Tasks
+#
+
+- name: "Check if certbot_debug is defined and true and if set debug_nolog to false for all sensitive tasks"
+  set_fact:
+    debug_nolog: false
+  when: certbot_debug is defined and certbot_debug is true
+
+- name: "Install Certbot"
+  include_tasks: install.yml
+  when: certbot_install | default(true) | bool
+
+- shell: "certbot --version"
+  register: __certbot_version
+
+- debug:
+    var: __certbot_version
+  when: certbot_debug is defined and certbot_debug is true
+
+- name: Check Webserver
+  debug:
+    msg: "Selected Webserver: {{ certbot_webserver }}"
+  when: certbot_webserver is defined and certbot_debug is defined and certbot_debug is true
+
+- name: "Check if certificate already exists"
+  ansible.builtin.stat:
+    path: /etc/letsencrypt/live/{{ item.name }}/cert.pem
+  register: certbot_vhosts_host
+  with_items: "{{ certbot_vhosts }}"
+  become: true
+
+- name: "Generate certificate scripts"
+  ansible.builtin.template:
+    src: "generate-cert.sh.j2"
+    dest: "/usr/local/bin/certbot-{{ item.item.name }}.sh"
+    mode: +x
+  with_items: "{{ certbot_vhosts_host.results }}"
+  become: true
+#  no_log: debug_nolog | default(true) | bool
+
+- name: "Exec cert script"
+  ansible.builtin.shell: '/usr/local/bin/certbot-{{ item.item.name }}.sh'
+  with_items: "{{ certbot_vhosts_host.results }}"
+  become: true
+#  no_log: debug_nolog | default(true) | bool
+
+# list all installed certificates
+- name: "List all installed certificates"
+  ansible.builtin.command:
+    cmd: "certbot certificates"
+  register: __certbot_certificates
+  failed_when: false
+  changed_when: false
+  become: true
+#  when: certbot_debug is defined and certbot_debug is true
+
+- debug:
+    var: __certbot_certificates.stdout_lines
+  when: certbot_debug is defined and certbot_debug is true
+
+- name: "Generate LetsEncrypt FreeIPA Integration script"
+  ansible.builtin.template:
+    src: "letsencrypt-freeipa.sh.j2"
+    dest: "/usr/local/bin/letsencrypt-freeipa.sh"
+    mode: +x
+  when: certbot_freeipa | default(false) | bool
+  become: true
+
+- name: "Setup Certbot facts"
+  include_tasks: facts.yml
+  when: certbot_facts | default(false) | bool
+
+- name: "Setup Certbot readme"
+  include_tasks: readme.yml
+  when: certbot_readme | default(false) | bool
--- a/tasks/readme.yml
+++ b/tasks/readme.yml
@@ -0,0 +1,21 @@
+---
+# Certbot
+#
+# Linux-Server-Admin.com Ansible Role for cert management with Certbot
+#
+# Readme Tasks
+#
+
+- name: "Create Readme Directory"
+  ansible.builtin.file:
+    path: "{{ certbot_readme_path | default('/etc/ansible/readme/') }}"
+    state: directory
+    mode: "{{ certbot_readme_mode | default('0640') }}"
+  become: true
+
+- name: "Update Readme"
+  ansible.builtin.template:
+    src: "certbot.md.j2"
+    dest: "{{ certbot_readme_path | default('/etc/ansible/readme/') }}certbot.md"
+    mode: "{{ certbot_readme_mode | default('0640') }}"
+  become: true