1
0
Fork 0
mirror of https://github.com/roles-ansible/ansible_role_acmetool.git synced 2024-08-16 12:29:49 +02:00
Ansible role to manage letsencrypt certs with acme tool
Find a file
2022-03-27 19:51:32 +02:00
.github improve and update linting 2022-03-27 19:51:32 +02:00
defaults Create standalone mode 2021-09-30 22:07:35 +02:00
files Improve services restart hook 2021-08-11 23:17:29 +02:00
meta Improve services restart hook 2021-08-11 23:17:29 +02:00
tasks improve and update linting 2022-03-27 19:51:32 +02:00
templates Manage systemd by acmetool 2021-09-30 14:41:15 +02:00
vars improve and update linting 2022-03-27 19:51:32 +02:00
.gitignore repair linting 2021-03-20 18:28:29 +01:00
.yamllint repair linting 2021-03-20 18:28:29 +01:00
LICENCE Add myself to License 2021-03-20 18:55:33 +01:00
README.md typofix 2021-09-30 22:41:04 +02:00

Ansible Galaxy MIT License

Acmetool LE client

Install and configure the acmetool LE client.

We recomend to use this role together with the do1jlr.nginx ansible role. But this role has a standalone version too.

The do1jlr.nginx role installs a hook to enable nginx https sites and is running the acmetool want $domain command. Or you add the domains you need to the acme_domain_want_list: []. But make sure you your acmetool is able to request the domains. Maybe you want to configure the response-file.yml.j2 for that.

Variables

  • acme_notification_email: (Default: root@example.org): LE account email. The default needs to be changed!

  • acme_reload_services: (Default: []): Services that need a reload by certificat change (There are some services pre-defined in the files/reload file)

  • acme_restart_services: (Default: []): Services that need a restart by certificat change

  • acme_domain_want_list: (Default: []): A list of domain you want to enable. Example:

acme_domain_want_list:
  - name: 'www.example.com'
  • acme_domain_unwant_list: (Default: []): Disable a enabled domain. Same syntax than acme_domain_want_list.

  • submodules_versioncheck: (Default: false): Enable basic versionscheck. (true is recomended)

Files

  • We search the response-file.yml.j2 using the first_found_lookup with the following config:
  files:
    - "response-file.{{ inventory_hostname }}.yml.j2"
    - 'response-file.yml.j2'
  paths:
    - 'templates/acmetool'
    - "templates/{{ inventory_hostname }}"
    - 'files/acmetool'
    - "files/{{ inventory_hostname }}"
    - 'templates'

This file is configuring the acmetool behaviour like certificate type, challange methode, acme notification email and so on. Change the values by providing your own response-file.yml.j2.

  • We search the reload and restart hook using the first_found_lookup with the config defined in vars/main.yml.

  • We deploy the acme-reload and acme-restart configuration based on the acme_reload_services: and acme_restart_services: variables

References

Good to know

  • If you are using debian buster, you are probably interested in a more up to date version of acmetool. Have a look at the do1jlr.acmetool_fix role, that will install a specific version of acmetool on debian based systems.
  • To add a domain manually to acmetool run acmetool want example.com
  • To remove a domain manually from acmetool, acmetool unwant example.com

Testing

We are using the following github actions for testing and releasing to ansible galaxy.

Action Status Marketplace
Ansible Lint check ansible-lint
Galaxy release publish-ansible-role-to-galaxy
Yamllint GitHub Actions yamllint-github-action