ansible-playbooks/roles/caddy/tasks/setup_lego.yml

- name: determine host architecture
  include_tasks: tasks/get_host_arch.yml


- name: create lego working dir
  file:
    path: "{{ caddy_lego_dir }}"
    state: directory
    mode: 0700
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"


- name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: yes
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ caddy_lego_dir }}/last_version"
      extract: "{{ caddy_lego_dir }}"
      user: "{{ caddy_user }}"
      group: "{{ caddy_group }}"


- block:
    - name: remove unnecessary files
      file:
        path: "{{ (caddy_lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop


- name: set lego parameters
  set_fact:
    lego_params: "{{
      [
        ([] | zip_longest(caddy_domains | d([]) | select() | map('quote'), fillvalue='--domains ') | map('join') | list),
        '--server ' ~ (acme_endpoint | quote),
        '--accept-tos',
        '--email ' ~ (acme_email | quote),
        '--key-type ec384',
        '--path ' ~ (caddy_lego_dir | quote),
        '--dns acme-dns',
        '--dns.resolvers 9.9.9.9',
        '--dns.disable-cp'
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_renewal_params: "{{
      [
        (('--days ' ~ (acme_renewal_days | quote)) if acme_renewal_days is defined else ''),
        ('--reuse-key' if acme_reuse_key | d(false) == true else ''),
        ('--no-random-sleep' if acme_no_random_sleep | d(true) == true else '')
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_preferred_chain | quote) if acme_preferred_chain is defined else '' }}"


- name: check if lastrun file exists
  stat:
    path: "{{ caddy_lego_lastrun_file }}"
    get_checksum: no
    get_mime: no
  register: result


- name: set initial reissue value
  set_fact:
    lego_must_reissue: yes
    lego_full_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"
    lego_renew_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"


- block:
    - name: get lastrun file contents
      slurp:
        path: "{{ caddy_lego_lastrun_file }}"
      register: file_content
      no_log: yes

    - name: set acme-dns-client domain fact
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"

  when: result.stat.exists


- block:
    - name: issue cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"

  when: lego_must_reissue
  rescue:
    - pause:

    - name: retry issuing cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"


- block:
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ caddy_lego_lastrun_file }}"
        remote_src: yes


    - name: defer caddy restart
      debug:
        msg: deferring caddy restart
      changed_when: yes
      notify: restart caddy

  when: lego_must_reissue


- name: template systemd files
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/systemd/system/{{ item.dst }}"
    force: yes
    lstrip_blocks: yes
  loop:
    - { src: 'lego_systemd', dst: 'lego.service' }
    - { src: 'lego_timer', dst: 'lego.timer' }
  notify: reload systemd daemons


- name: enable lego timer
  systemd:
    name: lego.timer
    state: started
    enabled: yes


# TODO: restart script
feat: caddy fix: various fixes 2 years ago			`- name: determine host architecture`
			`include_tasks: tasks/get_host_arch.yml`


			`- name: create lego working dir`
			`file:`
			`path: "{{ caddy_lego_dir }}"`
			`state: directory`
			`mode: 0700`
			`owner: "{{ caddy_user }}"`
			`group: "{{ caddy_group }}"`


			`- name: get and extract latest lego version`
			`include_tasks: tasks/get_lastversion.yml`
			`vars:`
			`package:`
			`name: go-acme/lego`
			`location: github`
			`assets: yes`
			`asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"`
			`file: "{{ caddy_lego_dir }}/last_version"`
			`extract: "{{ caddy_lego_dir }}"`
			`user: "{{ caddy_user }}"`
			`group: "{{ caddy_group }}"`


			`- block:`
			`- name: remove unnecessary files`
			`file:`
			`path: "{{ (caddy_lego_dir, item) \| path_join }}"`
			`state: absent`
			`loop:`
			`- LICENSE`
			`- CHANGELOG.md`
			`rescue:`
			`- meta: noop`


			`- name: set lego parameters`
			`set_fact:`
			`lego_params: "{{`
			`[`
			`([] \| zip_longest(caddy_domains \| d([]) \| select() \| map('quote'), fillvalue='--domains ') \| map('join') \| list),`
			`'--server ' ~ (acme_endpoint \| quote),`
			`'--accept-tos',`
			`'--email ' ~ (acme_email \| quote),`
			`'--key-type ec384',`
			`'--path ' ~ (caddy_lego_dir \| quote),`
			`'--dns acme-dns',`
			`'--dns.resolvers 9.9.9.9',`
			`'--dns.disable-cp'`
			`] \| flatten(levels=1) \| select() \| list \| join(' ') }}"`
			`lego_renewal_params: "{{`
			`[`
			`(('--days ' ~ (acme_renewal_days \| quote)) if acme_renewal_days is defined else ''),`
			`('--reuse-key' if acme_reuse_key \| d(false) == true else ''),`
			`('--no-random-sleep' if acme_no_random_sleep \| d(true) == true else '')`
			`] \| flatten(levels=1) \| select() \| list \| join(' ') }}"`
			`lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_preferred_chain \| quote) if acme_preferred_chain is defined else '' }}"`


			`- name: check if lastrun file exists`
			`stat:`
			`path: "{{ caddy_lego_lastrun_file }}"`
			`get_checksum: no`
			`get_mime: no`
			`register: result`


			`- name: set initial reissue value`
			`set_fact:`
			`lego_must_reissue: yes`
			`lego_full_command: "{{ (caddy_lego_dir, 'lego') \| path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"`
			`lego_renew_command: "{{ (caddy_lego_dir, 'lego') \| path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"`


			`- block:`
			`- name: get lastrun file contents`
			`slurp:`
			`path: "{{ caddy_lego_lastrun_file }}"`
			`register: file_content`
			`no_log: yes`

			`- name: set acme-dns-client domain fact`
			`set_fact:`
			`lego_must_reissue: "{{ (file_content.content \| b64decode) != lego_full_command }}"`

			`when: result.stat.exists`


			`- block:`
			`- name: issue cert with dns mode`
			`shell:`
			`cmd: "{{ lego_full_command }}"`
			`chdir: "{{ caddy_lego_dir }}"`
			`environment:`
			`ACME_DNS_API_BASE: "{{ acme_dns_server }}"`
			`ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') \| path_join }}"`
			`register: result`
			`become: yes`
			`become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"`
			`become_user: "{{ caddy_user }}"`

			`when: lego_must_reissue`
			`rescue:`
			`- pause:`

			`- name: retry issuing cert with dns mode`
			`shell:`
			`cmd: "{{ lego_full_command }}"`
			`chdir: "{{ caddy_lego_dir }}"`
			`environment:`
			`ACME_DNS_API_BASE: "{{ acme_dns_server }}"`
			`ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') \| path_join }}"`
			`register: result`
			`become: yes`
			`become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"`
			`become_user: "{{ caddy_user }}"`


			`- block:`
			`- name: save data to lastrun file`
			`copy:`
			`content: "{{ lego_full_command }}"`
			`dest: "{{ caddy_lego_lastrun_file }}"`
			`remote_src: yes`


			`- name: defer caddy restart`
			`debug:`
			`msg: deferring caddy restart`
			`changed_when: yes`
			`notify: restart caddy`

			`when: lego_must_reissue`


			`- name: template systemd files`
			`template:`
			`src: "{{ item.src }}.j2"`
			`dest: "/etc/systemd/system/{{ item.dst }}"`
			`force: yes`
			`lstrip_blocks: yes`
			`loop:`
			`- { src: 'lego_systemd', dst: 'lego.service' }`
			`- { src: 'lego_timer', dst: 'lego.timer' }`
			`notify: reload systemd daemons`


			`- name: enable lego timer`
			`systemd:`
			`name: lego.timer`
			`state: started`
			`enabled: yes`


			`# TODO: restart script`