ansible-playbooks/roles/lego/tasks/main.yml

- name: set acme_cfg
  set_fact:
    acme_cfg: "{{ acme_default_config | d({}) |
      combine(acme_config | d({}), recursive=true) }}"


- name: determine host architecture
  include_tasks: tasks/get_host_arch.yml


- name: create user and group
  include_tasks: tasks/create_user.yml
  vars:
    user:
      name: "{{ lego_user }}"
      group: "{{ lego_group }}"
      create_home: no


- name: create lego working dir
  file:
    path: "{{ lego_dir }}"
    state: directory
    mode: 0700


- name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: yes
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ lego_dir }}/last_version"
      extract: "{{ lego_dir }}"


- block:
    - name: remove unnecessary files
      file:
        path: "{{ (lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop


- name: set lego parameters
  set_fact:
    lego_params: "{{
      [
        ([] | zip_longest(acme_domains | d([]) | select() | map('quote'), fillvalue='--domains ') | map('join') | list),
        '--server ' ~ ((acme_cfg.endpoint_staging if acme_cfg.staging else acme_cfg.endpoint_prod) | quote),
        '--accept-tos',
        '--email ' ~ (acme_cfg.email | d(maintainer_email) | quote),
        '--key-type ec384',
        '--path ' ~ (lego_dir | quote),
        '--dns acme-dns',
        '--dns.resolvers ' ~ (acme_cfg.resolver | d('1.1.1.1') | quote),
        '--dns.disable-cp'
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_renewal_params: "{{
      [
        (('--days ' ~ (acme_cfg.renew_at_days | quote)) if acme_cfg.renew_at_days is defined else ''),
        ('--reuse-key' if acme_cfg.reuse_key | d(false) == true else ''),
        ('--no-random-sleep' if acme_cfg.no_random_sleep | d(true) == true else '')
      ] | flatten(levels=1) | select() | list | join(' ') }}"
    lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_cfg.preferred_chain | quote) if acme_cfg.preferred_chain is defined else '' }}"


- name: check if lastrun file exists
  stat:
    path: "{{ lego_lastrun_file }}"
    get_checksum: no
    get_mime: no
  register: result


- name: set initial reissue value
  set_fact:
    lego_must_reissue: yes
    lego_full_command: "{{ (lego_dir, 'lego') | path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"
    lego_renew_command: "{{ (lego_dir, 'lego') | path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"


- block:
    - name: get lastrun file contents
      slurp:
        path: "{{ lego_lastrun_file }}"
      register: file_content
      no_log: yes

    - name: determine if cert should be reissued
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"

  when: result.stat.exists


- block:
    - name: issue cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"

  when: lego_must_reissue
  rescue:
    - pause:
      when: interactive | d(false) == true

    - name: retry issuing cert with dns mode
      shell:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_cfg.server }}"
        ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file | d((lego_dir, 'accounts.conf') | path_join) }}"
      register: result
      become: yes
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ lego_user }}"


- block:
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ lego_lastrun_file }}"
        remote_src: yes


    - name: defer service restart
      debug:
        msg: deferring service restart
      changed_when: yes
      notify: "{{ lego_notify }}"
      when: lego_notify is defined

  when: lego_must_reissue


- block:
    - name: template systemd files
      template:
        src: "{{ item.src }}.j2"
        dest: "{{ ('/etc/systemd/system', item.dst) | path_join }}"
        force: yes
        lstrip_blocks: yes
      loop:
        - { src: 'lego_systemd', dst: 'lego.service' }
        - { src: 'lego_timer', dst: 'lego.timer' }
      notify: reload systemd daemons


    - name: enable lego timer
      systemd:
        name: lego.timer
        state: started
        enabled: yes

  when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'


# TODO: restart script
fix: various fixes 2 years ago			`- name: set acme_cfg`
			`set_fact:`
			`acme_cfg: "{{ acme_default_config \| d({}) \|`
			`combine(acme_config \| d({}), recursive=true) }}"`


			`- name: determine host architecture`
			`include_tasks: tasks/get_host_arch.yml`


			`- name: create user and group`
			`include_tasks: tasks/create_user.yml`
			`vars:`
			`user:`
			`name: "{{ lego_user }}"`
			`group: "{{ lego_group }}"`
			`create_home: no`


			`- name: create lego working dir`
			`file:`
			`path: "{{ lego_dir }}"`
			`state: directory`
			`mode: 0700`


			`- name: get and extract latest lego version`
			`include_tasks: tasks/get_lastversion.yml`
			`vars:`
			`package:`
			`name: go-acme/lego`
			`location: github`
			`assets: yes`
			`asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"`
			`file: "{{ lego_dir }}/last_version"`
			`extract: "{{ lego_dir }}"`


			`- block:`
			`- name: remove unnecessary files`
			`file:`
			`path: "{{ (lego_dir, item) \| path_join }}"`
			`state: absent`
			`loop:`
			`- LICENSE`
			`- CHANGELOG.md`
			`rescue:`
			`- meta: noop`


			`- name: set lego parameters`
			`set_fact:`
			`lego_params: "{{`
			`[`
			`([] \| zip_longest(acme_domains \| d([]) \| select() \| map('quote'), fillvalue='--domains ') \| map('join') \| list),`
			`'--server ' ~ ((acme_cfg.endpoint_staging if acme_cfg.staging else acme_cfg.endpoint_prod) \| quote),`
			`'--accept-tos',`
			`'--email ' ~ (acme_cfg.email \| d(maintainer_email) \| quote),`
			`'--key-type ec384',`
			`'--path ' ~ (lego_dir \| quote),`
			`'--dns acme-dns',`
			`'--dns.resolvers ' ~ (acme_cfg.resolver \| d('1.1.1.1') \| quote),`
			`'--dns.disable-cp'`
			`] \| flatten(levels=1) \| select() \| list \| join(' ') }}"`
			`lego_renewal_params: "{{`
			`[`
			`(('--days ' ~ (acme_cfg.renew_at_days \| quote)) if acme_cfg.renew_at_days is defined else ''),`
			`('--reuse-key' if acme_cfg.reuse_key \| d(false) == true else ''),`
			`('--no-random-sleep' if acme_cfg.no_random_sleep \| d(true) == true else '')`
			`] \| flatten(levels=1) \| select() \| list \| join(' ') }}"`
			`lego_preferred_chain: "{{ '--preferred-chain ' ~ (acme_cfg.preferred_chain \| quote) if acme_cfg.preferred_chain is defined else '' }}"`


			`- name: check if lastrun file exists`
			`stat:`
			`path: "{{ lego_lastrun_file }}"`
			`get_checksum: no`
			`get_mime: no`
			`register: result`


			`- name: set initial reissue value`
			`set_fact:`
			`lego_must_reissue: yes`
			`lego_full_command: "{{ (lego_dir, 'lego') \| path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"`
			`lego_renew_command: "{{ (lego_dir, 'lego') \| path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"`


			`- block:`
			`- name: get lastrun file contents`
			`slurp:`
			`path: "{{ lego_lastrun_file }}"`
			`register: file_content`
			`no_log: yes`

			`- name: determine if cert should be reissued`
			`set_fact:`
			`lego_must_reissue: "{{ (file_content.content \| b64decode) != lego_full_command }}"`

			`when: result.stat.exists`


			`- block:`
			`- name: issue cert with dns mode`
			`shell:`
			`cmd: "{{ lego_full_command }}"`
			`chdir: "{{ lego_dir }}"`
			`environment:`
			`ACME_DNS_API_BASE: "{{ acme_cfg.server }}"`
			`ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file \| d((lego_dir, 'accounts.conf') \| path_join) }}"`
			`register: result`
			`become: yes`
			`become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"`
			`become_user: "{{ lego_user }}"`

			`when: lego_must_reissue`
			`rescue:`
			`- pause:`
			`when: interactive \| d(false) == true`

			`- name: retry issuing cert with dns mode`
			`shell:`
			`cmd: "{{ lego_full_command }}"`
			`chdir: "{{ lego_dir }}"`
			`environment:`
			`ACME_DNS_API_BASE: "{{ acme_cfg.server }}"`
			`ACME_DNS_STORAGE_PATH: "{{ lego_accounts_file \| d((lego_dir, 'accounts.conf') \| path_join) }}"`
			`register: result`
			`become: yes`
			`become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"`
			`become_user: "{{ lego_user }}"`


			`- block:`
			`- name: save data to lastrun file`
			`copy:`
			`content: "{{ lego_full_command }}"`
			`dest: "{{ lego_lastrun_file }}"`
			`remote_src: yes`


			`- name: defer service restart`
			`debug:`
			`msg: deferring service restart`
			`changed_when: yes`
			`notify: "{{ lego_notify }}"`
			`when: lego_notify is defined`

			`when: lego_must_reissue`


			`- block:`
			`- name: template systemd files`
			`template:`
			`src: "{{ item.src }}.j2"`
			`dest: "{{ ('/etc/systemd/system', item.dst) \| path_join }}"`
			`force: yes`
			`lstrip_blocks: yes`
			`loop:`
			`- { src: 'lego_systemd', dst: 'lego.service' }`
			`- { src: 'lego_timer', dst: 'lego.timer' }`
			`notify: reload systemd daemons`


			`- name: enable lego timer`
			`systemd:`
			`name: lego.timer`
			`state: started`
			`enabled: yes`

			`when: ansible_distribution == 'Debian' or ansible_distribution == 'Ubuntu'`


			`# TODO: restart script`