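---
# Issues (and, through a systemd timer, renews) the Caddy TLS certificate with
# lego (go-acme/lego) using the acme-dns DNS-01 provider.
#
# Variables read here (defined elsewhere): caddy_lego_dir, caddy_user,
# caddy_group, caddy_lego_lastrun_file, caddy_domains, acme_endpoint,
# acme_email, acme_dns_server. Optional: acme_renewal_days, acme_reuse_key,
# acme_no_random_sleep, acme_preferred_chain, acme_dns_resolvers,
# acme_retry_delay_seconds.
#
# Handlers expected from the including role: "restart caddy",
# "reload systemd daemons".

- name: determine host architecture
  include_tasks: tasks/get_host_arch.yml

- name: create lego working dir
  file:
    path: "{{ caddy_lego_dir }}"
    state: directory
    # 0700: this directory ends up holding the ACME account key, the issued
    # private key and the acme-dns credentials (accounts.conf); nobody but
    # caddy_user should be able to read it.
    mode: "0700"
    owner: "{{ caddy_user }}"
    group: "{{ caddy_group }}"

# NOTE(review): whether tasks/get_lastversion.yml verifies the downloaded
# release (checksum or signature) is not visible from this file — confirm.
# An unverified "latest" binary pulled from GitHub and run as caddy_user is a
# software-supply-chain exposure.
- name: get and extract latest lego version
  include_tasks: tasks/get_lastversion.yml
  vars:
    package:
      name: go-acme/lego
      location: github
      assets: true
      asset_filter: "{{ 'linux_' ~ host_architecture ~ '.tar.gz$' }}"
      file: "{{ caddy_lego_dir }}/last_version"
      extract: "{{ caddy_lego_dir }}"
      user: "{{ caddy_user }}"
      group: "{{ caddy_group }}"

# Best-effort cleanup of files shipped in the release tarball: a failure here
# (e.g. the archive layout changed) must not abort certificate issuance.
- block:
    - name: remove unnecessary files
      file:
        path: "{{ (caddy_lego_dir, item) | path_join }}"
        state: absent
      loop:
        - LICENSE
        - CHANGELOG.md
  rescue:
    - meta: noop

- name: set lego parameters
  set_fact:
    # Every operator-supplied value is passed through `quote` (shlex quoting)
    # before being joined into one command line. The zip_longest trick emits
    # one "--domains <name>" argument per entry of caddy_domains.
    lego_params: >-
      {{ [
      ([] | zip_longest(caddy_domains | d([]) | select() | map('quote'), fillvalue='--domains ') | map('join') | list),
      '--server ' ~ (acme_endpoint | quote),
      '--accept-tos',
      '--email ' ~ (acme_email | quote),
      '--key-type ec384',
      '--path ' ~ (caddy_lego_dir | quote),
      '--dns acme-dns',
      '--dns.resolvers ' ~ (acme_dns_resolvers | d('9.9.9.9') | quote),
      '--dns.disable-cp'
      ] | flatten(levels=1) | select() | list | join(' ') }}
    # Options that only apply to `lego renew`; each one is present only when
    # the corresponding variable enables it.
    lego_renewal_params: >-
      {{ [
      (('--days ' ~ (acme_renewal_days | quote)) if acme_renewal_days is defined else ''),
      ('--reuse-key' if acme_reuse_key | d(false) == true else ''),
      ('--no-random-sleep' if acme_no_random_sleep | d(true) == true else '')
      ] | flatten(levels=1) | select() | list | join(' ') }}
    lego_preferred_chain: >-
      {{ '--preferred-chain ' ~ (acme_preferred_chain | quote) if acme_preferred_chain is defined else '' }}

- name: check if lastrun file exists
  stat:
    path: "{{ caddy_lego_lastrun_file }}"
    get_checksum: false
    get_mime: false
  register: lastrun_stat

- name: set initial reissue value
  set_fact:
    lego_must_reissue: true
    lego_full_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} run {{ lego_preferred_chain }}"
    # Not executed in this file; presumably consumed by the lego.service
    # template (lego_systemd.j2) — confirm against the template.
    lego_renew_command: "{{ (caddy_lego_dir, 'lego') | path_join }} {{ lego_params }} renew {{ lego_preferred_chain }} {{ lego_renewal_params }}"

- block:
    - name: get lastrun file contents
      slurp:
        path: "{{ caddy_lego_lastrun_file }}"
      register: file_content
      no_log: true

    # Reissue only when the command line differs from the one recorded by the
    # last successful run (domains, endpoint, key type, ... changed).
    - name: decide whether the certificate must be reissued
      set_fact:
        lego_must_reissue: "{{ (file_content.content | b64decode) != lego_full_command }}"
  when: lastrun_stat.stat.exists

- block:
    # `command` rather than `shell`: every argument is already shlex-quoted,
    # so no shell is needed and no shell expansion can happen.
    - name: issue cert with dns mode
      command:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        # NOTE(review): acme-dns credentials travel to this endpoint — it should
        # be an https:// URL; not enforceable from here.
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: true
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"
  rescue:
    # A timed pause instead of an interactive one, so unattended runs do not
    # block on a TTY before the single retry.
    - name: wait before retrying
      pause:
        seconds: "{{ acme_retry_delay_seconds | d(30) }}"

    - name: retry issuing cert with dns mode
      command:
        cmd: "{{ lego_full_command }}"
        chdir: "{{ caddy_lego_dir }}"
      environment:
        ACME_DNS_API_BASE: "{{ acme_dns_server }}"
        ACME_DNS_STORAGE_PATH: "{{ (caddy_lego_dir, 'accounts.conf') | path_join }}"
      register: result
      become: true
      become_method: "{{ 'su' if ansible_distribution == 'Alpine' else 'sudo' }}"
      become_user: "{{ caddy_user }}"
  when: lego_must_reissue

- block:
    # Record the exact command line so the next run can tell whether the
    # parameters changed. It holds no secrets (the acme-dns credentials live in
    # accounts.conf under the 0700 lego dir).
    - name: save data to lastrun file
      copy:
        content: "{{ lego_full_command }}"
        dest: "{{ caddy_lego_lastrun_file }}"

    - name: defer caddy restart
      debug:
        msg: deferring caddy restart
      changed_when: true
      notify: restart caddy
  when: lego_must_reissue

- name: template systemd files
  template:
    src: "{{ item.src }}.j2"
    dest: "/etc/systemd/system/{{ item.dst }}"
    force: true
    lstrip_blocks: true
    mode: "0644"
  loop:
    - { src: 'lego_systemd', dst: 'lego.service' }
    - { src: 'lego_timer', dst: 'lego.timer' }
  notify: reload systemd daemons

- name: enable lego timer
  systemd:
    name: lego.timer
    state: started
    enabled: true
    # The "reload systemd daemons" handler only fires at the end of the play;
    # reload here so a freshly templated lego.timer can be found and started
    # on the first run.
    daemon_reload: true

# TODO: restart script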