mirror of
https://github.com/KevinMidboe/schleppe-ha-project.git
synced 2026-01-10 02:45:30 +00:00
82 lines
2.6 KiB
YAML
82 lines
2.6 KiB
YAML
---
|
|
- name: Read Cloudflare secrets directory from environment (invalid by default)
|
|
ansible.builtin.set_fact:
|
|
cloudflare_api_key: >-
|
|
{{ lookup('ansible.builtin.env', 'CLOUDFLARE_API_KEY')
|
|
| default('__CLOUDFLARE_API_KEY_NOT_SET__', true) }}
|
|
no_log: true
|
|
|
|
- name: Fail if CLOUDFLARE_API_KEY is not set
|
|
ansible.builtin.assert:
|
|
that:
|
|
- cloudflare_api_key != '__CLOUDFLARE_API_KEY_NOT_SET__'
|
|
fail_msg: >
|
|
CLOUDFLARE_API_KEY environment variable is required
|
|
|
|
- name: Validate dns_cloudflare_api_token looks sane
|
|
ansible.builtin.assert:
|
|
that:
|
|
- cloudflare_api_key is regex('[A-Za-z0-9]$')
|
|
fail_msg: >
|
|
must contain a valid
|
|
CLOUDFLARE_API_KEY = <alphanumeric>
|
|
no_log: false
|
|
|
|
- name: Ensure certbot secrets directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ certbot_secrets_dir }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0700"
|
|
|
|
- name: Write Cloudflare credential file
|
|
ansible.builtin.template:
|
|
src: cloudflare.ini.j2
|
|
dest: "{{ certbot_secrets_dir }}/certbot-cloudflare.ini"
|
|
owner: root
|
|
group: root
|
|
mode: "0600"
|
|
no_log: true
|
|
|
|
- name: Ensure combined cert output directory exists
|
|
ansible.builtin.file:
|
|
path: "{{ combined_certs_dir }}"
|
|
state: directory
|
|
owner: root
|
|
group: root
|
|
mode: "0755"
|
|
|
|
# Request/renew: certbot is already idempotent-ish. We guard with `creates` to avoid
|
|
# re-issuing on first provision runs; renewals happen via cron/systemd timer (recommended).
|
|
- name: Obtain certificate via certbot dns-cloudflare (first issuance)
|
|
ansible.builtin.command: >
|
|
certbot certonly
|
|
--agree-tos
|
|
--non-interactive
|
|
--email {{ certbot_email }}
|
|
--dns-cloudflare
|
|
--dns-cloudflare-credentials {{ certbot_secrets_dir }}/certbot-cloudflare.ini
|
|
-d {{ item }}
|
|
{% if certbot_use_staging %}--staging{% endif %}
|
|
args:
|
|
creates: "/etc/letsencrypt/live/{{ item }}/fullchain.pem"
|
|
loop: "{{ certbot_cloudflare_domains | default([]) }}"
|
|
register: certbot_issue
|
|
changed_when: certbot_issue.rc == 0
|
|
failed_when: certbot_issue.rc != 0
|
|
async: 0
|
|
|
|
# Combine cert+key for Traefik/HAProxy-style PEM bundle
|
|
- name: Combine fullchain + privkey into single PEM bundle
|
|
ansible.builtin.shell: |
|
|
set -euo pipefail
|
|
cat \
|
|
/etc/letsencrypt/live/{{ item }}/fullchain.pem \
|
|
/etc/letsencrypt/live/{{ item }}/privkey.pem \
|
|
> {{ combined_certs_dir }}/{{ combined_cert_prefix }}{{ item }}.pem
|
|
chmod 0600 {{ combined_certs_dir }}/{{ combined_cert_prefix }}{{ item }}.pem
|
|
args:
|
|
executable: /bin/bash
|
|
loop: "{{ certbot_cloudflare_domains | default([]) }}"
|