New certbot role covering standalone and webroot setups

host_vars/wiki.emma.ccchb.de.yml

@@ -10,3 +10,9 @@ user_mgmt:
   fritz:
     state: present
     groups: sudo
+
+certbot_certs:
+  - [ "wiki.ccchb.de" ]
+  - [ "ccchb.de", "www.ccchb.de" ]
+  - [ "files.ccchb.de" ]
+

roles/certbot/defaults/main.yml

@@ -0,0 +1,11 @@
+---
+certbot_admin_email: hostmaster@ccchb.de
+
+certbot_package: letsencrypt
+
+certbot_method: webroot
+certbot_webroot: /var/www/html
+
+certbot_certs: []
+
+certbot_renew: true

roles/certbot/tasks/main.yml

@@ -0,0 +1,22 @@
+---
+- name: Enable certbot timer.
+  systemd:
+    name: certbot.timer
+    enabled: yes
+
+- name: Install certbot.
+  package:
+    name: "{{ certbot_package }}"
+    state: present
+
+- name: Check for presence of certificates.
+  stat:
+    path: "/etc/letsencrypt/live/{{ item | first | replace(\"*.\", \"\") }}/cert.pem"
+  register: certs_presence
+  loop: "{{ certbot_certs }}"
+
+- name: Obtain certificates.
+  include_tasks: 'obtain_{{ certbot_method }}.yml'
+  when: not item.stat.exists
+  loop: "{{ certs_presence.results }}"
+...

roles/certbot/tasks/obtain_standalone.yml

@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+  command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --standalone"
+...

roles/certbot/tasks/obtain_webroot.yml

@@ -0,0 +1,4 @@
+---
+- name: "Obtain certificate for {{ item.item | join(',') }}"
+  command: "certbot certonly --agree-tos -m {{ certbot_admin_email | quote }} -d {{ item.item | join(',') }} --webroot -w {{ certbot_webroot | quote }}"
+...

roles/certbot/templates/certbot.conf.j2

@@ -0,0 +1,4 @@
+location /.well-known/acme-challenge/ {
+	alias {{ certbot_webroot }}/.well-known/acme-challenge/;
+	allow all;
+}

wiki.yml

@@ -4,3 +4,4 @@
   become: yes
   roles:
     - mediawiki
+    - certbot