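---
# Provision an unprivileged certbot setup that obtains wildcard certificates
# through the Gandi LiveDNS API (DNS-01 challenge).
#
# What this play lays out on the target host:
#   /var/lib/letsencrypt                  home of the `letsencrypt` user
#   /var/lib/letsencrypt/etc-letsencrypt  certbot config tree, symlinked from
#                                         /etc/letsencrypt
#   /var/log/letsencrypt                  certbot logs
#   /usr/local/sbin/certbot-gandi.sh      auth hook publishing the
#                                         _acme-challenge TXT record
#
# The `dovecot` user is added to the `letsencrypt` group so it can read the
# issued certificates. Because of that membership, anything the group may
# read is effectively readable by dovecot -- which is why the hook script
# (it embeds the Gandi API key) is owner-only and the directories grant the
# group traverse/read but never write.
#
# Secrets: `gandi_api_key` comes from group_vars/vault.yml and is rendered
# into the hook script at copy time.
- name: lets encrypt play
  hosts: letsencrypt-server
  vars_files:
    - group_vars/vault.yml
  vars:
    ansible_user: root
    package_name: python3-certbot
    letsencrypt_home: /var/lib/letsencrypt
    # TTL (seconds) of the challenge TXT record published by the hook.
    ttl: 300
  tasks:
    - name: install certbot
      package:
        name: "{{ package_name }}"
        state: present

    - name: create letsencrypt service user
      # NOTE(review): the login shell is kept as in the original; if certbot
      # is only ever invoked via cron/sudo, /usr/sbin/nologin would suffice.
      user:
        name: letsencrypt
        shell: /bin/bash
        home: "{{ letsencrypt_home }}"

    - name: create letsencrypt home
      # 0750, not 0770: group members (dovecot) only need to traverse this
      # directory to reach the certificates. Group write here would let a
      # group member rename/replace the etc-letsencrypt tree that
      # /etc/letsencrypt points at.
      file:
        name: "{{ letsencrypt_home }}"
        state: directory
        owner: letsencrypt
        group: letsencrypt
        mode: "0750"

    - name: add dovecot to letsencrypt group
      # Gives dovecot read access to the certificate tree (group r-x below).
      user:
        name: dovecot
        groups: letsencrypt
        append: true

    - name: create log dir
      file:
        name: /var/log/letsencrypt
        state: directory
        recurse: true
        owner: letsencrypt
        group: letsencrypt
        mode: "0750"

    - name: create home etc
      # `recurse: true` re-applies g=rX to everything in the tree on every
      # run, private keys included -- that is what lets dovecot serve TLS.
      # Others get nothing (o-rwx).
      file:
        name: "{{ letsencrypt_home }}/etc-letsencrypt"
        state: directory
        recurse: true
        owner: letsencrypt
        group: letsencrypt
        mode: "u=rwX,g=rX,o-rwx"

    - name: create etc letsencrypt link
      # certbot looks in /etc/letsencrypt by default; point it at the
      # user-owned tree so it never needs to write outside its home.
      file:
        path: /etc/letsencrypt
        src: "{{ letsencrypt_home }}/etc-letsencrypt"
        state: link
        force: true

    - name: install jq (used by the auth hook to parse API responses)
      apt:
        name: jq
        state: present

    - name: create letsencrypt wildcard token script
      # Auth hook for certbot's DNS-01 flow (presumably wired up as
      # --manual-auth-hook; certbot exports CERTBOT_DOMAIN and
      # CERTBOT_VALIDATION into its environment).
      #
      # The Gandi API key is baked into this file, so it is readable and
      # executable by the owner only (0500). 0550 would expose the key to the
      # whole letsencrypt group, i.e. to dovecot.
      copy:
        dest: /usr/local/sbin/certbot-gandi.sh
        content: |
          #!/bin/bash
          # Publish _acme-challenge.<CERTBOT_DOMAIN> as a TXT record in the
          # Gandi LiveDNS zone whose name equals CERTBOT_DOMAIN.
          # Exits non-zero if the zone is unknown, an API call fails, or the
          # API does not confirm the record.
          #
          # NOTE(review): this only works when CERTBOT_DOMAIN is the zone
          # apex (the zone is matched on `.name == CERTBOT_DOMAIN`), and it
          # does not wait for DNS propagation -- confirm against the certbot
          # invocation that calls it.
          set -euo pipefail

          API_KEY='{{ gandi_api_key }}'
          API_BASE=https://dns.api.gandi.net/api/v5
          TXTNAME=_acme-challenge

          # Hand the key to curl as a config file on a pipe instead of a -H
          # argument, so it never appears in `ps` output.
          auth_cfg() { printf 'header = "X-Api-Key: %s"\n' "$API_KEY"; }

          : "${CERTBOT_DOMAIN:?CERTBOT_DOMAIN not set}"
          : "${CERTBOT_VALIDATION:?CERTBOT_VALIDATION not set}"

          # -f makes an HTTP error a non-zero exit (caught by set -e);
          # -S keeps the error message despite -s.
          APIURL="$( curl -sSf -K <(auth_cfg) "$API_BASE/zones" \
                     | jq -r --arg d "$CERTBOT_DOMAIN" \
                         '.[] | select(.name==$d) | .zone_records_href' )"
          if [[ -z "$APIURL" ]]; then
            echo "certbot-gandi: no LiveDNS zone named '$CERTBOT_DOMAIN'" >&2
            exit 1
          fi

          # Build the body with jq so the validation token is JSON-escaped
          # rather than spliced into a hand-written string.
          BODY="$( jq -cn --argjson ttl {{ ttl }} --arg v "$CERTBOT_VALIDATION" \
                     '{rrset_ttl: $ttl, rrset_values: [$v]}' )"

          # PUT replaces the whole rrset at this name. NOTE(review): two
          # challenges on the same name (e.g. apex + wildcard in one
          # certificate) would therefore overwrite each other -- confirm.
          CURL_OUTPUT="$( curl -sSf -X PUT -K <(auth_cfg) \
                            -H 'Content-Type: application/json' \
                            -d "$BODY" "$APIURL/$TXTNAME/TXT" )"
          if [[ ! $CURL_OUTPUT =~ "DNS Record Created" ]]; then
            echo "certbot-gandi: unexpected API response: $CURL_OUTPUT" >&2
            exit 1
          fi
        mode: "0500"
        owner: letsencrypt
        group: letsencrypt

    - name: disable certbot timer
      # The packaged timer would run renewals as root; renewals are meant to
      # run as the letsencrypt user instead (that schedule is not defined in
      # this play).
      systemd:
        name: certbot.timer
        state: stopped
        enabled: false

    - name: overwrite certbot cron, so that it is no longer triggered as root
      # NOTE(review): emptying the file rather than deleting it presumably
      # relies on dpkg treating it as a modified conffile on upgrade, so the
      # root job is not silently restored -- confirm.
      copy:
        dest: /etc/cron.d/certbot
        content: ""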