Kapisi/roles/SSL/tasks/main.yml

---

 - name: SSL packages
   become: yes
   package:
     name:
      - certbot
      - openssl

 - name: LetsEncrypt directories
   become: yes
   file:
     path: "{{ item }}"
     owner: root
     group: ssl
     mode: 0750
   loop:
     - /etc/letsencrypt
     - /etc/certbot

 - name: Service timer
   become: yes
   register: services
   copy:
     src: "certbot.timer"
     dest: /usr/lib/systemd/system/certbot.timer
     owner: root
     group: root
     mode: 0644

 # per https://www.cloudns.net/wiki/article/448/
 - name: ClouDNS configuration
   become: yes
   template:
     src: "certbot.conf.j2"
     dest: /etc/certbot/certbot.conf
     owner: root
     group: root
     mode: 0600

 - name: Create virtual environment and install package
   become: yes
   command:
     cmd: "python3 -m venv /etc/certbot/venv && /etc/certbot/venv/bin/pip3 install certbot-dns-cloudns"
     creates: /etc/certbot/venv

 - name: Service
   become: yes
   template:
     src: "certbot.service.j2"
     dest: /usr/lib/systemd/system/certbot.service
     owner: root
     group: root
     mode: 0600

 - name: Enable timer
   when: services.changed
   become: yes
   systemd:
     daemon_reload: yes
     name: certbot.timer
     enabled: yes
     state: started

 - name: Create letsencrypt folder
   become: yes
   file:
     path: /var/lib/letsencrypt
     owner: root
     group: http
     mode: 2755

 - name: Remove old TLSA script
   become: yes
   file:
     path: /usr/local/sbin/tlsa-generation.bash
     state: absent

 - name: Copy record generator script
   become: yes
   template:
     src: record-generation.bash.j2
     dest: /usr/local/sbin/record-generation.bash
     owner: root
     group: root
     mode: 0700

 - debug:
     msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`---`

			`- name: SSL packages`
			`become: yes`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00			`package:`
			`name:`
Updating Ubiqtorate 2020-10-08 16:33:19 -05:00			`- certbot`
			`- openssl`
Catching up with current successes 2022-01-25 23:54:43 -06:00
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00			`- name: LetsEncrypt directories`
Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00			`become: yes`
			`file:`
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00			`path: "{{ item }}"`
Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00			`owner: root`
			`group: ssl`
			`mode: 0750`
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00			`loop:`
			`- /etc/letsencrypt`
			`- /etc/certbot`
Updates for Raspberry Pi 12 Bookworm 2024-07-23 14:18:32 -05:00
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00			`- name: Service timer`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`become: yes`
			`register: services`
			`copy:`
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00			`src: "certbot.timer"`
			`dest: /usr/lib/systemd/system/certbot.timer`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`owner: root`
			`group: root`
			`mode: 0644`
Moving LetsEncrypt to ClouDNS API validation -- some LetsEncrypt queries come from non-US origins. 2026-01-13 02:10:33 -06:00
			`# per https://www.cloudns.net/wiki/article/448/`
			`- name: ClouDNS configuration`
			`become: yes`
			`template:`
			`src: "certbot.conf.j2"`
			`dest: /etc/certbot/certbot.conf`
			`owner: root`
			`group: root`
			`mode: 0600`

			`- name: Create virtual environment and install package`
			`become: yes`
			`command:`
			`cmd: "python3 -m venv /etc/certbot/venv && /etc/certbot/venv/bin/pip3 install certbot-dns-cloudns"`
			`creates: /etc/certbot/venv`

			`- name: Service`
			`become: yes`
			`template:`
			`src: "certbot.service.j2"`
			`dest: /usr/lib/systemd/system/certbot.service`
			`owner: root`
			`group: root`
			`mode: 0600`
Catching up with current successes 2022-01-25 23:54:43 -06:00
			`- name: Enable timer`
			`when: services.changed`
Updates to fix certbot.service issues reloading 2022-10-01 23:54:40 -05:00			`become: yes`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`systemd:`
			`daemon_reload: yes`
			`name: certbot.timer`
			`enabled: yes`
			`state: started`
Whitespace cleanup to get in sync with AniNIX/Uniglot hooks 2022-11-20 20:03:01 -06:00
Catching up with current successes 2022-01-25 23:54:43 -06:00			`- name: Create letsencrypt folder`
			`become: yes`
			`file:`
			`path: /var/lib/letsencrypt`
			`owner: root`
			`group: http`
			`mode: 2755`

AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00			`- name: Remove old TLSA script`
			`become: yes`
			`file:`
			`path: /usr/local/sbin/tlsa-generation.bash`
			`state: absent`

			`- name: Copy record generator script`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`become: yes`
			`template:`
AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00			`src: record-generation.bash.j2`
			`dest: /usr/local/sbin/record-generation.bash`
Catching up with current successes 2022-01-25 23:54:43 -06:00			`owner: root`
			`group: root`
			`mode: 0700`

AniNIX/Wiki#21 -- effecting renames for policy 2024-04-01 00:44:23 -05:00			`- debug:`
			msg: 'Run `sudo /usr/local/sbin/record-generation.bash` to generate a zonefile for import into a DNS provider.'