--- - name: Install certbot and certbot Cloudflare plugin package: name: - python3-certbot - python3-certbot-dns-cloudflare state: present tags: - role::certbot - name: Generate Cloudflare credentials file copy: content: | # This file is managed by Ansible dns_cloudflare_api_token = {{ certbot_cloudflare_token }} dest: /etc/letsencrypt/cloudflare.ini owner: root group: root mode: "0400" tags: - role::certbot - name: Create cert-users group group: name: cert-users state: present tags: - role::certbot - name: Create certificate directories on hosts file: path: '{{ item }}' recurse: true state: directory owner: root group: cert-users # User read/write/dir execute (list), group read/dir execute (list) mode: "u=rwX,g=rX" with_items: - /etc/letsencrypt/live - /etc/letsencrypt/archive tags: - role::certbot - name: Request certificates for configured domains command: | certbot certonly --agree-tos --non-interactive --email {{ certbot_email }} --dns-cloudflare --dns-cloudflare-credentials /etc/letsencrypt/cloudflare.ini -d {{ item }} args: creates: "/etc/letsencrypt/live/{{ item | split(',') | first }}/fullchain.pem" with_items: - "{{ inventory_hostname }}.box.pydis.wtf" - "{{ certbot_domains[inventory_hostname] }}" tags: - role::certbot - name: Add authorized users to cert-users group user: name: '{{ item }}' groups: cert-users append: true with_items: - "{{ certbot_cert_users[inventory_hostname] }}" when: "inventory_hostname in certbot_cert_users" tags: - role::certbot # BEGIN temporary cleanup task - name: Remove old hook file ansible.builtin.file: path: /etc/letsencrypt/renewal-hooks/deploy/reload-nginx state: absent # END temporary cleanup task - name: Reload services after certificate renewal ansible.builtin.copy: content: | #!/bin/sh set -ex systemctl reload nginx {% if certbot_reload_services %} systemctl reload {{ certbot_reload_services | join(" ") }} {% endif %} dest: /etc/letsencrypt/renewal-hooks/deploy/reload-services owner: root group: root mode: "0500"