This obtains and automatically renews Let's Encrypt certificates, but does nothing further with them: the certificate and its private key stay inside the certbot volume. You need additional logic (for example a deploy hook or follow-up task that copies them out and reloads nginx) to actually use them.
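---
# Obtain and periodically renew a Let's Encrypt certificate with a rootless
# certbot container driven by a user-scope systemd timer.
#
# Required variables (supplied by the caller / role defaults):
#   sce_certbot_domains       value passed verbatim to `certbot --domains`
#                             (expected to be a comma-separated string)
#   sce_certbot_email         account e-mail passed to `--email`
#   sce_certbot_port_mapping  podman port mapping (e.g. "80:80") so the
#                             standalone HTTP-01 responder is reachable; note
#                             that a rootless container cannot bind a host port
#                             below 1024 unless the host permits it
# Optional:
#   sce_certbot_image         image reference. Defaults to the unpinned upstream
#                             image for backward compatibility; pin it to a tag
#                             or, better, an @sha256 digest in production so a
#                             changed or compromised "latest" cannot be pulled
#                             into the unit that holds your private keys.
#
# The account key, certificates and private keys persist in the certbot-etc
# volume. Nothing here deploys them to a web server.

- name: Create Certbot volumes
  containers.podman.podman_volume:
    name: "{{ item }}"
    state: present
  loop:
    - certbot-etc        # mounted at /etc/letsencrypt: account, certs, private keys
    - certbot-var-lib    # mounted at /var/lib/letsencrypt: certbot working data

- name: Create LetsEncrypt container
  containers.podman.podman_container:
    name: certbot
    state: present
    # Unpinned by default to keep existing callers working; override
    # sce_certbot_image with a tag or digest to pin the supply chain.
    image: "{{ sce_certbot_image | default('docker.io/certbot/certbot') }}"
    # certonly with -n (non-interactive) so the timer can run it unattended.
    # --keep-until-expiring states explicitly that an existing certificate
    # which is not yet due for renewal is kept rather than reissued; reissuing
    # on every timer run would hit Let's Encrypt's duplicate-certificate limit.
    command: >-
      certonly -n --standalone --keep-until-expiring
      --domains {{ sce_certbot_domains }}
      --agree-tos --email {{ sce_certbot_email }}
    volumes:
      - certbot-etc:/etc/letsencrypt
      - certbot-var-lib:/var/lib/letsencrypt
    ports:
      - "{{ sce_certbot_port_mapping }}"
    generate_systemd:
      # Writes container-certbot.service next to the timer installed below.
      # NOTE(review): whether "~" is expanded here is up to the podman
      # collection; the template task below relies on Ansible's own expansion.
      path: ~/.config/systemd/user
      # If validation fails a number of times in a pre-defined window, Let's
      # Encrypt rate-limits us. "no" stops systemd from restarting a failed run
      # in a tight loop; the timer simply retries on its next schedule.
      #
      # The quotes are required: an unquoted no is the YAML 1.1 boolean false
      # (the "Norway problem"), and podman expects the literal string "no".
      restart_policy: "no"
  notify: Reload user systemd daemon

- name: Install systemd files for certbot certificate renewal
  ansible.builtin.template:
    src: "{{ filename }}.j2"
    dest: "~/.config/systemd/user/{{ filename }}"
    # Owner read/write only plus group read; the unit file is not world-readable.
    mode: "0640"
  vars:
    filename: container-certbot.timer
  notify: Reload user systemd daemon

# Must be placed here to ensure proper ordering of events: the daemon-reload
# handler has to run before the timer unit below can be enabled and started.
- name: Flush handlers
  ansible.builtin.meta: flush_handlers

- name: Ensure certbot timer unit is enabled and started
  ansible.builtin.systemd_service:
    name: container-certbot.timer
    state: started
    scope: user
    enabled: true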