Diffstat (limited to 'roles/certbot')
-rw-r--r--roles/certbot/defaults/main.yml10
-rw-r--r--roles/certbot/files/etc/pki/tls/certbot-post.sh40
-rw-r--r--roles/certbot/meta/main.yml4
-rw-r--r--roles/certbot/tasks/main.yml50
-rw-r--r--roles/certbot/vars/main.yml13
5 files changed, 117 insertions, 0 deletions
diff --git a/roles/certbot/defaults/main.yml b/roles/certbot/defaults/main.yml
new file mode 100644
index 0000000..9174deb
--- /dev/null
+++ b/roles/certbot/defaults/main.yml
@@ -0,0 +1,10 @@
+certificate_email: 'root@{{ email_domain }}'
+
+certificate_sans: '{{ [ansible_fqdn] + cnames }}'
+certificate_type: ecdsa
+certificate_size: 2048
+
+certificate_owner: root
+certificate_mode: 0400
+
+certificate_use_apache: no
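Review bot: `certificate_use_apache: no` and `certificate_mode: 0400` both lean on YAML 1.1 implicit typing: `no` is a boolean only under 1.1 rules, and `0400` is loaded as the integer 256, which `vars/main.yml` turns back into a mode string with `'%0o'`. That formatting only works while the value stays an integer; a consumer who overrides it as a quoted string or with `-e certificate_mode=0600` (key=value extra-vars are strings) gets a TypeError from the `%o` format rather than a mode. I would write `certificate_use_apache: false` and document the constraint above the mode: `# octal integer literal, not a string: vars/main.yml renders it with '%0o'`. The file has no comments at all; a one-line note per default, including that `cnames` and `email_domain` must come from the inventory, would make the role usable without reading the tasks.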
diff --git a/roles/certbot/files/etc/pki/tls/certbot-post.sh b/roles/certbot/files/etc/pki/tls/certbot-post.sh
new file mode 100644
index 0000000..b39ef67
--- /dev/null
+++ b/roles/certbot/files/etc/pki/tls/certbot-post.sh
@@ -0,0 +1,40 @@
+#!/bin/bash
+
+exec 1> >(logger -s -t $(basename "$0")) 2>&1
+
+usage() {
+ echo "$0 -c CERT_PATH -k KEY_PATH [-o OWNER] [-m MODE] [POST_COMMAND ...]"
+ exit 1
+}
+
+OWNER=root:root
+MODE=400
+
+while getopts ':c:k:m:o:' opt; do
+ case $opt in
+ c) CERT_PATH=$OPTARG ;;
+ k) KEY_PATH=$OPTARG ;;
+ m) MODE=$OPTARG ;;
+ o) OWNER=$OPTARG ;;
+ *) usage ;;
+ esac
+done
+
+shift $((OPTIND-1))
+
+if [ -z "$CERT_PATH" -o -z "$KEY_PATH" ]; then
+ usage
+fi
+
+OWNER_USER=${OWNER%:*}
+OWNER_GROUP=${OWNER#*:}
+OWNER_GROUP=${OWNER_GROUP:-$OWNER_USER}
+
+install -v -m "$MODE" -o "${OWNER_USER}" -g "${OWNER_GROUP}" "${RENEWED_LINEAGE}/fullchain.pem" "$CERT_PATH"
+install -v -m "$MODE" -o "${OWNER_USER}" -g "${OWNER_GROUP}" "${RENEWED_LINEAGE}/privkey.pem" "$KEY_PATH"
+
+# run post-command
+if (($#)); then
+ echo "running post-command: $*"
+ "$@"
+fi
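Review bot: The script has no error handling, so a failed `install` — for instance when `RENEWED_LINEAGE` is empty because the script was run outside certbot's deploy-hook context, turning the source into `/fullchain.pem` — still falls through to the post-command on the last lines, which may reload a service against stale or missing key material. Add `set -eo pipefail` directly after the shebang and guard the environment variable before the two `install` calls with `: "${RENEWED_LINEAGE:?must be set by certbot deploy-hook}"`. Also, `-o` inside `[ ... ]` is obsolescent in POSIX; `[ -z "$CERT_PATH" ] || [ -z "$KEY_PATH" ]` is the portable form, and `$(basename "$0")` on the `exec` line should be double-quoted.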
diff --git a/roles/certbot/meta/main.yml b/roles/certbot/meta/main.yml
new file mode 100644
index 0000000..29230f9
--- /dev/null
+++ b/roles/certbot/meta/main.yml
@@ -0,0 +1,4 @@
+dependencies:
+ - role: yum
+ yum_repositories: epel
+ tags: yum
diff --git a/roles/certbot/tasks/main.yml b/roles/certbot/tasks/main.yml
new file mode 100644
index 0000000..3df7304
--- /dev/null
+++ b/roles/certbot/tasks/main.yml
@@ -0,0 +1,50 @@
+- name: install certbot
+ dnf:
+ name: certbot
+ state: installed
+
+- name: allow HTTP through firewall
+ firewalld:
+ service: http
+ permanent: yes
+ immediate: yes
+ state: enabled
+ tags: firewalld
+
+- name: copy certbot hook script
+ copy:
+ src: etc/pki/tls/certbot-post.sh
+ dest: '{{ certificate_postcmd_path }}'
+ mode: 0555
+
+- name: create certbot webroot path
+ file:
+ path: '{{ certificate_webroot_path }}'
+ state: directory
+ when: certificate_use_apache
+
+- name: retrieve certificate from letsencrypt
+ command:
+ cmd: >-
+ certbot certonly
+ --noninteractive
+ --agree-tos
+ --no-eff-email
+ --key-type {{ certificate_type | lower }}
+ --rsa-key-size {{ certificate_size }}
+ --email {{ certificate_email }}
+ {% if certificate_use_apache %}
+ --webroot
+ --webroot-path {{ certificate_webroot_path }}
+ {% else %}
+ --standalone
+ {% endif %}
+ --deploy-hook {{ certificate_postcmd_argv | quote }}
+ --domains {{ certificate_sans | join(',') }}
+ creates: '{{ certificate_path }}'
+
+- name: enable certbot renew timer
+ systemd:
+ name: certbot-renew.timer
+ enabled: yes
+ state: started
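Review bot: `creates: '{{ certificate_path }}'` references a variable that none of the five role files in this commit defines, as do `certificate_key_path`, `cnames` and `email_domain` used by the defaults and vars, so a play that does not supply them from inventory fails with an undefined-variable error at this task. Either give them entries in `defaults/main.yml` or state the requirement in a comment at the top of this file, e.g. `# requires certificate_path, certificate_key_path, cnames and email_domain from the inventory`. The `yes` values on the firewalld and systemd tasks should be `true` to avoid YAML 1.1 truthy ambiguity. The webroot branch also presumes a web server already serves `{{ certificate_webroot_path }}` under `/.well-known/acme-challenge/`; nothing in this role configures that, so it deserves a comment on the `create certbot webroot path` task.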
diff --git a/roles/certbot/vars/main.yml b/roles/certbot/vars/main.yml
new file mode 100644
index 0000000..9045602
--- /dev/null
+++ b/roles/certbot/vars/main.yml
@@ -0,0 +1,13 @@
+certificate_postcmd_path: /etc/pki/tls/certbot-post.sh
+
+certificate_postcmd_argv: >-
+ {{ certificate_postcmd_path }}
+ -o {{ certificate_owner }}
+ -m {{ '%0o' % certificate_mode }}
+ -k {{ certificate_key_path }}
+ -c {{ certificate_path }}
+ {% if certificate_hook is defined %}
+ {{ certificate_hook }}
+ {% endif %}
+
+certificate_webroot_path: /var/www/letsencrypt
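Review bot: `certificate_postcmd_argv` is a shell command line (certbot runs `--deploy-hook` through a shell), but the interpolated `certificate_owner`, `certificate_key_path` and `certificate_path` are not quoted, so a path or owner containing whitespace or shell metacharacters is split or interpreted by that shell before `certbot-post.sh` sees it. Apply `| quote` to each scalar, e.g. `-o {{ certificate_owner | quote }}`, `-k {{ certificate_key_path | quote }}`, `-c {{ certificate_path | quote }}`; `certificate_hook` should stay unquoted only if it is intentionally a full command line, which is worth a comment above the `{% if %}`. Separately, `certificate_webroot_path` lives in `vars/main.yml`, which takes precedence over inventory and play vars, so consumers cannot override it; if it is meant to be configurable it belongs in `defaults/main.yml`.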