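---
# Provision TLS material for `servername`: generate strong DH parameters,
# then either restore a previously saved certificate tarball from the
# control machine or request a new certificate from Let's Encrypt, and
# expose the result under /etc/letsencrypt/live/<servername>.
# Requires the variables `servername` and `adminemail`. Tasks run as root
# unless stated otherwise.

- name: Generate Diffie Hellman parameters; takes a few minutes
  # `command` instead of `shell`: no shell features are used, so the
  # invocation never goes through /bin/sh. `creates` keeps it idempotent.
  command: openssl dhparam -out /etc/ssl/certs/dhparam.pem 4096
  args:
    creates: /etc/ssl/certs/dhparam.pem

- name: Test for existing certificate tar file
  # Looked up on the control machine, not on the managed host.
  stat:
    path: "{{ servername }}-certs.tar"
  delegate_to: localhost
  become: false
  register: certtarfile

- name: Test for existing certificate on server
  stat:
    path: /etc/letsencrypt/archive/{{ servername }}/privkey1.pem
  register: certfile

- name: Test for existing live directory
  # NOTE: this is evaluated before the certbot block below may run.
  stat:
    path: /etc/letsencrypt/live/{{ servername }}
  register: livedir

- name: Set up Letsencrypt license
  block:
    - apt:
        name: [letsencrypt]
    # `quote` shell-escapes the templated values so an unexpected
    # servername or adminemail cannot split or extend the command line.
    - command: >-
        certbot certonly --standalone -d {{ servername | quote }}
        -n --agree-tos -m {{ adminemail | quote }}
    # When JupyterHub is run standalone (without Nginx),
    # the jupyterhub account needs to be able to read the certificate.
    # Ensure the base directory is readable by all, and
    # let the JupyterHub account own the relevant subdirectory.
    # For use with Nginx, root permissions are fine.
    # - file:
    #     path: /etc/letsencrypt/archive
    #     mode: "0755"
    # - file:
    #     path: /etc/letsencrypt/archive/{{ servername }}
    #     owner: jupyterhub
    #     group: jupyterhub
  when: not (certtarfile.stat.exists or certfile.stat.exists)

- name: Copy and untar existing certificates
  block:
    - file:
        path: /etc/letsencrypt/archive/{{ servername }}/
        state: directory
    - unarchive:
        src: "{{ servername }}-certs.tar"
        dest: /etc/letsencrypt/archive/{{ servername }}/
        group: root
        owner: root
  when: certtarfile.stat.exists and not certfile.stat.exists

- name: Create link for live directory with certificates
  block:
    - file:
        path: /etc/letsencrypt/live
        state: directory
    - file:
        src: /etc/letsencrypt/archive/{{ servername }}
        dest: /etc/letsencrypt/live/{{ servername }}
        state: link
  # `livedir` was collected before certbot ran, and certbot creates the live
  # directory itself; linking after a fresh certbot run would hit a real
  # directory and fail. Only link when the certificate came from the
  # tarball or was already present (the condition that skipped certbot).
  when: >-
    not livedir.stat.exists
    and (certtarfile.stat.exists or certfile.stat.exists)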