-
Notifications
You must be signed in to change notification settings - Fork 0
/
main.yml
77 lines (66 loc) · 3.08 KB
/
main.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
---
certbot_enabled: true
# Set to false to completely disable the role
certbot_auto_renew: true
certbot_auto_renew_user: "{{ ansible_user | default(lookup('env', 'USER')) }}"
certbot_auto_renew_hour: "3"
certbot_auto_renew_minute: "30"
certbot_auto_renew_options: "--quiet --no-self-upgrade"
# By default, this role configures a systemd timer to run under the provided
# user account at the given hour and minute, every day. The defaults run
# `certbot renew` every day at 03:30:00 by the user
# you use in your Ansible playbook. It's preferred that you set a custom
# user/hour/minute so the renewal is during a low-traffic period and done by
# a non-root user account. Set `certbot_auto_renew` to false to disable
# automatic updating.
certbot_create_if_missing: false
# Set to true to let this role generate certs.
certbot_create_method: standalone
# Currently, this is the only supported method to generate certificates.
certbot_admin_email: [email protected]
# The email address used to agree to Let's Encrypt's TOS and subscribe to
# cert-related notifications. This should be customized and set to an email
# address that you or your organization regularly monitors.
certbot_certs: []
# - email: [email protected]
# domains:
# - example1.com
# - example2.com
# - domains:
# - example3.com
# A list of domains (and other data) for which certs should be generated. You
# can add an `email` key to any list item to override the `certbot_admin_email`.
certbot_create_command: >-
certbot certonly --standalone --noninteractive --agree-tos
--email {{ cert_item.email | default(certbot_admin_email) }}
-d {{ cert_item.domains | join(',') }}
# The `certbot_create_command` defines the command used to generate the cert.
certbot_hooks_enable: true
# Set to true to create pre and post hooks that will run before and after
# creating/renewing certificates. This is useful to eg stop web servers from
# running on port 80/443 so that certbot can run its own server (in standalone
# mode) and request the certificates.
certbot_hooks_pre: []
certbot_hooks_post: []
# By default, if `certbot_hooks_enable` is true, the role will install a pre and
# a post hook that will disable and enable the services defined in
# `certbot_hooks_services` before and after generating/renewing
# certificates. If you want more stuff to happen as part of the hooks, you can
# use these two lists to define blocks of shell commands that you want to run.
# Eg:
# certbot_hooks_pre:
# - |
# chmod -R ubuntu:ubuntu /etc/letsencrypt/
# rm -rf /tmp/*
certbot_hooks_services:
- nginx
# - apache
# - varnish
# Services that should be stopped while `certbot` runs it's own standalone
# server on ports 80 and 443. If you're running Apache, set this to `apache2`
# (Ubuntu), or `httpd` (RHEL), or if you have Nginx on port 443 and something
# else on port 80 (e.g. Varnish, a Java app, or something else), add it to the
# list so it is stopped when the certificate is generated. These services will
# only be stopped the first time a new cert is generated.
certbot_dir: /opt/certbot
# Where to put Certbot when installing from source.