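---
# Obtain a Let's Encrypt certificate with certbot (standalone HTTP challenge)
# and install a systemd timer/service pair that handles renewal.
#
# Variables expected from the caller:
#   letsencrypt_email            - contact address passed to certbot --email
#   certbot_site_fqdn            - primary name on the certificate
#   certbot_site_alternate_fqdns - list of additional names (may be empty)
#   webserver_name               - only used by the commented-out tasks below

- name: 'install certbot'
  apt:
    pkg:
      - 'certbot'
      - 'sendmail-bin'
      - 'cron'
    state: 'present'
    update_cache: true
    # Skip the apt cache refresh if it was updated within the last hour.
    cache_valid_time: 3600
  tags:
    - 'packages'

# Standard nginx installation should not listen on port 80
# -> This is probably not required.
#- name: 'shutdown webservers'
#  service:
#    name: '{{ webserver_name }}'
#    state: 'stopped'
#  ignore_errors: true

# The standalone authenticator binds port 80 itself, so nothing else may be
# listening there while this task runs. The folded scalar is joined into a
# single command line; `command` does not go through a shell, so the
# templated values are passed as plain arguments.
- name: 'request certificate'
  command: >
    certbot certonly -a standalone --agree-tos --email {{ letsencrypt_email }}
    --preferred-challenges http
    -d {{ certbot_site_fqdn }}
    {% for fqdn in certbot_site_alternate_fqdns %} -d {{ fqdn }} {% endfor %}
    -n
  args:
    # Makes the task idempotent: once the certificate exists, certbot is not
    # invoked again on later runs (renewal is handled by the timer below).
    creates: '/etc/letsencrypt/live/{{ certbot_site_fqdn }}/cert.pem'
  tags:
    - 'tls_pub'

#- name: 'restart webservers'
#  service:
#    name: '{{ webserver_name }}'
#    state: 'started'
#  ignore_errors: true

# Unit files are rendered with explicit root ownership and 0644 so their
# permissions do not depend on the remote umask; systemd reads them as root
# and they must never be writable by unprivileged users.
- name: 'add systemd timer for cert renewal'
  template:
    src: 'certbot.timer'
    dest: '/etc/systemd/system/certbot.timer'
    owner: 'root'
    group: 'root'
    mode: '0644'
  tags:
    - 'tls_pub'

- name: 'add systemd service for cert renewal'
  template:
    src: 'certbot.service'
    dest: '/etc/systemd/system/certbot.service'
    owner: 'root'
    group: 'root'
    mode: '0644'
  tags:
    - 'tls_pub'

- name: 'enable timer'
  systemd:
    name: 'certbot.timer'
    state: 'started'
    enabled: true
    # Reload systemd first so the freshly rendered unit files are picked up.
    daemon_reload: true
  tags:
    - 'tls_pub'
...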