Sourcing environment variables from the playbook was redundant.

README.md

@@ -2,6 +2,8 @@
 
 This role runs [acme-lego](https://go-acme.github.io/lego/) on the localhost, such that the acme account and DNS api credentials are never communicated to the server. It also creates boilerplate nginx configuration in accordance with the Mozilla's recomended TLS configuration.
 
+This role supports using multiple providers at the same time, just source all the credentials needed beforehand.
+
 ## Requirements
 
 The `nginx_config` role which is distributed in the nginx_core collection.
@@ -23,6 +25,16 @@ acme_domains:
   - { domain: myhost.example.com, provider: easydns }
 ```
 
+Lego uses environment variables to authenticate to your DNS provider. You should source those secrets as environment variables before running the playbook.
+
+If for some reason you cannot source the environment variables ahead of running the playbook, you can define them as Ansible variables.
+
+```yaml
+lego_environment:
+  - NAMECHEAP_API_USER: '...'
+  - NAMECHEAP_API_KEY: '...'
+```
+
 ## Secrets
 
 The api keys are sprinkled throughout the task as environment variables until I come up with a smarter way to do that.

defaults/main.yml

@@ -4,12 +4,11 @@ acme_system_user: acme
 acme_system_group: acme
 nginx_config_dhparam: "{{ acme_path }}/dhparams.pem"
 nginx_user: nginx
-#EASYDNS_TOKEN: "{{ lookup('ansible.builtin.env', 'EASYDNS_TOKEN') }}"
-#EASYDNS_KEY: "{{ lookup('ansible.builtin.env', 'EASYDNS_KEY') }}"
-NAMECHEAP_API_USER: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_USER') }}"
-NAMECHEAP_API_KEY: "{{ lookup('ansible.builtin.env', 'NAMECHEAP_API_KEY') }}"
 
-# lego_path refers to the local ansible user's home directory, used in delegate_to: localhost
+lego_environment:
+  EXAMPLE_DNS_PROVIDER_USERNAME: "example"
+
+# lego_path refers to the local ansible user's home directory, used in a task with delegate_to: localhost
 lego_path: ~/.secrets/acme
 # This might work if the playbook is executing as the local user:
 #lego_path: "{{ ansible_env.HOME }}/.secrets/acme/certificates"

tasks/lego.yml

@@ -24,11 +24,8 @@
   changed_when: False
   ignore_errors: true
   tags: lego
-  environment:
+  environment: []
-#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
+# environment: "{{ lego_environment }}"
-#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
-    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
-    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
   
 - name: Print lego output with dns.disable-cp
   ansible.builtin.debug:
@@ -47,11 +44,8 @@
   delegate_to: localhost
   changed_when: False
   tags: lego
-  environment:
+  environment: []
-#   EASYDNS_TOKEN: "{{ EASYDNS_TOKEN }}"
+# environment: "{{ lego_environment }}"
-#   EASYDNS_KEY: "{{ EASYDNS_KEY }}"
-    NAMECHEAP_API_USER: "{{ NAMECHEAP_API_USER }}"
-    NAMECHEAP_API_KEY: "{{ NAMECHEAP_API_KEY }}"
   
 - name: Print lego output without dns.disable-cp
   ansible.builtin.debug:

tasks/main.yml

@@ -1,11 +1,12 @@
 ---
-- name: Assert all secrets have been configured.
+- name: Assert secrets have been configured.
   ansible.builtin.assert:
     that:
-      - NAMECHEAP_API_USER != ''
+      - acme_domains is defined
-      - NAMECHEAP_API_KEY != ''
+      - acme_email is defined
-    fail_msg: "FAILED: Secrets have not been configured."
+      - acme_email != ''
-  no_log: true
+    fail_msg: "FAILED: No ACME variables have been configured for this host."
+# no_log: true
 
 - name: Set up the ACME system user and group.
   import_tasks: setup-user.yml