
Ansible Role: lego

This role runs the lego ACME client on localhost (the Ansible controller), so the ACME account key and the DNS provider API credentials are never sent to the managed server; only the issued certificates are. It also creates boilerplate nginx configuration following Mozilla's recommended TLS configuration.

Requirements

The nginx_config role, which is distributed in the nginxinc.nginx_core collection:

collections:
  - name: nginxinc.nginx_core

It is not listed in the meta dependencies, since a meta dependency runs before the role itself and would therefore execute out of sequence.

Role Variables

A single ACME account (identified by acme_email) can cover multiple domains, each with its own DNS provider:

acme_email: acme@example.com
acme_domains:
  - { domain: myhost.example.com, provider: easydns }

Secrets

The DNS provider API keys are currently set as environment variables scattered through the tasks, pending a cleaner way of passing them in.

File Permissions

Access to the certificates and keys is controlled with Unix file permissions. The files are owned by the acme system user and group, so each service that needs the certificates only has to be a member of the acme group.

The role can renew certificates from multiple DNS providers; the only one the author currently uses is Namecheap. To use another provider, edit the environment variables in the following files:

  • main.yml
  • tasks/certificates.yml
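The following playbook is an added illustration of how the two points above (DNS credentials staying on the controller, certificate access via the acme group) fit together; it is not the role's own task file. The variables acme_provider_env, the vault_* values it references, lego_path, acme_cert_dir and nginx_user are assumptions made for this example. The lego flags and the certificates/<domain>.crt and .key output layout are those of the lego CLI; the per-provider environment variable names are the ones lego documents for each provider and should be checked against its provider page.

```yaml
# Added illustration, not tasks from the bleetube.lego role. Assumed names:
# acme_provider_env (a Vault-encrypted dict keyed by lego provider name),
# lego_path, acme_cert_dir and nginx_user.
- name: Issue certificates on the controller, install them on the managed host
  hosts: all
  vars:
    lego_path: "{{ playbook_dir }}/.lego"   # account key and certs stay on localhost
    acme_cert_dir: /etc/acme
    nginx_user: www-data
    # In a real deployment this dict lives in an Ansible Vault file; the inner
    # keys are the environment variable names lego reads for each provider.
    acme_provider_env:
      namecheap:
        NAMECHEAP_API_USER: "{{ vault_namecheap_api_user }}"
        NAMECHEAP_API_KEY: "{{ vault_namecheap_api_key }}"
      easydns:
        EASYDNS_TOKEN: "{{ vault_easydns_token }}"
        EASYDNS_KEY: "{{ vault_easydns_key }}"
  tasks:
    - name: Obtain a certificate with lego on the controller (skipped if one exists)
      ansible.builtin.command:
        argv:
          - lego
          - --accept-tos
          - --email
          - "{{ acme_email }}"
          - --path
          - "{{ lego_path }}"
          - --dns
          - "{{ item.provider }}"
          - --domains
          - "{{ item.domain }}"
          - run
        creates: "{{ lego_path }}/certificates/{{ item.domain }}.crt"
      environment: "{{ acme_provider_env[item.provider] }}"
      delegate_to: localhost
      become: false
      no_log: true   # keep the API credentials out of Ansible output and logs
      loop: "{{ acme_domains }}"

    - name: Create the acme system group and user and the certificate directory
      become: true
      block:
        - ansible.builtin.group:
            name: acme
            system: true
        - ansible.builtin.user:
            name: acme
            group: acme
            system: true
            shell: /usr/sbin/nologin
            create_home: false
        - ansible.builtin.file:
            path: "{{ acme_cert_dir }}"
            state: directory
            owner: acme
            group: acme
            mode: "0750"

    - name: Install certificate and key, readable by the acme group only
      ansible.builtin.copy:
        src: "{{ lego_path }}/certificates/{{ item.0.domain }}.{{ item.1 }}"
        dest: "{{ acme_cert_dir }}/{{ item.0.domain }}.{{ item.1 }}"
        owner: acme
        group: acme
        mode: "0640"
      become: true
      no_log: true   # the private key is transferred in this task
      loop: "{{ acme_domains | product(['crt', 'key']) | list }}"
      notify: restart nginx

    - name: Let nginx read the certificates by adding its user to the acme group
      ansible.builtin.user:
        name: "{{ nginx_user }}"
        groups: acme
        append: true
      become: true
      notify: restart nginx

  handlers:
    - name: restart nginx
      ansible.builtin.service:
        name: nginx
        state: restarted
      become: true
```

Two points worth keeping in mind: a process only picks up a new supplementary group when it starts, so the nginx restart in the handler is what actually grants access after the group change; and any account in the acme group can read the private key at mode 0640, so membership should be limited to the services that terminate TLS. Renewal is the same command shape with `renew --days 30` in place of `run`, which lego only acts on when the certificate is within that many days of expiry.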

You can check the resulting TLS configuration of the server with the SSL Labs test: ssllabs.com/ssltest

Example Playbook

- hosts: all
  roles:
    - bleetube.lego