Inital logical commit - untested

.ansible-lint

@@ -0,0 +1,6 @@
+# .ansible-lint
+# implicit unless exclude_paths is defined in config
+---
+exclude_paths:
+  - .cache/
+  - .github/

.yamllint

@@ -0,0 +1,10 @@
+---
+
+extends: default
+
+ignore: |
+  .github/
+rules:
+  line-length: false
+  document-start: enable
+  truthy: false

README.md

@@ -0,0 +1,77 @@
+# ACME.SH - Ansible Role for requesting SSL/TLS certs
+
+## Default Variables
+
+| **Variable**                       | **Default**                                          | **Description**                                                                                                             |
+| ---------------------------------- | ---------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- |
+| `acme_letsencrypt_email`           | `acme@domain.tld`                                    | The mail to receive mails to                                                                                                |
+| `acme_hostname`                    | `{{ inventory_hostname }}`                           | The default host name to acquire a cert for                                                                                 |
+| `acme_letsencrypt_api`             | `https://acme-v02.api.letsencrypt.org/directory`     | By default production, you might want to use `https://acme-staging-v02.api.letsencrypt.org/directory` for staging dev certs |
+| `acme_letsencrypt_repo`            | `https://github.com/acmesh-official/acme.sh.git`     | The repository where to acquire acme.sh from, in case you run a mirror / fork                                               |
+| `acme_letsencrypt_dir`             | `/opt/acme`                                          | Where acme.sh should be installed to                                                                                        |
+| `acme_letsencrypt_version`         | `master`                                             | Which git version / branch to checkout                                                                                      |
+| `acme_letsencrypt_keep_updated`    | `true`                                               | Update the git repository when re-running this role?                                                                        |
+| `acme_letsencrypt_install_command` | [defaults/default.yaml#13](./defaults/main.yaml#L13) | The acme.sh install command for the local configuration for cert creating                                                   |
+| `acme_letsencrypt_create_command`  | [defaults/default.yaml#21](./defaults/main.yaml#L13) | The acme.sh create cert command, here you can add the `--force` option to force a renewal                                   |
+| `DO_API_KEY` | `NONE` | A DigitalOcean API key which is by default empty |
+
+## Example Usage of this role
+
+## Playbook example
+
+```yaml
+---
+- name: Run ACME.SH - We need more SSL/TLS!
+  hosts: all
+  roles:
+    - role: acme.sh
+```
+
+### Variables for apache2 with just one domain
+
+```yaml
+acme_letsencrypt_create_command: >-
+  {{ acme_letsencrypt_script }} --issue
+  --domain {{ acme_hostname }}
+  --standalone
+  --server letsencrypt
+  --keylength ec-256
+  --pre-hook "systemctl stop apache2.service"
+  --post-hook "systemctl start apache2.service"
+  --server {{ acme_letsencrypt_api }}
+```
+
+### Variables for apache2 with multiple domains
+
+```yaml
+acme_letsencrypt_create_command: >-
+  {{ acme_letsencrypt_script }} --issue
+  --domain {{ acme_hostname }}
+  --domain foo.bar.DOMAIN.TLD
+  --domain bar.foo.DOMAIN.TLD
+  --standalone
+  --server letsencrypt
+  --keylength ec-256
+  --pre-hook "systemctl stop apache2.service"
+  --post-hook "systemctl start apache2.service"
+  --server {{ acme_letsencrypt_api }}
+```
+
+### Variables to use DigitalOcean dnsapi certificate generation
+
+More about acme.sh dnsapi => <https://github.com/acmesh-official/acme.sh/wiki/dnsapi>
+
+```yaml
+DO_API_KEY: "The Secret DigitalOcean API Token"
+
+acme_letsencrypt_create_command: >-
+  {{ acme_letsencrypt_script }} --issue
+  --domain *.{{ acme_hostname }}
+  --domain {{ acme_hostname }}
+  --dns dns_dgon
+  --server letsencrypt
+  --keylength ec-256
+  --post-hook "systemctl reload nginx.service"
+  --server {{ acme_letsencrypt_api }}
+  --force
+```

defaults/main.yaml

@@ -0,0 +1,29 @@
+---
+acme_letsencrypt_email: "acme@domain.tld"
+# The hostname - default to "{{ inventory_hostname }}" you may want to use ansible_fqdn instead
+acme_hostname: "{{ inventory_hostname }}"
+# The API URL of the authority
+# Want to use staging certs: https://acme-staging-v02.api.letsencrypt.org/directory
+acme_letsencrypt_api: https://acme-v02.api.letsencrypt.org/directory
+acme_letsencrypt_repo: https://github.com/acmesh-official/acme.sh.git
+# Where the certs will be installed to
+acme_letsencrypt_dir: /opt/acme
+acme_letsencrypt_version: master
+acme_letsencrypt_keep_updated: true
+# https://github.com/acmesh-official/acme.sh/wiki/How-to-issue-a-cert
+acme_letsencrypt_install_command: >-
+  {{ acme_letsencrypt_script }} --install
+  --home /root/.acme.sh
+  --config-home /root/.acme.sh
+  --certhome /root/.acme.sh
+  --days 30
+  --accountemail {{ acme_letsencrypt_email }}
+  --accountkey /root/.acme.sh/account.key
+acme_letsencrypt_create_command: >-
+  {{ acme_letsencrypt_script }} --issue --domain {{ acme_hostname }}
+  --standalone
+  --server letsencrypt
+  --keylength ec-256
+  --pre-hook "systemctl stop nginx.service"
+  --post-hook "systemctl start nginx.service"
+  --server {{ acme_letsencrypt_api }}

tasks/main.yaml

@@ -0,0 +1,40 @@
+---
+- name: Install socat package
+  ansible.builtin.apt:
+    name: socat
+    state: present
+
+- name: Clone acme into configured directory.
+  ansible.builtin.git:
+    repo: "{{ acme_letsencrypt_repo }}"
+    dest: "{{ acme_letsencrypt_dir }}"
+    version: "{{ acme_letsencrypt_version }}"
+    update: "{{ acme_letsencrypt_keep_updated }}"
+    force: true
+
+- name: Set acme.sh script variable.
+  ansible.builtin.set_fact:
+    acme_letsencrypt_script: "{{ acme_letsencrypt_dir }}/acme.sh"
+
+- name: Ensure acme.sh is executable.
+  ansible.builtin.file:
+    path: "{{ acme_letsencrypt_script }}"
+    mode: "0755"
+
+- name: ACME.sh install
+  become: true
+  ansible.builtin.command: "{{ acme_letsencrypt_install_command }}"
+  args:
+    chdir: "{{ acme_letsencrypt_dir }}"
+  register: acme_install_result
+  changed_when: "'ok' in acme_install_result.stdout"
+
+- name: Generate or renew certificate with acme.sh
+  become: true
+  ansible.builtin.command: "{{ acme_letsencrypt_create_command }}"
+  environment:
+    email: "{{ acme_letsencrypt_email }}"
+    DO_API_KEY: "{{ DO_API_KEY | default('') }}"
+  register: result
+  changed_when: "'new certificate deployed' in result.stdout"
+  failed_when: "result.rc not in [ 0, 2 ]"