---
# TODO: make this work

# 1. Prepare the environment and directories
- name: Ensure git and curl are installed
  # Both packages are needed below: git to fetch acme.sh, curl for acme.sh itself.
  ansible.builtin.apt:
    name: [git, curl]
    state: present

- name: Create SSL directory for Angie
  # Target directory for the key/cert files installed in step 4; root-owned,
  # world-readable directory (the files themselves get their own modes).
  ansible.builtin.file:
    path: "{{ angie_ssl_dir }}"
    owner: root
    group: root
    mode: '0755'
    state: directory

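# 2. Install acme.sh (idempotent, via Git instead of `curl | sh`)
- name: Clone acme.sh repository
  ansible.builtin.git:
    # Full repository URL — the previous value pointed at the GitHub root,
    # which cannot be cloned.
    repo: 'https://github.com/acmesh-official/acme.sh.git'
    dest: /root/acme.sh-src
    # Pin to a release tag via acme_sh_version for a reproducible, reviewable
    # install; defaults to master to keep the previous behaviour.
    version: "{{ acme_sh_version | default('master') }}"
    depth: 1
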
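- name: Run acme.sh installer
  ansible.builtin.command:
    cmd: "./acme.sh --install -m {{ acme_email }}"
    chdir: /root/acme.sh-src
    # Skip once the installed copy exists; this replaces the separate stat task
    # plus `when: not acme_installed.stat.exists` with the module's own check.
    creates: /root/.acme.sh/acme.sh
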
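# 3. Issue the certificate via Reg.ru DNS
- name: Issue Let's Encrypt certificate via Reg.ru DNS
  ansible.builtin.command:
    cmd: >-
      /root/.acme.sh/acme.sh --issue --dns dns_regru
      -d "{{ acme_domain }}"
      --server https://acme-v02.api.letsencrypt.org/directory
  # Credentials are passed only in this task's process environment.
  environment:
    REGRU_API_Username: "{{ regru_username }}"
    REGRU_API_Password: "{{ regru_password }}"
  # Keep the credentials (and anything acme.sh echoes about them) out of the
  # Ansible log; flip to false temporarily when debugging a failed issuance.
  no_log: true
  register: issue_result
  # `command` always reports "changed"; count only a successful issuance.
  changed_when: issue_result.rc == 0
  # A list under failed_when is ANDed: the task fails only when the exit code
  # is non-zero AND neither message below appears in stderr. acme.sh exits
  # non-zero when a valid certificate already exists, and these are presumably
  # the messages seen on re-runs. They can also match genuine issuance
  # failures, so a real failure may be accepted here — check issue_result
  # when that matters.
  failed_when:
    - issue_result.rc != 0
    - "'Sign failed: LE_OrderFinalize' not in issue_result.stderr"
    - "'Create new order error' not in issue_result.stderr"
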
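# 4. Install the certificate into Angie's directories and configure auto-renewal
- name: Install certificate to Angie directory and configure reload cmd
  ansible.builtin.command:
    cmd: >-
      /root/.acme.sh/acme.sh --install-cert -d "{{ acme_domain }}"
      --key-file "{{ angie_ssl_dir }}/key.pem"
      --fullchain-file "{{ angie_ssl_dir }}/cert.pem"
      --reloadcmd "systemctl reload angie"
  # `service angie force-reload` was replaced by the more modern `systemctl reload`.

- name: Restrict permissions on the installed private key
  # The SSL directory is 0755 and acme.sh's copy of the key is not guaranteed
  # to be mode-restricted, so pin key.pem to root-only. Assumes Angie's master
  # process runs as root and reads the key at (re)load — confirm for this host.
  ansible.builtin.file:
    path: "{{ angie_ssl_dir }}/key.pem"
    owner: root
    group: root
    mode: '0600'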