Update to 2021-12-01 19:13

roles/letsencrypt/templates/cert_config.j2

@@ -0,0 +1,5 @@
+{% if item.config is defined and item.config is mapping %}
+{% for key in item.config.keys() | list %}
+{{ key }}={{ item.config[key] }}
+{% endfor %}
+{% endif %}

roles/letsencrypt/templates/config.j2

@@ -0,0 +1,33 @@
+{% if letsencrypt_ca is defined %}
+CA={{ letsencrypt_ca }}
+{% endif %}
+IP_VERSION=4
+BASEDIR=/var/lib/dehydrated/certificates
+DOMAINS_TXT=/etc/dehydrated/domains.txt
+DOMAINS_D=/etc/dehydrated/certificates
+WELLKNOWN=/var/lib/dehydrated/challenges
+KEYSIZE="{{ letsencrypt_key_size | default('4096') }}"
+HOOK=/usr/{{ (ansible_os_family == 'Debian') | ternary('local/','') }}bin/dehydrated_hooks
+RENEW_DAYS="{{ letsencrypt_renew_days | default('30') }}"
+PRIVATE_KEY_RENEW="yes"
+{% if letsencrypt_preferred_chain is not defined %}
+PREFERRED_CHAIN="{{ letsencrypt_openssl_version.stdout is version('1.1', '>=') | ternary('ISRG Root X1','issuer= /C=US/O=Internet Security Research Group/CN=ISRG Root X1') }}"
+{% elif letsencrypt_preferred_chain != 'default' %}
+PREFERRED_CHAIN={{ letsencrypt_preferred_chain | quote }}
+{% endif %}
+{% if letsencrypt_key_algo | default('rsa') in ['rsa', 'prime256v1', 'secp384r1' ] %}
+KEY_ALGO={{ letsencrypt_key_algo | default('rsa') }}
+{% endif %}
+{% if system_admin_email is defined %}
+CONTACT_EMAIL={{ system_admin_email }}
+{% endif %}
+{% if letsencrypt_challenge == 'dns' and letsencrypt_dns_provider is defined and letsencrypt_dns_auth_token is defined %}
+CHALLENGETYPE=dns-01
+export DNS_PROVIDER="{{ letsencrypt_dns_provider }}"
+export LEXICON_{{ letsencrypt_dns_provider | upper }}_TOKEN="{{ letsencrypt_dns_auth_token }}"
+{% endif %}
+{% if system_proxy is defined and system_proxy != '' %}
+{% for proto in ['http','https','HTTP','HTTPS'] %}
+export {{ proto }}_proxy={{ system_proxy }}
+{% endfor %}
+{% endif %}

roles/letsencrypt/templates/cron.j2

@@ -0,0 +1,10 @@
+#!/bin/sh
+
+{% if letsencrypt_auto_renew | default(True) %}
+sleep $[ $RANDOM % 900 ];
+systemd-cat dehydrated --cron --keep-going
+{% endif %}
+
+{% if letsencrypt_revoke_old_certs | default(False) and ansible_os_family == 'RedHat' %}
+systemd-cat dehydrated_revoke
+{% endif %}

roles/letsencrypt/templates/dns-lexicon-clean_challenge.j2

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+DOMAIN="${1}"
+TOKEN_VALUE="${3}"
+lexicon $DNS_PROVIDER {% if letsencrypt_dns_provider_options is defined %}{{ letsencrypt_dns_provider_options }} {% endif %}delete ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"

roles/letsencrypt/templates/dns-lexicon-deploy_challenge.j2

@@ -0,0 +1,7 @@
+#!/bin/sh
+
+DOMAIN="${1}"
+TOKEN_VALUE="${3}"
+lexicon $DNS_PROVIDER {% if letsencrypt_dns_provider_options is defined %}{{ letsencrypt_dns_provider_options }} {% endif %}create ${DOMAIN} TXT --name="_acme-challenge.${DOMAIN}." --content="${TOKEN_VALUE}"
+sleep 5
+

roles/letsencrypt/templates/domains.txt.j2

@@ -0,0 +1,51 @@
+{% for cert in letsencrypt_certs | default([]) %}
+{{ cert.common_name }} {{ cert.alt_names | default([]) | join(' ') }}
+{% endfor %}
+{% if nginx_auto_letsencrypt_cert is defined and nginx_auto_letsencrypt_cert and nginx_vhosts is defined %}
+{% for vhost in nginx_vhosts %}
+{% if vhost.ssl.cert is not defined and (vhost.ssl.letsencrypt_cert is not defined or vhost.ssl.letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name')) %}
+{{ vhost.name }} {{ vhost.aliases | default([]) | join(' ') }}
+{% endif %}
+{% endfor %}
+{% endif %}
+{% if role_wh_proxy | default(False) %}
+{% for client in wh_clients | default([]) %}
+{% for app in client.apps %}
+{% set app = wh_default_app | combine(app, recursive=True) %}
+{% if app.letsencrypt_cert %}
+{{ app.vhost | default(client.name + '-' + app.name + '.wh.fws.fr') }} {{ app.aliases | join(' ') }}
+{% endif %}
+{% endfor %}
+{% endfor %}
+{% endif %}
+{% if pve_letsencrypt is defined and pve_letsencrypt and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ inventory_hostname }} {{ pve_cluster_vhosts | join(' ') }}
+{% endif %}
+{% if graylog_letsencrypt_cert is defined and graylog_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ graylog_letsencrypt_cert }}
+{% endif %}
+{% if zcs_letsencrypt is defined and zcs_letsencrypt and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ inventory_hostname }} {{ zcs_vhosts | default([]) | join(' ') }}
+{% endif %}
+{% if bitwarden_letsencrypt_cert is defined and bitwarden_letsencrypt_cert == True %}
+{{ bitwarden_public_url | urlsplit('hostname') }}
+{% endif %}
+{% if psono_letsencrypt_cert is defined and psono_letsencrypt_cert == True %}
+{{ psono_public_url | urlsplit('hostname') }}
+{% endif %}
+{% if jitsi_letsencrypt_cert is defined and jitsi_letsencrypt_cert == True and jitsi_domain is defined %}
+{{ jitsi_domain }} auth.{{ jitsi_domain }}
+{% endif %}
+{% if turn_letsencrypt_cert is defined and turn_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ turn_letsencrypt_cert }}
+{% endif %}
+{% if rabbitmq_letsencrypt_cert is defined and rabbitmq_letsencrypt_cert != False %}
+{% if rabbitmq_letsencrypt_cert is string and rabbitmq_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ rabbitmq_letsencrypt_cert }}
+{% elif rabbitmq_letsencrypt_cert == True and inventory_hostname not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ inventory_hostname }}
+{% endif %}
+{% endif %}
+{% if pbs_letsencrypt_cert is defined and pbs_letsencrypt_cert not in letsencrypt_certs | default([]) | map(attribute='common_name') %}
+{{ pbs_letsencrypt_cert }}
+{% endif %}