Ansible role for setting up lego.

OS Family | Distribution | Latest | Supported Version(s) | Comment
---|---|---|---|---
RedHat | RHEL | ✔️ | 9 |
RedHat | RockyLinux | ✔️ | 8, 9 |
RedHat | AlmaLinux | ✔️ | 8, 9 |
RedHat | Fedora | ✔️ | 36, 37, 38 |
Requires Ansible 2.12 or higher.
Name | Default Value | Description
---|---|---
`lego_version` | `latest` | Lego version to install; can be pinned to a specific release, e.g. `v4.14.2`
`lego_renew_oncalendar` | `*-*-* 00/12:00:00` | systemd timer schedule (`OnCalendar`) for renewals
`lego_renew_random_delay` | `1h` | systemd timer random delay (`RandomizedDelaySec`)
`lego_pre_script` | `""` | Raw string inserted into the lego-wrapper script before lego runs
`lego_home` | `/etc/lego` | Path to store files, including accounts and certificates
`lego_user` | `lego` | User to run Lego as
`lego_group` | `lego` | Group to run Lego as
`lego_domains` | `[]` | Domains to get certificates for, see the example playbook
`lego_provisioning_synced` | `true` | Delete renew hooks that are no longer defined in `lego_renew_hooks`
`lego_renew_hooks` | `[]` | Hooks to run after renewing, see the example playbook
Dependencies: None.
```yaml
---
- hosts: all
  become: true
  gather_facts: true
  roles:
    - role: lego
      vars:
        lego_domains:
          - name: "example.com"
            email: [email protected]
            dns: rfc2136
            env:
              RFC2136_NAMESERVER: 127.0.0.1
              RFC2136_TSIG_KEY: lego
              RFC2136_TSIG_ALGORITHM: hmac-sha256.
              RFC2136_TSIG_SECRET: YWJjZGVmZGdoaWprbG1ub3BxcnN0dXZ3eHl6MTIzNDU=
        lego_renew_hooks:
          # Hooks prefixed with sudo run as root
          - name: sudo-restart-nginx
            content: |
              #!/bin/sh
              echo "I am root"
              systemctl restart nginx
          # Anything else runs as lego user
          - name: something-else
            content: |
              #!/bin/sh
              echo "I am not root"
```
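The playbook above puts a DNS provider secret and root-executing hook scripts into role variables, so it is worth linting those variables before a run. The following pre-flight check is an added example, not part of this role or of lego: it validates `lego_domains` and `lego_renew_hooks` as the table describes them, flags plaintext secret-looking `env` values that are not `ansible-vault` encrypted (detected by the `$ANSIBLE_VAULT` marker that vaulted values carry in a vars file), and lists every `sudo-` hook so the root-executing scripts are reviewed deliberately. The hook-name filename check assumes the role writes each hook to a file named after its `name`, which the README implies but does not state; the sample variables are constructed for this example.

```python
"""Pre-flight lint for the lego role variables (added example, not role code)."""
import re

# Hook names are assumed to become filenames under lego_home, so keep them boring.
HOOK_NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]*$")
# Env variable names that usually hold credentials for the DNS provider.
SECRET_HINT_RE = re.compile(r"(SECRET|TOKEN|PASSWORD|API_KEY|PRIVATE)", re.IGNORECASE)
# Inline ansible-vault values start with this marker when read from the vars file.
VAULT_MARKER = "$ANSIBLE_VAULT"


def check_domains(domains):
    """Return findings for the lego_domains list."""
    findings = []
    for i, d in enumerate(domains):
        label = d.get("name") or f"lego_domains[{i}]"
        for key in ("name", "email", "dns"):
            if not d.get(key):
                findings.append(f"{label}: missing required key '{key}'")
        for var, value in (d.get("env") or {}).items():
            if SECRET_HINT_RE.search(var) and not str(value).startswith(VAULT_MARKER):
                findings.append(f"{label}: env {var} is plaintext; encrypt it with ansible-vault")
    return findings


def check_hooks(hooks):
    """Return (findings, root_hooks) for the lego_renew_hooks list."""
    findings = []
    root_hooks = []
    for i, h in enumerate(hooks):
        name = h.get("name", "")
        label = name or f"lego_renew_hooks[{i}]"
        if not HOOK_NAME_RE.match(name):
            findings.append(f"{label}: hook name is not filename-safe")
        if not h.get("content", "").startswith("#!"):
            findings.append(f"{label}: hook content does not start with a shebang line")
        if name.startswith("sudo-"):
            root_hooks.append(name)   # the README says these run as root
    return findings, root_hooks


def validate(role_vars):
    """Lint the role variables and return findings plus the root-executing hooks."""
    findings = check_domains(role_vars.get("lego_domains", []))
    hook_findings, root_hooks = check_hooks(role_vars.get("lego_renew_hooks", []))
    return {"findings": findings + hook_findings, "root_hooks": root_hooks}


# Constructed sample mirroring the README playbook, plus one deliberately bad hook.
SAMPLE_VARS = {
    "lego_domains": [
        {
            "name": "example.com",
            "email": "admin@example.com",          # constructed placeholder
            "dns": "rfc2136",
            "env": {
                "RFC2136_NAMESERVER": "127.0.0.1",
                "RFC2136_TSIG_KEY": "lego",
                "RFC2136_TSIG_ALGORITHM": "hmac-sha256.",
                "RFC2136_TSIG_SECRET": "YWJjZGVmZGdoaWprbG1ub3BxcnN0dXZ3eHl6MTIzNDU=",
            },
        }
    ],
    "lego_renew_hooks": [
        {"name": "sudo-restart-nginx", "content": "#!/bin/sh\nsystemctl restart nginx\n"},
        {"name": "something-else", "content": "#!/bin/sh\necho 'I am not root'\n"},
        {"name": "../escape", "content": "echo no shebang\n"},   # constructed bad entry
    ],
}

if __name__ == "__main__":
    result = validate(SAMPLE_VARS)
    for line in result["findings"]:
        print("FINDING:", line)
    print("hooks that run as root:", ", ".join(result["root_hooks"]) or "none")
```

Run it against a copy of the vars before `ansible-playbook`; the `RFC2136_TSIG_SECRET` line in the README example is reported as plaintext, and the only root-executing hook listed is `sudo-restart-nginx`.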