~sirn/ansible-freebsd-s6-dehydrated

Ansible role for installing and configuring Dehydrated on an S6-enabled FreeBSD host

#ansible-freebsd-s6-dehydrated

Configure Dehydrated for a FreeBSD host using S6. This playbook only supports provisioning using DNS-01 via Lexicon.

Requires ansible-freebsd-s6 to be applied first.

#Variables

#dehydrated_domains

dehydrated_domains: []

Define a list of domains to provision certificates for. Each entry defines one certificate. A certificate may contain Subject Alternative Names (SAN), in which case the first name in the entry is used as the primary certificate name, for example:

dehydrated_domains:
    - foo.example.com
    - example.com *.example.com

In the above example, two certificates will be created:

  • foo.example.com only valid for foo.example.com
  • example.com also valid for all subdomains under example.com
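
The mapping described above, as an added example that is not part of this role: it splits each `dehydrated_domains` entry into its primary name and SANs and reports which certificate covers a given hostname. The function names are hypothetical, and the wildcard check follows the usual TLS rule that `*` stands for exactly one leftmost label, so `a.b.example.com` is not covered by `*.example.com`.

```python
# Added example (not the role's code): expand dehydrated_domains entries into
# certificates and check which hostnames each one covers.
# All function names here are hypothetical.


def parse_entries(entries):
    """Map each entry to (primary name, [all names on the certificate])."""
    certs = []
    for entry in entries:
        names = entry.lower().split()
        if not names:
            raise ValueError("empty dehydrated_domains entry")
        # The first name is the primary certificate name; the rest are SANs.
        certs.append((names[0], names))
    return certs


def name_matches(pattern, host):
    """TLS-style match: '*' stands for exactly one leftmost label."""
    p = pattern.split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return h[0] != "" and p[1:] == h[1:]
    return p == h


def covering_certs(entries, host):
    """Return the primary names of the certificates that are valid for host."""
    return [primary for primary, names in parse_entries(entries)
            if any(name_matches(n, host) for n in names)]


# Constructed sample: the list from the example above.
DOMAINS = ["foo.example.com", "example.com *.example.com"]

if __name__ == "__main__":
    for host in ("foo.example.com", "example.com", "www.example.com",
                 "a.b.example.com", "example.org"):
        certs = covering_certs(DOMAINS, host)
        print(f"{host:20} -> {certs or 'no certificate'}")
```
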

#dehydrated_lexicon_config

dehydrated_lexicon_config: {}

Configure Lexicon. See also the Lexicon documentation. For example:

dehydrated_lexicon_config:
    PROVIDER: cloudflare
    LEXICON_CLOUDFLARE_AUTH_TOKEN: replaceme
    LEXICON_CLOUDFLARE_ZONE_ID: replaceme

#dehydrated_logger

dehydrated_logger: |
    #!/usr/local/bin/execlineb -P
    s6-log -b n10 s1000000 t !"gzip -nq9" /var/log/dehydrated/

Configure a Dehydrated logger. See also s6-log.

#dehydrated_postcmds

dehydrated_postcmds:

Commands to run after Dehydrated has successfully provisioned a certificate. These commands are run as root in a POSIX shell. Useful for reloading a web server, e.g.

dehydrated_postcmds:
    - s6-svc -h /var/service/nginx

#dehydrated_staging

dehydrated_staging: yes

Use the Let's Encrypt staging environment instead of production. Useful for testing.