Default role variables

Basic configuration

acme_tiny__config_dir

acme-tiny configuration base directory.

acme_tiny__config_dir: '/etc/ssl/acme-tiny'

acme_tiny__challenge_dir

Directory, accessible through an HTTP server, used for temporary challenge storage.

acme_tiny__challenge_dir: '/var/www/acme-challenges'

acme_tiny__account_key

File name of the Let’s Encrypt account key, relative to acme_tiny__config_dir. For more information see Let’s Encrypt Account Key.

acme_tiny__account_key: 'account.key'

acme_tiny__cert_backup

If a certificate already exists, create a backup before overwriting it with the renewed certificate.

acme_tiny__cert_backup: True

Certificate authority configuration

acme_tiny__ca_directory_url

Certificate authority directory URL.

acme_tiny__ca_directory_url: 'https://acme-v02.api.letsencrypt.org/directory'

acme_tiny__ca_chain

List of certificates which will be added to the certificate chain. Each list item must be a dictionary with two keys: url, from which the certificate will be downloaded, and file, the name under which the certificate will be stored.

acme_tiny__ca_chain:
  - url: 'https://letsencrypt.org/certs/lets-encrypt-r3.pem'
    file: 'intermediate.crt'
  - url: 'https://letsencrypt.org/certs/isrgrootx1.pem'
    file: 'ca.crt'

Domain configuration

acme_tiny__domain

Domain for which the certificate is requested. The value can be a single domain name or a list of domain names (e.g. [ 'example.com', 'www.example.com' ]).

acme_tiny__domain: 'example.com'

acme_tiny__cert_name

File name of the key, certificate request and certificate (without file extension). By default this is set to the (first) domain name defined in acme_tiny__domain.

acme_tiny__cert_name: '{{ acme_tiny__domain[0]
                          if (acme_tiny__domain is iterable and not acme_tiny__domain is string)
                          else acme_tiny__domain }}'

acme_tiny__cert_dir

Directory where the key, certificate request and certificate for this domain are stored.

acme_tiny__cert_dir: '{{ acme_tiny__config_dir }}/{{ acme_tiny__cert_name }}'

acme_tiny__private_key

File name of the RSA key used for generating the certificate request. If the key doesn’t exist yet, an RSA key of acme_tiny__key_length bits will be generated under this name.

acme_tiny__private_key: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.key'

acme_tiny__key_length

Length of the RSA key in bits.

acme_tiny__key_length: 4096

acme_tiny__cert_request

File name of the certificate request sent to the Let’s Encrypt certificate service. If it does not exist yet, the certificate request will be generated from acme_tiny__domain.

acme_tiny__cert_request: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.csr'

acme_tiny__certificate

File name of the certificate which will be retrieved from the Let’s Encrypt certificate authority.

acme_tiny__certificate: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.crt'

Service configuration

acme_tiny__service

Name (or YAML list of names) of the service for which the certificate should be installed and which should be restarted after the certificate has been replaced. The value must be one of the configuration keys defined in acme_tiny__service_map. A custom service can be chosen by redefining acme_tiny__service_map in the Ansible inventory.

acme_tiny__service: ''

acme_tiny__service_map

Configuration map for defining default role behaviour regarding individual services. For more information see Custom services.

acme_tiny__service_map:
  apache2:
    cert_format: 'chain'
    cert_directory: '/etc/apache2/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload apache2'
  dovecot:
    cert_format: 'chain'
    cert_directory: '/etc/dovecot/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload dovecot'
  httpd:
    cert_format: 'chain'
    cert_directory: '/etc/httpd/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload httpd'
  lighttpd:
    cert_format: 'keycert'
    cert_directory: '/etc/lighttpd/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload lighttpd'
  nginx:
    cert_format: 'chain'
    cert_directory: '/etc/nginx/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload nginx'
  postfix:
    cert_format: 'chain'
    cert_directory: '/etc/postfix/ssl'
    restart_command: '/usr/bin/sudo -n /bin/systemctl reload postfix'

acme_tiny__service_restart

Restart the affected service after the certificate has been replaced.

acme_tiny__service_restart: True

acme_tiny__cert_format

Certificate format. By default the format is determined by the service name, which looks up the value of item.cert_format in acme_tiny__service_map. The value must be one of plain, chain or keycert. If acme_tiny__service is undefined or empty, the format is plain.

Parameter description:

plain
Simply store the certificate base64-encoded under acme_tiny__certificate.
chain
Same as plain but additionally generate a certificate chain including the certificates of the issuing certificate authority. The certificate chain will be stored in <acme-tiny-cert-dir>/<cert-name>_chain.crt depending on the values of acme_tiny__cert_dir and acme_tiny__cert_name.
keycert
Same as plain but additionally generate a PEM file which includes the base64-encoded RSA key and certificate. The PEM file will be stored in <acme-tiny-cert-dir>/<cert-name>.pem depending on the values of acme_tiny__cert_dir and acme_tiny__cert_name.

acme_tiny__cert_format: '{{ acme_tiny__service_map[acme_tiny__service].cert_format
                            if (acme_tiny__service and
                                acme_tiny__service in acme_tiny__service_map | default({}) and
                                "cert_format" in acme_tiny__service_map[acme_tiny__service])
                            else "plain" }}'
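The three formats above and the lookup in acme_tiny__service_map, as an added example in Python that is not part of the role: it resolves the format with the same fallback the default expression uses (empty or unknown service, or an entry without cert_format, gives plain), then assembles the files each format describes from the issued certificate, the acme_tiny__ca_chain certificates and the RSA key. The service map subset, the "custom" entry, the function names and all PEM data are constructed for this example; the file names follow the page.

```python
"""Assemble the files behind the plain, chain and keycert values of
acme_tiny__cert_format. Added example, not code from the role: names and
sample PEM data are constructed; nothing here is a real key or certificate."""
import base64
import os
import re
import tempfile

VALID_FORMATS = ("plain", "chain", "keycert")
KEY_LABELS = ("RSA PRIVATE KEY", "PRIVATE KEY")  # PKCS#1 or PKCS#8 key files

# Subset of the page's default acme_tiny__service_map, plus a constructed
# "custom" entry without cert_format to exercise the fallback.
SERVICE_MAP = {
    "nginx": {"cert_format": "chain"},
    "lighttpd": {"cert_format": "keycert"},
    "custom": {"cert_directory": "/etc/custom/ssl"},
}

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z ]+)-----\n(?P<body>[A-Za-z0-9+/=\n]+?)-----END (?P=label)-----"
)


def resolve_cert_format(service, service_map=SERVICE_MAP):
    """Same fallback as the acme_tiny__cert_format default: an empty or unknown
    service, or an entry without cert_format, yields 'plain'."""
    entry = service_map.get(service) if service else None
    if not entry or "cert_format" not in entry:
        return "plain"
    if entry["cert_format"] not in VALID_FORMATS:
        raise ValueError(f"unsupported cert_format {entry['cert_format']!r}")
    return entry["cert_format"]


def pem_blocks(text, labels):
    """Return the PEM blocks in text. Each label must be one of `labels` and each
    body valid base64, so a truncated or HTML-error-page download for an
    acme_tiny__ca_chain item is rejected instead of being bundled."""
    blocks = []
    for m in PEM_BLOCK.finditer(text):
        if m.group("label") not in labels:
            raise ValueError(f"unexpected PEM label {m.group('label')!r}")
        base64.b64decode(m.group("body").replace("\n", ""), validate=True)
        blocks.append(m.group(0) + "\n")
    if not blocks:
        raise ValueError(f"no PEM block with label in {labels}")
    return blocks


def _write(path, data, mode):
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, mode)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
    os.chmod(path, mode)  # os.open honours the umask; enforce the mode explicitly


def write_cert_files(cert_dir, cert_name, cert_pem, intermediates, key_pem, fmt):
    """Write <cert-name>.crt and, per fmt, <cert-name>_chain.crt or <cert-name>.pem.
    The chain is ordered leaf first, then acme_tiny__ca_chain items in list order.
    The keycert PEM contains the private key, so it gets mode 0600."""
    leaf = pem_blocks(cert_pem, ("CERTIFICATE",))
    if len(leaf) != 1:
        raise ValueError("expected exactly one leaf certificate")
    os.makedirs(cert_dir, mode=0o750, exist_ok=True)
    written = {"plain": os.path.join(cert_dir, f"{cert_name}.crt")}
    _write(written["plain"], leaf[0], 0o644)
    if fmt == "chain":
        chain = leaf + [b for p in intermediates for b in pem_blocks(p, ("CERTIFICATE",))]
        written["chain"] = os.path.join(cert_dir, f"{cert_name}_chain.crt")
        _write(written["chain"], "".join(chain), 0o644)
    elif fmt == "keycert":
        written["keycert"] = os.path.join(cert_dir, f"{cert_name}.pem")
        _write(written["keycert"], "".join(pem_blocks(key_pem, KEY_LABELS) + leaf), 0o600)
    return written


def _fake_pem(label, payload):
    """Constructed stand-in for a PEM object: valid base64 of a plain string."""
    body = base64.b64encode(payload).decode()
    lines = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    return f"-----BEGIN {label}-----\n{lines}\n-----END {label}-----\n"


SAMPLE_CERT = _fake_pem("CERTIFICATE", b"constructed leaf certificate for example.com")
SAMPLE_CHAIN = [_fake_pem("CERTIFICATE", b"constructed intermediate certificate"),
                _fake_pem("CERTIFICATE", b"constructed root certificate")]
SAMPLE_KEY = _fake_pem("RSA PRIVATE KEY", b"constructed private key material")


def demo(service):
    """Assemble the files for one service in a temporary directory; return, per
    format, (file name, permission bits, number of PEM blocks in the file)."""
    fmt = resolve_cert_format(service)
    with tempfile.TemporaryDirectory() as tmp:
        result = {}
        files = write_cert_files(tmp, "example.com", SAMPLE_CERT, SAMPLE_CHAIN, SAMPLE_KEY, fmt)
        for kind, path in files.items():
            with open(path) as fh:
                count = fh.read().count("-----BEGIN ")
            result[kind] = (os.path.basename(path), oct(os.stat(path).st_mode & 0o777), count)
        return result
```

Two details matter in practice: the keycert PEM is the only file that carries the private key, so it is created with mode 0600 while certificate-only files stay world-readable for the service to load, and every PEM body is base64-validated before bundling so a truncated or HTML error-page download for an acme_tiny__ca_chain item fails loudly instead of producing a chain file the service rejects at reload.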

acme_tiny__cert_symlink

Create symlinks from the service configuration directory (item.cert_directory) defined in acme_tiny__service_map to the actual RSA key and certificate in acme_tiny__cert_dir.

acme_tiny__cert_symlink: True

User configuration

User account meant for running certificate renewal via this Ansible role.

acme_tiny__user_name

User name.

acme_tiny__user_name: 'acmetiny'

acme_tiny__user_group

Primary group of the functional user.

acme_tiny__user_group: '{{ acme_tiny__user_name }}'

acme_tiny__user_home

Home directory.

acme_tiny__user_home: '/var/lib/acme-tiny'

acme_tiny__log_dir

Log directory owned by acme_tiny__user_name.

acme_tiny__log_dir: '/var/log/acme-tiny'

acme_tiny__log_file

Log file defined in ~/.ansible.cfg of acme_tiny__user_name.

acme_tiny__log_file: '{{ acme_tiny__log_dir }}/{{ acme_tiny__user_name }}.log'