Default role variables¶
Sections
Basic configuration¶
-
acme_tiny__config_dir
¶
acme-tiny configuration base directory.
acme_tiny__config_dir: '/etc/ssl/acme-tiny'
-
acme_tiny__challenge_dir
¶
Directory accessible through a HTTP server used for temporary challenge storage.
acme_tiny__challenge_dir: '/var/www/acme-challenges'
-
acme_tiny__account_key
¶
File name of the Let’s encrypt account key relative to the
acme_tiny__config_dir
. For more information see
Let’s Encrypt Account Key.
acme_tiny__account_key: 'account.key'
-
acme_tiny__cert_backup
¶
If a certificate already exists create a backup before overwriting it with the re-newed certificate.
acme_tiny__cert_backup: True
Certificate authority configuration¶
-
acme_tiny__ca_directory_url
¶
Certificate authority directory URL.
acme_tiny__ca_directory_url: 'https://acme-v02.api.letsencrypt.org/directory'
-
acme_tiny__ca_chain
¶
List of certificates which will be added to the certificate chain. Each list item must be defined as a dictionary that defines url where the certificate will be downloaded and file where the certificate will be stored.
acme_tiny__ca_chain:
- url: 'https://letsencrypt.org/certs/lets-encrypt-r3.pem'
file: 'intermediate.crt'
- url: 'https://letsencrypt.org/certs/isrgrootx1.pem'
file: 'ca.crt'
Domain configuration¶
-
acme_tiny__domain
¶
Domain for which certificate is requested. Value can be a single domain or
a list of domain names (e.g. [ 'example.com', 'www.example.com' ]
)
acme_tiny__domain: 'example.com'
-
acme_tiny__cert_name
¶
File name of key, certificate request and certificate (without file
extension). By default this will be set to the (first) domain name defined
in acme_tiny__domain
.
acme_tiny__cert_name: '{{ acme_tiny__domain[0]
if (acme_tiny__domain is iterable and not acme_tiny__domain is string)
else acme_tiny__domain }}'
-
acme_tiny__cert_dir
¶
Directory name where key, certificate request and certificate are stored for this domain.
acme_tiny__cert_dir: '{{ acme_tiny__config_dir }}/{{ acme_tiny__cert_name }}'
-
acme_tiny__private_key
¶
File name of the RSA key used for generating the certificate request. If key
doesn’t exist yet, a RSA key of acme_tiny__key_length
bit will be
generated under this name.
acme_tiny__private_key: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.key'
-
acme_tiny__key_length
¶
Length in bit of the RSA key.
acme_tiny__key_length: 4096
-
acme_tiny__cert_request
¶
File name of the certificate request sent to the Let’s Encrypt certificate
service. The certificate request will be generated using
acme_tiny__domain
if not existent.
acme_tiny__cert_request: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.csr'
-
acme_tiny__certificate
¶
File name of certificate which will be retrieved from the Let’s Encrypt certificate authority.
acme_tiny__certificate: '{{ acme_tiny__cert_dir }}/{{ acme_tiny__cert_name }}.crt'
Service configuration¶
-
acme_tiny__service
¶
Name (or YAML list of names) of the service for which the certificate should
be installed and which should be restarted after certificate replacement.
Value must be one of the configuration keys defined in
acme_tiny__service_map
. A custom service can be chosen by
redefining acme_tiny__service_map
in the Ansible inventory.
acme_tiny__service: ''
-
acme_tiny__service_map
¶
Configuration map for defining default role behaviour regarding individual services. For more information see Custom services.
acme_tiny__service_map:
apache2:
cert_format: 'chain'
cert_directory: '/etc/apache2/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload apache2'
dovecot:
cert_format: 'chain'
cert_directory: '/etc/dovecot/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload dovecot'
httpd:
cert_format: 'chain'
cert_directory: '/etc/httpd/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload httpd'
lighttpd:
cert_format: 'keycert'
cert_directory: '/etc/lighttpd/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload lighttpd'
nginx:
cert_format: 'chain'
cert_directory: '/etc/nginx/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload nginx'
postfix:
cert_format: 'chain'
cert_directory: '/etc/postfix/ssl'
restart_command: '/usr/bin/sudo -n /bin/systemctl reload postfix'
-
acme_tiny__service_restart
¶
Restart affected service after certificate has been replaced.
acme_tiny__service_restart: True
-
acme_tiny__cert_format
¶
Certificate format. By default the format will be determined by the service
name which will lookup the value from item.cert_format
in
acme_tiny__service_map
. The value must be one of plain
,
chain
or keycert
. If acme_tiny__service
is undefined or
empty the format will be plain
.
Parameter description:
plain
- Simply store the certificate base64-encoded under
acme_tiny__certificate
. chain
- Same as
plain
but additionally generate a certificate chain including the certificates of the issuing certificate authority. The certificate chain will be stored in<acme-tiny-cert-dir>/<cert-name>_chain.crt
depending on the values ofacme_tiny__cert_dir
andacme_tiny__cert_name
. keycert
- Same as
plain
but additionally generate a PEM file which includes the base64-encoded RSA key and certificate. The PEM file will be stored in<acme-tiny-cert-dir>/<cert-name>.pem
depending on the values ofacme_tiny__cert_dir
andacme_tiny__cert_name
.
acme_tiny__cert_format: '{{ acme_tiny__service_map[acme_tiny__service].cert_format
if (acme_tiny__service and
acme_tiny__service in acme_tiny__service_map | default({}) and
"cert_format" in acme_tiny__service_map[acme_tiny__service])
else "plain" }}'
-
acme_tiny__cert_symlink
¶
Create symlinks from the service configuration directory
(item.cert_directory
) defined in acme_tiny__service_map
to the
actual RSA key and certificate in acme_tiny__cert_dir
.
acme_tiny__cert_symlink: True
User configuration¶
User account meant for running certificate renewal via this Ansible role.
-
acme_tiny__user_name
¶
User name.
acme_tiny__user_name: 'acmetiny'
-
acme_tiny__user_group
¶
Primary group of the functional user.
acme_tiny__user_group: '{{ acme_tiny__user_name }}'
-
acme_tiny__user_home
¶
Home directory.
acme_tiny__user_home: '/var/lib/acme-tiny'
-
acme_tiny__log_dir
¶
Log directory owned by acme_tiny__user_name
.
acme_tiny__log_dir: '/var/log/acme-tiny'
-
acme_tiny__log_file
¶
Log file defined in ~/.ansible.cfg
of acme_tiny__user_name
.
acme_tiny__log_file: '{{ acme_tiny__log_dir }}/{{ acme_tiny__user_name }}.log'