Ansible-HAProxy-Failover/roles/haproxy/tasks/certbot.yml

---
# file: roles/haproxy/tasks/main.yml

- name: Install certbot
  pip:
    name: certbot
    executable: pip3
    state: latest
  tags: packages

- name: Place certbot script
  template:
    src: "certbot-renewal-cluster.j2"
    dest: "/usr/local/sbin/certbot-renewal-cluster"
    owner: root
    mode: 755

- name: Deploy certbot renewal service
  template:
    src: certbot-renewal.service.j2
    dest: /etc/systemd/system/certbot-renewal.service
  notify: Daemon Reload

- name: Deploy certbot renewal timer
  template:
    src: certbot-renewal.timer.j2
    dest: /etc/systemd/system/certbot-renewal.timer
  notify: Daemon Reload

- name: Start and enable systemd timer for certbot renewal
  service:
    name: certbot-renewal.timer
    state: started
    enabled: yes

- name: Generate ssh keypair
  user:
    name: "{{ haproxy_certbot_user }}"
    generate_ssh_key: yes
    ssh_key_type: ed25519
    ssh_key_bits: 4096
    ssh_key_file: "{{ haproxy_private_key }}"
    ssh_key_passphrase: ""
    force: no

- name: Get the public key
  slurp:
    src: "{{ haproxy_private_key }}.pub"
  register: slurped_pub_key

- name: Decode the pub key and store as fact
  set_fact:
    haproxy_pub_key: "{{ slurped_pub_key.content | b64decode }}"

- name: "Setup authorized key for the user with limited access"
  authorized_key:
    user: "{{ haproxy_certbot_user }}"
    state: present
    key: "{{ hostvars[item]['haproxy_pub_key'] }}"
  loop: "{{ groups['haproxy']|difference([inventory_hostname]) }}"

- name: Ensure ssh host key known
  lineinfile:
    dest: "/home/{{ haproxy_certbot_user }}/.ssh/known_hosts"
    create: yes
    state: present
    line: "{{ lookup('pipe', 'ssh-keyscan -t ecdsa -p22 ' + hostvars[item]['ansible_host'] + ' ' + '2>/dev/null', errors='warn') }}"
  loop: "{{ groups['haproxy']|difference([inventory_hostname]) }}"