https://github.com/elan-ev/opencast_certbot
Ansible role to configure TLS certificate renewal via certbot for Opencast
- Host: GitHub
- URL: https://github.com/elan-ev/opencast_certbot
- Owner: elan-ev
- License: bsd-3-clause
- Created: 2021-07-01T19:12:43.000Z (almost 5 years ago)
- Default Branch: main
- Last Pushed: 2025-01-09T20:54:30.000Z (over 1 year ago)
- Last Synced: 2025-02-25T10:46:44.300Z (over 1 year ago)
- Topics: ansible, ansible-role, opencast
- Homepage:
- Size: 9.77 KB
- Stars: 0
- Watchers: 3
- Forks: 3
- Open Issues: 5
Metadata Files:
- Readme: README.md
- License: LICENSE
README
Ansible: Opencast Certbot Role
==============================
This Ansible role configures TLS certificate renewal via certbot for Opencast.
Role Variables
--------------
- `opencast_certbot_letsencrypt_email`
  - Email address for the Let's Encrypt account (_required_).
  - This is used by Let's Encrypt to send certificate expiration warnings if necessary.
- `opencast_certbot_deploy_hook`
  - Command to run after certbot has updated the certificate. The value is optional.
    Already created certificates will not be updated.
- `opencast_certbot_enable_epel`
  - On RedHat systems the certbot package lives in the EPEL repository. Here you can enable (value: `true`)
    or disable (value: `false`) installation of the `epel-release` package (default: `true`).
    On RedHat installations with Satellite this property can be handy.
  - On Debian-based systems this property does nothing.
Dependencies
------------
Certbot runs an ACME Webroot challenge to obtain a certificate. This requires a web server that
exposes the path `/var/lib/nginx/` (especially the subdirectory `.well-known/acme-challenge`)
over HTTP. This can be done using the Ansible role `elan.opencast_nginx` or others.
The `elan.opencast_nginx` role is no longer a hard dependency.
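
A pre-flight check for the webroot requirement described above, as an added example that is not part of this role: it writes a random probe file under `.well-known/acme-challenge` and confirms the web server returns it unchanged over HTTP. The names `check_webroot`, `serve_directory` and `demo` are hypothetical, and the loopback server and temporary directories are constructed stand-ins for the real web server and `/var/lib/nginx/`.

```python
import functools, http.server, secrets, tempfile, threading
import urllib.error, urllib.request
from pathlib import Path

def check_webroot(webroot, base_url, timeout=5.0):
    """Drop a random probe into <webroot>/.well-known/acme-challenge/ and
    fetch it over HTTP. Returns (ok, detail)."""
    challenge_dir = Path(webroot) / ".well-known" / "acme-challenge"
    challenge_dir.mkdir(parents=True, exist_ok=True)
    name = "preflight-" + secrets.token_hex(16)
    body = secrets.token_hex(32)
    probe = challenge_dir / name
    probe.write_text(body)
    url = f"{base_url.rstrip('/')}/.well-known/acme-challenge/{name}"
    # Ignore proxy settings: the probe must reach the web server directly.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            served = resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as exc:
        return False, f"HTTP {exc.code} for {url}"
    except OSError as exc:  # connection refused, timeout, DNS failure
        return False, f"request failed: {exc}"
    finally:
        probe.unlink(missing_ok=True)  # never leave probe files behind
    if served != body:
        return False, "body mismatch: another docroot or a catch-all page answered"
    return True, "probe served unchanged"

class _QuietHandler(http.server.SimpleHTTPRequestHandler):
    def log_message(self, *args):  # keep the demo output clean
        pass

def serve_directory(directory):
    """Constructed stand-in for the real web server: serve `directory` on loopback."""
    handler = functools.partial(_QuietHandler, directory=str(directory))
    server = http.server.ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_address[1]}"

def demo():
    """Check a matching docroot and a mismatched one (both constructed)."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as other:
        server, url = serve_directory(good)
        try:
            return check_webroot(good, url), check_webroot(other, url)
        finally:
            server.shutdown()
            server.server_close()

if __name__ == "__main__":
    print(demo())
```

On a real host, call `check_webroot("/var/lib/nginx", "http://<your-hostname>")` before the first certbot run; a failure here means the ACME Webroot challenge would fail for the same reason.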
Example Playbook
----------------
Example of how to configure and use the role:
```yaml
- hosts: servers
  become: true
  roles:
    - elan.opencast_nginx
    - role: elan.opencast_certbot
      opencast_certbot_letsencrypt_email: admin@example.com
      opencast_certbot_deploy_hook: /usr/bin/systemctl reload nginx
```