

---
# Record the bouncer server's SSH host key in the known_hosts file of the
# updater account (the task runs as that user via become_user).
# Presumably this lets the wrapper script's SSH connections verify the
# server against a pinned key instead of trusting it on first use.
# NOTE(review): the known_hosts module expects `key` to be a complete
# known_hosts entry (host, key type, key data). Confirm the pubkey
# variable is supplied in that form and was obtained out of band.
- name: Add bouncer server to known_hosts
  become: true
  become_user: "{{ acmedns_bouncer_updater_user }}"
  known_hosts:
    key: "{{ acmedns_bouncer_updater_bouncer_server_pubkey }}"
    name: "{{ acmedns_bouncer_updater_bouncer_server }}"
# Render the wrapper script from its Jinja2 template to the configured path.
# Ownership is root:<updater group> with mode 0750, so only root can modify
# the script, the group can read and execute it, and others have no access.
# NOTE(review): the sudoers task in this file lets users run this exact
# path as the updater user, so the script and every directory above it
# must stay non-writable by anyone but root. Confirm the updater user is
# a member of the group, otherwise it cannot execute the file.
- name: Install script
  template:
    src: acmedns_update.sh.j2
    dest: "{{ acmedns_bouncer_updater_script_path }}"
    mode: "0750"
    group: "{{ acmedns_bouncer_updater_group }}"
    owner: root
# Set MAILTO in the role's cron file so cron mails job output to the
# configured address.
# NOTE(review): whatever the wrapper script prints is sent to this
# address. Confirm the script does not echo credentials or key material.
- name: Configure cronvar
  cronvar:
    cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
    name: MAILTO
    value: "{{ acmedns_bouncer_updater_email }}"
# Schedule the wrapper script once a day at 03:47 in the role's cron file.
# The job runs as the unprivileged updater user, not as root.
- name: Configure cronjob
  cron:
    name: "{{ acmedns_bouncer_updater_job_name }}"
    cron_file: "{{ acmedns_bouncer_updater_cron_file }}"
    user: "{{ acmedns_bouncer_updater_user }}"
    job: "{{ acmedns_bouncer_updater_script_path }}"
    minute: "47"
    hour: "3"
    day: "*"
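# Render the cipher configuration snippet next to the stored certificates.
# Module arguments are written as a native YAML mapping rather than a
# key=value string, and the mode is quoted so it is always passed as the
# string "0644" and never reinterpreted as a number.
# NOTE(review): mode 0644 makes this file world-readable inside the
# certificate storage tree. That is fine for cipher settings; confirm the
# template never contains key material. No group is set here, as in the
# original task.
- name: Copy a new "httpd-ssl.conf-cipher" file into place
  template:
    src: acmedns_httpd-ssl.conf-cipher
    dest: /etc/acmedns/certificates/storage/certificates/httpd-ssl.conf-cipher
    owner: root
    mode: "0644"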
# Optionally run the wrapper once during provisioning, as the updater user.
# The wrapper script passes --days, so this does not contact Let's Encrypt
# unless a renewal is actually needed.
# NOTE(review): with no changed_when, a command task reports "changed" on
# every run. Confirm that is acceptable for this play.
- name: Run wrapper script once
  when: acmedns_bouncer_updater_runonce | bool
  become: true
  become_user: "{{ acmedns_bouncer_updater_user }}"
  command: "{{ acmedns_bouncer_updater_script_path }}"
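# Grant every local user passwordless sudo for the wrapper script, running
# it as the updater user. The file is checked with visudo before it is
# installed, so a malformed rule cannot break sudo.
#
# Changes from the previous version of this task:
# - `regexp` makes the rule converge. Without it, changing the user or
#   script path appended a second line and left the old NOPASSWD grant
#   in place.
# - mode is 0440, which is the default mode sudo expects for sudoers files.
#
# NOTE(review): this grant is only as safe as the script it names.
# - The script and its parent directories must be writable by root only.
# - A sudoers command with no argument list may be run with any
#   arguments. Confirm the wrapper ignores or validates its arguments,
#   or restrict them in the rule.
# - sudo skips files in /etc/sudoers.d whose names contain a "." or end
#   in "~". Confirm the job name contains neither (and no spaces), or
#   the rule is silently not loaded.
- name: Allow all users to run wrapper script as our user
  lineinfile:
    path: "/etc/sudoers.d/acmedns_{{ acmedns_bouncer_updater_job_name }}"
    regexp: '^ALL ALL=\('
    line: "ALL ALL=({{ acmedns_bouncer_updater_user }}) NOPASSWD: {{ acmedns_bouncer_updater_script_path }}"
    owner: root
    group: root
    mode: "0440"
    create: true
    validate: 'visudo -cf %s'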