Add lego_version parameter and update to lego 5.x

README.md

@@ -27,6 +27,10 @@ No dependencies required.
 
 ## Role Variables
 
+- `lego_version`:
+    - Version of lego to install (tag in its GitHub repo). Simple appended to `https://api.github.com/repos/go-acme/lego/releases/tags/`.
+    - Required
+
 - `lego_email`:
     - Domain administrators email address. It will be passed to the ACME provider (e.g. LetsEncrypt).
     - Required
@@ -52,7 +56,7 @@ No dependencies required.
     - Default: `[]`
 
 - `lego_hook`:
-    - Lego run/renew certificate hook. The hook is executed only when the certificates are effectively obtained/renewed.
+    - Lego run/renew certificate hook. The hook is executed only when the certificates are effectively obtained/renewed. Can be a multi line string to include multiple commands.
     - Default:
 
 - `lego_link_certificate_path`:

files/lego-renew.sh

@@ -2,6 +2,7 @@
 
 CONF_DIR="/etc/lego"
 LEGO_BIN="/opt/lego/lego"
+HOOK_SCRIPT="/opt/lego/hook.sh"
 DOMAIN="$1"
 CERT_PATH="${CONF_DIR}/certificates/${DOMAIN}.crt"
 
@@ -12,10 +13,5 @@ test -f "${CONF_DIR}/config/${DOMAIN}" && . "${CONF_DIR}/config/${DOMAIN}"
 set +a
 
 set -e
-if [ -f "${CERT_PATH}" ]; then
-    echo "Renew ${DOMAIN} certificate if needed"
-    "${LEGO_BIN}" --accept-tos --path "${CONF_DIR}" $ARGS $DOMAIN_ARGS renew --renew-hook "$HOOK"
-else
-    echo "Obtain ${DOMAIN} certificate"
-    "${LEGO_BIN}" --accept-tos --path "${CONF_DIR}" $ARGS $DOMAIN_ARGS run --run-hook "$HOOK"
-fi
+echo "Obtaining/renewing ${DOMAIN} certificate"
+"${LEGO_BIN}" run --accept-tos --path "${CONF_DIR}" $ARGS $DOMAIN_ARGS --deploy-hook "$HOOK_SCRIPT"

molecule/default/converge.yml

@@ -8,6 +8,7 @@
 - name: Converge
   hosts: all
   vars:
+    lego_version: v5.2.2
     lego_email: lego@localhost
     lego_domains:
       - molecule.lego.elan

tasks/main.yml

@@ -14,7 +14,7 @@
 
 - name: Fetch download URL
   ansible.builtin.uri:
-    url: https://api.github.com/repos/go-acme/lego/releases/latest
+    url: https://api.github.com/repos/go-acme/lego/releases/tags/{{ lego_version }}
     return_content: true
   register: lego_release_latest
 
@@ -100,6 +100,15 @@
     mode: "0755"
   notify: Renew certificate
 
+- name: Install hook script
+  ansible.builtin.template:
+    src: hook.sh
+    dest: /opt/lego/
+    owner: root
+    group: root
+    mode: "0755"
+  notify: Renew certificate
+
 - name: Create service and timer definitions
   ansible.builtin.copy:
     src: "{{ item }}"

templates/env_domain

@@ -1,5 +1,4 @@
 DOMAIN_ARGS="{{ lego_domain_extra_args | join(' ') }}{% for lego_domain in lego_domains %} --domains {{ lego_domain }}{% endfor %}"
-HOOK="{{ lego_hook }}"
 
 {% for lego_domain_env_var in lego_domain_env_vars %}
 {{ lego_domain_env_var }}

templates/hook.sh

@@ -0,0 +1,3 @@
+#!/bin/sh
+
+{{ lego_hook }}