preparation for role domaincontroller

roles/domaincontroller/tasks/certs.yml

@@ -0,0 +1,37 @@
+---
+- name: domaincontroller | certs | ensure step-ca root cert is trusted
+  include_role:
+    name: base
+    tasks_from: system_setup/import_stepca.yml
+
+- name: domaincontroller | certs | obtain certificate from step-ca via certbot
+  command: >
+    certbot certonly --standalone -n
+    -d {{ ansible_fqdn }}
+    --server {{ samba_stepca_server_url }}/acme/acme/directory
+    --agree-tos
+    --email admin@{{ samba_realm | lower }}
+  args:
+    creates: /etc/letsencrypt/live/{{ ansible_fqdn }}/fullchain.pem
+  notify: restart samba-ad-dc
+
+- name: domaincontroller | certs | create certbot.service override directory
+  file:
+    path: /etc/systemd/system/certbot.service.d
+    state: directory
+    mode: '0755'
+
+- name: domaincontroller | certs | create service override for step-ca
+  copy:
+    dest: /etc/systemd/system/certbot.service.d/override.conf
+    content: |
+      [Service]
+      Environment="REQUESTS_CA_BUNDLE=/root/root_ca.crt"
+    mode: '0644'
+  notify: systemd daemon-reload
+
+- name: domaincontroller | certs | enable and start certbot timer
+  systemd:
+    name: certbot.timer
+    state: started
+    enabled: true