provision.yml

---
- name: Provision a new server with SSH key, and updated software
  hosts: all

  # Specify the user you want to connect to the server.
  # With a new installation, you will connect with `root`. If you want to
  # re-run this playbook at a later date, you should change `remote_user` to
  # the user you specified under `vars/username` below and uncomment the
  # `become: true` line. You should then run the playbook using the
  # `--ask-become-pass` flag, like so:
  # `ansible-playbook -k provision.yml --ask-become-pass`.
  remote_user: root
  # become: true

  vars:
    username: host

    # Check provision.README.md for information about creating a hashed password
    password: $6$rounds=656000$nu8NSZXJ5.7PTfjq$5fvlD50cJ9Wa60NLxneLpdS1PxzagQkjM2W6x9DfN/VJM5NBUeVEvlRTXsG5H7nV0zwH3xFyRTdVorJZTzkHZ.
    public_key: ~/.ssh/id_rsa.pub

  roles:
    - domainname
    - user
    - packages
    - ssh


- name: Store known hosts of 'all' the hosts in the inventory file
  hosts: localhost
  connection: local

  vars:
    ssh_known_hosts_file: "{{ lookup('env','HOME') + '/.ssh/known_hosts' }}"
    ssh_known_hosts: "{{ groups['all'] }}"

  tasks:

  - name: For each host, scan for its ssh public key
    shell: "ssh-keyscan {{ item }},`dig +short {{ item }}`"
    with_items: "{{ ssh_known_hosts }}"
    register: ssh_known_host_results
    ignore_errors: yes

  - name: Add/update the public key in the '{{ ssh_known_hosts_file }}'
    known_hosts:
      name: "{{ item.item }}"
      key: "{{ item.stdout }}"
      path: "{{ ssh_known_hosts_file }}"
    with_items: "{{ ssh_known_host_results.results }}"


- name: Get certificates

  hosts: all

  remote_user: root

  vars_files: vars_with_secret.yml
  vars:
    words: "{{ inventory_hostname.split('.') }}"
    domain_name: "{{ words[0]+'.ext.'+'.'.join(words[1:]) }}"

  tasks:
    - include_tasks: letsencrypt.yml
      with_items:
        - "{{ domain_name }}"

    - include_tasks: letsencrypt-subdomain.yml
      with_items:
        - "{{ subdomains }}"

    - name: Reboot
      reboot:
        reboot_timeout: 3600
      become: true