refactor: remove deprecated certificate management playbooks and hooks

2026-03-17 17:29:26 +00:00
parent 0a053c1cd6
commit e472d83372
6 changed files with 6 additions and 926 deletions
--- a/ansible/certbot/deploy.yml
+++ b/ansible/certbot/deploy.yml
@@ -138,16 +138,6 @@
        state: present
        virtualenv: "{{ certbot_directory }}/.venv"

-    - name: Install OCI CLI in certbot venv (vault upload hosts)
-      become: true
-      become_user: "{{ certbot_user }}"
-      ansible.builtin.pip:
-        name:
-          - oci-cli
-        state: present
-        virtualenv: "{{ certbot_directory }}/.venv"
-      when: certbot_vault_upload | default(false)
-
    # -------------------------------------------------------------------------
    # Namecheap Credentials
    # -------------------------------------------------------------------------
@@ -179,7 +169,7 @@
    # Renewal Hooks
    # -------------------------------------------------------------------------

-    - name: Template renewal hook script (HAProxy reload)
+    - name: Template renewal hook script
      become: true
      ansible.builtin.template:
        src: renewal-hook.sh.j2
@@ -187,17 +177,6 @@
        owner: "{{ certbot_user }}"
        group: "{{ certbot_group }}"
        mode: '0750'
-      when: not (certbot_vault_upload | default(false))
-
-    - name: Template vault upload hook script
-      become: true
-      ansible.builtin.template:
-        src: vault-upload-hook.sh.j2
-        dest: "{{ certbot_directory }}/hooks/renewal-hook.sh"
-        owner: "{{ certbot_user }}"
-        group: "{{ certbot_group }}"
-        mode: '0750'
-      when: certbot_vault_upload | default(false)

    - name: Create Prometheus textfile directory
      become: true
@@ -289,24 +268,13 @@
    - name: Run renewal hook after certificate requests
      become: true
      ansible.builtin.command: "{{ certbot_directory }}/hooks/renewal-hook.sh"
-      environment: >-
-        {{ {'RENEWED_LINEAGE': certbot_directory + '/config/live/' + item.item.cert_name}
-           if certbot_vault_upload | default(false) else {} }}
+      environment:
+        RENEWED_LINEAGE: "{{ certbot_directory }}/config/live/{{ item.item.cert_name }}"
      loop: "{{ certbot_requests.results | default([]) }}"
      when: item.changed | default(false)
      loop_control:
        label: "{{ item.item.cert_name }}"

-    - name: Ensure vault is populated with current certificates
-      become: true
-      ansible.builtin.command: "{{ certbot_directory }}/hooks/renewal-hook.sh"
-      environment:
-        RENEWED_LINEAGE: "{{ certbot_directory }}/config/live/{{ item.cert_name }}"
-      loop: "{{ _certbot_certs }}"
-      when: certbot_vault_upload | default(false)
-      loop_control:
-        label: "{{ item.cert_name }}"
-
    # -------------------------------------------------------------------------
    # Systemd Timer for Auto-Renewal
    # -------------------------------------------------------------------------