main.yml

    main.yml 5.81 KiB
    ---
    
    # Contact address registered with the ACME account. Taken from the adminaddr
    # variable, which is not defined in this file and must come from elsewhere.
    acmebot_account_mail: "{{ adminaddr }}"
    # Upstream release to install, pinned by tag.
    # NOTE(review): a tag is a mutable ref; if the install task fetches it from a
    # remote, consider pinning a commit id or verifying a checksum as well.
    acmebot_version: "v2.7.0"
    # NOTE(review): presumably enables acmebot's own check for newer releases,
    # which would mean an outbound request from the host -- confirm in the template.
    acmebot_enable_update_check: true
    
    # Per-host overrides. Presumably merged over acmebot_default_settings by the
    # role's tasks or templates (the merge itself is not visible in this file).
    acmebot_settings: {}
    # Role defaults for the acmebot configuration; override individual keys via
    # acmebot_settings rather than editing this mapping.
    acmebot_default_settings:
      log_level: "detail"
      color_output: true
    
      # Let's Encrypt ACME v2 directory. Certificates issued here are publicly
      # trusted and subject to the CA's rate limits; point test runs at a staging
      # directory through acmebot_settings instead.
      acme_directory_url: "https://acme-v02.api.letsencrypt.org/directory"
      public_suffix_list_url: "https://publicsuffix.org/list/public_suffix_list.dat"
      # Plain HTTP is normal for OCSP: responses are signed by the CA, so the
      # transport does not need to provide integrity.
      # NOTE(review): int-x3 names the responder of an older Let's Encrypt
      # intermediate; verify that it still matches the CA issuing your certificates.
      ocsp_responder_urls:
        - "http://ocsp.int-x3.letsencrypt.org"
      # NOTE(review): when set, these are presumably external commands executed by
      # acmebot (which writes files as root, see file_user). Use absolute paths to
      # binaries that only root can modify -- confirm against the acmebot docs.
      reload_zone_command: null
      nsupdate_command: null
      # HPKP has been removed from the major browsers; leaving the report URI
      # unset is the expected state for new deployments.
      hpkp_report_uri: null
      # Certificate Transparency logs that certificates are submitted to.
      ct_submit_logs:
        - "google_argon"
        - "google_xenon"
    
      # NOTE(review): presumably the owner and group applied to generated key and
      # certificate files. With root:root, any service that reads the private keys
      # must start as root or be granted access explicitly -- confirm the file
      # modes acmebot applies before widening the group.
      file_user: root
      file_group: root
    
      # Key material defaults. Both an RSA and an ECDSA certificate are produced
      # unless the respective setting is null.
      key_size: 4096  # null to turn off RSA certificates
      key_curve: "secp384r1"  # null to turn off ECDSA certificates
      key_cipher: null
      # With the default of null, private keys are stored unencrypted on disk, so
      # their confidentiality rests on file ownership and permissions alone.
      key_passphrase: null  # null to turn off private key encryption
      dhparam_size: 2048  # null to turn off custom dhparams
      ecparam_curve: "secp384r1"  # null to turn off custom EC params
    
      # NOTE(review): follower_mode presumably marks hosts that receive keys and
      # certificates from a primary instead of issuing them -- confirm in the
      # acmebot docs.
      follower_mode: false
      # With must-staple off, a client that soft-fails revocation checks will still
      # accept a revoked certificate when it cannot reach the OCSP responder.
      ocsp_must_staple: false  # application support isn't good enough
      auto_rollover: true  # must be false on followers
      pin_subdomains: false
      # NOTE(review): verify presumably lists ports on which the deployed
      # certificate is checked after installation; null leaves that check off.
      verify: null  # e.g. [443]
      services: null  # e.g. [nginx-proxy]
    
      # Lifetimes, retry counts and delays. Units are not stated in this file:
      # the *_days keys are days by name, and the delay/time values are presumably
      # seconds -- confirm against the acmebot documentation.
      hpkp_days: 60
      # Certificates are presumably renewed once fewer than this many days remain.
      renewal_days: 30
      # NOTE(review): presumably the private key lifetime that drives
      # auto_rollover -- confirm before changing.
      expiration_days: 730
      max_dns_lookup_attempts: 60
      dns_lookup_delay: 10
      max_domains_per_order: 100
      max_authorization_attempts: 30
      authorization_delay: 10
      cert_poll_time: 30
      max_ocsp_verify_attempts: 10
      ocsp_verify_retry_delay: 5
      min_run_delay: 300
      max_run_delay: 3600
    
    # File name suffix per key type, used to tell RSA and ECDSA files apart.
    # A suffix can be the empty string, e.g. when only one key type is in use.
    # acmebot_key_suffixes holds per-host overrides, presumably merged over the
    # defaults below by the role.
    acmebot_key_suffixes: {}
    acmebot_default_key_suffixes:
      rsa: ".rsa"
      ecdsa: ".ecdsa"
    
    # format strings with: name (of privkey or cert), key_type, suffix, server
    # http_challenge uses: zone, host (without zone, "." if fqdn == zone), fqdn
    # if http_challenge is set, defaults to http-01
    #   set to null for specified certs to use dns-01 for those
    # Per-host overrides for acmebot_default_directories; presumably merged over
    # the defaults by the role (merge not visible here).
    acmebot_directories: {}
    acmebot_default_directories:
      pid: "/run/acmebot"
      log: "/var/log/acmebot"
      resource: "/var/lib/acmebot"
      temp: null