Quick-and-dirty Ansible playbook to deploy rootless acme.sh, based on https://gist.github.com/Greelan/28a46a33140b65c9a045573ca460f044
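---
# Deploys acme.sh as the unprivileged system user `acme` and issues a wildcard
# certificate for `mydomain` (apex + *.apex) through the deSEC DNS-01 hook.
# Renewal is driven by the acme_renew.timer / acme_renew.service units rendered
# from the acme_renew.service.j2 / acme_renew.timer.j2 templates; acme.sh's own
# cron job is removed afterwards so there is only one renewal path.
#
# Required vars — supply them with --extra-vars or from an Ansible Vault file,
# never by committing real values here:
#   mydomain    - apex domain to issue for
#   dedyn_token - deSEC API token consumed by the dns_desec hook (a secret)
#   email       - contact address for the ZeroSSL account
- name: Set up ACME wildcard certificate using acme.sh
  hosts: cloud
  become: true
  vars:
    mydomain: ""
    dedyn_token: ""
    email: ""
  tasks:
    - name: Create system user for acme
      user:
        name: acme
        create_home: true
        home: /var/lib/acme
        shell: /usr/sbin/nologin
        system: true

    - name: Create directory for certificates
      file:
        path: "/etc/ssl/certs/{{ mydomain }}"
        state: directory
        owner: acme
        # Quoted on purpose: a bare 0710 is read as an octal integer by YAML
        # and handed to the module as a decimal value.
        mode: "0710"

    # Least-privilege escalation: the acme user may only reload caddy.
    # `validate` runs visudo on the candidate file first, so a malformed
    # line cannot leave the host with an unusable /etc/sudoers.
    # (A drop-in under /etc/sudoers.d/ would be cleaner where #includedir
    # is configured.)
    - name: Add sudoers rule for acme user
      lineinfile:
        path: /etc/sudoers
        line: 'acme ALL=(ALL) NOPASSWD: /bin/systemctl reload caddy.service'
        validate: /usr/sbin/visudo -cf %s

    # `package` dispatches to apt/yum/dnf for the host's OS family, replacing
    # the two per-family tasks.
    - name: Install socat
      package:
        name: socat
        state: present

    - name: Set up acme.sh as the acme user
      become: true
      become_user: acme
      block:
        - name: Clone acme.sh
          git:
            repo: https://github.com/Neilpang/acme.sh.git
            dest: /var/lib/acme/acme.sh
            clone: true
            # TODO(review): pin `version:` to a release tag — an unpinned
            # clone executes whatever HEAD is on the next run.

        # `creates` makes the install step idempotent: it is skipped once
        # the installed copy exists.
        - name: Install acme.sh
          command: ./acme.sh --install
          args:
            chdir: /var/lib/acme/acme.sh
            creates: /var/lib/acme/.acme.sh/acme.sh

        - name: Register ZeroSSL account
          command: /var/lib/acme/.acme.sh/acme.sh --register-account -m "{{ email }}" --server zerossl

        # Folded scalar (>-) instead of backslash continuations: inside a
        # YAML scalar a trailing `\` is not a line continuation, it becomes a
        # literal `\` argument on the command line.
        # Guarded by the installed fullchain so a re-run does not re-issue
        # with --force and burn CA rate limits; delete the file to force a
        # fresh issue.
        # no_log keeps the DNS API token out of task output and logs.
        - name: Create certificate
          command: >-
            /var/lib/acme/.acme.sh/acme.sh --issue
            -d {{ mydomain }} -d *.{{ mydomain }}
            -k ec-384 --dns dns_desec --force
          args:
            creates: "/etc/ssl/certs/{{ mydomain }}/fullchain.pem"
          environment:
            DEDYN_TOKEN: "{{ dedyn_token }}"
          no_log: true

        # The reloadcmd is stored by acme.sh and rerun on every renewal.
        # ignore_errors stays: the reload fails when caddy is not yet
        # installed/running, but by then the files have presumably already
        # been written — confirm against the acme.sh version in use.
        - name: Install certificate with reloadcmd
          command: >-
            /var/lib/acme/.acme.sh/acme.sh --install-cert --ecc --domain {{ mydomain }}
            --ca-file /etc/ssl/certs/{{ mydomain }}/chain.pem
            --key-file /etc/ssl/certs/{{ mydomain }}/key.pem
            --fullchain-file /etc/ssl/certs/{{ mydomain }}/fullchain.pem
            --reloadcmd "sudo systemctl reload caddy.service" --force
          args:
            creates: "/etc/ssl/certs/{{ mydomain }}/fullchain.pem"
          ignore_errors: true

        # Renewal is handled by the systemd timer below, not by cron.
        - name: Uninstall cron job
          command: /var/lib/acme/.acme.sh/acme.sh --uninstall-cronjob --force

    # Recursive read ACL for caddy (covers key.pem, which caddy needs);
    # the directory itself stays owned by acme with mode 0710.
    - name: Add setfacl command to allow caddy user to access certificates
      command: setfacl -R -m u:caddy:rX /etc/ssl/certs/{{ mydomain }}

    - name: Create systemd service for certificate renewal
      template:
        src: acme_renew.service.j2
        dest: /etc/systemd/system/acme_renew.service
        owner: root
        group: root
        mode: "0644"

    - name: Create systemd timer for certificate renewal
      template:
        src: acme_renew.timer.j2
        dest: /etc/systemd/system/acme_renew.timer
        owner: root
        group: root
        mode: "0644"

    # daemon_reload is required so systemd picks up the freshly rendered
    # unit files; the systemd module does not reload on its own.
    - name: Start and enable systemd timer
      systemd:
        name: acme_renew.timer
        state: started
        enabled: true
        daemon_reload: true

    - name: Restart caddy service
      systemd:
        name: caddy
        state: restarted
        enabled: true
      ignore_errors: true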
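# acme_renew.service — one renewal pass of acme.sh as the unprivileged acme
# user. Started by acme_renew.timer; not intended to be enabled directly.
[Unit]
Description=Renew ACME certificates using acme.sh
# After= only orders this unit relative to the target; Wants= is what pulls
# network-online.target in, so without it the ordering has no effect.
Wants=network-online.target
After=network-online.target

[Service]
Type=oneshot
User=acme
Group=acme
# acme.sh keeps its state and config under $HOME/.acme.sh
Environment="HOME=/var/lib/acme"
ExecStart=/var/lib/acme/.acme.sh/acme.sh --cron
# Exit status 2 is treated as success — presumably acme.sh's "nothing due
# for renewal" code; confirm against the installed acme.sh version.
SuccessExitStatus=0 2
# Light sandboxing only: the stored reloadcmd runs `sudo systemctl reload
# caddy.service` and writes under /etc/ssl/certs, so NoNewPrivileges= and
# ProtectSystem=strict would break renewal unless ReadWritePaths= etc. are
# tuned first.
PrivateTmp=true
ProtectHome=true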
# acme_renew.timer — fires acme_renew.service (matched by unit name) daily.
[Unit]
Description=Daily renewal of ACME certificates
[Timer]
OnCalendar=daily
# Spread the start over up to an hour so a fleet does not hit the CA at once
RandomizedDelaySec=1h
# Run a missed trigger at next boot (e.g. host was off at the scheduled time)
Persistent=true
[Install]
WantedBy=timers.target