homeserver/roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml

---

- name: Install certbot
  get_url:
    url: https://dl.eff.org/certbot-auto
    dest: /usr/bin/certbot-auto
    mode: "a+x"
  tags:
    - lesencrypt
    - nginxrevproxy

- name: Get Active Sites
  command: ls -1 /etc/nginx/sites-enabled/
  changed_when: "active.stdout_lines != nginx_revproxy_sites.keys()|sort()"
  check_mode: false
  register: active
  tags:
    - lesencrypt
    - nginxrevproxy

- name: Enable sites for ACME protocol
  block:
    - name: Add Https Site Config
      template:
        src: reverseproxy_ssl.conf.j2
        dest: /etc/nginx/sites-available/{{ item.key }}.conf
        owner: root
        group: root
      with_dict: "{{ nginx_revproxy_sites }}"
      register: siteconfig
      when:
        - item.value.letsencrypt | default(False)
        - item.key not in active.stdout_lines

    - name: Enable Site Config
      file:
        src: /etc/nginx/sites-available/{{ item.key }}.conf
        dest: /etc/nginx/sites-enabled/{{ item.key }}
        state: link
      with_dict: "{{ nginx_revproxy_sites }}"
      register: site_enabled
      when:
        - siteconfig is success
        - not ansible_check_mode
        - item.value.letsencrypt | default(False)
        - item.key not in active.stdout_lines

    - name: Reload Nginx
      service:
        name: nginx
        state: reloaded
      when:
        - site_enabled is success
  when:
    - active.changed
    - nginxinstalled is success
  tags:
    - lesencrypt
    - nginxrevproxy

- name: Generate certs (first time)
  command: |
    certbot-auto certonly
    --webroot -w /var/www/{{ item.key }}
    -d {{ item.value.domains | join(' -d ') }}
    --email {{ item.value.letsencrypt_email }}
    --non-interactive --cert-name {{ item.key }}
    --agree-tos creates=/etc/letsencrypt/live/{{ item.key }}/fullchain.pem
  with_dict: "{{ nginx_revproxy_sites }}"
  when: item.value.letsencrypt | default(False)
  tags:
    - lesencrypt
    - nginxrevproxy

- name: Update Site Config
  template:
    src: reverseproxy_ssl_letsencrypt.conf.j2
    dest: /etc/nginx/sites-available/{{ item.key }}.conf
    owner: root
    group: root
  with_dict: "{{ nginx_revproxy_sites }}"
  notify: Reload Nginx
  when:
    - item.value.letsencrypt | default(False)
  tags:
    - lesencrypt
    - nginxrevproxy

- name: Insert cert-bot renew in crontab
  cron:
    name: "cert-bot renew"
    job: 'certbot-auto renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-update.log 2>&1'
    hour: "3"
    minute: "30"
    weekday: "1"
  tags:
    - lesencrypt
    - nginxrevproxy
first commit 2020-08-18 11:57:53 +02:00			`---`

			`- name: Install certbot`
			`get_url:`
			`url: https://dl.eff.org/certbot-auto`
			`dest: /usr/bin/certbot-auto`
			`mode: "a+x"`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`

			`- name: Get Active Sites`
			`command: ls -1 /etc/nginx/sites-enabled/`
			`changed_when: "active.stdout_lines != nginx_revproxy_sites.keys()\|sort()"`
			`check_mode: false`
			`register: active`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`

			`- name: Enable sites for ACME protocol`
			`block:`
			`- name: Add Https Site Config`
			`template:`
			`src: reverseproxy_ssl.conf.j2`
			`dest: /etc/nginx/sites-available/{{ item.key }}.conf`
			`owner: root`
			`group: root`
			`with_dict: "{{ nginx_revproxy_sites }}"`
			`register: siteconfig`
			`when:`
			`- item.value.letsencrypt \| default(False)`
			`- item.key not in active.stdout_lines`

			`- name: Enable Site Config`
			`file:`
			`src: /etc/nginx/sites-available/{{ item.key }}.conf`
			`dest: /etc/nginx/sites-enabled/{{ item.key }}`
			`state: link`
			`with_dict: "{{ nginx_revproxy_sites }}"`
			`register: site_enabled`
			`when:`
			`- siteconfig is success`
			`- not ansible_check_mode`
			`- item.value.letsencrypt \| default(False)`
			`- item.key not in active.stdout_lines`

			`- name: Reload Nginx`
			`service:`
			`name: nginx`
			`state: reloaded`
			`when:`
			`- site_enabled is success`
			`when:`
			`- active.changed`
			`- nginxinstalled is success`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`

			`- name: Generate certs (first time)`
			`command: \|`
			`certbot-auto certonly`
			`--webroot -w /var/www/{{ item.key }}`
			`-d {{ item.value.domains \| join(' -d ') }}`
			`--email {{ item.value.letsencrypt_email }}`
			`--non-interactive --cert-name {{ item.key }}`
			`--agree-tos creates=/etc/letsencrypt/live/{{ item.key }}/fullchain.pem`
			`with_dict: "{{ nginx_revproxy_sites }}"`
			`when: item.value.letsencrypt \| default(False)`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`

			`- name: Update Site Config`
			`template:`
			`src: reverseproxy_ssl_letsencrypt.conf.j2`
			`dest: /etc/nginx/sites-available/{{ item.key }}.conf`
			`owner: root`
			`group: root`
			`with_dict: "{{ nginx_revproxy_sites }}"`
			`notify: Reload Nginx`
			`when:`
			`- item.value.letsencrypt \| default(False)`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`

			`- name: Insert cert-bot renew in crontab`
			`cron:`
			`name: "cert-bot renew"`
			`job: 'certbot-auto renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-update.log 2>&1'`
			`hour: "3"`
			`minute: "30"`
			`weekday: "1"`
			`tags:`
			`- lesencrypt`
			`- nginxrevproxy`