homeserver/roles/hispanico.nginx-revproxy/tasks/letsencrypt.yml
2020-08-18 11:57:53 +02:00


---
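- name: Install certbot
  # Supply-chain note: this task fetches an executable over the network that is
  # later run as root (cert issuance, cron renewal).  Pin it by setting
  # `certbot_auto_checksum` in the role vars, formatted as
  # "sha256:<hex digest>" (placeholder — take the digest from the upstream
  # release).  When the variable is unset the parameter is omitted and the
  # download stays unverified, which is the original behaviour.
  # NOTE(review): upstream has since deprecated the certbot-auto wrapper in
  # favour of OS packages; confirm the URL still serves a maintained script.
  # The tag is spelled `lesencrypt` throughout this file; keep it so existing
  # `--tags lesencrypt` invocations keep working.
  get_url:
    url: https://dl.eff.org/certbot-auto
    dest: /usr/bin/certbot-auto
    mode: "a+x"
    checksum: "{{ certbot_auto_checksum | default(omit) }}"
    # Module default, stated explicitly so a later edit cannot turn it off
    # without the change being visible in review.
    validate_certs: true
  tags:
    - lesencrypt
    - nginxrevproxy
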
- name: Get Active Sites
  # Snapshot of the currently enabled vhosts; later tasks use it to skip sites
  # that are already live.  `ls -1` yields one sorted name per line, which is
  # what the comparison against the sorted role-var keys below depends on.
  command: ls -1 /etc/nginx/sites-enabled/
  register: active
  # The listing never modifies the host; report "changed" only when the
  # enabled set differs from the configured `nginx_revproxy_sites` keys.
  changed_when: active.stdout_lines != (nginx_revproxy_sites.keys() | sort)
  # Still executed under --check so `active` is defined for dependent tasks.
  check_mode: false
  tags:
    - lesencrypt
    - nginxrevproxy

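- name: Enable sites for ACME protocol
  # Runs only when the enabled-site listing disagrees with the role vars and
  # nginx is already installed.  `nginxinstalled` is registered outside this
  # file — presumably by the role's install tasks; confirm before relying on
  # it.  Every task inside the block inherits this `when`.
  when:
    - active.changed
    - nginxinstalled is success
  tags:
    - lesencrypt
    - nginxrevproxy
  block:
    - name: Add Https Site Config
      # Presumably the pre-certificate vhost that exposes the ACME webroot used
      # by the "Generate certs" task — confirm against the template source.
      template:
        src: reverseproxy_ssl.conf.j2
        dest: /etc/nginx/sites-available/{{ item.key }}.conf
        owner: root
        group: root
        # Explicit mode: without it the template module falls back to the
        # target's umask, so the config's permissions would vary across hosts.
        mode: "0644"
      with_dict: "{{ nginx_revproxy_sites }}"
      register: siteconfig
      when:
        - item.value.letsencrypt | default(False)
        - item.key not in active.stdout_lines

    - name: Enable Site Config
      file:
        src: /etc/nginx/sites-available/{{ item.key }}.conf
        dest: /etc/nginx/sites-enabled/{{ item.key }}
        state: link
      with_dict: "{{ nginx_revproxy_sites }}"
      register: site_enabled
      when:
        # `siteconfig` is a loop result; `is success` is expected to hold when
        # no item failed — verify if a partial failure must block linking.
        - siteconfig is success
        # Under --check nothing was templated, so the link target is missing
        # and creating the symlink would fail.
        - not ansible_check_mode
        - item.value.letsencrypt | default(False)
        - item.key not in active.stdout_lines

    - name: Reload Nginx
      # Reloaded inline on purpose rather than via the `Reload Nginx` handler:
      # the certificate request that follows needs the new vhost serving right
      # away, and a handler would only fire at the end of the play.
      service:
        name: nginx
        state: reloaded
      when:
        - site_enabled is success
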
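- name: Generate certs (first time)
  # Requests the initial certificate via the webroot (http-01) method.
  # `command` rather than `shell` is deliberate: the domain list and e-mail
  # come from role vars and are passed as argv entries, never through a shell,
  # so they cannot be interpreted as shell syntax.  The folded scalar joins the
  # lines into one command line.  Assumes `item.value.domains` is a non-empty
  # list and `letsencrypt_email` is set for every letsencrypt-enabled site —
  # an undefined value fails the task rather than issuing a cert.
  command: >-
    certbot-auto certonly
    --webroot -w /var/www/{{ item.key }}
    -d {{ item.value.domains | join(' -d ') }}
    --email {{ item.value.letsencrypt_email }}
    --non-interactive --cert-name {{ item.key }}
    --agree-tos
  args:
    # Idempotence guard, moved out of the legacy inline `creates=` form: the
    # task is skipped once the live chain for this site exists.
    creates: /etc/letsencrypt/live/{{ item.key }}/fullchain.pem
  with_dict: "{{ nginx_revproxy_sites }}"
  when: item.value.letsencrypt | default(False)
  tags:
    - lesencrypt
    - nginxrevproxy
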
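- name: Update Site Config
  # Presumably installs the TLS-enabled vhost now that a certificate exists
  # (confirm against the template).  Unlike the bootstrap block, the reload can
  # wait for the handler at the end of the play, hence `notify`.
  template:
    src: reverseproxy_ssl_letsencrypt.conf.j2
    dest: /etc/nginx/sites-available/{{ item.key }}.conf
    owner: root
    group: root
    # Explicit mode instead of the target's umask, so permissions are the same
    # on every host.
    mode: "0644"
  with_dict: "{{ nginx_revproxy_sites }}"
  notify: Reload Nginx
  when:
    - item.value.letsencrypt | default(False)
  tags:
    - lesencrypt
    - nginxrevproxy
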
- name: Insert cert-bot renew in crontab
  # Weekly renewal attempt at 03:30 on Mondays (host local time).  `renew`
  # only acts on certificates nearing expiry, so with certbot's default renewal
  # window a weekly run still leaves several retries before a cert lapses.
  # Output is appended to a log under /var/log/letsencrypt; that directory is
  # assumed to be created by certbot — if it is missing the redirect fails.
  # The post-hook reloads nginx only when a certificate was actually renewed.
  cron:
    name: "cert-bot renew"
    minute: "30"
    hour: "3"
    weekday: "1"
    job: 'certbot-auto renew --post-hook "systemctl reload nginx" >> /var/log/letsencrypt/letsencrypt-update.log 2>&1'
    state: present
  tags:
    - lesencrypt
    - nginxrevproxy