add nginx role

roles/nginx/tasks/certbot.yml

@@ -0,0 +1,46 @@
+---
+
+- name: Esnure certbot installed
+  ansible.builtin.apt:
+    name:
+      - certbot
+      - python3-certbot-nginx
+    state: present
+
+- name: Check if certificate exists
+  ansible.builtin.stat:
+    path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
+  register: cert
+
+- name: Get current certificate info
+  community.crypto.x509_certificate_info:
+    path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
+  register: certinfo
+
+- name: Set fact to regenerate certificates if new domains are added
+  ansible.builtin.set_fact:
+    certbot_regenerate: true
+  when: item.name is defined and 'DNS:' + item.name not in certinfo.subject_alt_name
+  loop: "{{ nginx_servers }}"
+
+- name: Generate new certificate if one doesn't exist.
+  ansible.builtin.command: >
+    certbot --nginx certonly
+    --non-interactive
+    --email {{ certbot_admin_email }}
+    --agree-tos
+    --expand
+    --domains {{ ansible_fqdn }}{% for server in nginx_servers %}{% if server.name is defined %},{{ server.name }}{% endif %}{% endfor %}
+  when: not cert.stat.exists or certbot_regenerate
+  notify: Reload nginx
+
+- name: Ensure certificate configured for nginx
+  ansible.builtin.template:
+    src: letsencrypt.conf.j2
+    dest: /etc/nginx/conf.d/letsencrypt.conf
+    mode: 0644
+  notify: Reload nginx
+
+- name: Add ssl header config to the list of configs
+  ansible.builtin.set_fact:
+    nginx_confs: "{{ nginx_confs + ['ssl-headers'] }}"