47 lines
1.4 KiB
YAML
47 lines
1.4 KiB
YAML
---
|
|
|
|
- name: Esnure certbot installed
|
|
ansible.builtin.apt:
|
|
name:
|
|
- certbot
|
|
- python3-certbot-nginx
|
|
state: present
|
|
|
|
- name: Check if certificate exists
|
|
ansible.builtin.stat:
|
|
path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
|
|
register: cert
|
|
|
|
- name: Get current certificate info
|
|
community.crypto.x509_certificate_info:
|
|
path: /etc/letsencrypt/live/{{ ansible_fqdn }}/cert.pem
|
|
register: certinfo
|
|
|
|
- name: Set fact to regenerate certificates if new domains are added
|
|
ansible.builtin.set_fact:
|
|
certbot_regenerate: true
|
|
when: item.name is defined and 'DNS:' + item.name not in certinfo.subject_alt_name
|
|
loop: "{{ nginx_servers }}"
|
|
|
|
- name: Generate new certificate if one doesn't exist.
|
|
ansible.builtin.command: >
|
|
certbot --nginx certonly
|
|
--non-interactive
|
|
--email {{ certbot_admin_email }}
|
|
--agree-tos
|
|
--expand
|
|
--domains {{ ansible_fqdn }}{% for server in nginx_servers %}{% if server.name is defined %},{{ server.name }}{% endif %}{% endfor %}
|
|
when: not cert.stat.exists or certbot_regenerate
|
|
notify: Reload nginx
|
|
|
|
- name: Ensure certificate configured for nginx
|
|
ansible.builtin.template:
|
|
src: letsencrypt.conf.j2
|
|
dest: /etc/nginx/conf.d/letsencrypt.conf
|
|
mode: 0644
|
|
notify: Reload nginx
|
|
|
|
- name: Add ssl header config to the list of configs
|
|
ansible.builtin.set_fact:
|
|
nginx_confs: "{{ nginx_confs + ['ssl-headers'] }}"
|