---
- name: install certbot
  # package delegates to the platform's package module; the two apt-only
  # options below are passed through to apt on Debian-family hosts.
  ansible.builtin.package:
    name: certbot
    state: present
    install_recommends: false
    force_apt_get: true

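- name: get all server_name values
  # Discovery only runs when the caller did not supply a domain list.
  when: letsencrypt_domains == []
  changed_when: false
  register: letsencrypt_nginx_output
  ansible.builtin.shell:
    executable: /bin/bash
    # Folded scalar: both lines join into one command line. pipefail makes a
    # failing `nginx -T` (broken config, nginx missing) fail the task instead
    # of silently producing an empty domain list.
    cmd: >
      set -o pipefail;
      nginx -T 2>&1 | grep -v localhost | grep -P '^\s+server_name\s+.*;$' | sed -r 's/\s+server_name\s+(.*);/\1/' | uniq

- name: save result as list
  when: letsencrypt_domains == []
  ansible.builtin.set_fact:
    # split() flattens lines that carry several names into one list.
    # Catch-all (_), regex (~) and wildcard (*) server names cannot be issued
    # through the webroot challenge used below, so they are dropped; unique
    # removes repeats (uniq only drops adjacent ones) while keeping first-
    # occurrence order, so letsencrypt_domains[0] — the lineage name used by
    # the later tasks — stays the first real name in the nginx config.
    letsencrypt_domains: "{{ letsencrypt_nginx_output.stdout.split() | reject('match', '^[_~*]') | unique | list }}"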

- name: save domains list in a file
  # Registered so later tasks can both detect a changed domain set
  # (letsencrypt_save_list is changed) and find the file path for cleanup.
  register: letsencrypt_save_list
  ansible.builtin.copy:
    # one domain per line
    content: |
      {% for domain in letsencrypt_domains %}
      {{ domain }}
      {% endfor %}
    dest: "/etc/letsencrypt/domains.txt"

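- name: create webroot directory
  # Explicit mode matching the chmod 755 the renewal pre hook applies to the
  # same directory, so the challenge files are readable by the web server
  # regardless of the remote umask.
  ansible.builtin.file:
    path: "{{ letsencrypt_webroot }}"
    state: directory
    mode: "0755"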

- name: create pre hook directory
  # certbot's renewal pre-hook directory
  ansible.builtin.file:
    state: directory
    path: "/etc/letsencrypt/renewal-hooks/pre"

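- name: create pre hook script
  # certbot only runs executable files from renewal-hooks/, so the script
  # needs an explicit mode (copy does not set the execute bit by default).
  # The directory must be the same one passed to certbot with -w, i.e.
  # letsencrypt_webroot — a hard-coded path silently diverges when the
  # variable is overridden.
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/pre/mkdir
    mode: "0755"
    content: |
      #!/usr/bin/env bash
      CERTBOT_DOCROOT="{{ letsencrypt_webroot }}"
      mkdir -p "$CERTBOT_DOCROOT"
      chmod 755 "$CERTBOT_DOCROOT"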

- name: create deploy hook directory
  # certbot's renewal deploy-hook directory
  ansible.builtin.file:
    state: directory
    path: "/etc/letsencrypt/renewal-hooks/deploy"

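- name: create deploy hook script
  # Run by certbot after a successful renewal so nginx picks up the new
  # certificate; needs the execute bit, which copy does not set by default.
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx
    mode: "0755"
    content: |
      #!/usr/bin/env bash
      systemctl reload nginx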

- name: test generate certificates
  # Validate the whole domain set against the ACME test endpoint before
  # touching real certificates. Failure is tolerated here and handled by
  # the two tasks that follow.
  register: letsencrypt_dry_run
  ignore_errors: true
  changed_when: false
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
  ansible.builtin.command:
    # argv form: each element is passed as-is, no shell-style splitting
    argv:
      - certbot
      - certonly
      - --dry-run
      - -n
      - --agree-tos
      - -m
      - "{{ letsencrypt_email }}"
      - --webroot
      - -w
      - "{{ letsencrypt_webroot }}"
      - --expand
      - -d
      - "{{ letsencrypt_domains | join(',') }}"

- name: remove domains list file in case of failure
  # Dropping the file makes the copy task report a change on the next run,
  # so issuance is retried instead of being skipped.
  when: letsencrypt_dry_run is failed
  ansible.builtin.file:
    state: absent
    path: "{{ letsencrypt_save_list.dest }}"

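- name: exit in case of failure
  # Abort after the domains file has been removed, surfacing certbot's own
  # output so the failing domain can be found without rerunning by hand.
  when: letsencrypt_dry_run is failed
  ansible.builtin.fail:
    msg: "certbot dry run failed: {{ letsencrypt_dry_run.stderr | default(letsencrypt_dry_run.msg | default('')) }}"
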
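- name: generate certificates
  # Runs only for a changed domain set that passed the dry run. There is
  # deliberately no `creates:` guard: once a lineage for
  # letsencrypt_domains[0] exists, such a guard skipped this task, so
  # --expand never added newly discovered names to the certificate.
  notify: restart nginx
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
    - letsencrypt_dry_run is succeeded
  ansible.builtin.command:
    # Folded scalar with uniform indentation: the lines join into a single
    # command line, which the command module splits shell-style.
    cmd: >
      certbot certonly
      {% if letsencrypt_testing | default(false) %}--staging{% endif %}
      -n --agree-tos -m {{ letsencrypt_email }}
      --webroot -w {{ letsencrypt_webroot }}
      --expand
      -d {{ letsencrypt_domains | join(',') }}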

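- name: update nginx certificate configuration
  # Point both directives at the new lineage in one task; same gating as the
  # issuance task so nginx is never switched to a certificate that was not
  # produced. The regexp is anchored to the directive at line start so a
  # commented-out copy of it is not rewritten; \w already includes '_'.
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
    - letsencrypt_dry_run is succeeded
  notify: restart nginx
  ansible.builtin.lineinfile:
    path: /etc/nginx/conf.d/ssl_certificate.conf
    regexp: '^\s*{{ item.directive }}\s+[\w/.\-]+;'
    line: "{{ item.directive }} /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/{{ item.file }};"
  loop:
    - { directive: ssl_certificate, file: fullchain.pem }
    - { directive: ssl_certificate_key, file: privkey.pem }
  loop_control:
    label: "{{ item.directive }}"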