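---
# Obtain Let's Encrypt certificates via the HTTP-01 webroot challenge for
# either an explicit domain list or every server_name nginx currently serves,
# then point nginx at the issued chain and key.
#
# Variables expected from defaults/vars (not defined here): letsencrypt_domains,
# letsencrypt_webroot, letsencrypt_email, letsencrypt_testing.
# Handler expected to exist elsewhere in the role: "restart nginx".

- name: install certbot
  ansible.builtin.package:
    name: certbot
    # apt-specific arguments (ansible.builtin.package forwards them to the
    # distribution module) — NOTE(review): non-apt hosts would reject them;
    # confirm the role only targets Debian-family systems.
    force_apt_get: true
    install_recommends: false

# Discover the domain list from the running nginx configuration only when the
# caller did not provide one explicitly.
- name: get all server_name values
  when: letsencrypt_domains == []
  changed_when: false
  register: letsencryt_nginx_output
  ansible.builtin.shell:
    executable: /bin/bash
    # pipefail makes the task fail loudly when `nginx -T` fails or when no
    # server_name line survives the filters, instead of producing an empty list.
    cmd: >
      set -o pipefail;
      nginx -T 2>&1 | grep -v localhost | grep -P '^\s+server_name\s+.*;$' | sed -r 's/\s+server_name\s+(.*);/\1/' | uniq

- name: save result as list
  when: letsencrypt_domains == []
  ansible.builtin.set_fact:
    # A single server_name directive may carry several names, hence split().
    # The catch-all "_" is not a certificate subject and would make certbot
    # reject the whole request; `unique` also removes non-adjacent duplicates
    # that `uniq` in the pipeline above misses. Order is preserved because the
    # first entry names the certbot lineage used by the nginx tasks below.
    letsencrypt_domains: "{{ letsencryt_nginx_output.stdout.split() | reject('equalto', '_') | unique | list }}"

# This file is the change detector for the certbot tasks below: they only run
# when the domain set differs from the one recorded by the last successful run.
- name: save domains list in a file
  register: letsencrypt_save_list
  ansible.builtin.copy:
    dest: /etc/letsencrypt/domains.txt
    content: |
      {% for domain in letsencrypt_domains %}
      {{ domain }}
      {% endfor %}
    mode: "0644"

- name: create webroot directory
  ansible.builtin.file:
    path: "{{ letsencrypt_webroot }}"
    state: directory
    mode: "0755"

- name: create pre hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/pre
    state: directory
    mode: "0755"

# certbot runs every script in renewal-hooks/pre before a renewal attempt.
# The directory must be the same webroot passed to certbot with -w, otherwise
# the challenge file is written where nginx does not serve it.
- name: create pre hook script
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/pre/mkdir
    mode: "0755"
    content: |
      #!/usr/bin/env bash
      set -eu
      CERTBOT_DOCROOT="{{ letsencrypt_webroot }}"
      mkdir -p "$CERTBOT_DOCROOT"
      chmod 755 "$CERTBOT_DOCROOT"

- name: create deploy hook directory
  ansible.builtin.file:
    path: /etc/letsencrypt/renewal-hooks/deploy
    state: directory
    mode: "0755"

# Runs after a successful renewal so nginx picks up the new files.
- name: create deploy hook script
  ansible.builtin.copy:
    dest: /etc/letsencrypt/renewal-hooks/deploy/nginx
    mode: "0755"
    content: |
      #!/usr/bin/env bash
      systemctl reload nginx

# Validate issuance end to end against the staging endpoint without saving
# anything. A failure is kept in letsencrypt_dry_run and handled by the two
# tasks that follow, so the real request never hits production rate limits
# with a broken setup.
- name: test generate certificates
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
  register: letsencrypt_dry_run
  ignore_errors: true
  changed_when: false
  ansible.builtin.command:
    cmd: >
      certbot certonly --dry-run -n --agree-tos
      -m {{ letsencrypt_email }}
      --webroot -w {{ letsencrypt_webroot }}
      --expand -d {{ letsencrypt_domains | join(',') }}

# Drop the change detector so the next play run retries from scratch.
- name: remove domains list file in case of failure
  when: letsencrypt_dry_run is failed
  ansible.builtin.file:
    path: "{{ letsencrypt_save_list.dest }}"
    state: absent

- name: exit in case of failure
  when: letsencrypt_dry_run is failed
  ansible.builtin.fail:
    msg: "certbot dry run failed for {{ letsencrypt_domains | join(',') }}; see the output of the 'test generate certificates' task"

# No `creates:` guard on the lineage's privkey.pem: with --expand certbot must
# run again when domains are added to an existing lineage, and the
# `letsencrypt_save_list is changed` condition already keeps this idempotent.
- name: generate certificates
  notify: restart nginx
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
    - letsencrypt_dry_run is succeeded
  ansible.builtin.command:
    cmd: >
      certbot certonly
      {% if letsencrypt_testing %}--staging{% endif %}
      -n --agree-tos
      -m {{ letsencrypt_email }}
      --webroot -w {{ letsencrypt_webroot }}
      --expand -d {{ letsencrypt_domains | join(',') }}

# NOTE(review): lineinfile fails when the target file does not exist; it is
# presumably laid down by the nginx configuration — confirm.
- name: update nginx certificate configuration
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
    - letsencrypt_dry_run is succeeded
  notify: restart nginx
  ansible.builtin.lineinfile:
    path: /etc/nginx/conf.d/ssl_certificate.conf
    # Requires whitespace right after the directive, so ssl_certificate_key
    # lines are not matched here.
    regexp: 'ssl_certificate\s+([\w/\-\_\.]+);'
    line: "ssl_certificate /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/fullchain.pem;"

- name: update nginx certificate key configuration
  when:
    - letsencrypt_domains != []
    - letsencrypt_save_list is changed
    - letsencrypt_dry_run is succeeded
  notify: restart nginx
  ansible.builtin.lineinfile:
    path: /etc/nginx/conf.d/ssl_certificate.conf
    regexp: 'ssl_certificate_key\s+([\w/\-\_\.]+);'
    line: "ssl_certificate_key /etc/letsencrypt/live/{{ letsencrypt_domains[0] }}/privkey.pem;"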