Install LE cert. when there is none
This commit is contained in:
parent
6e0d6b8a32
commit
1c1bc2fe9f
@ -174,37 +174,42 @@
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
register: ssl
#- name: Generate certificate only if required (first time)
#block:
#- name: Template vhost without SSL for successfull LE challengce
#template:
#src: "vhost.j2"
#dest: "/etc/nginx/sites-available/{{ service }}"
#- name: Enable temporary nginx vhost for LE
#file:
#src: "/etc/nginx/sites-available/{{ service }}"
#dest: "/etc/nginx/sites-enabled/{{ service }}"
#state: link
#- name: Reload nginx conf
#service:
#name: nginx
#state: reloaded
#- name: Generate certificate with certbot
#shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
#when: ssl.stat.exists == false
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
template:
src: "vhost.j2"
dest: "/etc/nginx/sites-available/{{ service }}"
- name: Enable temporary nginx vhost for LE
file:
src: "/etc/nginx/sites-available/{{ service }}"
dest: "/etc/nginx/sites-enabled/{{ service }}"
state: link
- name: Reload nginx conf
service:
name: nginx
state: reloaded
- name: Generate certificate with certbot
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
when: ssl.stat.exists == false
#- name: (Re)template conf file for nginx vhost with SSL
#template:
#src: "vhost.j2"
#dest: "/etc/nginx/sites-available/{{ service }}"
- name: (Re)check if SSL certificate is present and register result
stat:
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
register: ssl
#- name: Enable nginx vhost for mastodon
#file:
#src: "/etc/nginx/sites-available/{{ service }}"
#dest: "/etc/nginx/sites-enabled/{{ service }}"
#state: link
- name: (Re)template conf file for nginx vhost with SSL
template:
src: "vhost.j2"
dest: "/etc/nginx/sites-available/{{ service }}"
#- name: Reload nginx conf
#service:
#name: nginx
#state: reloaded
- name: Enable nginx vhost for mastodon
file:
src: "/etc/nginx/sites-available/{{ service }}"
dest: "/etc/nginx/sites-enabled/{{ service }}"
state: link
- name: Reload nginx conf
service:
name: nginx
state: reloaded
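Review bot: The certbot task `shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}` passes the first domain through a shell although no shell feature is used, and it has no idempotence marker, so Ansible reports it changed every time it runs; `command:` carries the same argument list without shell interpretation, and `args:` with `creates: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"` makes the task skip once the certificate exists. `when: ssl.stat.exists == false` reads more idiomatically as `when: not ssl.stat.exists`; the rendered page drops indentation, so I cannot tell whether that `when` is attached to the block or only to the certbot task, and if it is only on the task the temporary non-SSL vhost is templated, enabled and nginx reloaded on every run, which presumably is not intended. The task names in the new block still carry the typos `successfull` and `challengce` from the commented-out version above them.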
@ -19,8 +19,10 @@ server {
listen [::]:443 ssl http2;
server_name {{ domains |first }};
include /etc/nginx/ssl/{{ service }}.conf;
include /etc/nginx/snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domains |first }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domains |first }}/chain.pem;
# OCSP stapling
ssl_stapling on;
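Review bot: `ssl_stapling on;` is the last line of the hunk next to the `ssl_trusted_certificate` line, but stapling only takes effect together with `ssl_stapling_verify on;` and a `resolver` directive; the server block continues past the hunk, so both may already be set below and this is a point to confirm rather than a defect I can see. The tasks file on this page templates the same `vhost.j2` once before any certificate exists, so the `ssl_certificate`, `ssl_certificate_key` and `ssl_trusted_certificate` directives need to sit inside a guard on the stat result (something like `{% if ssl.stat.exists %}`), otherwise nginx rejects the config at the first reload; if such a guard exists it is above where the hunk starts.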