Install LE cert. when there is none

Mathieu Gauthier-Pilote 2023-01-12 16:27:00 -05:00
parent 6e0d6b8a32
commit 1c1bc2fe9f
2 changed files with 39 additions and 32 deletions


@ -174,37 +174,42 @@
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
register: ssl
#- name: Generate certificate only if required (first time)
#block:
#- name: Template vhost without SSL for successfull LE challengce
#template:
#src: "vhost.j2"
#dest: "/etc/nginx/sites-available/{{ service }}"
#- name: Enable temporary nginx vhost for LE
#file:
#src: "/etc/nginx/sites-available/{{ service }}"
#dest: "/etc/nginx/sites-enabled/{{ service }}"
#state: link
#- name: Reload nginx conf
#service:
#name: nginx
#state: reloaded
#- name: Generate certificate with certbot
#shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
#when: ssl.stat.exists == false
- name: Generate certificate only if required (first time)
block:
- name: Template vhost without SSL for successfull LE challengce
template:
src: "vhost.j2"
dest: "/etc/nginx/sites-available/{{ service }}"
- name: Enable temporary nginx vhost for LE
file:
src: "/etc/nginx/sites-available/{{ service }}"
dest: "/etc/nginx/sites-enabled/{{ service }}"
state: link
- name: Reload nginx conf
service:
name: nginx
state: reloaded
- name: Generate certificate with certbot
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
when: ssl.stat.exists == false
#- name: (Re)template conf file for nginx vhost with SSL
#template:
#src: "vhost.j2"
#dest: "/etc/nginx/sites-available/{{ service }}"
- name: (Re)check if SSL certificate is present and register result
stat:
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
register: ssl
#- name: Enable nginx vhost for mastodon
#file:
#src: "/etc/nginx/sites-available/{{ service }}"
#dest: "/etc/nginx/sites-enabled/{{ service }}"
#state: link
- name: (Re)template conf file for nginx vhost with SSL
template:
src: "vhost.j2"
dest: "/etc/nginx/sites-available/{{ service }}"
#- name: Reload nginx conf
#service:
#name: nginx
#state: reloaded
- name: Enable nginx vhost for mastodon
file:
src: "/etc/nginx/sites-available/{{ service }}"
dest: "/etc/nginx/sites-enabled/{{ service }}"
state: link
- name: Reload nginx conf
service:
name: nginx
state: reloaded
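Review bot: The new "Generate certificate with certbot" task interpolates `{{ domains |first }}` straight into a `shell:` line, so any shell metacharacter in a domain value is interpreted by /bin/sh before certbot sees it; the command uses no pipes or redirects, so `command:` gives the same result without that exposure. The call also has no `--non-interactive`/`--agree-tos` flags, and on a host where certbot has never registered an account an Ansible run (no TTY) is likely to abort at the TOS/email prompt rather than issue the certificate — worth confirming against the role's certbot version and supplying the account email from a role variable. Suggested lines: `command: certbot certonly --non-interactive --agree-tos --webroot --webroot-path /var/lib/letsencrypt -d {{ domains | first }}` and, for the block condition, the idiomatic `when: not ssl.stat.exists` in place of `== false`. Note also that the reload after the temporary vhost only succeeds if `vhost.j2` omits the 443 server block while `ssl.stat.exists` is false — the template hunk below does not show that guard, so verify it exists. The preceding stat task starts above this hunk and the task list continues past it, so the surrounding flow is inferred from the visible lines only.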


@ -19,8 +19,10 @@ server {
listen [::]:443 ssl http2;
server_name {{ domains |first }};
include /etc/nginx/ssl/{{ service }}.conf;
include /etc/nginx/snippets/letsencrypt.conf;
ssl_certificate /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ domains |first }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ domains |first }}/chain.pem;
# OCSP stapling
ssl_stapling on;