Install LE cert. when there is none
This commit is contained in:
parent
6e0d6b8a32
commit
1c1bc2fe9f
|
@ -174,37 +174,42 @@
|
||||||
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||||
register: ssl
|
register: ssl
|
||||||
|
|
||||||
#- name: Generate certificate only if required (first time)
|
- name: Generate certificate only if required (first time)
|
||||||
#block:
|
block:
|
||||||
#- name: Template vhost without SSL for successfull LE challengce
|
- name: Template vhost without SSL for successfull LE challengce
|
||||||
#template:
|
template:
|
||||||
#src: "vhost.j2"
|
src: "vhost.j2"
|
||||||
#dest: "/etc/nginx/sites-available/{{ service }}"
|
dest: "/etc/nginx/sites-available/{{ service }}"
|
||||||
#- name: Enable temporary nginx vhost for LE
|
- name: Enable temporary nginx vhost for LE
|
||||||
#file:
|
file:
|
||||||
#src: "/etc/nginx/sites-available/{{ service }}"
|
src: "/etc/nginx/sites-available/{{ service }}"
|
||||||
#dest: "/etc/nginx/sites-enabled/{{ service }}"
|
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
||||||
#state: link
|
state: link
|
||||||
#- name: Reload nginx conf
|
- name: Reload nginx conf
|
||||||
#service:
|
service:
|
||||||
#name: nginx
|
name: nginx
|
||||||
#state: reloaded
|
state: reloaded
|
||||||
#- name: Generate certificate with certbot
|
- name: Generate certificate with certbot
|
||||||
#shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
|
shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}
|
||||||
#when: ssl.stat.exists == false
|
when: ssl.stat.exists == false
|
||||||
|
|
||||||
#- name: (Re)template conf file for nginx vhost with SSL
|
- name: (Re)check if SSL certificate is present and register result
|
||||||
#template:
|
stat:
|
||||||
#src: "vhost.j2"
|
path: "/etc/letsencrypt/live/{{ domains |first }}/fullchain.pem"
|
||||||
#dest: "/etc/nginx/sites-available/{{ service }}"
|
register: ssl
|
||||||
|
|
||||||
#- name: Enable nginx vhost for mastodon
|
- name: (Re)template conf file for nginx vhost with SSL
|
||||||
#file:
|
template:
|
||||||
#src: "/etc/nginx/sites-available/{{ service }}"
|
src: "vhost.j2"
|
||||||
#dest: "/etc/nginx/sites-enabled/{{ service }}"
|
dest: "/etc/nginx/sites-available/{{ service }}"
|
||||||
#state: link
|
|
||||||
|
|
||||||
#- name: Reload nginx conf
|
- name: Enable nginx vhost for mastodon
|
||||||
#service:
|
file:
|
||||||
#name: nginx
|
src: "/etc/nginx/sites-available/{{ service }}"
|
||||||
#state: reloaded
|
dest: "/etc/nginx/sites-enabled/{{ service }}"
|
||||||
|
state: link
|
||||||
|
|
||||||
|
- name: Reload nginx conf
|
||||||
|
service:
|
||||||
|
name: nginx
|
||||||
|
state: reloaded
|
||||||
|
|
|
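Review bot: The certbot task in this hunk, `shell: certbot certonly --webroot --webroot-path /var/lib/letsencrypt -d {{ domains |first }}`, will hang on a fresh host, because the first `certonly` run prompts for account registration, an e-mail address and ToS acceptance; add `--non-interactive --agree-tos` together with `-m <admin-email-placeholder>` (or `--register-unsafely-without-email`) so the play fails loudly instead of waiting on stdin. The same task needs only `command:` rather than `shell:`, since nothing in it uses shell features, which also keeps the interpolated `{{ domains |first }}` out of shell parsing. The block-level `when: ssl.stat.exists == false` reads better as the ansible-lint-preferred `when: not ssl.stat.exists`, and the task name carries two typos (`successfull`, `challengce`). The `stat` task that first registers `ssl` starts above this hunk, so whether it runs before every play is not visible here.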
@ -19,8 +19,10 @@ server {
|
||||||
listen [::]:443 ssl http2;
|
listen [::]:443 ssl http2;
|
||||||
server_name {{ domains |first }};
|
server_name {{ domains |first }};
|
||||||
|
|
||||||
include /etc/nginx/ssl/{{ service }}.conf;
|
|
||||||
include /etc/nginx/snippets/letsencrypt.conf;
|
include /etc/nginx/snippets/letsencrypt.conf;
|
||||||
|
ssl_certificate /etc/letsencrypt/live/{{ domains |first }}/fullchain.pem;
|
||||||
|
ssl_certificate_key /etc/letsencrypt/live/{{ domains |first }}/privkey.pem;
|
||||||
|
ssl_trusted_certificate /etc/letsencrypt/live/{{ domains |first }}/chain.pem;
|
||||||
|
|
||||||
# OCSP stapling
|
# OCSP stapling
|
||||||
ssl_stapling on;
|
ssl_stapling on;
|
||||||
|
|
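Review bot: The three `ssl_certificate` / `ssl_certificate_key` / `ssl_trusted_certificate` lines are emitted unconditionally into the 443 server block, yet the tasks file in this same commit renders this template once before certbot has run ("Template vhost without SSL for successfull LE challengce") and then reloads nginx; if the template does not already wrap the 443 block in a guard, nginx's config test will reject the not-yet-existing `/etc/letsencrypt/live/{{ domains |first }}/...` files and the reload fails before the certificate can be issued. Only lines 19-28 of the template are visible, so such a guard may exist outside the hunk; if it does not, wrapping the `listen ... 443 ssl` directives and these three lines in `{% if ssl.stat.exists %}` … `{% endif %}` is the fix. Replacing `include /etc/nginx/ssl/{{ service }}.conf;` with bare certificate paths also drops whatever that file carried; if it set `ssl_protocols` or `ssl_ciphers`, the vhost now falls back to nginx defaults, so confirm those settings are still supplied by another include. The `server {` block starts and ends outside the hunk.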